Role of information technology on documentation and security of medical data

Abstract: Information technology (IT) is increasingly used in medicine, mainly for processing medical data. Understanding how IT affects the documentation and security of medical data and how users adapt IT systems can help to improve the quality of medical data and consequently the quality of medical care. Aim: The aim of this thesis was to explore the impact of IT on the documentation and the security of medical data in a middle-income country, in order to identify influencing factors on the quality of medical data. Method: In study I, a set of 300 randomly selected paper-based medical records (PBMR) was evaluated for the completeness of data (quantitative). Additionally ten physicians and ten nurses were interviewed for their opinions on the quality and the use of PBMR at a university hospital (qualitative). In study II we used similar approach to analyse the quality of medical data after an electronic medical record (EMR) system had replaced the PBMR system. The completeness of data was explored in 300 randomly selected EMR (quantitative) and then the opinion of medical staff (ten physicians and ten nurses) on the quality of data and potential barriers for using EMR was sought (qualitative). Study III was an interventional study which investigated the impact of a computer-generated physician-oriented reminder system on the quality of documentation in two randomly selected intervention (n=188) and control (n=188) groups of EMR. In study IV the security of medical data in EMR in six university hospitals was explored by observing users interaction with hospital information systems (HIS), analysing the databases and log files in HIS (quantitative) and interviewing six computer network administrators and four representatives of four HIS developing companies for technical details (qualitative). Descriptive analysis for quantitative materials and content analysis for qualitative materials were applied in the studies. Results: All PBMR investigated were incomplete in terms of medical data. The quality of data varied among different fields of the PBMR, with the lowest percentage of documentation of demographical and administrative information and highest percentage of documentation of diagnostic and treatment information and also care providers identity information. Illegible handwriting, missing sheets, high workload and insufficient quality control for documentation of medical data were prominent influencing factors that were highlighted by the interviewees (study I). Findings in study II indicated that after introducing EMR, the documentation of medical data was improved in some fields, especially where nurses documented the data, but physicians involvement in documentation of medical data in the EMR was low. Neglecting physicians in the development and implementation phases of the EMR and their concerns about security of medical data influenced their acceptance of the EMR system. High workload, shortage of bedside hardware and lack of software specification to identify incompleteness of medical records were other negatively influencing factors on documentation of medical data in the EMR. The results of study III showed that an automatic physician-oriented reminder system has the potential to improve documentation of medical data in EMR in a high workload environment. In the intervention group 165 of 188 EMR (88%) were documented completely (X2 = 75.6, p < 0.0001). In the control group only 91 (48%) of EMR were completely documented. The findings of study IV underlined that the security mechanisms for protecting medical data in the HIS environment were inadequate. All six HIS investigated suffered from lack of policy for information security, weak authentication techniques, absence of functions for managing users and log files. Conclusions: EMR is a good substitute for PBMR. However, in order to successfully transfer from PBMR to EMR and to have comprehensive documentation of medical data, some requirements have to be met. Establishing organizational policy for both documentation and security of medical data is fundamental. Involving medical staff in the development and implementation phases can facilitate staff s acceptance of the new system. EMR needs to have functions to identify and remind users of incomplete records. Concerning the security of medical data, HIS and EMR systems should implement all up-to-date information security services, including strong authentication techniques, data encryption and digital signature.