Need for a Time Machine in the Distributed EHR

Ab Bakker


The electronic health record (EHR) will present to authorised health professionals in an ordered way patient data collected in different care settings and different care facilities. It is widely expected that such an EHR will become an important tool for healthcare professionals when delivering care. As soon as the EHR is mature, it will become a professional responsibility to use this tool when appropriate.

Until now, the focus in the design and implementation of the EHR is on its real-time behaviour. In this paper, it is argued that there is an additional requirement: the need to be able to reproduce the EHR as it would have presented itself to a specified healthcare professional at a specified point of time in the past (a time machine). This to be able to assess whether the behaviour of the healthcare professional was appropriate in view of the data that he did retrieve or could have retrieved from the EHR at that point in time.

In this paper, the consequences of the implementation of such functionality are explored; they are found to be huge. It would require substantial investments to implement this functionality. So, it is important that clarity is created on the need for this time machine. The professional associations involved and the bodies responsible for the quality of care have to be involved in further discussion on this issue. The question is raised whether IFHRO has to take the lead. Because implementation of the time machine would have consequences for any information system that contributes in real-time to the EHR, it may well be that the need for this functionality will affect the current common opinion that medical patient data should remain stored in the information systems of the healthcare establishments where the data were generated and be requested from these systems by the virtual EHR when needed. Uploading medical patient data from the operational systems in healthcare establishments to medical data repositories could reduce the number of systems affected considerably.

Key words: EHR legal aspects, EHR design, medical audit, time machine


It is a well-accepted expectation that the electronic health record (EHR) will become an important support tool for health professionals in the near future. Because of the structure of almost all healthcare systems, medical patient data are stored now in the healthcare establishment where they were collected, so the medical data of a patient is inherently distributed. For a healthcare professional who is confronted with a patient, it is important to be aware of the medical history of that patient. A coherent overview of the data collected earlier, including those collected in other healthcare establishments, will contribute both to the quality and the efficiency of the care process. For data collected on paper, coherent presentation within a healthcare establishment is already difficult, to extend this to other establishments is not feasible. However, the use of ICT opens new horizons. For data stored in digital form in the information systems of the healthcare establishments, such coherent presentation in principle can be achieved; the concept HER presents the medical data of a certain patient on request to an authorised healthcare professional, irrespective of the location and the originator of the data.

For the acceptance of such distributed EHR by both the healthcare professionals and the patients, it is important that sufficient attention is paid to the security aspects. The Security workgroup of IMIA (better known as IMIA WG4) organised two working conferences on security of the EHR--the first at Victoria Canada in 20001 and the second at Varenna, Italy, June 2003.2 In the latter conference, the need was discussed to be able to reconstruct the EHR as it (would have) presented itself to a specified health professional at a specified point in time (in the past) for a specified patient.3 It was concluded that this issue deserves more attention, because if such functionality is needed, this will have huge consequences for the design and implementation of the EHR. This paper presents the issue and explores the consequences.

The Need for an Electronic Health Record

Medicine is a domain where the knowledge has for many years reached a volume that cannot be managed by one person. By consequence there is a large degree of specialisation in healthcare, not only between healthcare professionals (medical specialists of different type, nurses with different qualifications, pharmacists, clinical chemists, physiotherapists, etc.) but also between healthcare establishments (acute hospitals, clinics, nursing homes, general practices, pharmacies, etc). Patients in general have contacts with a variety of healthcare establishments: hospitals, general practitioner, pharmacy, physiotherapist, and often within each category, with more than one caregiver. In addition to this, patients tend to choose the facility which best suits their wishes, for example, shorter waiting lists. In addition to that the mobility of patients may lead to an increase of the number of healthcare establishments that have collected their medical data.

Striving for an increase in efficiency of the healthcare system, there is a tendency to bring patients to the facility that best fits with their stage of illness, so shorter stay in the acute hospitals, more often transfer of the patient to another healthcare establishment. This all leads to the present situation where medical patient data is spread over many locations. Each healthcare establishment or each healthcare professional collects its own data and records these, in the past exclusively on paper and film, but now, with the introduction of ICT in healthcare, to an increasing percentage in digital form in electronic archives.

Healthcare professionals often need data on the medical history of their patients to be able to provide adequate care. It would be a great help if data collected and stored by other professionals, often in other establishments, would be available to them. This might:

  • Accelerate the diagnosis
  • Alert them to allergies
  • Avoid drug interactions
  • Inform them of dangerous comorbidities
  • Inform them of the cause of certain symptoms

The goal of the EHR is to present a coherent overview of medical patient data to authorised healthcare professionals irrespective of the place where the data were collected or stored. For the paper records such coherent overview was in general not feasible. Because an increasing percentage of the medical patient data are stored in digital form in the information systems of the healthcare establishments, the concept of a distributed electronic health record is attractive: present the medical data of a certain patient on request to an authorised healthcare professional, irrespective of the location and the originator of the data.

The implementation of an effective EHR is one of the major challenges today for medical informatics but even more for the healthcare systems that have to adapt themselves to take full advantage of this new support facility. The use of the EHR no longer will be an extra, it will become a duty. Health records officers have a responsibility in the implementation of the EHR and the gradual migration from paper/film to digital.

The Implementation of the Distributed EHR

The implementation of the EHR is far from simple:

  • The way a patient is identified may be different in the different systems, for example:
    • In a certain hospital a patient identifier being unique within that hospital
    • In another hospital a different unique patient number
    • Identification on date of birth and surname in a general practise

We need a patient identifier that is unique for the health system concerned (national or regional). In many countries such an identifier is not yet implemented.

  • The number of systems where data of a patient may be stored is huge (at least thousands in a medium size country). It would not be practical to send a request for data to all these systems, so there is a need to know in which systems data for a certain patient may be stored. A national or regional registry might be implemented where for a patient is recorded each system that holds data of that patient. When in any system data of a patient are stored for the first time a message has to be sent to the related registry.
  • Medical data will be stored in the various information systems in a local format with possibly local reference values. Before the data can be presented in a coherent way they have to be mapped on a standard.
  • Data have to be presented in their historical context: nomenclature may change over time and technology for diagnostic tests may evolve, leading possibly to adapted reference values.
  • How can be guaranteed that only authorised healthcare professionals get access to the patient data?
  • How can the own responsibility of the patient be taken into account in the access authorisation?
  • The access control mechanisms in the local information systems are not standardised. As long as these are not harmonised the user of the EHR does not know whether the absence of a certain data item in the EHR means that the item is not recorded or that it is withhold to him because of the access control mechanism of the system where the data item is stored. Such uncertainty would reduce the value of the EHR.
  • The healthcare professional using the EHR will need a good response time (< 3 seconds) , it is far from trivial to fulfil that requirement.

In view of the substantial advantages the EHR has to offer the development of the software needed has a high priority of both the system vendors for healthcare and the governments. So, despite the many problems that have to be solved, EHR implementation can be anticipated in the near future.

The Use of the EHR

There are several juridical, ethical and technical issues involved in the implementation of the EHR, for example, identification and authentication of the healthcare professional, access rights and the influence on these of the patient, electronic signatures, etc. In this paper an issue is discussed that until now has attracted little attention. The issue was raised during the IMIA working conference at Varenna, Italy, "Realising Security of the Electronic Health Record," June 2003.

As soon as the distributed EHR is a reality it will become an important tool in healthcare. Not using such tool when appropriate would be a negligent, so it will become a professional duty for each healthcare professional to incorporate the use of the EHR in the daily routine. In any situation where the behaviour of the healthcare professional is to be assessed there arises the need to be able to judge whether the EHR-data were sufficiently taken into account when making decisions in the care process. So the question will arise how the EHR would have behaved when accessed by a certain health professional at certain moment in the past when asking data of a certain patient: so we will need a "time machine" for the EHR.

It is emphasised that it would not be sufficient to log all EHR output, for example, in the workstation of the healthcare professional, and inspect this log to see which HER data were presented to the healthcare professional. That would only partly resolve the issue because it would only show what has been presented. It would not show what could have been learned from the EHR in cases when it was not consulted and whether the behaviour of the healthcare professional concerned is appropriate in view of the information from the EHR that he did not consult, for some good reason or negligence.

Exploration of the Consequences if We Would Have to Implement a Time Machine in the EHR

In a distributed setting there will be many systems that may contribute to the EHR for a certain patient. Any system contributing to the EHR must be able to process requests for information. Such requests not only have to specify the originator of the request and the patient identifier, but also the point in time for which the data have to be provided (not only real-time).

To be able to fulfil this global requirement a number of more detailed requirements can be identified that have to be fulfilled by any system that directly contributes to the contents of the EHR.

  1. Because the value of data items may change over time, each item must be time-stamped and a trail of the value has to be maintained to be able to reproduce the correct value at the moment specified in the access request to the EHR. Deletion of data items that may be part of the EHR is not allowed. (The latter requirement may be in conflict with data protection legislation that often prescribes that data have to be deleted after a certain time).
  2. The access control algorithm may use not only medical data but also logistic data, for example, whether the patient at the moment specified in the access request, was admitted, had an appointment for an outpatient clinic, or was on the waiting list. So also for these logistic data the preceding requirement will hold.
  3. Because new versions of the application software that takes care of the retrieval and presentation of the data can not be trusted to behave exactly the same way as their predecessors, these predecessors should be kept operational and applied when the request deals with a point in time when these modules were operational. The system software has to be able to select the right version of the software module.
  4. Because user access authorisation may change over time (for example, because of a different role, qualifications or responsibilities of the user), the access control has to be carried out as it would have been at the specified point in time.
  5. In case a system that plays a part in the EHR was not accessible ("down") at the specified point in time it should not respond to the request. So each system has to keep a record of the periods it was off-the-air and consult this record before responding.
  6. Because not only changes in the application software may affect the selection and presentation of the patient data, also for the system software requirement 3 will apply.

The requirements 1, 2, 5, and partly 4 could be fulfilled by the application software developers. The vendors of system software should take care of the requirements 3, 6, and partly 4. In considerations on fulfilling these requirements a distinction can be made between the development of new systems and adaptation of existing systems. When building a new system the application developer could fulfil requirements 1, 2, 5, and partly 4, be it at the expense of considerable additional development effort and additional storage capacity. Adaptation of existing systems to make them satisfy these requirements would require huge investments and will often not be feasible.

The vendors of health information application software will only be prepared to make the investments necessary if the healthcare community makes clear that implementing the "time machine" is a must, not just an extra. Because system software serves a much broader market than healthcare it will be even more difficult to convince the vendors of the need to invest in the time machine.

Requirement 4 may have serious consequences for the system of access authorisation. That system may be beyond the control of the system developer and even beyond the control of the healthcare establishments, it may well be government controlled. So requirement 4 extends to the controller of access authorisation (for example, the body that registers the professional qualifications).

A special situation occurs when not only one module is replaced but the whole system. The replacing system may well come from another vendor. Then the chance that the EHR data will be presented in exactly the same way as the old system did is rather low. The consequence may be that the old system has to be kept operational to be able to process access requests dealing with a point in time when this was the production system. A gatekeeper system might be needed that receives the requests and channels them to either the new system or its predecessor.

The Requirement for a Time Machine May Affect the Overall Model of the EHR

The total effort that would be required to implement the "time machine" in the EHR might be reduced if the number of systems that directly contribute to the EHR could be reduced. Such reduction could be achieved by installing one or more repositories of patient data, for example, on a national or regional scale. The repositories could be filled by uploading all patient data from the information systems of the healthcare establishments. The EHR would have to request information only from such repositories, so only these repositories would have to satisfy the requirements listed above. For the feeder information systems of the healthcare establishments only minor adaptations would be needed to upload the information. Of course the issues: unique patient identification and standards for data presentation would remain.

A set of "central" repositories is at the moment not a popular model for the EHR. The common view is to keep the data stored in the local information systems and retrieve them from there when needed; however, in view of the huge efforts required to implement the time machine in each system, it seems worthwhile to reconsider the model of the distributed EHR.

One of the forerunners in the implementation of a paperless patient record in Malaysia does indeed use a central repository.4

Do We Really Need the Time Machine in the EHR ?  

In this paper arguments were given to require a time machine in the EHR. It was shown that implementation of such a time machine would require substantial investments for any system contributing to the EHR and even may require an approach different from the current common view on an EHR architecture. So the question has to be answered: Does the healthcare community recognise the need for a time machine in the EHR, and are they willing to pay the price?

This paper does not give the answer, it raises the issue and explores the consequences. The answer should be given by the bodies responsible for the quality of healthcare, both government agencies and associations of healthcare professionals and by the lawyers. The IFHRO is one of these professional bodies, they should decide whether they recognise the need for the "time machine" and if so whether they are prepared to draw the attention to this issue of other professional bodies.

Conclusions and Recommendations

Within a few years the EHR will become an important tool for healthcare professionals. In many situations access to the medical data collected by other healthcare professionals will contribute to the quality and efficiency of the care process. It is not difficult to imagine situations where such information can contribute to the quality of care, for example, by preventing serious medical complications or shortening the diagnostic phase. So, the use of the EHR will no longer be optional, on the contrary, responsible professional behaviour will in the near future include the use of the EHR when appropriate.

In this paper, it is argued that a consequence of this development will be that in situations where the behaviour of a healthcare professional is to be assessed one of the questions to answer is whether the EHR was used appropriately. Examples of such assessment situations are: in medical audit, in a law suit, in self-assessment. However, the EHR is dynamic in nature, its content is changing over time. To be able to determine whether the EHR was used in a responsible way, it will be necessary to be able to reproduce the EHR as it presented itself (or would have presented itself) when accessed by a specified healthcare professional for a specified patient at a particular point in time in the past (the so-called time machine).

In this paper the consequences to fulfil this requirement were explored. It was found that these consequences are huge for each system that directly (in real-time) contributes data to the EHR as it will be presented to the authorised healthcare professional. If the "time machine" functionality in the EHR is really needed this would have a serious impact on design and implementation of the EHR. So, the first question to be answered is whether the reasoning in this paper is underwritten by the bodies responsible for the quality of care and the assessment of the behaviour of healthcare professionals. The IFHRO and its members could play an important role in answering this question.


  1. Bakker AR, Barber B, Moehr J, editors. Security of the Distributed Electronic Patient Record (EPR). IJMI Vol 60, 2000.
  2. Barber B, Gritzalis D, Louwerse CP, Pinciroli F, editors. Realising Security of the Electronic Health Record (EHR). IJMI Vol 73, Issue 3, 2004.
  3. Bakker AR, Access to EHR and Access Control at a moment in the past: A Discussion of the Need and an Exploration of the Consequences. IJMI Vol 73, Issue 3, pp 267-270, 2004.
  4. Mohan J, Yaacob RRR. The Malaysian Telehealth Flagship Application: A National Approach to Health Data Protection and Utilisation and Consumer Rights. IJMI Vol 73, Issue 3, 2004.

Address for correspondence: Ab Bakker, Atjehweg 10, 2202 AP Noordwijk The Netherlands, e-mail: abakker@addabit.d e ; tel +31 7136 21984.

Source: 2004 IFHRO Congress & AHIMA Convention Proceedings, October 2004