To the Editor: In the Clinical Computing column in the March issue, Good and DiTommaso (1) suggested that using open-source software to manage medical records will be easier and cheaper than using proprietary software. The authors note that open-source software is by definition free and can be modified to meet the needs of the consumer. We applaud these authors for their efforts to move the dinosaur approach to psychiatric records management into the 21st century. However, their assumption that open-source software is cheaper, easier, and more customizable has some notable limitations. Organizations need to be aware of these limitations, as well as the issues of cost, maintenance, and security that arise when such a solution is implemented, so that they can make an informed decision about what is best for their particular environment.
The use of open-source software for any enterprise is of course initially cheaper, because the software is often free. However, Good and DiTommaso neglected to fully explain the costs of implementing free software, such as programming fees for customization, advanced computing systems costs (for example, for Web and database servers), and ongoing consultation and maintenance. Large hospitals might easily absorb these costs, but smaller agencies will need to consider the issues of customization and maintenance and not simply those of initial implementation when deciding to use such a complex and system-interdependent solution. We do not dispute the potential benefits of open-source software that can be customized to perfectly meet agency needs. However, we caution that "free" software can quickly become a costly "fixer-upper."
In addition, recent HIPAA (Health Insurance Portability and Accountability Act) regulations require an unprecedented level of security for electronic medical records (2). It is no longer sufficient to simply password-protect client records. Solutions such as SQL Clinic are responsible not only for storing sensitive information but also for transferring it. By default, Good and DiTommaso's solution transfers information in clear text, making this information more susceptible to common security breaches (3). To meet HIPAA guidelines, software must encrypt transferred data. Although open-source programs like SQL Clinic can be modified to include such encryption, doing so requires further implementation and maintenance costs, as well as legal consultation, because encryption is not legal in all countries. Before implementing SQL Clinic, organizations need to be aware of the security and confidentiality issues inherent in such a solution and address these issues to protect the privacy of consumers.
Although we have raised concerns that Good and DiTommaso did not mention in their column, we would like to reiterate that we applaud their generosity and their efforts to bring new open solutions to an age-old problem. However, without information about start-up costs, maintenance, and HIPAA security requirements, readers would be hard-pressed to make an informed decision about implementing this solution. We hope that by making these issues explicit, organizations will be better able to determine whether open-source solutions such as SQL Clinic are the best option for managing their electronic medical records.
The authors are affiliated with the School of Social Work at the University of Pittsburgh.