Would it be possible, as far as security and HIPAA compliance, to have a patient enter their demographics from a website?
Here’s what I’m thinking: have a practice website with a log in. The patient logs into the website, with a username provided by the practice, and enters their demographics. An employee of the practice would then receive the information and review it, and then import it to the EMR.
One of the biggest requests I hear from office staff is having to enter patient demographics. This would also speed the patient through the initial process.
I’ve been contemplating this for a while now. We have an intake form on our main site with SSL encryption and I use the soupermail cgi script (http://soupermail.sourceforge.net/index.html) to generate a pdf form attached to an email. Soupermail can also do SQL queries and inserts. I imagine it could also be configured to generate a SQL file as well and email that to the staff (which could then be imported).
Now, while all of this can happen with proper SSL encryption, my concern has been twofold:
First, doing SQL inserts means storing the data on the webserver in MySQL and being sure that is secure.
Second, emailing the data. Since I do this already and the mail accounts are on the same box (DV account on mediatemple.net) as the webserver, there’s not too much concern there except for the fetch action from the mail client (which can also be an SSL connection). Were you to use an email system hosted separately, then you could not ensure the security of the data as it moves from your webserver to your mail server.
The ideal solution would be to host OpenEMR, the website and the mail server all on the same system and SSL protect everything. The upside is that you don’t need a local machine as a server, the system is available from anywhere and you can have your hosting company do backups. Downside is that if you lose internet access (temporary outage, whatever), you lose your EMR system. Also, the data is potentially accessible by employees at the hosting company and OpenEMR is not likely a hardened system. It’s very likely it can be hacked.
I’m paranoid, so I serve OpenEMR on a box locally in the facility behind a firewall. No outside access.
The next hurdle is what to do with the data once received. While it shouldn’t be too difficult to standardize the basic demographics data as a web form, we collect a lot of other data which is specifically suited to a custom encounter form. Might as well have all that imported too. Since every facility uses different forms with different data (we’re an Acupuncture & Chinese Medical clinic), that means custom work on a per facility basis.
fred0 is right. There are security issues to deal with. I would not want to expose OpenEMR to patients directly. Even data collected externally and imported has to be checked for SQL injection attacks.
A web service where patients and physicians each had secure access would be useful. Patients could fill out customized forms and their doctors could access them. Maybe this exists already.
Then, we would just have to deal with a standard method of importing this data. Maybe it would be an XML file with one or more patients and OpenEMR would have an upload form to get this file in and processed.
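The import-and-check step this post describes, as an added example that is not code from the thread or from OpenEMR: a Python sketch that whitelists the fields of a hypothetical `<patients>` XML upload, validates them, and writes them with bound parameters so field text is never interpreted as SQL. The XML layout and the `patient_data` column set are assumptions, and SQLite stands in for MySQL.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Hypothetical upload format and table (not OpenEMR's real schema): a <patients> document
# holding one <patient> per record, with one child element per demographic field.
FIELDS = ("fname", "lname", "dob", "phone", "street", "city", "state", "zip")
DOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
MAX_LEN = 64

def parse_patients(xml_text):
    """Turn the upload into plain dicts, rejecting any field outside the whitelist."""
    root = ET.fromstring(xml_text)
    patients = []
    for node in root.iter("patient"):
        rec = {}
        for child in node:
            if child.tag not in FIELDS:
                raise ValueError("unexpected field: %s" % child.tag)
            value = (child.text or "").strip()
            if len(value) > MAX_LEN:
                raise ValueError("field too long: %s" % child.tag)
            rec[child.tag] = value
        if not rec.get("fname") or not rec.get("lname"):
            raise ValueError("first and last name are required")
        if not DOB_RE.match(rec.get("dob", "")):
            raise ValueError("dob must be YYYY-MM-DD")
        patients.append(rec)
    return patients

def import_patients(xml_text, conn):
    """Insert the records with bound parameters; column names come only from FIELDS."""
    conn.execute("CREATE TABLE IF NOT EXISTS patient_data (%s)" % ", ".join(FIELDS))
    rows = [tuple(p.get(f, "") for f in FIELDS) for p in parse_patients(xml_text)]
    sql = "INSERT INTO patient_data (%s) VALUES (%s)" % (
        ", ".join(FIELDS), ", ".join("?" * len(FIELDS)))
    conn.executemany(sql, rows)
    return len(rows)

# Constructed sample upload; the second surname contains SQL metacharacters and must be
# stored as literal text, which bound parameters guarantee.
SAMPLE_XML = """<patients>
  <patient><fname>Ann</fname><lname>O'Neil</lname><dob>1970-04-12</dob><city>Boise</city></patient>
  <patient><fname>Bob</fname><lname>Smith'; --</lname><dob>1985-11-03</dob></patient>
</patients>"""

def run_sample():
    db = sqlite3.connect(":memory:")
    count = import_patients(SAMPLE_XML, db)
    return count, [r[0] for r in db.execute("SELECT lname FROM patient_data ORDER BY rowid")]
```

The staff review step from the thread would sit between `parse_patients` and `import_patients`, with the parsed dicts shown to an employee before anything is written.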
I’m not a big fan of running a public web/mail server on the same server the EMR is running on. I’m paranoid too, and think this would be a little risky.
What I was thinking is having the web/mail server hosted remotely (by a hosting company), and having the patients enter demographics there, where it is checked for SQL injections.
The issue seems to be transferring the information to the EMR server - maybe a Point-to-Point VPN… passing traffic in one direction? I suppose the actual hosting could be considered a security issue too. And, what about secure email? Having the email come encrypted and having an employee view the data before uploading it to the database.
I’ve read about, worked with, and researched EMR systems for a while now, and find this OpenEMR to be the most interesting to use. I believe it’s much better than the very high $$$ systems and am willing to invest some time and money to make it work for our office. However, there are some issues I need to work out before putting it into production. One of the main issues is learning the billing part. Anyone know of a manual for that? For the 2.9.0 version?
Up to now, billing has been in combination with SQL-Ledger. There are a number of threads about the ups and downs of that. It’s always been cumbersome and generally a pain to manage, but it works (I did the interface updates last year to make it work with the newer versions of SQL-Ledger).
Rod Roark, one of the main developers here, is currently doing a major update that should eliminate the need for SQL-Ledger (https://sourceforge.net/forum/forum.php?thread_id=2300464&forum_id=202506), so I would suggest holding off until that work is completed, as I would expect it to greatly simplify billing management.