Medical IT Modernization In the United States

 In the United States, general hospitals, pharmaceutical companies, life science laboratories, etc. are introducing cutting-edge IT infrastructure one after another with a huge budget. In recent years, as one of the digitization of medical information, systems that combine remote image diagnosis, artificial intelligence (AI), and big data have been attracting attention. The digitized patient charts managed by medical institutions are called Electronic Medical Records (EMRs).

  Until now, EMR only stored test results as text characters, but nowadays, very clear image data for medical diagnosis is used. The so-called “diagnosis support AI”, which loads medical images of patients into analysis software and gives new awareness to doctors and pathologists, is receiving a great deal of attention.

 Also, EHR (Electronic Health Record: EHR) and wearables that store individual health information such as medical history, allergy information, and vaccination status in a big data platform can be shared between medical facilities and other facilities. Consideration is also increasing for the introduction of the latest technology that combines devices and IoT.

 Not all medical institutions in the United States are equipped with such state-of-the-art IT infrastructure. Vendors have introduced many examples of cutting-edge IT solutions and services that have been introduced at large medical facilities and laboratories with huge budgets, but on the other hand, in depopulated areas and small medical institutions, equipment It is often difficult to renew the IT infrastructure because it is difficult to secure the purchase budget and personnel. 

 When we talk about IT in US medical care, we cannot avoid talking about laws and regulations. One of the factors that prolong the life of legacy IT in US medical institutions is the regulation set by the US government.

In 1996, the Health Insurance Portability and Accountability Act (HIPAA Act), a law concerning the privacy of medical data, came into effect in the United States. HIPAA includes privacy and security rules for healthcare professionals, and entities seeking to use personal health information are required to comply with HIPAA and will be penalized for violations. You can. HIPAA’s privacy rules apply to personally identifiable health information, not only in electronic media but also in paper and oral communications.

 In this HIPAA, this personally identifiable health information is called “Protected Health Information (PHI)” and includes sensitive patient information such as personal health information and payment information. In addition to HIPAA, we have obtained certification for a certification framework for medical-related regulations and standards called the “Health Information Trust Alliance Common Security Framework (HITRUST CSF)”, and in Europe, it is called the “General Data Protection Regulation (GDPR)”. There are also data protection regulations.

 In the medical IT infrastructure, IT functional requirements must be set in a manner that complies with various regulations such as HIPAA, HITRUST CSF, and GDPR, and businesses that handle patient PHI (protected health information) must take security measures. Must be done.

 Specifically, access to medical facilities, use of PCs, workstations, electronic media, access control and use of e-PHI (electronically protected health information), deletion, disposal, user ID management, automatic logout function, Data encryption and decryption procedures, unauthorized access measures, emergency access procedures, software, and hardware-level log acquisition, etc., which provide sensitive patient data, including physical ones. It is necessary to strictly define and implement protective measures and safety measures.

 The more you pursue both regulatory compliance and convenience, the more complex the IT infrastructure itself becomes and the higher the initial investment in development. Therefore, medical institutions where it is difficult to secure a budget cannot actively introduce new IT, and the status quo will continue to be maintained by continuing to use legacy systems.