I once read a blog post that said “Healthcare IT is neither ‘healthcare’ nor ‘IT’.” It sounds strange and even a bit funny, but it’s true. Healthcare IT (HIT) is its own branch of the information technology world. Yes, basic IT skills are necessary, but when working in a healthcare environment everything you do has to meet regulation compliance, right down to your communication and how you act on-site. In addition to the knowledge and execution of regulatory requirements there are also a few IT skills that the HIT technician should specialize in in order to be successful in the industry.
HL7 (Health Level Seven). HL7 is a standardized protocol that enables different computer system to communicate with each other. It is the protocol that makes interoperability possible (or at least hopeful)! The “7” refers to the seventh layer of the OSI model, or the Application layer, because HL7 operates primarily with the network protocols of this level. The standards for HL7 are developed and maintained by Health Level Seven International. Version 2 (V.2.x) of HL7 used a textual, non-XML encoding format. The newer Version 3 (V.3.x) uses XML encoding syntax.
A sample V.2.x partial message containing a Glucose request would look like this:
MSH|^~\&|GHH LAB|ELAB-3|GHH OE|BLDG4|200202150930||ORU^R01|CNTRL-3456|P|2.4<cr>
PID|||111-22-3333||DOE^JANE^A^^^^L|JONES|19620320|F|||111 HOMEVILLE DR.^
OBR|1|845439^GHH OE|1045813^GHH LAB|15545^GLUCOSE|||200202150730|||||||||
OBX|1|SN|1554-5^GLUCOSE^POST 12H CFST:MCNC:PT:SER/PLAS:QN||^188|mg/dl|70_105|H|||F<cr>
The basic codes in this message are:
MSH: Message Header. Contains the message type and trigger event
PID: Patient ID. Patient identification and demographics
OBR: Observation Request. Identifies what was originally orfered and who ordered it.
OBX: Observation. Contains the results of teh observation
There are many HL7 codes; a google search will provide you with a list.
Here is a sample Glucose Observation in HL7 V.3.x (XML formatted):
<id root=”2.16.840.1.113883.19.1122.4″ extension=”1234567″
assigningAuthorityName=”RGH LAB Filler Orders”/>
<code code=”1234-5″ codeSystemName=”LN”
displayName=”GLUCOSE^POST 12H CFST:MCNC:PT:SER/PLAS:QN”/>
<value xsi:type=”PQ” value=”188″ unit=”mg/dL”/>
<low value=”70″ unit=”mg/dL”/>
<high value=”105″ unit=”mg/dL”/>
HL7 is vast and complex with many tags and segments to learn. The HIT tech would definitely benefit from learning the basics of HL7. Interoperability is a major problem in the healthcare IT world since many facilities are using multiple systems from different vendors all segmented throughout the network. HL7 is key in making these systems connect and communicate to each other, saving time and probably lives.
If you are interested in learning more about HL7 there is an upcoming web-based e-learning course now open for registration on the Health Level Seven International website. The class starts on August 18, 2011 and goes to December 1, 2011, giving a nice overview on all areas of HL7 (the full course is $500, but you can take individual modules for less, and some countries get major discounts). The organization provides various certifications and specialized training depending on how deep you want to get involved with HL7.
Security is no joke in the healthcare setting. Major HIPAA/ARRA violations and security breaches can cost a healthcare facility millions of dollars in fines.
This chart is directly from the American Medical Association (AMA) regarding individual HIPAA fines:
HIPAA Violation Minimum Penalty Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect $1,000 per violation, with an annual maximum of $100,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation is corrected within the required time period $10,000 per violation, with an annual maximum of $250,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million
The HIT technician should be well versed in securing clients, servers, and networks. If the healthcare facility is large then these tasks would probably be split up, meaning a particular technician wouldn’t have to specialize in all areas of security; however, it doesn’t hurt, especially if you are consulting or working in a smaller facility as an IT generalist. In addition to experience, certifications such as Security+ would be a good start, CISSP (isc2) and the new CASP (CompTIA Advanced Security Practitioner) from CompTIA are both good advanced security certifications. Knowledge and implementation of encryption standards (AES, DES, 3DES, SSL) are a must. Physical security is also important since PHI (protected health information) must remain confidential. Privacy screens need to be placed on monitors and placement becomes an issue. Don’t forget to securely sanitize/destroy the hard drives! There are many security considerations to be aware of in a healthcare setting.
Falling under the topic of security in the healthcare setting would be setting up wireless networks and mobile device management. Securing these devices is crucial and can be a challenge. A easily cracked WIFI setup or a doctor leaving his smart-phone unattended with a patient chart on it will end up in lawsuits and fines, and yes, the IT department/service/consultant will be blamed for the mishap.
As I conclude part 1 of this specialized skills for the HIT technician series, I’d like to mention a recent article from Healthcare IT News stating that “consultants are favored over vendors for health IT roll-outs.” Only one EMR vendor was preferred over a consultant! This means that for the vast majority of EMR implementations healthcare providers are opting for IT consultants with specialized skills as opposed to the EMR vendors themselves. I found this rather intriguing and it definitely proves there is a large market for consultants in this area.