Rebuttal to “Electronic Medical Records: The Dangers of a Web-Based System”
By Heidi Jannenga, PT, DPT, ATC/L, cofounder and president of WebPT
Recently I came across this article in the October issue of Impact by Adam R. Aitken, the founder of a server-based electronic medical record (EMR), touting the “dangers of a web-based system.” Now, we all have our opinions about EMRs—and, as Aitken writes, “volumes could be written on the merits” of different types of EMR systems—but, unfortunately, this particular article doesn’t do the discussion justice. In fact, as far as I’m concerned, its inaccuracies and unsubstantiated claims are not only misleading for providers and health care organizations, but also flat-out embarrassing for us in the health care technology sector. As physical therapists, we pride ourselves on embracing evidence-based practice. And we should hold the organizations that serve our profession to the very same standards.
Full disclosure: Aitken’s software company, A2C Medical, is a direct competitor of my company, WebPT, which developed a web-based EMR system designed for physical therapists. But that’s not the issue I have with this article. In fact, plenty of our competitors publish factually accurate content that raises important arguments aimed at moving the profession forward and encouraging lively debate—and that’s beneficial to all of us. I welcome and appreciate that kind of content—regardless of its source. This inflammatory article, however, pulls our entire industry several steps backward, which is why I’m writing this rebuttal: to help rectify the blatant errors published in Aitken’s piece, so we can all talk about this important topic intelligently—and providers can evaluate the pros and cons of all systems to make the right decision for their clinics. In my professional opinion, the only thing “dangerous to you and your company” would be buying into Aitken’s unfounded claims and weakly presented argument.
The Difference Between Web-Based, Server-Based, and Web-Enabled Systems
Before I get into the “case study” Aitken offers up as the foundation for his argument, I think it would be best to give a more comprehensive overview of the main types of EMRs on the market right now: web (aka cloud, application service provider, or Software as a Service) and server (aka client)—not “web and app,” as Aitken writes. To complicate things further, some server-based systems have developed web-enabled versions, which operate very differently than fully web-based systems. Here’s the breakdown of each:
Web-Based Systems
A web-based system is not a “website that functions as an EMR,” as Aitken suggests; it is a remotely hosted software platform that users can access via a password-protected application in a web browser. The application—and all user data—is accessible via the cloud and supported by the EMR vendor’s servers, which are stored and encrypted within extremely secure, HIPAA-compliant, and usually geographically diverse data centers. This type of setup has several benefits, including the only one Aitken mentions: Users can safely access their EMR on any web-enabled device with an Internet connection. These systems do require a reliable internet connection and an up-to-date browser to function (although most operate well on many different browsers).
Additionally, providers and practices that use web-based systems don’t need to house the application or their own data on internal hardware, which can be risky. After all, if a natural disaster caused physical damage to a clinic—or if a clinic’s internal hardware wasn’t secured or encrypted correctly (something that requires a significant amount of technological know-how to accomplish and maintain)—it could lead to costly HIPAA infractions and/or irretrievably lost data. That’s why high-quality web-based systems are operated by professional IT companies with full-fledged security teams devoted to keeping their clients’ data safe and fully backed up. Furthermore, web-based system vendors provide real-time updates to ensure the technology and all of its industry-specific compliance features always align with the latest regulations. According to an article in Computer Weekly, “Gus Hunt, chief technology officer of the CIA, told the [Amazon Web Services] conference that, in fact, cloud computing may be more secure than the traditional client-server approach.” And that was all the way back in 2011.
Server-Based Systems
Server-based systems, on the other hand, require users to store and protect all of their data as well as the EMR software itself, which means users need a server, corresponding hardware, and—depending on their level of technological aptitude—an IT person or team to not only maintain the system with regular updates that ensure continued compliance but also secure that system and all of its data. For providers who (1) have the necessary tech savviness and (2) actually want to shoulder the responsibility of securing their data and updating their system—thus ensuring that it can withstand the rise in recent cybersecurity threats—a server-based system may be the way to go.
In most situations, however, these types of systems require a higher upfront investment in equipment, space, and personnel, making them less than ideal for private practice physical therapy clinics. Plus, such systems are only accessible via the computer on which the software was installed, which means that unless you use an incredibly secure virtual private network (something that may also require IT support), you won’t be able to access your data outside of your office—and remote access is a feature providers say they find efficient and time-saving. On the upside, server-based systems require no Internet connection or bandwidth, and depending on the network or system setup, may operate faster than a web-based system.
Web-Enabled Systems
In the past, many server-based systems were behemoths designed for large organizations and a wide array of provider disciplines. In other words, they weren’t nearly as nimble, flexible, or customizable as their web-based counterparts. To remain competitive, several of these server-based systems developed web-enabled versions to provide their users with some of the features germane to true web-based EMRs. With these pseudo cloud-based systems, users must still install software on the computer they plan to use to access the EMR, and that computer must handle all the processing necessary to run the system. However, the software does connect to the Internet to sync data to the cloud at certain intervals. Depending on the web-enabled system, these updates will either happen automatically (although not in real-time), or you’ll need to initiate each sync manually.
If your practice has multiple clinics and/or therapists, then without real-time syncs, it is possible for users who access your system simultaneously to view or alter records that aren’t up to date. Furthermore, with a web-enabled system, you may still have to purchase and secure the server as well as hire IT support—or pay for the vendor to store your server on your behalf.
The Best Way to Transition to a New, Better System
Without knowing for sure which out-of-business EMR company Aitken is using as an example in his argument, it’s hard to call into question what he says regarding the direct experience of rehab therapists who used that system—whether they used the server-based system or the web-enabled version. On the whole, however, his argument still misses two crucial points:
- Providers would be extremely remiss to continue using a system that was defunct—even just to “report on old data and finish collecting past balances.” Without the necessary support managing the back end and developing crucial compliance and technology updates, providers may as well be writing those notes on paper. With the sheer number of regulations and compliance rules that consistently come down the pipeline, maintaining compliant, defensible documentation is nearly impossible without a fully functioning software system. Sure, you can search the old system, but what’s the point if, instead, you can transition all of your data to a brand-new—and much better—system? And that brings us to point number two.
- All software vendors worth their salt will work with providers transitioning from a no-longer-functioning system (or a subpar system, for that matter) to migrate all of their data into the new system. Thus, all “reporting and statistical data” would be accessible and queryable in the new system—even if it originated from PDF files on a disk. Plus, this type of arrangement ensures consistency in the data flow (as opposed to providers having to access two different EMR systems to view their patients’ medical records or amass information for an audit).
Now, there are always inherent risks when it comes to using any type of technology—but you can mitigate those risks by doing your due diligence to ensure all potential software vendors are not only financially solvent, but also extremely capable when it comes to development, security, and industry-specific compliance measures. You should also ask your current and potential software vendors important questions like:
- “Who owns my data?” (Correct answer: You do.)
- “What happens to my data if I choose to leave?” (Correct answer: You’ll get all of it in an easy-to-access format.)
- “What are the consequences—if any—if I choose to leave?” (Correct answer: There aren’t any. You may leave without penalty as long as there’s no long-term contract in place.)
In other words, when selecting an EMR vendor, all providers should find a partner they can trust—one that employs a software architecture that’s well suited to their practice and understands the health care industry well enough to provide valuable education and thought leadership. If your current vendor doesn’t check those boxes, it’s high time you found one that does. After all, it’s on each one of us to hold not only each other, but also our partners and vendors, to the highest of standards. It’s on us to discern truth from reality—to separate fact from fiction. And in the age of the internet, that’s a pretty tall order, because we’re all being hit with a near-constant stream of questionable—and often completely fake and false—information. So, stay vigilant. Ask questions. Seek evidence. Rise above the hot air—and do your part to keep elevating our amazing profession.