Slashdot Mirror


Open Source Solutions for Public Health?

ubiquitin asks: "This week at the CDC's PHIN conference there is a lot of buzz about the possibilities of building out an infrastructure for the public health information network with both closed and open source technologies, especially since the work needs to be solidly secure and is typically done under tight budgets. A handful of states are currently involved and more are getting on board, so it may well be a genuine growth opportunity for Linux/Apache/MySQL-based systems. What would really be helpful are stories about how Open Source systems have been put to use in public health departments, labs, or clinics. Does Slashdot have any such anecdotes to share?"

13 comments

  1. HIPPA by bofh31337 · · Score: 3, Informative

    I would take a serious look at HIPPA requirements before implementing something not specifically designed for health care related systems. The requirements for HIPPA (Healthcare Information Privacy and Portability Act, I think) are pretty strict about the format of data. That being said, I'd head over to The Open Source Health Care Alliance. I'm not sure they are still active.

    1. Re:HIPPA by Unordained · · Score: 4, Interesting

      Format? Posh. However, they do require security, though you can (as I recall) get by without over-the-wire encryption so long as everything is inside a secured network not shared with people who shouldn't have access. Or some such.

      HIPAA is actually more often violated by nurses and doctors who talk too freely -- the best security in the world won't prevent them from talking, leaving charts out, leaving doors open, or just generally not being discreet.

      The other thing is that you probably won't find many open-source programmers looking forward to implementing HL7, X12, and other protocols, particularly after designing a database schema of their own (thus you have to translate not only the layout of your database, but also the format of individual fields, etc.) I'm paid, and I still don't look forward to it. But ya gotta do ...

      So far as I can tell, medical/insurance stuff is scope-creep in action. That lends itself well to projects being handed over from one team to the next over the years, or bits being developed (freely) by parties involved in the scope-creep, but if you like to keep things tidy, it could get messy. You'll want at least a few architects everyone else listens to.

      And as a reminder, open-source does NOT mean mysql. Medical data is too important to have wandering around a system not designed around transactions, constraints, and concurrency. Look more in the direction of Postgresql or Firebird for your open-source database needs.

      And please, for the love of something holy, don't use magenta and cyan as your base colors. And align things to grids. And don't roll your own file format. Some of us have to come in and clean up after that, and if we can't stand to even -look- at it, we can't emulate it. I mean really ... (did I mention that the use of random fonts isn't appreciated either? Nope, looks like I forgot that one too.) Oh, and please design your systems to be multi-user from the start, working well under multi-user loads.

      I should get back to work ... those billing wizards aren't going to write themselves. Unless ... open-source software to write other open-source software automatically? Hmmm.

    2. Re:HIPPA by bersl2 · · Score: 2, Informative

      The mailing list sure seems to be. The most recent post in the list archive is 18 May 2004.

    3. Re:HIPPA by Anonymous Coward · · Score: 0

      "without over-the-wire encryption so long as everything is inside a secured network not shared with people who shouldn't have access."

      This is true. We have a separate, 'private' network for our health department patient data applications.

      "Medical data is too important to have wandering around a system not designed around transactions, constraints, and concurrency. Look more in the direction of Postgresql or Firebird for your open-source database needs."

      Not necessarily true. We've been using mysql in production for three+ years without a *single* hitch... and yes, mysql does have transactions and locking.

      Our health data application hasn't been released publicly yet... it's not quite ready, but it is GPL and we're moving (slowly ;>) towards getting it ready to release.

  2. again?! by eraserewind · · Score: 1

    This is the third or fourth time in the last few months that people have asked basically the same questions about open source medical stuff on ask slashdot. What gives?

  3. But is it HIPAA compliant? And who certifies it? by WarPresident · · Score: 3, Interesting

    With the overreaction to HIPAA rules driving everyone to distraction, I doubt open source software is going to gain much traction in the U.S. What guarantee (from a manager's or director's point of view) is the software HIPAA compliant? What the hell does that mean, anyway? Buy it from a vendor and it's their fault if something goes wrong (again, from a manager's viewpoint), download it from the Internet and something goes wrong... important people are in trouble!

    HIPAA madness has hit a major teaching hospital that will remain nameless. They're rolling out an expensive new HIPAA-compliant (certified! --of course) Health Information Management System. It's replacing an existing infrastructure that works perfectly, and is completely paid for (except for maintenance contracts). 400+ people have to be retrained on the new software, new hires have to learn both systems as they'll both be operating over the 2 month roll-out.

    --
    Here come da fudge!

  4. I believe... by HotNeedleOfInquiry · · Score: 1

    That the writing of open-source software in general has already made a significant contribution to public health. Because of their commitment to coding open-source software, countless young geeks have avoided the temptations of premarital sex thus slowing the spread of venereal disease.

    --
    "Eve of Destruction", it's not just for old hippies anymore...

  5. dang by spcmastertim · · Score: 1

    Working for a healthcare software company, being an OSS activist, and having family who is working on that very initiative, you would think that I would have an opinion... but I don't.

    --
    Body in a woodchipper...HA HA!

  6. Hospital IT needs to be open by Anonymous Coward · · Score: 0

    My feeling about this is that any hospital/health IT infrastructure needs to be open as you may want to change vendors/support at any time and _YOU_WILL_ be integrating the system with multiple other parts of the hospital IT.

    For example in radiology, not only does your PACS archive need to interact with MRI/CT/US/CR machines, but it helps if the database can talk to the patient tracking, general hospital results system, and other hospitals.

    The last thing you want is to have years of patient data trapped in a proprietary format database. Also proprietary stuff tends to have headaches getting different bits of your network to work together.

    Shameless plug for my favourite PACS supplier: http://www.intelerad.com/ produce DICOM compliant PACS archives on top of open source products (?redhat with PostgreSQL). These databases are often 50+ Terabytes of images.

  7. Some major problems... by Eneff · · Score: 2, Insightful

    Full disclosure: I work for a public health company as a developer.

    The company I work for gives its source code to its clients, but isn't Open Source. Why? Selling to states or communities, many of these products take dozens of man-years to create. No one state can afford all of the tools that technology can afford, so companies lose money on the first, hoping to gain money on the sale to other states.

    That's the ultimate problem in this niche market. Either the states have to provide their own staff (which is problematic, because it's expensive to hire and release employees for government) or they have to pay the true cost of developing the software, rather than spreading the cost out through maintenance and other states.

    That said, the company I work for is dependent on the Apache and Jakarta set of projects for our work. Our developers have also contributed code back to open source projects.

  8. Re:But is it HIPAA compliant? And who certifies it by Unordained · · Score: 1

    That article's interesting. No fines have been imposed (note: the maximum fines per incident are not large), there haven't been very many reported violations, and besides ... patients have so much trouble reading HIPAA stuff in the first place, they don't know what's a violation. (HIPAA works purely on the reported-problem basis: if nobody, in the course of their daily lives, notices a problem then it just doesn't exist.)

    I believe it was NPR a few weeks ago (this reported via girlfriend) that had an interview in which HIPAA officials (please correct me) said they weren't interested in imposing fines of any sort -- they're just there to help people get the big picture and do the nice thing. They really just want to be a support desk / consultants to help hospitals and clinics move forward. For as little teeth as this thing has, it's a wonder people react at all. (Then again, the attitude may be temporary -- they could be planning on having a nice smile for a few years, and then "when everybody should know by now", crack down?)

    Maybe we should rejoice that doctors will go on and on and on at us geeky types about how secure our systems need to be? Maybe it shows how much they care about this, without needing to be threatened with hefty fines or worse? Or was it all an excuse to get to talk to our cute and single programmer chick for longer?

  9. Cuba by zaroastra · · Score: 2, Interesting

    I'm too lazy to look for the sites now, but ALL the IT health infrastructure in Cuba is open source. I have somewhere at home a prospect from the Cuban government publicizing that.

    --
    I'm trying to get modded "Interesting Flamebait Informative and Insightful Redundant Troll" *-* Please Help *-*

  10. answer: very carefully by RMH101 · · Score: 2, Interesting

    Disclaimer: I work as an IS architect for a large pharmaceutical company, putting together systems for electronic data capture of clinical data that's used for regulatory submission. It's not the same as general healthcare, but a lot of it is covered by the same regulations.

    The short answer is you do this very carefully. There are a whole raft of legal and ethical regulations, of which HIPAA are only the start, and certainly the easiest to attain. If the stuff you're doing falls under FDA regulation then you need to validate those systems: this is very hard indeed to do properly - I'd suggest hiring a validation lead to do this who's got experience of the industry.

    Basically, you have to prove to an insane level of detail that everything is consistent, tested, and built/installed as per your testing. On our systems I can document them right from the Little Rubber Feet upwards: hardware firmware revision level, exact version of all drivers, wet-ink signed documents for each step of the build process, and demonstrate that they're locked down and an audit trail exists for Electronic Record/Electronic Signatures for anyone who's ever used it etc etc.

    You may find it cheaper to buy in a software package, as you can audit the vendors and if they're considered validated you can reduce your testing - it's testing and documentation here that are going to take up the majority of your time and budget - the actual coding's the easy bit.

    This is why OSS isn't automatically the cheapest way of doing things, although this is offset by the massive amount of testing and revalidation that's required every time an MS patch comes out!

    Basically, tread very carefully, speak to a validation rep and have a word with an FDA rep if you can to attempt to clarify exactly how strict the conditions are that you have to work under.

    For us, worst case scenario might be that you sign off an implementation, you get audited, and the FDA discover an irregularity - maybe you didn't collect those evidence screenshots when you tested your data capture for example - and they decide any data captured over the intervening few years is suspect - result could be a formal warning (visible to the whole industry and your shareholders) or simply pulling a megabrand off the shelves...this is one area where a single mistake by a single IT guy can have massive direct impact on lives - both in terms of patients and in terms of your personal safety of employment...