Sunday, April 11, 2010

Clinician Workflow Revisited

I returned to part-time clinical practice as an orthopedic surgeon last week after a 2-year hiatus (retirement) to study medical informatics. I am now working in a hospital-based outpatient office practice. The system for clinical documentation is hybrid. Overall, I would say that the hospital rates a HIMSS Analytics(SM) EMR Adoption Model Stage 1 or 2. Current notes are either dictated or handwritten. Prior clinic notes, labs, and inpatient hospital records are scanned into a program called Chartmax. Access is via a wired hospital network. To review x-rays, CT scans, MRIs and ultrasounds (via the hospital PACS system), a separate, dedicated computer and monitor are utilized for the best viewing resolution. In an orthopedic clinic we depend heavily on both systems. A separate username and password is needed to log on to a desktop computer with the PACS application and another set of usernames and passwords is needed to access the clinical application. The application for access to clinical information is set to automatically log out after 6 minutes of no activity. I must log on at least once (and often more than once) for every patient I see. Computers are located in a dedicated physician office located at the end of a hallway off the clinical exam rooms. A few hospital staff members may walk by but no patients access this area unsupervised. We have clinical staff outside the exam rooms, approximately midway down the hall, at virtually all times.

Two years ago, for the computer system in my private office, I set up a local area network, an Internet-based practice management system, and access to hospital records via a physician portal that required 2-factor authentication. Computers were located 1) in my office just off the exam rooms, where I did all documentation, 2) at the front desk, and 3) in my assistant's office. It would be fair to say that all computers were located in "clinical areas" of the practice. For all practical purposes though, unsupervised patient access to the three desktops was extremely unlikely. No timeouts were set for automatic logoffs. I felt access to the electronic clinical systems was quite reasonable--secure logon with two-factor authentication (I was the only one in the practice with a fob), immediate access to the systems when I sat down at my desk, and good security for electronic clinical information.

It is amazing to me how satisfied I was with the information systems as they worked in my office contrasted with how dissatisfied I am with the hospital's system that I am using now. Remember, I am a clinician who is an HIT advocate to the extent that I expended considerable energy and financial resources to obtain master's degree level training in the field. I would find it hard to promote the current hospital system to clinicians. I talked to a very high level manager of IT systems at the hospital about my concerns. He cited the hospital policy that requires applications in "clinical areas" to time out in 6 minutes. This is a rigid policy. There are no exceptions. I don't know who the people were that were involved in development of the hospital policy. It has the hallmarks of having had little clinician input. Policies such as these should only be established with extensive and broad-based clinician input, in my opinion. They should be reviewed frequently as the hospital information systems evolve. The number of logons I am required to perform definitely does not fit my clinical workflow, slows my work, decreases productivity, impairs work satisfaction, and does not add much, in this instance, to the security of the hospital's health information system.

Security and privacy of health information systems are top concerns of clinicians, health IT administrators, and the general public. Recent breach notification reporting requirements are putting increased pressures on IT staff to secure health systems. On the other hand, systems must be usable and meet workflow requirements if they are to engage clinician support. I don't think rigid, uninformed policies are the answer. NIST provided a useful framework for completing a risk assessment when making decisions about how to secure electronic systems. I recommend this highly accessible publication to followers of this blog.
