Montefiore has a large warehouse of data to analyze—it's had EMRs and computerized physician order entry since 1997. The Looking Glass program can keep track of anything that's digitized—from lab results to coding data. "You can go through 80,000 discharges in about a minute," says Senior Vice President and Chief Medical Officer Gary Kalkut, MD. "It used to be all chart review. That's gone."
But it's the ability to define cohorts that's the strength of CLG, Kalkut says. The program can identify patients who are on Medicaid, Hispanics who are also diabetics, or every patient with congestive heart failure that in a certain ZIP code, for example. "All of that you can pick out and then you have a subset that you can ask a question of. That's the beauty," Kalkut says. "There's incredible sophistication built into that program that allows you to identify not only patient sites, cohorts, and populations, but also look at effect over time."
A caution from lawyers
The legal warnings about using EMR data for clinical and business purposes are what you'd expect—maintaining security and compliance with HIPAA and other regulatory mandates. And, under new HITECH provisions, you must also make sure your business partners comply with the privacy rules. The best bet, especially if you're using a third-party partner to analyze the data, is to choose a company with healthcare experience, says Kevin Erdman, a partner in the law firm Baker & Daniels in Indianapolis. "A lot of times the third parties that do that kind of analysis might not be used to having HIPAA requirements. This is a new gig for the consultants that are doing the number crunching."
Organizations that are overly confident about the security of de-identified data and that take the position that de-identified data can be used for purposes outside of the scope of the original terms of consent are taking a risk, he says.
For example, if the cohort is small and the condition rare, it is possible a determined sleuth could supplement the data from the study with other public records and figure out the identities of the study's subjects—or at least make a fair guess.
Another concern centers on the intended use of the analysis. Conducting a study on the efficacy of a breast cancer treatment is one thing; using the data for strategic marketing purposes or to optimize reimbursement rates is another. The latter is more likely to attract the attention of privacy groups or state attorneys general.
"When you're setting up your study, make sure that the statisticians that are setting up the study are also schooled in the logics and the statistics of de-identification and to err on the side of stripping out more data than less," Erdman says. "The ideal thing is to get advanced consent and to put in that consent [phrases such as] 'We may use your medical records to do marketing studies'—something very broad."