EHR Adoption in LTC and the HIM Value. Appendix C: The HIM Professional as Privacy Officer in LTC

In the early 1900s the American College of Surgeons' Hospital Standardization Program provided guidance on how to organize data in medical records for research. Currently many disciplines use medical records for a variety of purposes. Since the early days, HIM professionals have guarded the integrity of the medical record through ethical and administrative guidelines.

The federal government built on these health information standards when it recognized the need to further improve the efficiency and effectiveness of healthcare systems by standardizing the electronic exchange of administrative and financial data. These changes are incorporated in HIPAA, the first comprehensive federal health privacy protection legislation. When combined with stricter state privacy protections, access to the medical record is surrounded by lengthy and complicated rules intended to safeguard medical information and protect the privacy of the individual. Employers looking for a privacy officer are looking for an individual familiar with applying HIPAA privacy regulations and health information standards of practice.

LTC organizations are covered entities under HIPAA and the expansion of HIPAA under the HITECH Act. The privacy rule portion of the HIPAA regulation mandates all covered entities appoint a privacy officer to enforce HIPAA compliance by the organization's officers and employees.

Many of HIPAA's privacy protection provisions evolved from medical record department practices. For this reason, HIM personnel are called upon to provide education and training in adopting HIPAA rules into organizational practices. HIM has been a source of information and ideas on the best way to protect health information. Many facilities already assign HIPAA enforcement to members of the HIM department.

Like the compliance officer, the organization's workforce must be trained and motivated to carry out the mandates of complicated federal and state regulations. The privacy officer in an LTC environment recognizes that regulations that apply to hospitals may be modified for their HIM department.

If a state has stricter guidelines than the federal regulations, the stricter guidelines must be followed. For example, federal provisions in HIPAA outline how to access records, but these regulations may be modified by stricter state legislation allowing complete access to information in a shorter period of time. Federal and state regulations must be combined to provide the most protection for personal health information.

The privacy officer will be called upon to assist facilities in assessing current and future legislative changes in code sets, computer technology, and privacy practices as the government transitions the healthcare community to EHRs. President George W. Bush called for every individual in the United States to have an EHR by 2014. This includes the ability to collect quality data and protect that data as it follows the person through the healthcare continuum. The HIM professional is familiar with current regulations and is a good resource to help evaluate and plan for changes. The facility must enforce these changes because failure to understand and develop a plan to implement current and future regulations places an organization at risk for increased penalties in terms of dollars and damage to its reputation.

The required content of the medical record has not changed because its storage medium has changed. The medical record standards that organized and protected the integrity of the medical record over the years are now under scrutiny from many auditing branches of the state and federal government.

As the migration to the EHR progresses, the federal government is intensifying mandates for privacy protection. The recently passed federal HITECH Act, part of the American Recovery and Reinvestment Act, includes provisions to fund health IT and protect data to allow the public to feel more comfortable using EHRs and have their information follow them through the care continuum using information exchanges. HIM professionals understand the current health information environment. If the public is not confident that their sensitive information is protected, the e-HIM transformation faces a large obstacle.

Using health information training and methodology, the privacy officer is in a position to safeguard protected health information and smooth the transition to EHRs. The HIM credential is evidence of a working knowledge of health information practices. Although specialized certification is available many employers value the specialized skills inherent in the HIM credential.