Oliver Ellis: Health records in the cloud

On my first ever hospital placement the thing that most struck me was just how antiquated the records system was. Junior staff were writing with pen and paper; the grander ones used a tape (an actual magnetic tape!) to dictate letters to a secretary. To find something in a patient record you couldn’t type a few terms into a search box, you had to flip through the pages and decipher scrawl.

It just didn’t seem very 21st century. So I’ve been following the emergence of electronic healthcare record systems (EHRs) and the NHS National Programme for IT (NPfIT) with a great deal of interest.

I was especially interested to read recently that one London NHS trust is testing out a new cloud-based system for storing patient records. Meanwhile, news has leaked that other parts of the NHS are looking at getting cloud computing.

In the past few years the computer industry has been buzzing with hype about the cloud. But what is a cloud, and is it a good thing for health records?

Head to the cloud
In the past, if you wanted to create an EHR system you had to buy expensive hardware (a server or servers) and software. During quiet times the expensive server would be sitting almost idle. And during peak times it might get overloaded with too many users, making it slow and unresponsive.

Enter cloud computing. It’s a service provided by companies (cloud hosts) that own big rooms full of servers. A healthcare provider can pay for the use of those servers on a timeshare basis. Doctors and other healthcare professionals can then access them over the internet.

An all-in package could provide everything that’s needed for a complete EHR. The cloud host saves all the data, makes sure everything is backed up, and supplies a web browser based interface that healthcare workers can use from any computer.

If they suddenly double the number of patients on their list, the cloud host can automatically give them more resources. If they are having a quiet day, they aren’t paying for computer time they don’t need.

Patient power
The London system promises patients the ability to manage their own records and decide who has access to them.

Tony Lucas of Flexiant, the company involved in developing the system, said in a press release, “Hosting the data in the cloud as soon as results are published means that the patient can go online and access them, sharing them in real time with everyone who needs to see them.

“They will be able to invite their GP, consultants, health carers and family members – people they trust and who need to know the results.” (See footnote.)

In 2009, Prime Minister David Cameron said he wanted to go even further and allow individual patients to choose their own cloud-based healthcare record system. The patients would then grant their clinicians access to the records as they saw fit.

Cameron was reported by the Guardian as saying, “People can store their health records securely online; they can show them to whichever doctor they want. They’re in control, not the state.”

So far, so utopian. The idea of giving patients control of their own records in this way is an appealing notion – the ultimate expression of patient autonomy. But there are some pitfalls, which need to be addressed before systems like this are rolled out.

Medical records are difficult to interpret. Patients already have a right to see their records, but many hospitals insist that they must read them in the hospital in the presence of someone who is trained to interpret medicalese.

If patients are able to read their own records while sitting at home, without explanation or context available, it could cause quite a lot of distress.

Privacy is also a concern. There are lots of consultations that patients might not want their family or partner to know about.

For example, the patient in a long term relationship who wants a sexual health screen, or the under 18 who wants contraceptive advice from their GP. If the patient is able to access these records on their home computer it is easy to imagine a family member pressuring the patient to allow them access.

Ownership of data
There is also a question about ownership of data. It seems all very empowering for patients to have control of their records, but in fact they don’t have them. The company providing the cloud service has them.

But what happens when the cloud host gets too expensive, so their customers would like to change to someone else? What happens if the cloud service gets shut down, like Google is doing with their health record offering? (http://googleblog.blogspot.com/2011/06/update-on-google-health-and-google.html) Or if the cloud host goes bust, like care home provider Southern Cross almost did? How easy will it be for individual patients or healthcare providers to move cloud host?

It’s not an impossible problem. Some cloud services, like Facebook and Google, allow you to download all your data in a portable format. But these facilities weren’t there when the services first launched – they only came in response to consumer group concerns about data portability.

Local laws
Finally, there are data protection questions that need to be clarified. Customers need to be clear what jurisdictions their data is being held under, and what the implications of that are. The EU and the US, for example, have very different laws about what data can be accessed by government organizations, as well as differing rules protecting medical records.

At their recent launch of cloud-based Office 365, Microsoft UK managing director Gordon Frazier admitted that even data that is stored in the EU, on computers owned by US based companies, could be vulnerable to American court orders made under the sinisterly named “Patriot Act”.

Again, these issues aren’t insuperable. But they need some heavy duty lawyering, and perhaps reassurances from governments. Patients need to be told exactly who would be allowed to access their information, and in what circumstances.

Headlong rush
Cloud based health records have great potential. They could save clinicians time, healthcare providers money, and promote a level of patient autonomy that was impossible until now.

But before there is a headlong rush to the cloud there needs to be a thorough debate about what can be done to mitigate the risks and avoid the pitfalls. Patients need to be reassured that their private information is being looked after in an appropriate way.

Oliver Ellis is the departing student editor of Student BMJ.

Footnote – Strictly, cloud hosting isn’t an absolute must for this. It would be possible for a healthcare provider running their own servers to allow patients access to their own data. But it would likely be prohibitively expensive and difficult for individual healthcare providers to set up their own systems to do it.

Competing interests – OE has a relative employed by one of the companies working on the NPfIT, although they are not currently working on that project.