Open Source Solutions for Public Health?

ubiquitin asks: "This week at the CDC's PHIN conference there is a lot of buzz about the possibilities of building out an infrastructure for the public health information network with both closed and open source technologies, especially since the work needs to be solidly secure and is typically done under tight budgets. A handful of states are currently involved and more are getting on board, so it may well be a genuine growth opportunity for Linux/Apache/MySQL-based systems. What would really be helpful are stories about how Open Source systems have been put to use in public health departments, labs, or clinics. Does Slashdot have any such anecdotes to share?"

Re:HIPPA

[Unordained]

Format? Posh. However, they do require security, though you can (as I recall) get by without over-the-wire encryption so long as everything is inside a secured network not shared with people who shouldn't have access. Or some such.

HIPPA is actually more often violated by nurses and doctors who talk too freely -- the best security in the world won't prevent them from talking, leaving charts out, leaving doors open, or just generally not being discrete.

The other thing is that you probably won't find many open-source programmers looking forward to implementing HL7, X12, and other protocols, particularly after designing a database schema of their own (thus you have to translate not only the layout of your database, but also the format of individual fields, etc.) I'm paid, and I still don't look forward to it. But ya gotta do ...

So far as I can tell, medical/insurance stuff is scope-creep in action. That lends itself well to projects being handed over from one team to the next over the years, or bits being developed (freely) by parties involved in the scope-creep, but if you like to keep things tidy, it could get messy. You'll want at least a few architects everyone else listens to.

And as a reminder, open-source does NOT mean mysql. Medical data is too important to have wandering around a system not designed around transactions, constraints, and concurrency. Look more in the direction of Postgresql or Firebird for your open-source database needs.

And please, for the love of something holy, don't use magenta and cyan as your base colors. And align things to grids. And don't roll your own file format. Some of us have to come in and clean up after that, and if we can't stand to even -look- at it, we can't emulate it. I mean really ... (did I mention that the use of random fonts isn't appreciated either? Nope, looks like I forgot that one too.) Oh, and please design your systems to be multi-user from the start, working well under multi-user loads.

I should get back to work ... those billing wizards aren't going to write themselves. Unless ... open-source software to write other open-source software automatically? Hmmm.

But is it HIPAA compliant? And who certifies it?

[WarPresident]

With the overreaction to HIPAA rules driving everyone to distraction, I doubt open source software is going to gain much traction in the U.S. What guarantee (from a manager's or director's point of view) is the software HIPAA compliant? What the hell does that mean, anyway? Buy it from a vendor and it's their fault if something goes wrong (again, from a manager's viewpoint), download it from the Internet and something goes wrong... important people are in trouble!

HIPAA madness has hit a major teaching hospital that will remain nameless. They're rolling out an expensive new HIPAA-compliant (certified! --of course) Health Information Management System. It's replacing an existing infrastructure that works perfectly, and is completely paid for (except for maintenance contracts). 400+ people have to be retrained on the new software, new hires have to learn both systems as they'll both be operating over the 2 month roll-out.

Cuba

[zaroastra]

I'm to lazy to look for the sites now, but ALL the IT health infrastructure in Cuba is open source. I have somewhere at home a prospect from the Cuban government publicizing that.

answer: very carefully

[RMH101]

Disclaimer: i work as an IS architect for a large pharmaceutical company, putting together systems for electronic data capture of clinical data that's used for regulatory submission. It's not the same as general healthcare, but a lot of it is covered by the same regulations.
The short answer is you do this very carefully. There are a whole raft of legal and ethical regulations, of which HIPAA are only the start, and certainly the easiest to attain. If the stuff you're doing falls under FDA regulation then you need to validate those systems: this is very hard indeed to do properly - I'd suggest hiring a validation lead to do this who's got experience of the industry.

Basically, you have to prove to an insane level of detail that everything is consistent, tested, and built/installed as per your testing. On our systems I can document them right from the Little Rubber Feet upwards: hardware firmware revision level, exact version of all drivers, wet-ink signed documents for each step of the build process, and demonstrate that they're locked down and an audit trail exists for Electronic Record/Electronic Signatures for anyone who's ever used it etc etc.
You may find it cheaper to buy in a software package, as you can audit the vendors and if they're considered validated you can reduce your testing - it's testing and documentation here that are going to take up the majority of your time and budget - the actual coding's the easy bit.

This is why OSS isn't automatically the cheapest way of doing things, although this is offset by the massive amount of testing and revalidation that's required everytime an MS patch comes out!
Basically, tread very carefully, speak to a validation rep and have a work with an FDA rep if you can to attempt to clarify exactly how strict the conditions are that you have to work under.

For us, worst case scenario might be that you sign off an implementation, you get audited, and the FDA discover an irregularity - maybe you didn't collect those evidence screenshots when you tested your data capture for example - and they decide any data captured over the intervening few years is suspect - result could be a formal warning (visible to the whole industry and your shareholders) or simply pulling a megabrand off the shelves...this is one area where a single mistake by a single IT guy can have massive direct impact on lives - both in terms of patients and in terms of your personal safety of employment...