EHRs as the Business and Legal Records of Healthcare Organizations. Appendix A: Issues in Electronic Health Record Management (2010 update)

As the need to print and assemble paper-based records diminishes, HIM management must transfer or retrain staff to work in other operational areas (e.g., assembly clerks might be trained to perform document preparation or scanning if imaging has been deployed).

When the EHR is printed, a standardized chart order must be developed based on the user's needs (e.g., different EHR views may necessitate different assembly order for lawyers and patients).

If scanning documents continues to be part of the EHR, the processing of the documents before scanning, indexing, display, storing, and destruction will be an essential function.

Format and access should be defined according to the information system chosen and the user's need for protected health information (PHI) relative to his or her job for both display and print capabilities.

When the EHR must be printed, a standardized chart order based on the user's needs must be developed (e.g., different EHR views may necessitate different assembly order for lawyers and patients).

Develop print groups of the record that are printed out when a paper medical record is needed.

Forms inventory is critical, as is forms design, for efficient capture of information.

Develop policies for disclosure tracking and auditing capabilities.

Determine whether ROI will remain centralized in HIM or be decentralized.

Ensure that the organization has carefully planned EHR content and access before moving coding or transcription functions off-site (e.g., will coders require online access to clinical documentation, such as doctors' progress notes?).

Forms inventory and design become even more critical at this phase because efficient processing (scanning, indexing, and online review) is predicated on effective forms management.

Define when the record is complete for coding purposes (e.g., which reports will be available to coders and in which format-paper or electronic).

Conduct a workflow analysis determining current manual and paper processes that will be electronic. Look for duplication, redundancies, and inefficiencies associated with the current manual process. Streamline current processes preparing for the transition (reduce duplication of efforts, redundancy of entering data, and other related inefficiencies).

Consider electronic rules and alerts on ROI requirements to allow for expanded delegation of ROI operational capabilities and responsibilities.

Develop policies for disclosure tracking and auditing capabilities.

Determine whether the ROI will remain centralized in HIM or be decentralized.

Ensure the organization possesses appropriate access to EHR content before moving coding or transcription functions off-site.

Define when the record is complete for coding purposes (e.g., must specific reports be available to coders before coding?).

Forms management and control are essential so that manual processing is avoided and the EHR can be upheld legally without disruption of unofficial forms.

Each record is reviewed for presence or absence of reports requiring necessary signatures.

With use of an automated deficiency system, deficiencies are entered manually into the system for tracking and notification that completion is necessary.

Review and consider e-signature processing capabilities, limitations, and opportunities for electronic portions of the EHR.*

Determine if the vendor can automate deficiency analysis.

Establish business rules for viewing the EHR on the basis of an individual's role and the completion status of a document (e.g., should ROI staff see only complete electronic records?).

Ensure EHR system capabilities to monitor and track record or document completion (e.g., notifications to individual clinicians, aggregated management screens, and reports for HIM).

Written procedures outline deficiencies to look for when reviewing the different record types (e.g., inpatient, emergency room).

Review and consider e-signature processing capabilities, limitations, and opportunities for electronic portions of the EHR.*

Determine if the vendor can automate deficiency analysis.

Establish business rules for viewing the EHR on the basis of an individual's role and the completion status of a document (e.g., should ROI staff see only complete electronic records?).

Ensure EHR system capabilities to monitor and track record or document completion (e.g., notifications to individual clinicians, aggregated management screens, and reports for HIM).

Policy defines where and how records are stored. Retention schedule is included in the policy.

Policy outlines handling and storage of incomplete records, as well as when the record is considered complete for permanent filing.

• Functions and tasks
• Hours of operation
• After-hours access and backup
• Staffing needs
• Record control
• Filing and indexing
• Retention, purging, archiving

Determine whether any of the paper record will be converted to electronic format or whether paper records will be phased out over time as a result of retention and purging policies.

Establish policies and procedures to outline the management of remaining paper records to include loose sheets and any outside records.

Policy also defines when both paper and electronic portions of a hybrid record are considered complete (e.g., no additional processing is required, all reports are complete).

Complete records are locked and avail- able as read only. Any subsequent additions, changes, or deletions are handled as addenda to the record.

Policies and procedures must define which documents are to be signed electronically and which are to be signed manually, as well as how to handle the existence of both electronic and manual signatures on the same or different versions of the document.

Policy must indicate at what point electronic documents are locked and available as read only. Any subsequent additions, changes, or deletions are handled as addenda to the record. Software must have the ability to insert a record document in such a way that the entire record is retrievable, regardless of the discontinuity of episodes of care or late additions of documentation to a single episode of care.

Depending on the capabilities of the abstracting software or other information system, reports may be available from these data electronically. If no electronic reporting capability exists, reports may be prepared by using data from printed reports produced by the system.

There also may be predefined (e.g., standard or boilerplate) reports available that are part of the electronic portion of the medical record.

Flexibility in report functionality (such as graphing) is a major asset.

Predefined (or standard) reports can be developed for routine reporting.

HIM departments long have had to determine whether to retain older versions of documents in the complete medical record. (The laboratory, for example, often has multiple versions of test results from the initial preliminary result until the final result is available.)

In hybrid and fully electronic health records, it is important to have a flag or other signal indicating that previous versions of the document exist. System documentation should include a clear indication of when each version was viewable by caregivers for use in making clinical decisions. Another version control scenario to consider carefully is when amendments are made to documents through the organizationally approved process.

Every organization should determine the capacity of their medical records in each state of being (paper, hybrid, or fully electronic) to allow appropriate viewing of earlier versions of documents and develop policy that reflects the capability of the individual EHR. At the very least, caregivers should be made aware that earlier versions of documents exist, and they must be able to access them if needed.

Policy and procedure also are needed detailing how disclosures of documents with multiple versions are to be handled. This is not a new issue with EHRM and should be considered carefully and redefined during the migration from paper through a hybrid state and into a fully electronic record. Are all versions released or only the final version? Each organization must specify what will be released when copies of the record are requested. It may be acceptable to release only the final versions of documents if there have been no changes between versions except the addition of signatures or minor editorial changes. However, if clinical information that may have been critical to caregiver decision making has changed, it may be appropriate to release previous versions of documents in addition to the final version.

Another consideration is the HIPAA requirement to notify all parties who may have been sent copies of health records to be notified when there is a change. A procedure for accomplishing this notification must be integrated into organizational policies and procedures to ensure compliance.

The focus on timely reconciliation processes has accelerated with the advent of the EHR. Processing must move from five days a week to seven days a week throughout the year. As the reliance on the EHR increases, processes such as ensuring that data move across interfaces for timely posting in the record and elimination of duplicate medical record numbers become critical for effective care decisions.

HIM professionals are skilled at creating and managing processes that ensure attention to detail and have a broad understanding of the flow of information across the care continuum. Orientation to detail and a broad understanding of the effect of timely, quality information are necessary traits for successful implementation and maintenance of the EHR. HIM professionals also understand how to balance and prioritize the criticality of clinical information and business system needs.

Verify correct patient type registered (e.g., inpatient, short stay, observation status) to ensure accurate billing.

Verify correct registration of multiple visits in one day according to APC regulations.

Research and correct documents that fail to cross an interface between disparate computer systems (e.g., stand-alone transcription system to an EHR).

Ensure that documents are posted to the correct encounter and are in the correct location.

Verify that content remains constant when moved from one system or database to another.

The extent of reconciliation increases with the number of disparate computer systems.

Ensure match to all computer systems (e.g., laboratory, radiology, pharmacy, and billing).

Correct other or duplicate names in system (e.g., legal guardian names) through verification of secondary matched data elements.

Periodically validate that fax numbers work and that remote fax machines are located in secure locations.

Track legal EHR variations from the policy on individual records for all downtimes, as well as historically for lengthy downtimes.

Living Wills and Durable Powers of Attorney for Healthcare Decision Making

E-mail has become a record-generating and communication system vital to the business processes within healthcare organizations. It has replaced most healthcare organizations’ traditional analog communication processes, and it is being used increasingly for a number of nontraditional e-mail activities, such as sending secured, digital reference laboratory results and attaching secured, digital discharge summaries to the physician’s office. Therefore, it is essential to manage e-mail with the same thought and attention that have gone into managing other types of patient records.

E-mail is another type of business record and is subject to the same course of evidentiary discovery as any other healthcare organizational business record, such as the patient medical record, patient financial record, or employee record. In addition, e-mail messages have a life cycle just like any other record. E-mail messages are created, indexed, searched, retrieved, routed, stored, and purged. More importantly, e-mail is now one of healthcare organizations’ largest and most vital information assets. Therefore, like any other business records, e-mail records and the information contained in the e-mail require EHRM.

The first step in e-mail management should be to retain e-mails within an overall electronic document management strategy. For example, most often, the information contained in e-mails is interconnected (e.g., regarding Mary Smith’s diagnosis, the privacy official’s recent meeting minutes, etc.). To ensure that all the e-mails relating to Mary Smith or the organization’s privacy meetings can be located, it makes sense that the strategy includes identifying the existing enterprise-wide repositories that securely store e-mail records and attachments that merit evidentiary handling.

Next, to reduce the legal risks of e-mail records, healthcare organizations should develop or acquire an e-mail management system. This system should include a centralized archive. In addition, the system must be easy to use, providing intuitive methods for identifying e-mail classification (such as patients) and retention rules. The system also must provide fast and efficient access to the archive, including tried-and-true search capabilities. Finally, the system must work with today’s popular e-mail systems, such as Microsoft Exchange, and be seamlessly integrated into the EHR.

For example, the system should enforce e-mail archiving policies. When an individual closes an e-mail and is ready to discard or save it, a prompt should appears with a yes or no choice asking if the user would like to make this a part of any of the healthcare organization’s business records, such as the classification of patient medical records. If the healthcare organization declares ahead of time that the e-mail must always be retained to comply with a regulatory, legal, or business need, such as an e-mail correspondence between a provider and a patient, then this opt-in or opt-out e-mail capture function can be eliminated. In addition, this function can be managed in the background by using Web technology so that, for example, each new patient added to the master patient index triggers a domain name with all inbound and outbound mail captured for “patientname.com.”

Retention rules should be triggered automatically by actions, which include automatically deleting or encrypting a “patient class” of e-mail after a defined number of days, months, or years so it cannot be accessed. (Note: Never archive encrypted e-mail records for fear of losing the algorithms or keys.) This process can include issuing an e-mail notification to all authorized users when, for example, e-mail records one through 100 for “patientname.com” are approaching the organization’s retention mark or issuing an e-mail notification when user mailboxes contain more than, for example, 100 MB of messages.

Despite good intentions, such systems quickly become overwhelmed by metadata and attachments. In terms of a storage crisis, attachments present a significant risk. Perhaps a problem of greater importance is the proliferation of e-mail copies (i.e., carbon copies and blind copies). Copies produce a negative effect on healthcare organizations’ abilities to discard all e-mail record copies at the end of retention periods. Therefore, creating the appropriate rules, policies, and processes must precede system deployment.

Like other business records, e-mail records present a huge opportunity to reduce the risks of enormous legal costs in evidentiary proceedings. On the other hand, their anticipated explosive growth and growing significance in the legal process present formidable challenges. The opportunity for HIM professionals to manage the organization’s patient e-mail records just like other records will allow HIM professionals to oversee the aspects of many enterprise-wide information repositories and focus on both the digital and analog patient record repositories inside and outside their existing domains.

E-mail messages containing PHI are encrypted in transit and at rest.

Analog telephone messages or notes may be documented as progress notes or orders that are later appropriately verified by the physician.

Complete documentation of patient and provider identification, date, and time of the actual conversation or message, as well as the date and time of the entry into the EHR.

Diagnostic images, cine film, and CDs are reviewed by healthcare providers and may be returned to the originators after copies are made if they are deemed necessary. If copies are made, they should be filed in an easily identifiable and accessible storage repository, such as in an analog film library or in CD jackets that can be attached to the paper chart.

Depending on the status of the EHR, digital diagnostic images and cine film, including those stored on CDs, may become part of the EHR. Analog diagnostic images, cine film, and CDs may be stored in the appropriate storage repository of the appropriate facility department.

Digital diagnostic images and cine film, including those stored on CDs, become part of the EHR.

Free text is one type of unstructured data found in EHRs. Free-text data are narrative. The data are generated by word- or text-processing systems, and their fields are not predefined, limited, discrete, or structured. Instead, their fields are unlimited and unstructured. When a healthcare professional needs to search unstructured free text, it is not a simple task for the information system’s search engine to find, retrieve, and allow the user to manipulate one or more of the data fields or elements embedded in the text. Typically, EHR free text is found in healthcare information systems’ comments fields and in the documents generated by healthcare transcription systems.

Many EHR users like to generate free text by typing unstructured, narrative information into EHR comment or related fields and documents instead of pointing and clicking structured data into EHRs because they are used to typing information into e-mail messages and other electronic documents to express their findings and recommendations (similar to the way they handwrite findings and recommendations into analog [e.g., paper] documents). When users are required to point and click pieces of information or phrases into electronic fields and documents in EHR systems, they often complain that the point-and-click data input method takes more time than typing, that the composed sentences based on pointing and clicking appear rudimentary, or that the structured data elements for pointing and clicking cannot be located easily on the screens.

Some EHR users like to generate unstructured free text by dictating narrative information into digital-dictation or speech-recognition systems. Once the information is transcribed by word-processing systems or translated to text by speech-recognition systems, familiar easy-to-read and easy-to-understand documents are presented to the user. Such documents include but are not limited to radiology and pathology result reports, operative reports, and clinical notes and evaluations. (Note: Speech-recognition system engines take the unstructured, free text–based voice data and codify the data, often with the help of templates. Hence, the format of the output text data from these systems becomes structured, with predefined and limited fields.)

Free text is important in the management of EHRs.

1. Because free text is unstructured and not easy for electronic search, retrieval, and manipulation functions, many information systems of structured data (e.g., healthcare information systems, clinical information systems) do not allow for free-text data entry or carefully limit such options on their screens.
2. To speed up the documentation process and avoid duplication of effort, many EHR users copy and paste free-text data into their SOAP notes, progress notes, and narrative reports. Just as with paper-based records, EHR users must be held responsible for their record entries that are not complete, accurate, timely, and authenticated. Therefore, healthcare organizations should develop policies and procedures related to copying and pasting free-text documentation into EHR systems.

The copying and pasting action poses several risks, including but not limited to:

• Copying and pasting the note to the wrong encounter or the wrong patient
• Copying and pasting abnormal laboratory or X-ray results into notes without addressing the abnormalities in the note, which could be used as evidence of carelessness or negligence
• Lacking the identification of the original author and date

In addition, the action of copying and pasting free-text data into the EHR can lead to documentation excesses. Such excesses can be unnecessary duplication of information that not only lengthen the notes and reports but make the notes and reports more difficult for other caregivers to read. In addition, such excesses take up space in computer memory that is potentially limited and slow computer retrieval times.

3. Digital dictation, transcription (word-processing), and speech-recognition systems must be integrated carefully into EHR systems, the systems responsible for meeting all legal (local, state, federal) requirements in the areas of document authentication and retention. Therefore, standards, such as those recommended by Health Level Seven (HL7), version 2.3 and higher, must be deployed for document message transfer between these systems and the EHR. Key features include the electronic capture and integration of text reports into the EHR and the electronic scanning and correcting of each report for omissions and inaccuracies of patient and provider identification data. In addition, key EHRM tasks must include collecting appropriate signatures; allowing for the review and retrieval of the text reports; and archiving the text reports in a way that allows for economical, long-term storage and eventual destruction.

In the development of a recommendation, the fundamental requirements considered for representing multimedia objects in patient EHRs include that the objects stored in the patient records are uniquely identifiable persistent entities and that the objects contain patient study, study component, examination, equipment, unique identification, and other information (e.g., date, creator, body part) as attributes and metadata in addition to the objects themselves. The following items are recommended for future consideration and research support to address issues related to multimedia patient information:

1. Standards committee collaborations-As the standards continue to develop, it is recommended that the Digital Imaging and Communications in Medicine (DICOM) and HL7 standards developing organizations (and others as appropriate) work together to harmonize their standards for healthcare applications.
2. Time to incorporate industry standards-Consideration should be given to providing support for reducing the time between implementation of industry standards and incorporation into federal standards.
3. Long-term storage and retrieval of information-Consideration should be given to accounting for problems associated with the migration of information among media bases-problems that are partly due to rapidly changing information technologies.
4. Unique identifiers-Assignment of unique identifiers should be supported in the Integrating the Healthcare Enterprise initiative to provide harmony with DICOM, HL7, and other standards.
5. Computer system firewalls-For biomedical information exchange between agencies, issues of computer system security and firewalls are often a larger hindrance to effortless communication than are the use of different data standards within agencies. Additional research is needed to develop secure data systems that remain open to exchange of large data sets from the outside.

HIPAA privacy and security standards support the idea of providing access by determining the needs of groups of users. Facilities must identify such groups and then determine to what information the group needs access and under what circumstances, which includes determining the subsets of the information an individual is authorized to access and the functions the individual will be able to perform using the information.

For example, one group could be identified as “physician of record.” This group would include any physician who had been listed as the primary, admitting, attending, dictating, consulting, or ordering physician in the EHR system. This group would be allowed to view all information included in the record of the patient, but they might not be allowed to fax or print the information. On the other hand, an ROI group would be allowed access to all patient information for viewing, printing, and faxing.

Authorization for access to information also can be granted on the basis of other criteria besides membership in a group. Items such as terminal address, day of week, or time of day can be considered. For example, if a department operates from 8 a.m. to 5 p.m., the system could be set up so that no terminals in the department would be able to access patient information outside those hours.

Access should be terminated automatically after a certain period of inactivity. Groups also can set the length of system inactivity. The access for nurses on a nursing unit could time out after 10 minutes of inactivity; access for coders should be set for a longer time, since coders often must review numerous documents before determining a code.

Sophisticated EHR systems can limit access according to document type or field in the patient record.

Access to information for emergency situations should be considered during the process of defining access, sometimes referred to as “break-the-glass” access. Clinicians requiring access to PHI during an emergency should be allowed easy access to it. However, every incidence of such access should be monitored carefully by using audit trails within a reasonable time after the access.

When authorization is granted, the individual must be made known to the system. The term for this is “authentication” and can be accomplished by using a “what you know, who you are, or what you have” model.

Giving the individual a user name and password generally addresses “what you know.” The user name is kept in a file that identifies the information that the individual can access and the functions that the individual can perform. This model is termed “single-factor identification,” since it requires only that the user know both the password and user name.

“Who you are” refers to some form of biometric identification including fingerprints, retinal scans, and voice recognition. These more sophisticated forms of authentication require additional devices be connected to each access device (e.g., PC, laptop, PDA) to record the imprint.

“What you have” relates to a smart card or other item the user carries that can be used to identify the user.

At least two of the above factors should be joined to produce strong authentication to clinical systems. Users generally are accustomed to a two-factor model, since most bank cards require the purchaser to have a card and use a personal identification number or password to complete a transaction.

Organizations will have to find ways to accommodate providers by using multiple systems that require the use of unique passwords for each system. The concept of single sign-on, which allows a provider to be authenticated to use the EHR one time, rather than having to log in to every application he or she is authorized to access, is very much a topic of discussion but is not a reality in most organizations today.

Do not alter the original record in any way.

Print the word “error” at the top of the entry, sign with name, discipline, date, and time.

Indicate the reason for the correction (e.g., incorrect patient).

Note the change or addition in proper chronological order.

The type of correction should be noted (error, delete, etc.) at the top of the entry, signed with name, discipline, date, and time.

Maintain the original incorrect entry or document and add the corrected entry or companion document to it.

Addenda should be timely and bear the current date and reason for the additional information being added to the health record.

The type of correction should be noted (addendum) at the top of the entry, signed with name, discipline, date, and time.

A destruction log must be maintained to identify the destroyed records. At minimum, the destruction log must capture the information listed below:

1. Date of destruction
2. Name(s) of the individuals responsible for destroying the records
3. Witness (name(s) of the person witnessing the destruction)
4. Method of destruction
5. Patient information including full name, medical record number, date of admission, date of discharge

If the records are destroyed by a third-party destruction company, a certificate of destruction should be obtained attesting to destruction of the records. The destruction log must be maintained permanently.

Workstations, laptops, and servers use hard drives to store a wide variety of information. Patient health information may be stored on a number of areas on a computer hard drive. Simply deleting these files or folders containing this information does not necessarily erase the data.

1. To ensure that any patient’s health information has been removed, utility software that overwrites the entire disk drive must be used, which could be accomplished by overwriting the data with a series of characters. Total data destruction does not occur until the backup tapes have been overwritten. Magnetic neutralization will leave the domain in random patterns with no preference to orientation, rendering previous data unrecoverable.
2. If the computer is being redeployed internally or disposed of owing to obsolescence, the aforementioned utility must be run against the computer's hard drive, after which the hard drive may be reformatted and a standard software image loaded on the reformatted drive.
3. If the computer is being disposed of owing to damage and it is not possible to run the utility to overwrite the data, then the hard drive must be removed from the computer and physically destroyed. Alternatively, the drive can be erased by use of a magnetic bulk eraser. This requirement applies to PC workstations, laptops, and servers.

Federal guidelines for data disposal and sanitization can be found in the National Institute of Standards and Technology’s Special Publication 800–88, Guidelines for Media Sanitization, at http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf.

CDs containing patient health information must be shredded or pulverized before disposal. If a service is used for disposal, the vendor should provide a certificate indicating the following:

1. Computers and media that were decommissioned have been disposed of in accordance with environmental regulations, since computers and media may contain hazardous materials.
2. Data stored on the decommissioned computer or media were destroyed according to the previously stated method(s) before disposal.

Methods of destruction and disposal should be reassessed periodically on the basis of current technology, accepted practices, and the availability of timely and cost-effective destruction and disposal services.

At about the same time, private organizations such as healthcare organizations began to deploy intranets to address internal business needs within secure environments. The intranets became analogous to internal, private “Internets” by restricting access to authorized users. Soon, portals were recognized as a way to provide easy access to private organizations’ internal information, offering a central aggregation point or gateway to the data via a Web browser. And the portals became analogous to internal, private “Webs” by restricting access to authorized users. Portals quickly evolved into an effective medium for providing secure access to an organization’s applications and systems used by diverse, disconnected participants in various locations.

Like the predecessor clinical workstations in healthcare organizations, clinical and clinician portals began as a way for clinicians to access easily via a Web browser an organization’s multiple sources of structured and unstructured data from any network-addressable device and develop loyalty to the healthcare organization. They quickly evolved into an effective medium for providing access to multiple applications, both internal and external.

Therefore, clinical and clinician portals became “private Webs,” restricting user access to the data and applications contained within the portal. This capability was crucial to protect the integrity of decisions made by healthcare providers and to ensure confidentiality of patient information.

More important, the portals began to provide more functionality. For example, they included customization capabilities and simplified automated methods of creating taxonomies or categories of data. Similar to how consumer portals such as Yahoo organize files and data into such categories as food, fashion, and travel, clinical and clinician portals might classify files and data according to test results, dictations, and patients.

In addition, portals grew to offer other enabling technologies, such as single sign-on, personalization, document and Web content management, proactive delivery of data, and metadata management. Therefore, in healthcare organizations with EHR implementations, the portals allowed physicians to access the EHR easily.

Quickly, it became clear that clinical and clinician portals could provide a way of addressing some of the cost issues of implementing EHR capabilities across the enterprise, including which EHR information and transactions could benefit patients. Consequently, savvy chief information officers and marketing executives determined that extending the reach of the portal to the patient could enhance the healthcare organization’s image and relationship with its customers, as well as develop community loyalty.

Soon portals developed into an efficient way to organize all the information (structured, such as relational data, and unstructured, such as e-mail, Web pages, and text documents) that clinicians and patients needed to access routinely. Consequently, today, clinician and patient Web portals are viewed as the single point of personalized access (i.e., an entryway) through which to find, organize, and deliver all the content contained in the EHR.