Managing the Transition from Paper to EHRs
Editor's note: This practice brief replaces the October 2003 practice briefs "Complete Medical Record in a Hybrid EHR Environment: Part I: Managing the Transition," "Part II: Managing Access and Disclosure," and "Part III: Authorship of and Printing the Health Record."
The transition from a paper-based health record to an electronic health record (EHR) must be addressed and managed on many different and complex levels: administratively, financially, culturally, technologically, and institutionally. The EHR consists of many components that work together to create the foundation of the legal health record. These components may include software applications such as computerized physician order entry; integration with laboratory, radiology, and cardiology systems; an electronic document management system; or other solutions. The EHR journey is one that will evolve over many years, requiring many change-management dynamics that will challenge each of those involved with the transition process.
Given the complexities involved with the transition to an EHR environment, implementation has been slow yet steady, and many valuable lessons have emerged in recent years that are helping healthcare providers and organizations ease the transition to a workable, practical electronic record environment. A focus on patient safety, best practices, and return on investment, as well as ease of end-user adoption have driven healthcare organizations to adopt solutions that support workflow performance improvement versus those that simply automate existing process or system dysfunction.
In February 2009, President Obama signed the American Recovery and Reinvestment Act (ARRA) into law. Part of ARRA’s goal is to encourage healthcare organizations to adopt EHRs through financial incentives. Because of the slowness of adoption, funding barriers, concurrent regulatory compliance timelines, competing technical priorities, strained human resources, and the lack of industry education, many healthcare providers are finding themselves maintaining a hybrid (combination of paper and electronic) health record as an alternative to full automation of the legal health record. It is widely recognized that a hybrid record state is not an ideal situation for any facility for any extended length of time. If an organization can avoid hybridization altogether, or minimize the effect of hybrid components, it will decrease the risk to patient safety and be more effective and cost-efficient. ARRA included the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH is not meant to be the magic bullet for EHR implementation, so the hybrid record will continue to exist. Therefore, it is imperative for organizations to identify and address the challenges with the hybrid record and implement possible solutions to mitigate potential risks.
This practice brief is intended to provide guidance and practical steps for managing the transition from paper to EHRs and for use and disclosure, authorship, and printing from paper to hybrid (paper and electronic) records and hybrid to electronic records.
Definition of the Legal Health Record
Organizations must define health record content and format in their policies. The health record comprises individually identifiable data, in any medium, that are collected, processed, stored, displayed, and used by healthcare professionals. The legal health record is generated at or for a healthcare organization as its business record and is the record that will be disclosed when required. It does not affect the discoverability of other information held by the organization. Healthcare organizations must designate the custodian of the legal health record. The custodian is responsible for the operational functions of the development and maintenance of the health record and may certify through affidavit or testimony the normal business practices used to create and maintain the record. Typically, this is the health information manager in collaboration with information technology professionals. HIM professionals oversee the operational functions related to collecting, protecting, and archiving the legal health record, whereas information technology staff members manage the technical infrastructure of the EHR.
The legal health record is the documentation of healthcare services provided to an individual during any aspect of healthcare delivery in any type of healthcare organization. It is consumer or patient centered. The legal health record contains individually identifiable data, stored on any medium, collected and directly used in documenting healthcare or health status.
Legal health records must meet accepted standards as defined by applicable Centers for Medicare and Medicaid Services (CMS) Conditions of Participation, federal regulations, state laws, and standards of accrediting agencies such as the Joint Commission, as well as the policies of the healthcare provider.1
Legal health records are records of care in any health-related setting used by healthcare professionals while providing patient care or for administrative, business, or payment purposes. Documentation that constitutes the legal health record may exist physically in separate and/or multiple paper-based or electronic systems.
Currently and into the near future, paper documents and various types of media containing patient health information will continue to exist. Documents that are produced outside a facility and are brought in for continuing care may be physical paper documents or exist on various types of media. This information may be technologically difficult to integrate into an EHR. If nothing else, access and readability, portability, and downtime backups all require some paper-based records.
Information that is both electronic and paper based is collected and/or directly used to document healthcare delivery or healthcare status and is the basis for research and planning functions in hospitals. A hybrid health record is a system with functional components that include any of the following:
Some examples of hybrid medical record scenarios are:
Managing health information in this hybrid environment is challenging, particularly given the transition management requirements. It is also extremely costly to a facility because it requires duplicative efforts by staff to manage both paper and electronic documentation and the acts of compiling and retrieving information in a hybrid environment are labor-intensive and fraught with risk for errors. The costs of designing interfaces and integration in a partially electronic record system become increasingly expensive when written to manage only certain portions of the medical record. Increasingly, sites have learned lessons, and best practice is considered full adoption of an electronic document management system across the healthcare organization.
When creating the legal health record policy, healthcare organizations must evaluate accreditation standards and state and federal laws.
Legal and Accreditation Requirements
As organizations develop their vision and accompanying policies and procedures for the EHR, it is important to understand and address the many federal, state, accreditation, and other regulatory requirements that affect health information. Federal and state regulations are constantly changing and evolving, so it is crucial to keep up-to-date with these changes.
The HIPAA privacy rule requires that covered entities adhere to certain standards when using protected health information (PHI). It provides broad guidance insofar as defining to whom and under what circumstances information may or may not be requested, used, or disclosed.
The HIPAA security rule establishes the administrative, physical, and technical safeguards covered entities must implement to protect electronic PHI. ARRA and HITECH update the HIPAA rules and further establish privacy and security protections. The Confidentiality of Alcohol and Drug Abuse Patient Records 42CFR part 2, regulation establishes requirements for the use and disclosure of information maintained in connection with the performance of a drug abuse prevention function assisted directly or indirectly by the federal government.
The Privacy Act of 1974 grants people the right to find out what information has been collected about them, correct and amend that information, and exercise limited control over disclosure. The provisions of the Privacy Act apply to healthcare organizations operated by the federal government and record systems operated pursuant to a contract with the federal government. The Federal Rules of Evidence, Article VIII, outline the criteria necessary for health records to be acceptable as evidence in federal court.
Often states have laws or regulations that define the circumstances in which patient health information may be used, disclosed, and retained. Many states have special rules for access and disclosure of sexually transmitted disease, drug or alcohol abuse, or mental health information.
In addition to ensuring compliance with federal law, organizations must determine the laws and regulations within their states that affect EHRs in areas of electronic signature, access and disclosure of personal health information, and retention and destruction of information.
When federal and state laws exist, it is important that policies and procedures comply with both. When it is not possible for organizations to comply with both, the organization must comply with the more stringent law or regulation.
States also may have rules that relate to the use, disclosure, and retention of business records and/or materials that may be admitted into evidence. Organizations should examine and consider such rules when designing electronic or hybrid health information systems, policies, and procedures.
Many accreditation organizations such as the Joint Commission, American Osteopathic Association, CMS, and Accreditation Association for Ambulatory Health Care establish standards aimed at ensuring access to needed health information by authorized users and safeguards preventing access by unauthorized individuals. Organizations that are or wish to be accredited must look to these accreditation standards for guidance.
For example, the Joint Commission has posted prepublication editions of standards for hospitals and long-term care facilities on its Web site that state:
Managing the Transition
There are key differences to systems that are focused on being a clinical or patient-centric EHR and those that provide workflow and integration of a post-discharge document management. Both are important. The following chart illustrates some of the key differences between aspects of these systems. The first column focuses on managing a legal EHR. The second focuses on combining patient-centric clinical documentation solutions and electronic document management solutions:
Managing the Change: Top 10 Paper/Hybrid/EHR Tenets
The following table describes specific HIM functions, operational considerations, and suggested strategic guidelines for organizations to consider when planning the transition from a paper-based environment to a hybrid environment and then on to a fully electronic environment.
Transition of HIM Professional Responsibilities
In collaboration with the information technology professionals, HIM professionals will serve as the custodians of patient health information, regardless of the media on which health information is maintained (e.g., film, video, paper, electronic, or other media).
Evolving Roles for HIM Professionals in the Electronic Environment
The 2010 AHIMA practice brief “e-HIM Practice Transformation” identified several additional roles for the HIM professional. Building on that resource, HIM roles should be reviewed and updated when planning the transition from a paper-based environment to a hybrid or completely electronic environment.
Guidelines for Access and Disclosure
Access and Disclosure Overview
It is important to understand exactly what access and disclosure means as it relates to sensitive information—electronic and paper. The National Institute of Standards and Technology (NIST) set forth guidelines for the federal government. The following concepts will be helpful to understand in your planning efforts.
Confidentiality of information refers to authorizing disclosure to authorized users for authorized purposes and accessed in an authorized manner. As defined by NIST:
“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542]
A loss of confidentiality is the unauthorized disclosure of information.2
Integrity of information refers to maintaining safeguards to prevent alteration or modification of that data by unauthorized users.
“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542]
A loss of integrity is the unauthorized modification or destruction of information.3
Availability refers to making information available to authorized users.
“Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542]
A loss of availability is the disruption of access to or use of information or an information system.4
Organizations that successfully implement an EHR will have a shared vision with measurable outcomes. Relative to access and disclosure, the EHR vision and, to the extent possible, the hybrid health record should:
Practical Discussion for Managing Access and Disclosure
Access and Retrieval
Healthcare organizations must document where the components of their hybrid records are stored so they can access, use, and disclose the information as necessary, regardless of the information’s location or the media on which it is maintained. To accomplish this task, organizations must define and describe the location of information contained in the legal health record and the designated record set. (See appendix A “Legal Source Legend.”) AHIMA’s practice briefs “Defining and Disclosing the Designated Record Set and the Legal Health Record” and “Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes assist organizations with these two topics.
The location of components of the legal medical record and designated record set may need to be cross-referenced to alert users of the health record to which information exists across both the paper-based record and EHR, particularly as new or revised computer systems are implemented or updated. In addition, organizations will need to consider reviewing and updating their policies and procedures on access, disclosure, and printing for both the legal medical record and designated record set at least annually. Consideration also should be given to information stored on legacy systems that use technology that is old or no longer supported and how this information will be retrieved as the EHR evolves.
Organizations will need to consider the access afforded to hybrid health records by affiliates and business associates and formalize these decisions in their policies. Although it may be expedient to provide affiliates and business associates with access, organizations must consider carefully such access or disclosure in the context of the HIPAA privacy rule’s “minimum necessary” standard.
During the transition to an EHR, information available to the patient electronically may be a subset of the patient’s designated record set. In such cases, the EHR should indicate where the primary or complete information resides and how it can be accessed.
Because EHRs will contain many abbreviations and words with which patients may be unfamiliar, organizations will find it advisable to provide patients with links to abbreviation lists, references, medical dictionaries, and information about diseases and illnesses. They also will want to provide patients with information about how to contact their physicians should they have questions.
As the organization allows patients access to their EHRs, they should determine if the selected portions or the entire content of the EHR will be accessible to the patient and how it will be accessible. In addition, organizations will want to discuss disposition of clinician-to-clinician and patient-to-provider e-mail messages and text messages as it pertains to the hybrid health record. Any organization contemplating e-mail communications should review AHIMA’s practice brief “Provider-Patient E-mail Security.”
In an ambulatory care situation, patients may document various types of clinical information. For example, diabetic patients may track their blood sugar levels over time. Organizations should consider allowing patients to access and record such information electronically. Organizations should determine whether such information will be part of the legal medical record and designated record set, to whom access will be granted, and under what circumstances.
Referral Provider Access
Organizations that allow referral providers access to their EHRs should determine which information will be accessible. Steps should be taken to ensure this is a view-only access. It should be tested at each upgrade to ensure the view-only status continues. In addition, organizations should determine if referral providers will be allowed to print a copy of the EHR.
Potentially, referral providers could ask for access for their patient care team because of the workflow of the provider and the nurse preparing the chart for them to see the patient. Organizations will need to determine if they are willing to extend this access and if the tools are in place to audit such access.
Outside Reviewer Access
Payers, accreditation reviewers, and other external reviewers requiring access to review the medical record need access to both the hybrid chart and the electronic chart, whether on-site or off-site. Organizations must develop policies and procedures governing system access by external reviewers (e.g., for purposes such as auditing and accreditation). These could include creating queues that can be populated with requested charts, individual log-ins, and timed expiration date for access. This procedure would allow view-only access. Access to the electronic record is more efficient than printing and mailing to the reviewer, but all steps must be maintained to ensure that the protected heath information is secure.
Dissemination and Disclosure
In a hybrid environment, it is important that organizations develop and implement policies and procedures that describe the circumstances in which electronic documents may be duplicated. This determination is important because:
In particular, organizations must address the handling and disposition of interim reports, weighing the risk to the organization of the performance of the following options:
Maintaining all interim results reports provides the greatest measure of security for the organization but causes a high volume of duplicate reports within the health record, particularly in a paper-based environment. This duplication also can lead to confusion regarding which report to use, especially for future access and disclosure.
The hybrid health record also should reflect who received disclosed information and whether it was paper based or electronic. As organizations work toward tracking disclosures electronically, they must interface disparate systems components to capture and track the required details of the disclosures (i.e., who, where, and what). The accounting should be available for review by the patient when it is requested.
Guidelines for Authorship and Printing of the Health Record
As the healthcare organization transitions from the paper-based record to the EHR, authorship and printing policies must be put in place. Identifying individuals who have rights for authorship will ensure the integrity of the health record. Printing policies need to be identified to ensure users are reviewing the most up-to-date information in the EHR. The following guidelines should be considered when developing the authorship and printing policies:
use such as:
Managing the transition from paper-based records to EHRs is a complex process intensified by the multitude of systems, functionality, and rapid technology advances. No single standard approach exists for solving the transitional process concerns, and each healthcare organization must determine the steps and policies that are needed as they evolve into using a fully functioning EHR. Many healthcare organizations have some degree of hybridization that coincides with the implementation plan. There are many decisions to consider when determining steps and guidelines for managing the transition process from paper to hybrid records and hybrid to electronic records. To ensure accurate and timely business records, healthcare organizations need to define the legal health record and ensure that the quality and integrity of the health record remains intact during the transition process.
AHIMA. “e-HIM Practice Transformation (Updated).” Journal of AHIMA 81, no. 8 (Aug. 2010): 52–55. Available online in the AHIMA Body of Knowledge at www.ahima.org.
AHIMA e-HIM Workgroup: Best Practices for Electronic Signature and Attestation. “Electronic Signature, Attestation, and Authorship (Updated).” Journal of AHIMA 80, no. 11 (Nov.–Dec2009): 62–69. Available online in the AHIMA Body of Knowledge at www.ahima.org
AHIMA e-HIM Work Group on the Legal Health Record. “Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes.” Journal of AHIMA 76, no. 8 (Sept. 2005): 64A–G. Available online in the AHIMA Body of Knowledge at www.ahima.org.
Amatayakul, Margret, et al. “Definition of the Health Record for Legal Purposes (AHIMA Practice Brief).” Journal of AHIMA 72, no. 9 (Sept. 2001): 88A–H. Available online in the AHIMA Body of Knowledge at www.ahima.org.
Burrington-Brown, Jill, and Gwen Hughes. “AHIMA Practice Brief: Provider-Patient E-mail Security.” Updated June 2003. Available online in the AHIMA Body of Knowledge at www.ahima.org.
Department of Health and Human Services. “Breach Notification for Unsecured Protected Health Information; Interim Final Rule.” Federal Register 74, no. 162 (Aug. 24, 2009). Available online at http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf.
Department of Health and Human
Services. “Health Insurance Reform: Security Standards, Final Rule.”
45 CFR, subtitle A, subchapter C, parts 160 and 164, Federal Register
68, no. 34 (Feb. 20, 2003). Available online at http://aspe.hhs.gov/admnsimp/
Department of Health and Human
Services. “Standards for Privacy of Individually Identifiable Health
Information; Final Rule.” 45 CFR, subtitle A, subchapter C, parts
160 and 162. Federal Register
67, no. 157 (Aug. 14, 2002). Available online at www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/
Department of the Treasury,
et al. “Identity Theft Red Flags and Address Discrepancies under the
Fair and Accurate Credit Transactions Act of 2003.” Federal Register,
72, no. 217 (Nov. 9, 2007). Available online at www.ftc.gov/os/fedreg/2007/
Federal Rules of Evidence, article VIII, rule 803. Available online at http://judiciary.house.gov/hearings/printers/111th/evid2009.pdf.
Hughes, Gwen. “Defining the Designated Record Set (AHIMA Practice Brief).” Journal of AHIMA 74, no. 1 (2003): 64A–D. Available online in the AHIMA Body of Knowledge at www.ahima.org.
National Institute of Standards and Technology. “Guideline for Identifying an Information System as a National Security System.” Special Publication 800-59. August 2003. Available online at http://csrc.nist.gov/publications/nistpubs/800-59/SP800-59.pdf.
The Joint Commission. Standard Record of Care, Treatment and Services (RC),. Available online at www.jcrinc.com/Joint-Commission-Requirements/Hospitals/#RC
The Privacy Act of 1974. Section 5 U.S.C. §552a. Available online at www.justice.gov/opcl/privstat.htm.
Public Health Service, Department of Health and Human Services. “Confidentiality of Alcohol and Drug Abuse Patient Records.” Code of Federal Regulations, 2000. 42 CFR, chapter 1, part 2. Available online at www.access.gpo.gov/nara/cfr/waisidx_00/42cfr2_00.html.
This practice brief was updated by the following AHIMA e-HIM workgroup:
Cris Berry, RHIA
AcknowledgmentsKathy Arner LPN, RHIT, CCS, CPC, MCS, CPMA
Roberta Baranda, RHIA, CHP
Donna Barnard, RHIA
June Bronnert, RHIA, CCS, CCS-P
Jill Clark, RHIA
Karen Czirr, RHIA, CHP
Emily Macko, RHIA
Nicole Miller, RHIA
Edith Okenquist, RHIT, CCS, CCS-P
Catherine Ptak, MS, RHIA
Melinda Teel, RHIA, CCS
Lou Ann Wiedemann, MS, RHIA, CPEHR
Henryetta Wynne, RHIT
Prepared by (original)
This practice brief was developed by the following AHIMA e-HIM workgroup:
Cris Berry, RHIA
AHIMA. "Managing the Transition from Paper to EHRs." (Updated November 2010).