Fever. Nausea. Vomiting. Diarrhea.
At first, bioterrorism—whether it’s inhalation anthrax, smallpox, pneumonic plague or something else entirely—will probably feel like the flu. You’ll be miserable, but you probably won’t be alarmed. You’ll go to your local drugstore, clinic, maybe an emergency room. Doctors in one place or another might notice a small uptick in flu-like symptoms. But no one will see the pattern. Until the dying starts.
Unless, of course, a sophisticated IT network could transmit and integrate all that data in real-time so that health officials could see what was happening across hundreds, if not thousands, of facilities. And that’s just what legions of technologists and clinicians in public health departments, hospitals, laboratories and pharmacies are trying to develop right now.
“The systems are being defined and created as we speak,” says Rosemary Nelson, chairman of National Preparedness and Response, a new bioterrorism task force created by the Healthcare Information Management and Systems Society (HIMSS). If such a network existed, health officials could sound the alarm in that precariously short window of time when the spread of the disease could be stopped.
This kind of system could be IT’s greatest success, saving lives as well as money. Even without a bioterror attack, a surveillance system would be useful in detecting the early stages of any disease, such as the recent outbreak of the mysterious ailment called SARS, or severe acute respiratory syndrome.
Such a system could also help lay the groundwork for a long-desired system of standardized electronic medical records, which would significantly reduce errors in patient care and save substantial sums of time and money.
But if the pieces don’t come together—or if they do but in the process erode the concept of patient confidentiality—then that could also be IT’s biggest failure.
“IT has so much potential use in bioterrorism and health care, but the word is potential,” says Dr. Eduardo Ortiz, a senior fellow with the Agency for Health Care Research and Quality at the U.S. Department of Health and Human Services, which last August released a 354-page report about how IT could be used for bioterrorism preparedness and response. “We’re not there yet; we’re not even close.”
Since the anthrax attacks in Connecticut, Florida, New York and Washington, D.C., definite progress has been made in creating an effective early warning system for bioterrorism. But wildly disparate computer systems, disconnected and often overlapping projects, and a lack of industry standards still stand in the way of creating the kind of network that can save lives.
The Paper Chase
In late January, HHS Secretary Tommy Thompson unveiled a $3.5 million command center in Washington, D.C. Seeking to reassure a public nervous about biological and chemical attacks, Thompson explained that this new command post would let him coordinate the response to a bioterrorist attack and bring together everyone from the CIA to the Centers for Disease Control and Prevention, which is part of HHS. As CNN cameras filmed a wall of video screens 24 feet wide and 7 feet tall, correspondent Wolf Blitzer told viewers that they were witnessing “how your life could be saved.”
It was all window dressing. In many parts of the country, the primary mechanism for detecting bioterrorism—or any epidemic—is still the little stacks of cards that doctors are required to fill out with the patient’s name, address and diagnosis, and submit to local health departments when they come across a disease that poses a significant health risk.
The diseases that must by law be reported vary from state to state: West Nile in New York; the hantavirus in New Mexico; most sexually transmitted diseases, everywhere. The root philosophy is that sometimes, doctor-patient confidentiality must give way to the risk to public health. (The notable exception to that rule is when a patient has AIDS, or is HIV-positive.)
On a local level, health officials use those reports to track treatment, notify others who may have been infected or quarantine an individual if necessary. On a broader level, epidemiologists look for disease patterns across the city, county, state or nation, and alert health-care practitioners and the CDC to anything unusual.
Some local health departments have started allowing clinicians to submit this information electronically, but not many do. Some local health departments still worry about upgrading their dial-up Internet connections to broadband.
For doctors, the reporting process is so labor intensive that observers put the compliance rate at less than 20 percent. That means that four times out of five, doctors never even bother to fill out a report. Fortunately, the laboratories where they send their tests tend to be more automated and therefore more likely to file that information electronically with the public health department. But no one believes that public health departments have anything like a full window into what’s going on—regardless of the bank of video screens that adorns Thompson’s command center.
“In retail America, they long ago made the entire supply chain of data electronic from cradle to grave,” says CDC CIO James D. Seligman. “The chairman of Wal-Mart can find out how many widgets got sold an hour and a half ago anywhere in America. That’s where we’re trying to get with health data, to enable that electronic passage of information from the point of encounter, when a patient sees a health-care professional, and then pass all that data on electronically to the appropriate jurisdictions.”
The health-care system is a long way away from that, says Jim Klein, a vice president and research director for Gartner. Even in areas where local health departments do accept information electronically, he estimates that only about 5 percent of hospitals have fully automated medical records. And if patient information is entered electronically at some point, there’s often no consistency as to whether, say, the red blood cell count is keyed in as RBC or RB.
This lack of automation and standardization means that the disease reporting process is not only spotty but also slow. A doctor’s office might wait until the end of the month to mail its stack of forms to the local health department. From there, the forms could take another month to be processed, analyzed and sent on.
Needless to say, that’s just not fast enough for bioterrorist incidents, which doctors say they must respond to in hours, not weeks. Anthrax, for instance, should be treated in the first couple days after exposure. By day six, when a victim is sick enough to go to the emergency room, she might be too sick to be saved.
“Epidemiology is good and gets you to disease recognition, but unfortunately [the recognition comes] a month or two after the information is worth anything,” says Dr. Michael Allswede, an emergency room physician and clinical associate professor at the University of Pittsburgh School of Medicine, who was also a U.S. Army medical company commander in Desert Storm.
It gets worse. Even if all the information available about disease diagnoses were collected and analyzed in real-time, that still wouldn’t be enough to short-circuit a biological attack. That’s because the information we possess under current law and practice is insufficient. Doctors have no reason or obligation to report many of the early warning signs of bioterrorism, the flu-like symptoms that could be public health officials’ first hint that something has gone wrong. In fact, the Health Insurance Portability and Accountability Act (HIPAA) prevents doctors from sharing any kind of personally identifiable patient information with a third party, except in cases when the public health departments need to know about a legally reportable disease. In other words, a doctor is legally obligated to notify public health that a certain patient has anthrax, but legally forbidden from notifying public health that a specific patient has the symptoms of anthrax.
Nevertheless, a few local health departments are starting to gather symptom information that could give early warning about the outbreak of a disease. But this “syndromic surveillance,” as it’s known, is being held back not just by technological challenges but by political ones, as health-care providers grapple with the line between trend information—perhaps including a patient’s age, gender and ZIP code along with his symptoms—and the personally identifiable information protected by the HIPAA legislation.
Tracking Symptoms in New York
New York City has stopped waiting for doctors to fill out those little cards. Instead, the city is working on what it hopes will one day be a model of how to identify the outbreak of a disease in its earliest stages. More than two years ago, the New York City Department of Health and Mental Hygiene started gathering 911 call data for cases involving sickness and respiratory distress. Then, shortly after Sept. 11, the department also began collecting from emergency rooms what’s known as the “chief complaint” of incoming patients, such as fever, nausea or a persistent cough. This is the most likely health information to be entered into a computer because even if patient case files are not automated, insurance and admittance systems usually are. That information also includes a patient’s age, gender and ZIP code, but not his name, ethnicity or other personal data.
All the information comes in via secure FTP once or twice a day, sometimes just in ASCII format, with about 40 of the city’s 90 hospitals participating so far. “We said, ‘Give us whatever you have, and we’ll put it in a common form for analysis,’” says Ed Carubis, CIO of the New York City Health Department. “We didn’t force them to use a certain data standard or make them jump through hoops because what we really wanted was participation.”
Using that information, public health officials can now identify the start of flu season two weeks before the trend shows up in laboratory results, allowing them to get a jump on awareness campaigns. The department has also started gathering information about certain kinds of prescription and over-the-counter drug sales (from at least one major pharmacy chain) and absentee rates (from a few major employers in the city).
Will the city start tracking sales of orange juice and Kleenex next? Carubis can’t be sure because the health department is still trying to figure out how, exactly, to extract meaning from pharmacy sales and absentee rates. (What red flag goes up when Maalox is on sale?) He also won’t say which pharmacy or employers are sharing numbers with the city. That probably has something to do with the fact that this kind of system, frankly, gives some people the creeps. Privacy advocates wonder how useful this kind of information can really be and what further invasions of privacy it might lead to.
For one researcher, New York’s fledgling surveillance project is just “No. 47” on a spreadsheet of projects. John McLamb has been trying to pull together a comprehensive list of all the national, state and local bioterrorism initiatives currently being attempted by health departments, universities, professional associations and even the Department of Defense. McLamb, who is director of informatics for emergency medicine at the University of North Carolina at Chapel Hill, is doing the work for HIMSS’s group on bioterrorism, not at the behest of any federal agency.
Every line on his spreadsheet has a story. In Kansas City, for instance, the health-care vendor Cerner is working with local hospitals to automatically send certain computerized lab reports to health departments in Kansas and Missouri. Only health departments have the key to unencrypt identifying information, but physicians at any of the 23 participating hospitals can view the region’s trend data for research purposes. “Before, we were living in our own little pockets of data,” says John Wade, vice president and CIO of Saint Luke’s Health System, one of the participating organizations.
In the Minneapolis area, after much wrangling over HIPAA, the nonprofit health-care organization Health Partners started sending information about flu-like illnesses to researchers at the Harvard Medical School, as part of a $1.2 million early warning system funded by the CDC. Other participants include Kaiser Permanente and Optum, which runs a national 24-hour health hot line. “I’ve spent as much time working on the privacy concerns as everything else combined,” says Dr. James Nordin, a clinical research investigator at Health Partners. “What we have done is to be very limited about the information that goes out to the Minnesota Department of Health and even more limited about the information that we send to the data center at Boston.”
And in New Mexico, researchers at Sandia National Labs have developed a system called the Rapid Syndromic Validation Project—the only one of the bunch that, instead of fishing information out of existing data streams, requires health-care providers to actually log on to a secure website and type in information about a patient’s symptoms in return for trend and treatment information. “We tell the doctor that we only want sick people, and we give the doctor something back that’s relevant to the patient they’re treating not in 10 days but in 10 seconds,” says Alan Zelicoff, the senior scientist who developed the system and hopes it will eventually be used across the country.
In those programs and dozens of similar ones in the works, there’s more than a little braggadocio involved. “This one’s the best,” Zelicoff says, by way of greeting a CIO reporter who called for an interview.
And there’s more than a little overlap too. “I see a lot of efforts out there that are redundant,” McLamb says. “If people who are doing the same thing would get together, they wouldn’t have to reinvent the wheel.”
A $918 Million Pie
With so many projects being developed by so many entities, the ultimate success of any national bioterror surveillance system will depend on one thing: whether those systems can ever talk to each other. And if there’s one thing that everyone involved agrees on, it’s the need for standards.
The federal government has taken one big step in that regard. In March, the U.S. Department of Health and Human Services along with the departments of Defense and Veterans Affairs jointly released the first set of uniform health information standards for exchanging clinical data electronically across the federal government. When developing new systems, all federal agencies are now obligated, among other things, to use the Health Level 7 messaging format—a set of drug-ordering guidelines already adopted under HIPAA—and a group of codes for laboratory results.
Ultimately, though, public health is a very local activity. It’s you, your doctor, your exam room, your lab test results. When it comes to reaching the state and local health departments that interact with all the players, the federal government has a lot less control than one might expect. “Typically, if there’s an outbreak of a disease at the local or state level, they will handle it locally or invite the CDC in on an as-needed basis,” the CDC’s Seligman says. “We offer our assistance, but ultimately it’s their call.”
The one place where the federal government does have power to persuade is with its pocketbook. And that’s where the CDC’s National Electronic Disease Surveillance System (NEDSS) comes in. This system lays out a sort of meta-standard for both health-care information and IT standards. All state health-department systems must be NEDSS-compatible—at least they must be if they want a piece of the $918 million in bioterrorism grants that the CDC is handing out this year.
This pocketbook persuasion could pave the way for electronic medical records in the health-care industry. “These standards that make national disease surveillance work are the same standards that we’ll need if we’re going to move forward to a day when you can ask a doctor to send your medical records electronically to a new doctor,” Gartner’s Klein says. But the work also highlights just how difficult the journey will be.
Pennsylvania is one of the few states that have already adopted the system. There, the state Department of Health built a NEDSS-compliant application that allows doctors to go to a secure website to report a disease. As soon as a doctor hits “save,” the information is available to public health investigators.
Development was no small task, says Mary Benner, CIO and IT director for the department. The state had to consolidate some 6,000 data fields from 100 forms to 600 actual data elements in the database, and also work out problems with providers on antiquated operating systems trying to use the digital certificates that enable secure, encrypted communications.
Now, the biggest challenge is getting doctors to register. Since July 1, when the system went live, the department has received 57,000 cases of reportable diseases electronically. It also gets several hundred reports a week in paper form. “Some [doctors] are very enthusiastic, and others don’t have a computer in their office and don’t want one,” Benner says.
With that kind of reluctance and the ongoing challenge of getting the industry to adopt a set of standards, a national bioterrorism surveillance system seems far off, indeed. Right now, truly effective public health surveillance must await the resolution of a national debate on how homeland security will play out in a country that has always prided itself on its freedoms. And that debate will increasingly depend on how technology and CIOs can balance the public need to know with the individual’s right to privacy.
“We have to decide as a nation how much security and privacy we need when those two things are in a trading relationship,” says Pittsburgh School of Medicine’s Allswede. “What we’re doing in terms of information technology, and where it has to progress, is a microcosm of that larger sociological change.”