IT as Gatekeeper: Who’s on PACS?

Allowing physicians, whether they are referrers or outside specialists, access to an outpatient radiology practice’s PACS is a subject that is being discussed with increasing frequency among CIOs. Craig Roy is chief information officer and head of IT (information technology) for Radiological Associates of Sacramento (RAS), a private practice that serves 23 sites in Northern California. RAS radiologists read for two major Sacramento area hospitals as well as manning the group’s own outpatient clinics. Roy says that how doctors are allowed access to electronic images—and under what parameters they are given access—is a hot topic among CIOs. For one thing the radiology practices must keep an eye on the legal requirements of the federal Health Insurance Portability and Accountability Act (HIPAA), which is designed to keep patient medical records private unless the patient gives consent for their dissemination. HIPAA however is quite liberal in allowing dissemination of patient information, including images, between medical specialists once the patient has signed a consent form with the initiating doctor. Images can be sent by doctors to other doctors for consult without the patient’s direct consent once the original form has been signed. While transfer of patient data for treatment purposes is clearly allowed, there are HIPAA best practices that are annoying to doctors, Roy says, especially a recommendation that system entry passwords be changed at least every 90 days. RAS has made this a requirement for continuing PACS access despite the displeasure of its referring doctors. “Security overrides the inconvenience,” Roy says. “We do the same thing for all our internal systems.” Roy says IT at RAS has become the gatekeeper for access to electronic images. “We aren’t the only component, but we are a large part of the process.” For technological and security reasons, RAS has created an external or peripheral PACS to hold the images being accessed by referrers. Only images show up on this PACS, not reports by the radiologist. Reports can also be accessed electronically, but typically they are mailed, faxed, or couriered, Roy says. About a year ago, RAS completed an online physician profiling system that has streamlined access to the peripheral PACS. Access to the internal PACS from which RAS radiologists interpret is much more closely controlled, Roy says, although the images a referrer sees are the same on both PACSs. Marketing’s Role A perhaps counterintuitive aspect of PACS access by a referrer is the role played by the marketing department. This is true not only at RAS. A radiology practice’s marketing department can become itself a de facto gatekeeper to PACS images. At RAS, both IT and marketing act as a combined gatekeeper. The process as Roy outlines is this. Marketing makes the office call on the prospective new doctor client, one who is not already part of the RAS network. This can be the case whether the doctor is primary care or a specialist. Once the physician agrees to join the RAS network of referrers, marketing sets up an appointment for a RAS IT specialist to make a visit to that doctor’s office to connect the doctor’s computers to the RAS peripheral PACS. This can be a lengthy process. “We get a support ticket to our help desk from marketing. We schedule a time with marketing when we can visit the doctor’s office,” says Roy. If the physician is part of a larger practice, there may be firewalls and other technical factors from the physician’s end that the RAS technician has to solve to make the connection. Roy says he has one technician assigned to the connectivity task and that the technician makes about three visits per week to connect a new doctor. When a physician is set up for connectivity to the peripheral PACS, a “physician profile” is initiated that will tell the radiology technician at RAS how that doctor wants to receive images. It could be over the PACS, it could be a CD, or a paper print, or a filmed image. The profile also tells the tech how that doctor wants to get the radiologist’s report. This physician profile shows up on the technician’s screen every time an exam is ordered by that physician. Primary care physicians and specialists too are connected to the peripheral PACS. If a specialist not connected wants images, RAS will send a CD. If that’s too slow, then the specialist must sign a HIPAA waiver before the PACS can be accessed, Roy adds. Roy says about 60% of all RAS imaging is ordered by two large health care provider groups in Sacramento. Because these doctors make up such a large chunk of business, RAS has established a direct online interface with each provider group’s EMR to which written reports are immediately routed when signed off on by the radiologist. But even among these doctors, many still prefer mailed or faxed reports, Roy says. RAS has also built a separate shared imaging repository to temporarily cache all images from the RAS internal PACS and the PACSs at each of the two major hospitals it serves. Thus, priors and current images from both the RAS centers and the hospital are available to RAS radiologists and to any physician affiliated with either of the two hospitals. This image repository can be accessed for priors from either the RAS centers or the hospitals, saving referrers and specialists the trouble of signing on to both PACSs. Priors can also be pulled in advance for patients in either the hospitals or the RAS clinics. Because so many area specialists have access to images through either the peripheral PACS or the “Community Shared Image Service” that Roy designed for the hospitals, it is rare that RAS has to transmit images to an outside specialist. In those cases where a CD is too slow, then RAS IT or the office managers will attempt to meet the needs of the patient, Roy says. He says a Sacramento student on a scholarship in London once needed such emergency priors. The student’s father was so concerned that he had come to the RAS offices. Through exchanged patient and physician identifiers, RAS was able to verify the validity of the request and route the priors to London. When other such emergencies arise, RAS carefully checks doctor and patient identifiers before sending images to a specialist, including looking the specialist up in some way to verify that he/she is a physician, says Roy. “We don’t send anything over the web unless there are secure socket-layer connections,” he adds. “We give access but we’re not normally pushing anything out. That way we can control audit trails.” DIA Not all multi-site radiology practices handle image access the same way. It’s more likely that each practice defines its image accessing system based on a number of differing factors—the hardware and software deployed, client preferences, workflow, even competition. Diagnostic Imaging Associates (DIA) headquartered in Wilmington, DE, is a case in point. Barbara Novak is director of marketing for DIA, a position she has held for eight years. At DIA, which operates eight imaging centers in Delaware, Novack and her two marketing associates are the ones signing up referring doctors and, as part of that process, giving them access to the DIA PACS. DIA’s patient health data control begins in-house. The marketing team and a few managers are the only ones with what Novak calls “administrative privileges,” meaning for one thing that they alone can make PACS adjustments to admit new users and determine what data those users can access. Novak and her team have been trained to sign referring doctors onto the system. All that’s needed are security log-ins and passwords and a computer with Internet access capability, Novak says. “We physically give this access at the doctors’ offices on their computers. We make it (the DIA PACS) a favorite and put it on the desktop and teach them how to use it for copy and paste and review.” Access to DIA data is restricted based upon the referring doctor’s need. Most need only radiology reports, so that’s all they normally call up, and then only for their own patients. If the referrers have an EMR set up for their practice, they can pull the reports right to their EMR, Novak says. But they don’t need an EMR to see the reports online. Referrers who want to see images as well as reports can also access those on the DIA PACS. But access is restricted to their patients only. “There are two levels of privileges,” Novak says. Most doctors can see only the images and reports for their own patients. This is called level one access. “There are preset restrictions built into our PACS. When the doctor logs in, he or she gets a study list with his patients—there are tabs that say today, yesterday, last seven days and two weeks. When the doctor logs in, it automatically calls up today’s patients, and then he can click on that patient and view the images or the report. The images are available when the technician sends them to PACS. There’s a lag time on the reports.” When a patient is sent to a specialist, that specialist must, ordinarily, call DIA to access the patient’s images. “They must call because they’re not the ordering physician,” Novak says. The access granted these specialists is temporary, patient-specific, and granted over the phone only after patient and provider numbers have been confirmed. The access granted is level one access. Most of these requests for prior images come from local specialists. Sending images to outlying specialists is rare, Novak says. “We’ve had physicians from far away places call and ask if they can view our images on a patient they’re treating, and we tell them yes. We grant them access, but only for three days and only for that patient,” Novak says. Broader Access There are specialty groups in DIA’s market however for whom level one access doesn’t really work, and so for them, DIA grants a broader access to its entire PACS data base. This means that these specialists can access any referred DIA patient who shows up in that specialist’s office. Novak calls this broader access level two. It is never marketed, she adds. Level two is granted to specialty groups or to specialists who frequently see patients originally referred to DIA by primary caregivers. This broad access is granted because it makes for better patient care and is much more efficient, Novak says. Even so, DIA is wary of its scope and level two access is tightly controlled. While level one access requires no custodial paperwork, level two specialists must sign what Novak calls “chain of trust agreements” that spell out the safeguards for release of patient data. The specialist groups or individual specialists must have their own data firewalls. “They take responsibility if something happens to their computer system and something gets out,” she says. “They are accepting liability as this information is for medical treatment only.” If DIA did not grant this blanket access to specialists who see DIA patients daily or several times per day, the specialists would be on the phone setting up patient-specific access continually. It is too cumbersome for the specialists, the patients, and DIA to hold to level one access for these high-use specialists, Novak says. She points out that if a patient shows up at the specialist’s office without images that is a wasted office visit that must be rescheduled. “They are not going to do surgery based on their exam of the patient and what’s in the radiologist’s written report.” With level two access they can simply go to the DIA database, look up the patient and get the studies. The process is smooth and everyone is happy. Novak won’t say that competition forced DIA’s hand on granting level two access. “But remember,” she says, “there are other radiology groups in the area who do this.” So do some hospitals, she adds. Novak estimates that close to 200 doctors have been cleared for level one access at DIA. For level two, the numbers are much smaller, perhaps 30 practitioners. “We grant level two only if it specifically requested,” Novak says. While DIA does some tracking of level two use rates, it does not monitor all clicks. “If we continue to grant level two access, we might need somebody to monitor the log-ins a little more,” Novak says. “Does this guy use it as much as he says he does? I have disabled log-ins before when they weren’t being used. If you’re not using it, you don’t need it.” Moving Target According to Novak and Roy, neither DIA nor RAS has to date encountered a HIPAA violation for mis-released patient information. The whole matter of patient EMRs and image access is a moving target. A few years ago, most images were being sent to referrers on film. Now the referrers click into a radiology group’s PACS or get the images on a CD. In another five years, Roy says, the access points of today will look as outmoded and foot-dragging as film delivery does now. Already, he says, regional EMR databases are being planned. Governmental entities or the private sector, or both, are going to construct these databases, he says. When that happens the gatekeeping function for access to patient images and reports might move out of the hands of the radiology group and into the hands of administrators of the EMR databases. Roy says he’s eager to see these EMR networks take form. “We view them as a good thing.”