Managing the Transition from Paper to EHRs

Editor's note: This practice brief replaces the October 2003 practice briefs "Complete Medical Record in a Hybrid EHR Environment: Part I: Managing the Transition," "Part II: Managing Access and Disclosure," and "Part III: Authorship of and Printing the Health Record."


The transition from a paper-based health record to an electronic health record (EHR) must be addressed and managed on many different and complex levels: administratively, financially, culturally, technologically, and institutionally. The EHR consists of many components that work together to create the foundation of the legal health record. These components may include software applications such as computerized physician order entry; integration with laboratory, radiology, and cardiology systems; an electronic document management system; or other solutions. The EHR journey is one that will evolve over many years, requiring many change-management dynamics that will challenge each of those involved with the transition process.

Given the complexities involved with the transition to an EHR environment, implementation has been slow yet steady, and many valuable lessons have emerged in recent years that are helping healthcare providers and organizations ease the transition to a workable, practical electronic record environment. A focus on patient safety, best practices, and return on investment, as well as ease of end-user adoption have driven healthcare organizations to adopt solutions that support workflow performance improvement versus those that simply automate existing process or system dysfunction.

In February 2009, President Obama signed the American Recovery and Reinvestment Act (ARRA) into law. Part of ARRA’s goal is to encourage healthcare organizations to adopt EHRs through financial incentives. Because of the slowness of adoption, funding barriers, concurrent regulatory compliance timelines, competing technical priorities, strained human resources, and the lack of industry education, many healthcare providers are finding themselves maintaining a hybrid (combination of paper and electronic) health record as an alternative to full automation of the legal health record. It is widely recognized that a hybrid record state is not an ideal situation for any facility for any extended length of time. If an organization can avoid hybridization altogether, or minimize the effect of hybrid components, it will decrease the risk to patient safety and be more effective and cost-efficient. ARRA included the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH is not meant to be the magic bullet for EHR implementation, so the hybrid record will continue to exist. Therefore, it is imperative for organizations to identify and address the challenges with the hybrid record and implement possible solutions to mitigate potential risks.

This practice brief is intended to provide guidance and practical steps for managing the transition from paper to EHRs and for use and disclosure, authorship, and printing from paper to hybrid (paper and electronic) records and hybrid to electronic records.

Definition of the Legal Health Record

Organizations must define health record content and format in their policies. The health record comprises individually identifiable data, in any medium, that are collected, processed, stored, displayed, and used by healthcare professionals. The legal health record is generated at or for a healthcare organization as its business record and is the record that will be disclosed when required. It does not affect the discoverability of other information held by the organization. Healthcare organizations must designate the custodian of the legal health record. The custodian is responsible for the operational functions of the development and maintenance of the health record and may certify through affidavit or testimony the normal business practices used to create and maintain the record. Typically, this is the health information manager in collaboration with information technology professionals. HIM professionals oversee the operational functions related to collecting, protecting, and archiving the legal health record, whereas information technology staff members manage the technical infrastructure of the EHR.

The legal health record is the documentation of healthcare services provided to an individual during any aspect of healthcare delivery in any type of healthcare organization. It is consumer or patient centered. The legal health record contains individually identifiable data, stored on any medium, collected and directly used in documenting healthcare or health status.

Legal health records must meet accepted standards as defined by applicable Centers for Medicare and Medicaid Services (CMS) Conditions of Participation, federal regulations, state laws, and standards of accrediting agencies such as the Joint Commission, as well as the policies of the healthcare provider.1

Legal health records are records of care in any health-related setting used by healthcare professionals while providing patient care or for administrative, business, or payment purposes. Documentation that constitutes the legal health record may exist physically in separate and/or multiple paper-based or electronic systems.

Currently and into the near future, paper documents and various types of media containing patient health information will continue to exist. Documents that are produced outside a facility and are brought in for continuing care may be physical paper documents or exist on various types of media. This information may be technologically difficult to integrate into an EHR. If nothing else, access and readability, portability, and downtime backups all require some paper-based records.

Information that is both electronic and paper based is collected and/or directly used to document healthcare delivery or healthcare status and is the basis for research and planning functions in hospitals. A hybrid health record is a system with functional components that include any of the following:

  • Both paper and electronic documents without a central electronic document management system where all patient information is maintained
  • Manual and electronic processes to compile components of the medical record
  • Multiple repositories (paper or electronic) of information that need to be accessed by the end user to compile the medical records for a single episode of care

Some examples of hybrid medical record scenarios are:

  • Dictation, laboratory, and X-ray results are available electronically, whereas progress notes, ancillary care, provider information, graphic sheets, and doctors’' orders are on paper.
  • Patient health information may be maintained on various other media types such as film, video, or an imaging system.
  • Patient information may be scanned images that are accessed in a separate part of the system versus being integrated together in a chronological packet of information defined as the legal health record.
  • Hospital records are automated, but clinic records are on paper and processed and stored in the clinic, never becoming part of the core EHR.

Managing health information in this hybrid environment is challenging, particularly given the transition management requirements. It is also extremely costly to a facility because it requires duplicative efforts by staff to manage both paper and electronic documentation and the acts of compiling and retrieving information in a hybrid environment are labor-intensive and fraught with risk for errors. The costs of designing interfaces and integration in a partially electronic record system become increasingly expensive when written to manage only certain portions of the medical record. Increasingly, sites have learned lessons, and best practice is considered full adoption of an electronic document management system across the healthcare organization.

When creating the legal health record policy, healthcare organizations must evaluate accreditation standards and state and federal laws.

Legal and Accreditation Requirements

As organizations develop their vision and accompanying policies and procedures for the EHR, it is important to understand and address the many federal, state, accreditation, and other regulatory requirements that affect health information. Federal and state regulations are constantly changing and evolving, so it is crucial to keep up-to-date with these changes.


The HIPAA privacy rule requires that covered entities adhere to certain standards when using protected health information (PHI). It provides broad guidance insofar as defining to whom and under what circumstances information may or may not be requested, used, or disclosed.

The HIPAA security rule establishes the administrative, physical, and technical safeguards covered entities must implement to protect electronic PHI. ARRA and HITECH update the HIPAA rules and further establish privacy and security protections. The Confidentiality of Alcohol and Drug Abuse Patient Records 42CFR part 2, regulation establishes requirements for the use and disclosure of information maintained in connection with the performance of a drug abuse prevention function assisted directly or indirectly by the federal government.

The Privacy Act of 1974 grants people the right to find out what information has been collected about them, correct and amend that information, and exercise limited control over disclosure. The provisions of the Privacy Act apply to healthcare organizations operated by the federal government and record systems operated pursuant to a contract with the federal government. The Federal Rules of Evidence, Article VIII, outline the criteria necessary for health records to be acceptable as evidence in federal court.


Often states have laws or regulations that define the circumstances in which patient health information may be used, disclosed, and retained. Many states have special rules for access and disclosure of sexually transmitted disease, drug or alcohol abuse, or mental health information.

In addition to ensuring compliance with federal law, organizations must determine the laws and regulations within their states that affect EHRs in areas of electronic signature, access and disclosure of personal health information, and retention and destruction of information.

When federal and state laws exist, it is important that policies and procedures comply with both. When it is not possible for organizations to comply with both, the organization must comply with the more stringent law or regulation.

States also may have rules that relate to the use, disclosure, and retention of business records and/or materials that may be admitted into evidence. Organizations should examine and consider such rules when designing electronic or hybrid health information systems, policies, and procedures.


Many accreditation organizations such as the Joint Commission, American Osteopathic Association, CMS, and Accreditation Association for Ambulatory Health Care establish standards aimed at ensuring access to needed health information by authorized users and safeguards preventing access by unauthorized individuals. Organizations that are or wish to be accredited must look to these accreditation standards for guidance.

For example, the Joint Commission has posted prepublication editions of standards for hospitals and long-term care facilities on its Web site that state:

  • Only authorized individuals make entries in the medical record
  • Every medical record entry is dated, timed, and signed TJC RC 01.01.01, CMS 482.24 (c )(1)

Managing the Transition

There are key differences to systems that are focused on being a clinical or patient-centric EHR and those that provide workflow and integration of a post-discharge document management. Both are important. The following chart illustrates some of the key differences between aspects of these systems. The first column focuses on managing a legal EHR. The second focuses on combining patient-centric clinical documentation solutions and electronic document management solutions:

Clinical/Patient-Centric Systems versus Workflow/Integration Systems
Functions of Patient-centric Clinical Documentation Solutions Functions of Electronic Content Management and Electronic Document Management Solutions
Focuses on clinician workflow, including daily notes, transcribed documents, orders, and diagnostic results Focuses on the legal health record in its entirety from preadmission to post-discharge documentation
Extremely dynamic, replacing temporary and working copies of documents with multiple versions of documents Dynamic until point of completion, and then the record is considered sealed in a permanent state only to be altered through legal amendment and correction process
May be longitudinal in nature, potentially trending clinical results across multiple episodes of care Typically episodic in nature, provides book-style chronological record for a single episode of care (i.e., outpatients within a single day, inpatients for an entire length of stay)
Requires separate repositories for data and scanned images Incorporates paper documents through imaging (scanning), as well as alternate media and electronic feeds to capture the entire record through combination of computer output to laser disc (COLD) feeds and images
Provides input and results and, potentially, analytics around results within the components Supports access, secure control, and workflow or work-routing functions for the entire record on an access, processing, maintenance, retrieval, and destruction basis

Managing the Change: Top 10 Paper/Hybrid/EHR Tenets

  1. The EHR must be part of an organization’s vision and strategic plan. As part of this plan, the organization should have a standard definition for the legal health record.
  2. The organization must ensure that adequate leadership, consultation, staff training, equipment, policies and procedures, and funding or other resources are in place to support EHR development.
  3. Organizations must establish a legal health record steering committee to guide the organization from a paper to an electronic environment. This group must be empowered to make proactive and constructive changes. Its members should include department managers from health information management; risk, quality, or compliance management; medical staff; nursing; ancillary departments; IT, and the privacy officer.
  4. The legal health record steering committee must develop and publish policies and procedures for operating in the paper state, hybrid state, and electronic state and include long-term archive, purge, retention, and destruction guidelines.
  5. HIM professionals must participate actively in the development and implementation of the EHR, given the significant operational management effects on workflow within HIM and their role as custodians of the legal health record.
  6. There must be a formal process for approving EHR software and hardware to ensure that it can support the organization's operational needs adequately for the paper, hybrid, and electronic medical record.
  7. There must be a formal process for managing forms, paper, electronic, hybrid, and system-generated records, including input, output, and versioning of document content and access.
  8. There must be a formal process and written guidelines addressing access, confidentiality, security, print control, spoliation mitigation, disclosure, and e-discovery.
  9. A complete record inventory of all existing storage and management of paper, hybrid, shadow (duplicate), and electronic records must be maintained by all healthcare organizations.
  10. The facility must develop a policy for retention and destruction of medical records, regardless of whether paper, hybrid, or electronic medical records are used.

The following table describes specific HIM functions, operational considerations, and suggested strategic guidelines for organizations to consider when planning the transition from a paper-based environment to a hybrid environment and then on to a fully electronic environment.

Strategic Practice Guidelines for Traditional and Emerging HIM Operational Functions
HIM Operational Function Operational Considerations Strategic Practice Guidelines

Transcription/Coding Staffing

In-house, home based, outsourced, or offshore
  • Familiarize and synchronize transcription/coding staff with your organization’s strategic plan
  • Become knowledgeable about system integration capabilities, limitations, and opportunities of both source and interfacing information systems
  • Ensure availability and implementation of quality control features and reporting capabilities of all source and interfacing systems
  • Ensure compliance with any and all privacy, confidentiality, and security laws (e.g., state, federal, or organization specific)
  • Ensure organization has planned its off-site EHR content carefully before implementing any off-site coding or transcription functions (e.g., have major clinical documentation needed by coders, such as physician progress notes, available online to coders before implementing off-site coding)
  • Consider bidirectional interfacing for edits, changes, and other source document integrity
  • Consider electronic signature authentication; encourage online signature

Transcription Delivery Media

Fax, tape, disc or CD, paper, electronic (e.g., batch mode, uploading, integrity maintenance)
  • Standardize delivery media to minimize paper and/or duplicate delivery modalities
  • Ensure device availability (e.g., remote access) and notification to recipients of delivered electronic documents
  • Ensure proper privacy and security controls are in place regardless of media

Electronic Signature

Transcription and other critical EHR documentation
  • Review and consider e-signature processing capabilities, limitations, opportunities (see practice brief: Electronic Signature, Attestation, and Authorship)
  • Consider versioning control and replacement of temporary versus permanent (after review and authentication) document storage
  • Understand clearly the minimal operational workflow requirements for processing e-signatures when working with information systems and vendor representatives

Release of Information (ROI)

Customer service when ROI function is off-site or remote; electronic transfers rather than paper printing
  • Consider expansion of HIM responsibilities for ROI functions into decentralized areas, including off-site clinics, if not already responsible
  • Consider how to continue to meet standards and laws if ROI function is decentralized (e.g., disclosure laws with respect to ETOH, HIV, and mental health; have HIM continue to handle all requests for amendments coming through ROI)
  • Consider whether HIM will continue to maintain oversight or be a subject matter resource to those managing ROI; consider centralization of ROI and other printing and access functions for greater confidentiality, compliance, audit control, and cost efficiencies
  • Ensure EHR plans incorporate ROI workflow capabilities both on-site and remotely (e.g., disclosure tracking and auditing capabilities)
  • Consider electronic rules and alerts on ROI requirements to allow for expanded delegation of ROI operational capabilities and responsibilities

Record Processing

Completion, abstracting, assembly, indexing
  • Establish business rules for online EHR viewing that are based on an individual’s role and completion status of online document (e.g., ROI only sees complete online records)
  • Ensure EHR system capabilities to monitor and track record completion (e.g., online alerts to individual clinicians, aggregated management screens and reports for HIM)
  • Manage record completion business processes, regardless of where organization is along the EHR transition continuum
  • Transfer and/or retrain staff members for other operational areas (e.g., assemblers become preppers and scanners where imaging has been deployed) as the need to print and assemble paper-based records diminishes
  • Develop standardized assembly order based on user needs for printed EHRs (e.g., different EHR views may necessitate different assembly orders [lawyers, patients, etc.])
  • Work with EHR vendor toward use of expert rules for automated abstracting, where possible
  • Ensure productivity standards are in place for all record-processing functions
  • Determine which information will be back loaded into the EHR system
  • Ensure that the workflow and work routing support COLD electronic document/results feed is used to reduce dependency on manual scanning of documents

Data Management

Data quality and integrity
  • Ensure backlogs are eliminated before any EHR implementation
  • Ensure periodic spot-checks are made to ensure data integrity within the medical record
  • Ensure daily reconciliation of all interfaces for exported and imported feeds to ensure integrity of the medical record
  • Ensure processing standards (availability standards) are maintained as immediately as possible seven days a week 24 hours a day via adequate processing, staffing, and backups
  • Develop and review a data dictionary

File Room

Define the file room in terms of where files are stored and whether scanned images are used (are files paper, electronic, both?) 

Need to consider staffing support for retrieval of older records for length of retention; records are used most heavily the first three years after discharge

  • Conduct an assessment to determine where along the EHR transition continuum your organization’s current and planned state of the file room is or will be:
    • Paper-based health record
    • Shadow health record
    • Hybrid health record
    • Complete EHR
  • Consider logistically what kinds of HIM policies, processes, procedures, and management practices are needed as the file room transforms from a physical environment to a virtual operation:
    • Elimination of shadow records
    • Shelving and hard-copy paper folders or files stored in a fixed location accessed and managed by staff
    • Electronic records contained on a server managed by information technology business rules for access, retrieval, retention, etc.
  • Consider which file room operations may need to shift  to ensure acceptable productivity levels (e.g., timeliness, accessibility, completeness) in a hybrid file room environment (e.g., combination of hard-copy records, scanned records, and data repository records):
    • List of functions
    • Hours of operation
    • After-hours access and backup
    • Staffing needs
    • Record control
    • Filing and indexing
    • Retention, purging, and archiving
    • Other

Dynamic Data Handling

Alerts, flow data, e-mails, e-logs, and practice protocols
  • Determine whether dynamic data will be considered part of the legal medical record
  • Ensure proper security measures are taken to protect your PHI if dynamic data are being maintained at a remote community health information network location
  • Determine whether online alerts and associated audit information should be included as part of the legal EHR

Data Integration Issues

System merges, conversion issues, and multiple EHR systems in a given environment
  • Ensure appropriate quality control mechanisms are in place to ensure data integrity (e.g., enterprise-wide master patient index encounters or episodes as part of the overall IT conversion process) for multifacility and/or multidepartmental EHR system integrations
  • Ensure HIM plays a strong role in all quality control planning and implementation activities (e.g., audit reporting and monitoring)

Retention/Destruction Issues

State and federal mandates, legal counsel recommendations, and system limitations and needs; e-discovery policies
  • Conduct a compliance review to ensure current policies are up-to-date with all state and federal laws on retention and destruction
  • Ensure that your retention and destruction policies include the components of the legal medical record that are stored in nonpaper-based media (e.g., remote and local servers, tapes, film, fiche) if the legal medical record is defined as being in a hybrid environment
  • Ensure that EHR systems have the ability to retain and destroy health information in accordance with your facility’s legal medical record definition (e.g., fetal monitor data)

Definitions/Glossary of Terms

Varying definitions of original, legal, complete, or hard-copy record; business rules
  • Define what a complete medical record is in a paper-based versus EHR environment (e.g., transcribed outpatient clinic notes)

Transition of HIM Professional Responsibilities

In collaboration with the information technology professionals, HIM professionals will serve as the custodians of patient health information, regardless of the media on which health information is maintained (e.g., film, video, paper, electronic, or other media).

  • HIM professionals will establish policies, procedures, systems, and safeguards to ensure that patient health information is documented, maintained, and disclosed in accordance with all health information laws, regulations, and standards.
  • HIM professionals will maintain a matrix of sources for various reports or types of information that constitute the hybrid health record. (See appendix A, “Legal Source Legend.”)
  • HIM professionals should evaluate the adequacy and validity of authorizations and requests for patient health information, making sure that the sources used are from the legal source as designated by the organization.
  • HIM professionals will participate actively in the periodic reassessment of policies and procedures for accessing and disclosing information in the hybrid and electronic environments.
  • HIM professionals will ensure standardization and ongoing maintenance of all forms (paper based) or templates (electronic).
  • HIM professionals will play a key role in ensuring the functionality of EHR systems with respect to the practice of HIM and its support of other business functions of the organization.

Evolving Roles for HIM Professionals in the Electronic Environment

The 2010 AHIMA practice brief “e-HIM Practice Transformation” identified several additional roles for the HIM professional. Building on that resource, HIM roles should be reviewed and updated when planning the transition from a paper-based environment to a hybrid or completely electronic environment.

Guidelines for Access and Disclosure

Access and Disclosure Overview

It is important to understand exactly what access and disclosure means as it relates to sensitive information—electronic and paper. The National Institute of Standards and Technology (NIST) set forth guidelines for the federal government. The following concepts will be helpful to understand in your planning efforts.


Confidentiality of information refers to authorizing disclosure to authorized users for authorized purposes and accessed in an authorized manner. As defined by NIST:

“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542]

A loss of confidentiality is the unauthorized disclosure of information.2


Integrity of information refers to maintaining safeguards to prevent alteration or modification of that data by unauthorized users.

“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542]

A loss of integrity is the unauthorized modification or destruction of information.3


Availability refers to making information available to authorized users.

“Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542]

A loss of availability is the disruption of access to or use of information or an information system.4

Organizations that successfully implement an EHR will have a shared vision with measurable outcomes. Relative to access and disclosure, the EHR vision and, to the extent possible, the hybrid health record should:

  • Be protected by a rigorous information security structure consistent with laws and regulations, standards of practice, and available technology
  • Support the organization’s ability to perform electronic security audits
  • Allow the organization to authorize or limit access based on user, record, document, and data element
  • Provide access to all relevant information from a patient’s hybrid record when needed for use in patient care, regardless of storage medium
  • Provide for retrieval of information on a timely basis without compromising the data or the patient’s confidentiality
  • Bring together information contained in multiple systems, applications, or other media so complete information can be retrieved from a single point of access, where feasible
  • Facilitate effective retrieval, display, reporting, and dissemination of data and information individually, comparatively, and collectively
  • Minimize the need for printing while facilitating the delivery of efficient and effective healthcare
  • Facilitate printing or copying of concise and easy-to-use documents that support continuity of care, patient requests, subpoenas, accreditation, legal requirements, and other business needs
  • Facilitate electronic requests and disclosures of personal health information to authorized external users
  • Give patients the opportunity to see, copy, and amend the information contained in their designated record set
  • Support electronic tracking of disclosures that can be made available to the patient
  • Support a personal health record that may be used for care decisions
  • Support not only the delivery of patient care, decision support, and performance improvement but also the performance of all HIM and other required business functions

Practical Discussion for Managing Access and Disclosure

Access and Retrieval

Healthcare organizations must document where the components of their hybrid records are stored so they can access, use, and disclose the information as necessary, regardless of the information’s location or the media on which it is maintained. To accomplish this task, organizations must define and describe the location of information contained in the legal health record and the designated record set. (See appendix A “Legal Source Legend.”) AHIMA’s practice briefs “Defining and Disclosing the Designated Record Set and the Legal Health Record” and “Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes assist organizations with these two topics.

The location of components of the legal medical record and designated record set may need to be cross-referenced to alert users of the health record to which information exists across both the paper-based record and EHR, particularly as new or revised computer systems are implemented or updated. In addition, organizations will need to consider reviewing and updating their policies and procedures on access, disclosure, and printing for both the legal medical record and designated record set at least annually. Consideration also should be given to information stored on legacy systems that use technology that is old or no longer supported and how this information will be retrieved as the EHR evolves.

Organizations will need to consider the access afforded to hybrid health records by affiliates and business associates and formalize these decisions in their policies. Although it may be expedient to provide affiliates and business associates with access, organizations must consider carefully such access or disclosure in the context of the HIPAA privacy rule’s “minimum necessary” standard.

Patient Access

During the transition to an EHR, information available to the patient electronically may be a subset of the patient’s designated record set. In such cases, the EHR should indicate where the primary or complete information resides and how it can be accessed.

Because EHRs will contain many abbreviations and words with which patients may be unfamiliar, organizations will find it advisable to provide patients with links to abbreviation lists, references, medical dictionaries, and information about diseases and illnesses. They also will want to provide patients with information about how to contact their physicians should they have questions.

As the organization allows patients access to their EHRs, they should determine if the selected portions or the entire content of the EHR will be accessible to the patient and how it will be accessible. In addition, organizations will want to discuss disposition of clinician-to-clinician and patient-to-provider e-mail messages and text messages as it pertains to the hybrid health record. Any organization contemplating e-mail communications should review AHIMA’s practice brief “Provider-Patient E-mail Security.”

In an ambulatory care situation, patients may document various types of clinical information. For example, diabetic patients may track their blood sugar levels over time. Organizations should consider allowing patients to access and record such information electronically. Organizations should determine whether such information will be part of the legal medical record and designated record set, to whom access will be granted, and under what circumstances.

Referral Provider Access

Organizations that allow referral providers access to their EHRs should determine which information will be accessible. Steps should be taken to ensure this is a view-only access. It should be tested at each upgrade to ensure the view-only status continues. In addition, organizations should determine if referral providers will be allowed to print a copy of the EHR.

Potentially, referral providers could ask for access for their patient care team because of the workflow of the provider and the nurse preparing the chart for them to see the patient. Organizations will need to determine if they are willing to extend this access and if the tools are in place to audit such access.

Outside Reviewer Access

Payers, accreditation reviewers, and other external reviewers requiring access to review the medical record need access to both the hybrid chart and the electronic chart, whether on-site or off-site. Organizations must develop policies and procedures governing system access by external reviewers (e.g., for purposes such as auditing and accreditation). These could include creating queues that can be populated with requested charts, individual log-ins, and timed expiration date for access. This procedure would allow view-only access. Access to the electronic record is more efficient than printing and mailing to the reviewer, but all steps must be maintained to ensure that the protected heath information is secure.

Dissemination and Disclosure

In a hybrid environment, it is important that organizations develop and implement policies and procedures that describe the circumstances in which electronic documents may be duplicated. This determination is important because:

  • The electronic copy likely will contain the most current information.
  • Duplicating documents prevents the organization from optimizing its return on investment. The organization will be spending money on printers, toner, paper, CDs, USBs, and other media, as well as retention and destruction. These resources could be applied better toward making sure that there are adequate points of access to the electronic information wherever needed.
  • Users may be inclined to make notes on the printed copies, further complicating operational management of these documents, since these notated copies would need to be retained as part of the legal health record. This   potentially could create a data management issue because of the paper record and the electronic record containing disparate information.
  • It is difficult to manage and secure duplicated copies.
  • Once users are given permission to print, it is difficult to remove this permission.

In particular, organizations must address the handling and disposition of interim reports, weighing the risk to the organization of the performance of the following options:

  • Maintaining all interim results reports within the health record
  • Maintaining interim results reports only when the final results differ

Maintaining all interim results reports provides the greatest measure of security for the organization but causes a high volume of duplicate reports within the health record, particularly in a paper-based environment. This duplication also can lead to confusion regarding which report to use, especially for future access and disclosure.

The hybrid health record also should reflect who received disclosed information and whether it was paper based or electronic. As organizations work toward tracking disclosures electronically, they must interface disparate systems components to capture and track the required details of the disclosures (i.e., who, where, and what). The accounting should be available for review by the patient when it is requested.

Guidelines for Authorship and Printing of the Health Record

As the healthcare organization transitions from the paper-based record to the EHR, authorship and printing policies must be put in place. Identifying individuals who have rights for authorship will ensure the integrity of the health record. Printing policies need to be identified to ensure users are reviewing the most up-to-date information in the EHR. The following guidelines should be considered when developing the authorship and printing policies:

  • The organization must have a multidisciplinary steering committee to develop and express the vision, strategic plan, and policies and procedures for the hybrid environment.
  • With regard to policy issues about authorship, the HIM committee should:
    • Designate which individuals are authorized to make entries (author) in the hybrid record across all predesignated legal media
    • Identify documents and authors requiring cosignatures across all media such as medical students, residents, physician assistants, and nurse practitioners
    • Identify who is authorized to make changes when someone has discovered a nonclinical error such as wrong title of template, wrong patient, or wrong attending assigned
    • Establish the appropriate cosignature (e.g., name, credentials, date/time stamp)
    • Determine the method to capture patient-originated data, as approved
    • Establish guidelines about automated tools such as copy and paste, copy forward, and “blown-in” data elements
    • Identify and help the organization procure and implement software that supports the organization’s authorship guidelines, including date/time stamp of entries and modifications
  • The HIM department and the HIM committee should address policy issues regarding printing, including:
    • Designating the electronic components of the legal health record for which printing will occur and requiring authorized users to access clinical information in the EHR rather than keeping paper copies. (Refer to AHIMA’s practice brief Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes.) Organizational policy must address and regulate the keeping of and referring to shadow records.
    • Identifying the date when an electronic report will no longer be routinely printed and available only through the EHR (See appendix A, “Legal Source Legend.”) For example:
      • Transcribed reports (discharge summaries, operative notes)
      • Diagnostic reports (laboratory, radiology, cardiology, pathology)
    • Developing methods to ensure all components of the hybrid medical record are compiled when providing a copy of the medical record
    • Developing methods to ensure STAT printing queues for customer service and patient transfers between facilities
    • Overriding print queues to meet turnaround time requirements or customer needs
    • Mass printing requests (RAC, PERM, MIC, ZPICs, etc.) queued to meet system efficiency and response time
    • Developing an online data pushed to patients or legal guardians via direct EHR access or PHR access or CDs
    • Ensuring that CDs and other electronic media copies contain the correct patient information, are labeled correctly, and are formatted for easy access
    • Ensuring that procedures exist for producing paper or electronic copies of the EHR for external reviewers, including RAC, MIC, PERM, or ZPIC in a format that optimizes:
      • Review of documentation by a reviewer not familiar with your organization’s medical record
      • Presentation of key information first, such as discharge summary, history and physical examination, coding summary, etc.;
      • Ensuring attestation or coding summary is included and is one of the initial documents in the printout or CD;
      • All documents being accounted for in the copies;
      • All like documents being formatted in either reverse chronological or chronological order so that the medical record tells the story of the care provided
      • The medical record being complete, including all reports dictated and signed.
    • Identifying the date(s) on which the following will be or is eliminated:
      • Routine printing of reports by ancillary departments and nursing units
      • Concurrent filing of in-house reports into facility patient records
      • Discharge report filing
    • Availability or nonavailability of online transcribed reports before verification and attestation (please refer to AHIMA’s practice brief on Electronic Signature, Attestation, and Authorship)
    • Determining the method to be used to indicate any online changes to a signed EHR document to ensure clear visibility of any changes for users
    • Identifying those few roles allowed to print from the EHR and how this will be tracked for accounting of disclosure
    • Determining a formal process for review and approval of all new requests for access and printing for accounting of disclosure
    • Designating where copies of an EHR may be printed in the organization and methods to be used for copy disposal
    • Labeling reports printed by authorized users to include a prominent watermark or label with the following information:
      • “Confidential medical information”

        Instructions for use such as:
        --“Do not file or scan in patient’s medical record”
        --“Document any clinically pertinent information in the medical record” 
        --“Do not remove report from facility”  
        --“Discard report in designated disposal area”

      • For all unauthenticated reports, indication that the report has not been reviewed for accuracy or authenticated
    • When information is no longer printed, users are notified by one of the following methods:
      • Medical record folder or tabs in paper-based record alert users that additional medical information is in the EHR with similar cross-references in the EHR, where feasible.
      • The EHR has an online reference listing of all available reports and dates of availability (see appendix A, ”Legal Source Legend”).
      • When remote access to the EHR is allowed, a determination should be made if the ability to print information from the EHR will be allowed.
      • Auditing of printing through the development of audit trails and associated processes to identify and monitor users who have printed reports or screen-printed patient information
    • Disclosure of information, subpoenas and audits
      • Requests for disclosure of information, subpoenas, and audits requiring printing from all designated sources of the legal health record that may be in a hybrid environment, in addition to photocopying the paper medical record or downloading onto disks or CDs
      • In a hybrid environment, it may be difficult and confusing to tell the story of the patient’s care when it resides in both paper and electronic media. When releasing information, consideration should be given to printing out the electronic record and combining the electronic record and paper record into a closed chart order before releasing so that the continuity of care can be reflected. Recommend documenting on a cover sheet that pages that are copied from paper may not be in numerical order as printed from the EHR so that the component of the patient’s stay that is documented on paper can be integrated into the printout of the electronic record, eliminating confusion. The story of the patient’s care is integral to all users of the record being released.
      • For on-site audits and regulatory reviews requiring printing reports or allowing auditors to have online access to EHRs, development of viewing stations for on-site requesters and staff training to support them is needed.
      • When possible, create a review queue for auditors who are reviewing the record; the records available in the queue are only the ones requested for the audit. The auditor does not have the ability to search the system.


Managing the transition from paper-based records to EHRs is a complex process intensified by the multitude of systems, functionality, and rapid technology advances. No single standard approach exists for solving the transitional process concerns, and each healthcare organization must determine the steps and policies that are needed as they evolve into using a fully functioning EHR. Many healthcare organizations have some degree of hybridization that coincides with the implementation plan. There are many decisions to consider when determining steps and guidelines for managing the transition process from paper to hybrid records and hybrid to electronic records. To ensure accurate and timely business records, healthcare organizations need to define the legal health record and ensure that the quality and integrity of the health record remains intact during the transition process.


  1. AHIMA e-HIM Work Group on the Legal Health Record. “Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes.” Journal of AHIMA 76, no. 8 (Sept.2005): 64A–G. Available in the AHIMA Body of Knowledge at
  2. National Institute of Standards and Technology. “Standards for Security Categorization of Federal Information and Information Systems.” FIPS Pub 199. February 2004. Available online at
  3. Ibid.
  4. Ibid.


AHIMA. “e-HIM Practice Transformation (Updated).” Journal of AHIMA 81, no. 8 (Aug. 2010): 52–55. Available online in the AHIMA Body of Knowledge at

AHIMA e-HIM Workgroup: Best Practices for Electronic Signature and Attestation. “Electronic Signature, Attestation, and Authorship (Updated).” Journal of AHIMA 80, no. 11 (Nov.–Dec2009): 62–69. Available online in the AHIMA Body of Knowledge at

AHIMA e-HIM Work Group on the Legal Health Record. “Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes.” Journal of AHIMA 76, no. 8 (Sept. 2005): 64A–G. Available online in the AHIMA Body of Knowledge at

Amatayakul, Margret, et al. “Definition of the Health Record for Legal Purposes (AHIMA Practice Brief).” Journal of AHIMA 72, no. 9 (Sept. 2001): 88A–H. Available online in the AHIMA Body of Knowledge at

Burrington-Brown, Jill, and Gwen Hughes. “AHIMA Practice Brief: Provider-Patient E-mail Security.” Updated June 2003. Available online in the AHIMA Body of Knowledge at

Department of Health and Human Services. “Breach Notification for Unsecured Protected Health Information; Interim Final Rule.” Federal Register 74, no. 162 (Aug. 24, 2009). Available online at

Department of Health and Human Services. “Health Insurance Reform: Security Standards, Final Rule.” 45 CFR, subtitle A, subchapter C, parts 160 and 164, Federal Register 68, no. 34 (Feb. 20, 2003). Available online at

Department of Health and Human Services. “Standards for Privacy of Individually Identifiable Health Information; Final Rule.” 45 CFR, subtitle A, subchapter C, parts 160 and 162. Federal Register 67, no. 157 (Aug. 14, 2002). Available online at

Department of the Treasury, et al. “Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003.” Federal Register, 72, no. 217 (Nov. 9, 2007). Available online at

Federal Rules of Civil Procedure—Rule 26. Available online at

Federal Rules of Evidence, article VIII, rule 803. Available online at

Hughes, Gwen. “Defining the Designated Record Set (AHIMA Practice Brief).” Journal of AHIMA 74, no. 1 (2003): 64A–D. Available online in the AHIMA Body of Knowledge at

National Institute of Standards and Technology. “Guideline for Identifying an Information System as a National Security System.” Special Publication 800-59. August 2003. Available online at

The Joint Commission. Standard Record of Care, Treatment and Services (RC),. Available online at

The Privacy Act of 1974. Section 5 U.S.C. §552a. Available online at

Public Health Service, Department of Health and Human Services. “Confidentiality of Alcohol and Drug Abuse Patient Records.” Code of Federal Regulations, 2000. 42 CFR, chapter 1, part 2. Available online at

Prepared by

This practice brief was updated by the following AHIMA e-HIM workgroup:

Cris Berry, RHIA
Susan Dolack, MHIM, RHIA
Denise Dunyak
Darice M. Grzybowski, MA, RHIA, FAHIMA
Karl Koob, MS, RHIA
Cindy Loragner
Cindy Rupe
Diana Warner, MS, RHIA, CHPS


Roberta Baranda, RHIA, CHP
Donna Barnard, RHIA
June Bronnert, RHIA, CCS, CCS-P
Jill Clark, RHIA
Karen Czirr, RHIA, CHP
Emily Macko, RHIA
Nicole Miller, RHIA
Edith Okenquist, RHIT, CCS, CCS-P
Catherine Ptak, MS, RHIA
Melinda Teel, RHIA, CCS
Lou Ann Wiedemann, MS, RHIA, CPEHR
Henryetta Wynne, RHIT

Prepared by (original)

This practice brief was developed by the following AHIMA e-HIM workgroup:

Cris Berry, RHIA 
Jill Burrington-Brown, MS, RHIA  
Cindy Doyon, RHIA 
Linda Frank, MBA, RHIA  
Aviva Halpert, RHIA  
Susan Helbig, MA, RHIA  
Gwen Hughes, RHIA, CHP  
Julie King, RHIA  
Karl Koob, MS, RHIA  
Carole Okamoto, MBA, RHIA, CPHQ  
Tracy Peabody, RHIA  
Carol Ann Quinsey, RHIA (staff)  
Mary Reeves, RHIA  
Clarice Smith, RHIA  
Melanie Thomas, RHIT  
Lydia Washington, MS, RHIA 
Ann Zeisset, RHIT, CCS, CCS-P (staff)  
Lin Zhang, RHIA, CHP

Article citation:
AHIMA. "Managing the Transition from Paper to EHRs." (Updated November 2010).