Managing Nontext Media in Healthcare Practices - Retired

The most common type of media used in healthcare practices in the past several decades has been text. Text is comprised of printed words, letters, and numbers translated into information used for diagnosis and treatment.

Today's healthcare practices have adopted more sophisticated medical equipment that captures data in various nontext formats (see sidebar below). This results in information that is processed and viewed using different types of media.

The type of nontext data ranges from photo images to more complex files where data must be processed by an application before they can be viewed or used.

Managing nontext data creates unique challenges. For example, data stored in equipment can be retained only by keeping the equipment. This complicates storage and retrieval practices.

Familiar issues surrounding the management of electronic health information such as version control, retention and destruction, and access and release of information also must be managed. Legal regulations present further complexities because state and federal retention laws do not directly address the various types of nontext media, so defining the legal health record can be daunting.

This practice brief defines a variety of nontext data types found in healthcare practices today and outlines the operational challenges of managing this data. It also discusses legal and regulatory considerations, including best management practices to achieve optimal compliance outcomes.

Legal and Regulatory Considerations

Managing and maintaining health information has never been a simple task. Nontext data identified and defined as part of the legal health record is considered health information and must meet the same legal and regulatory requirements.

Core HIM processes and applicable federal and state regulations must be applied to nontext data. As with text, legal considerations and decisions regarding nontext data can affect daily operational tasks and the success of the healthcare practice. Ambiguity in the legal realm regarding nontext media can result in unnecessary legal and regulatory risks.

Key core HIM functions that must be addressed to ensure compliance are discussed below.

Defining the Designated Record Set and Legal Health Record

Assimilating nontext information into an electronic health record (EHR) may be new to practices. Defining the designated record set and legal health record is crucial in determining what information will be maintained to support the practice's business and legal record.

Defining these record sets serves to support:

• Patient care
• Billing practices
• Legal purposes
• The practice's business and legal record

Under HIPAA, the designated record set allows individuals the right to inspect and obtain a copy, request amendments, set restrictions, and receive accounting of disclosures of medical and billing information. The practice must consider whether to include external nontext data brought into the practice for continuity of care as part of the designated record set.

Retention and Retrieval

Retention policies for long-term storage and maintenance of the legal health record vary by state. Nontext data defined as the legal health record must follow the same retention policy as the rest of the health record.

Healthcare organizations and providers should maintain records for a period of time sufficient to meet applicable state statutes of limitations and accreditation requirements, or they should follow Centers for Medicare and Medicaid Services guidelines. The records must be kept for whichever period of time is longer.

Records generated during the care of a minor should be kept until the patient reaches the age of majority plus the period of statute of limitations, as indicated by state law. Organizations should consult with legal counsel to determine appropriate internal retention policies.

Record retrieval requires that records are stored in a way that provides ease in accessibility and retrievability. Detailed and accurate indexing will facilitate the retrieval process. However, proprietary software used by some medical systems may preclude converting nontext media into a format accessible outside of the original application.

For example, many radiology systems are able to replicate imaging studies onto a CD containing a "viewer" program that allows the end user to open the image file. Without the viewing program embedded on the CD, the imaging study is inaccessible. Therefore, systems should be assessed to determine the capability of converting and retrieving nontext data over time.

Destruction

Destruction of patient health information must be carried out in accordance with federal and state law pursuant to a proper written retention schedule and destruction policy.¹ The appropriate destruction of patient health information is vital to the management and legal compliance of health records and must follow the practice's retention and destruction policy.

The retention time of nontext data is determined by its use and healthcare practice policy in accordance with law and regulation. Nontext data may be destroyed after the most recent encounter has met the retention time period.

The best method of destruction varies by media type. Destruction methods such as degaussing or pulverizing are usually the preferred methods for computerized data and laser discs, respectively. Regardless of method or media type, adequate steps must be taken to ensure protected health information (PHI) is indisputably destroyed with certainty.

Certificates of destruction must be issued and permanently maintained to document the details of destruction for nontext media as is done for text media. It is an important and necessary document, but it is not a "get out of jail free" card.² The certificate of destruction should include at a minimum the date of destruction, method used, what information was destroyed (including date range), and appropriate signatures (e.g., witnesses).

Release of Information

Requests for nontext data may pose a particular challenge for healthcare practices. Due to the nature of these file types, organizations need to clearly understand the specific type of information requested, such as interpretive reports versus the original nontext data file. Clear definitions of the designated record set and legal health record help minimize this challenge.

Depending on the media, the information may not be useful or in a readable format outside of the original device. For example, consider how Doppler flow images stored on a Doppler device may be replicated to allow the recipient to view the requested data without access to the device. This would be particularly important if the recipient needs to see .wav files or other "moving" file types instead of still images (such as blood flowing through a vessel using color Doppler).

Questions healthcare practices should answer for the effective management of nontext data maintained within medical devices include but are not limited to:

• Does the device store and reproduce the original data?
• Does it interface with other electronic systems to simplify data storage and retrieval?
• Does it have audit trail capabilities to maintain compliance with access and disclosure reporting requirements?
• Do organizational policies and procedures address storage of the hard-copy original results (e.g., ultrasound equipment that provides a printout of the image)?

E-Discovery

E-discovery refers to the electronically stored information owned by the organization that may be requested and expected to be produced in response to litigation. An e-discovery request is any legal document (including a subpoena) issued by legal counsel or a court to facilitate the collection, analysis, and preservation of electronically stored information.

The process surrounding the admissibility and authentication of electronically stored information is currently not consistent throughout the legal system. However, the organization must clearly define its designated record set and legal health record to ensure that nontext data maintained within the EHR can be accessed and produced pursuant to an e-discovery request.^† Electronically stored patient health information not part of the designated record set and legal health record or EHR may also be requested.

Understanding the Complex Challenges

As nontext data become more commonplace, the management of various complex systems is essential. Defining an EHR that incorporates the various types of nontext media can be challenging.

The format and standards (e.g., DICOM, CDA-R2) used to store the nontext media are different than Health Level Seven (HL7) standards, which are used for text. Healthcare practices are tasked with developing ways to appropriately retain, retrieve, and reproduce nontext media used in diagnosing and treating patients.

Systems management considerations for nontext data include reviewing the capabilities of each system to view, store, retrieve, and reproduce the various types of nontext data. Of particular concern is the possibility of technology and media obsolescence. As vendors enhance their existing systems or replace them with newer versions, historical nontext media files may not be compatible with the newer systems, creating retrieval and data transfer issues.

Equipment no longer in use for patient care must be maintained for the data stored within it. If the equipment malfunctions and is not repairable, nontext media can be lost. Therefore, considerations for alternative storage methods to keep the old equipment are important. For example, the old data can be copied onto new equipment or arrangements can be made with off-site vendors that have the capability to manage and maintain the older equipment and its data.

EHR products do not automatically accommodate all types of nontext data. Often healthcare practices need to purchase additional modules or components. These modules may act as management, archival, and viewer systems for nontext data.

In some cases, broader access to nontext data can be achieved using a standard workstation. Conversely, for some types of data to be viewed with full fidelity, designated workstations need to be used for viewing (e.g., high-resolution monitor and an advanced graphics card).

Disadvantages can include the number of modules needed; effort of implementation; and cost of licensing, hardware, software, upgrades, and maintenance fees. One module may not support all the nontext data (due to variability) maintained throughout the organization. For example, one module may be needed for voice data and a second module for photo data.

The variety and volume of nontext media associated with the diagnosis and treatment of a patient can be extensive. Defining the electronic legal health record can be difficult when considering accessibility and potential media obsolescence.

Presenting nontext media as evidence in a court of law to defend against a lawsuit can be difficult. A court may order data to be sequestered and may also question the completeness and authenticity of the nontext media.

Storage and retention requirements of the various media types can cause confusion and lead to misinterpretation. Furthermore, fulfilling e-discovery requests to both active and obsolete systems must be managed.

As health information exchanges become more prevalent, nontext data will continue to present distinct challenges. Proprietary file types often preclude the transmission of discrete data through a standard HL7 message. Rather, a "viewer" program is often needed, which results in producing and transporting the data using a CD or DVD. If recipients do not have the required viewer equipment or software, they will not be able to view the nontext data with the full intent of the sender or the full integrity of the data.

Transmission of nontext data can negatively affect the view capability, quality, fidelity, and/or integrity when enhancements, comparisons, correlations, and annotations are not received correctly.

Recommendations

Determining the appropriate processes for managing and maintaining nontext data will vary. There is no one right answer. Each individual practice is diverse in its size, complexity, organization type, and specialty.

Healthcare practices must establish policies and procedures for nontext media that establish clear criteria for retention and destruction, storage, access controls, and tracking of access and disclosures.^† At a minimum, the following must be considered for effective controls and management of nontext data to meet optimal compliance and success.

Defining the Designated Record Set

Each type of nontext data should be considered for inclusion or exclusion from the designated record set. In defining the designated record set, it is important to consider the following:

• Organizational designated record set and legal health record policies
• Need for the primary source nontext data for ongoing clinical decision support
• Subsequent system or data needs resulting from the nontext data
• Necessity of the nontext data as part of the legal health record for potential legal implications

If nontext data are included in the designated record set, decisions relating to retention, destruction, reproduction, and disclosure should mirror those applied to the designated record set. These decisions may differ if nontext data are excluded from the designated record set.

For instance, if nontext data are excluded, the practice can determine destruction timelines in accordance with state laws for business records, which may be a shorter time period than for the designated record set.

Appropriately Retain, Retrieve, and Reproduce

Nontext data must be treated as PHI containing individual identifiable health information. As such, it must follow the same state and federal retention requirements for PHI. Nontext data must be easily retrievable and reproducible in a timely fashion to meet individual requests as well as for business operations and compliance needs (e.g., outside audits, accreditation). Note: disaster recovery processes must also be included as part of the retention, retrieval, and reproduction policies.

Additional modules or components may need to be purchased and installed to successfully manage nontext data. These modules can help provide effective management tools to ensure proper archival practices, including viewing and reproduction capabilities to meet practice and customer needs as well as achieve overall compliance.

Develop and Implement Policies and Procedures

Developing policies and procedures is fundamental to guide a practice in selecting, using, storing, and retrieving nontext media. Documented policies and procedures assist healthcare practices evaluate equipment and devices that produce nontext media and help them maintain their data in the best interest of the patient and the practice.^† Detailed procedures will help the healthcare practice manage its nontext media as personnel change over the years.

Policies and procedures to manage nontext data must include, but not be limited to:

• Equipment and media type evaluation. This policy and procedure investigates the type of nontext media a device uses, including its ease of access, interoperability, and the ease of data transfer for long-term storage. Long-term retrievability and release of the nontext data is also a factor for consideration.
• Individual device operation and function. This policy provides detailed procedures for each device that generates nontext media. Specific procedures address how the device interfaces or communicates with the EHR.
• Retention, retrieval, release, and destruction. This policy and procedure provides guidance on how long the nontext media is retained, how it will be stored, and the methods used for retrieval and release. This procedure can also address how nontext media will be destroyed once the retention period has elapsed. Healthcare practice should consider how to manage the data with expired business associate relationships.
• System upgrades. This policy and procedure provides detailed guidance on how to analyze the impact of updated software and new versions of applications on the devices housing nontext data. This policy and procedure will help alleviate lost data and appropriately prepare the practice for the impact of updated systems.

Implement Audit Controls

An organization must track access as part of its effective security practices. The audit log functionality must be enabled in each device (where available) to track user activity.

Audit log information must be retained in accordance with record retention and destruction schedules set forth by the healthcare practice and to meet state and federal regulations. This information can also be critical in legal proceedings for evidentiary purposes.

Access controls need to capture the who, what, and when (date and time) for accessing the information.

Electronic Content and Records Management

Electronic content and records management (ECRM) includes the technologies, tools, and methods used to capture, manage, store, preserve, and deliver content across the enterprise.³ Practices must ensure ECRM strategies are in place to manage the life cycle of all data formats retained, including nontext data.^† In addition, the strategies must ensure there is a way to provide intuitive methods for identifying relevant data.

Electronic content and records management enables increased value by managing the information effectively and improving operations. It focuses on comprehensive data management versus fragmented systems. ECRM also reduces redundancy by allowing the information to be captured once and used many times.

In addition ECRM improves efficiency and productivity by ensuring users have access to the content that is relevant to their work and ensuring that the most up-to-date information is readily available. It instills trust in the data and enables the organization to effectively manage compliance of electronically stored information. ECRM:

• Minimizes risk from information loss
• Reduces risks from legal exposure
• Enables the organization to understand costs associated with retrieving electronic information from obsolete equipment
• Enables the organization to collect, review, and preserve electronically stored information

Information Systems

Nontext data needs to be confidential, secure, and readily available. Practices must ensure that every information system containing nontext data has the capabilities and controls necessary to effectively manage that data.

At a minimum, systems must take into account:

• System redundancy. These solutions virtually eliminate both planned and unplanned downtime by creating an exact duplicate of applications, data, and objects on one or more secondary servers.
• Interoperability. When more than one nontext data management and archive system is used for the broad range of files, an interface engine can be used to provide links from the EHR to the core system. For example, HL7 is a type of language including a number of flexible standards, guidelines, and methodologies by which various healthcare systems can communicate with each other.
• Storage capacity. Storage capacity and retention times must be taken into consideration when deciding which nontext data to maintain. Some files, such as layered photo files with annotations, can be very large and the capacity to store increasing volume over time can be a significant expense. The file size also affects system capabilities and requirements for downloading and viewing.
• Technology and media obsolescence. Central storage of nontext data is critical for the management of information from outdated systems and media. There are many approaches offered by storage vendors to ensure safe, replicated storage, both locally and remotely. Software compatibility, both inside the practice and with potential vendors, needs to be evaluated to ensure the nontext data are continually available, retrievable, and reproducible.

Notes

1. AHIMA. "Retention and Destruction of Health Information." Journal of AHIMA Updated August 2011. Available in the AHIMA Body of Knowledge at www.ahima.org.
2. Johnson, Robert. "The Certificate of Destruction: What It Is, What It's Not." Journal of AHIMA 76, no. 6 (June 2005): 54–55, 59.
3. AIIM International and ARMA International. Revised Framework for Integration of EDMS & ERMS Systems (ANSI/AIIM ARMA TR48-2006). AIIM International and ARMA International, 2006.

References

AHIMA. "Enterprise Content and Record Management for Healthcare." Journal of AHIMA 79, no. 10 (Oct. 2008): 91–98.

AHIMA. "Fundamentals of the Legal Health Record and Designated Record Set." Journal of AHIMA 82, no. 2 (Feb. 2011): expanded online version.

AHIMA. "Security Audits of Electronic Health Information (Updated)." Journal of AHIMA 82, no. 3 (Mar. 2011): 46–50.

Baldwin-Stried Reich, Kimberly A. "Sorting out Discovery Requests." Journal of AHIMA 81, no. 10 (Oct. 2010): 60–62.

Prepared By

Anita Archer, CPC
Lisa Campbell, PhD, CCS, CCS-P, CPC, CPC-H
Janice Crocker, MSA, RHIA, CCS, CHP, FAHIMA
Angela K. Dinh, MHA, RHIA, CHPS
Elisa Kogan, MS, MHA, CCS-P
Jennifer Miller, MHIS, RHIA
Diana Warner, MS, RHIA, CHPS, FAHIMA

Acknowledgments

Cecilia Backman, MBA, RHIA, CPHQ
Jill Clark, MBA, RHIA
Joan Croft, RHIT
Julie Dooling, RHIT
Lisa R. Fink, MBA, RHIA, CPHQ
William Lee Ford, MHA, RHIT, CPC, CPC-H, CHC
Marta Kennedy, RN, BS, CPC, MCMC
Priscilla Komara, MBA, RHIA
Carol Liebner, RHIT, CCS
Jean MacDonnell, RHIA
Jennifer McCollum, RHIA, CCS
Monna Nabers, MBA, RHIA
Cathy L. Price, RHIT
Laura J. Rizzo, MHA, RHIA
Lance Smith, RHIT, CCS-P, CHC
Lou Ann Wiedemann, MS, RHIA, FAHIMA, CPEHR

The information contained in this practice brief reflects the consensus opinion of the professionals who developed it. It has not been validated through scientific research.

† Indicates an AHIMA best practice. Best practices are available in the AHIMA Compendium, http://compendium.ahima.org.