Still Seeking the Legal EHR: The Push for Electronic Records Increases, the Record Management Questions Remain

By Michelle Dougherty, MA, RHIA, CHP, and Lydia Washington, MS, RHIA, CPHIMS

Electronic health records are edging into the mainstream, but they still have one foot outside the law. Many EHR systems struggle to create credible and compliant business records, and with major initiatives like the ARRA incentive program pushing their adoption, now is the time to get the electronic legal record right.

In 2003 AHIMA launched a workgroup to provide practice guidance on an emerging topic-the “legal electronic health record.” At that time, HIM professionals working at facilities that were early adopters of EHR systems were struggling with basic HIM principles: determining the official record of care within an EHR that was made up of many different applications; disclosing information from multiple EHR systems that had limited report functionality; and establishing trustworthy records in systems that did not incorporate basic record-keeping principles.

HIM professionals recognized what those early EHR systems overlooked: that in order to support an organization’s complete operations, EHRs must create and maintain credible and compliant business records. If they do not, organizations face significant clinical, regulatory, financial, and legal repercussions.

Today the concept of a legal EHR has evolved, yet it remains vexingly complex. New national efforts to accelerate the adoption of EHRs make it even more critical to get the legal EHR right. The questions that follow frame the issues the industry faces today and must resolve for the future.

What is the “legal EHR?”

The term “legal EHR” gained use largely for lack of a better term. It has been confusing because it has a different connotation depending on professional perspective.

For HIM professionals, the “legal record” refers to that data and information constituting the official record of care that is disclosed externally for continuity of care and other required business and purposes. An official record of care is required by regulation, has specified content, is retained for a period of time, and follows accepted practices for maintaining integrity.

This regulation enables the disclosure and use of the information for a host of new purposes such as health information exchange and personal health records as well as existing purposes such as demonstrating medical necessity, billing compliance, quality reporting, research, public health, accreditation, and legal requirements.

The term “legal EHR” evolved from the term “legal health record.” Originally HIM professionals were concerned primarily with identifying the data and information in early EHR systems that constituted the official record of care-the information that would be disclosed externally for continuity of care and other business purposes when requested.

However, it soon became apparent that the design of EHR systems presented many more complex challenges that risked the authenticity and integrity of the health information contained in these systems and affected their ability to be used for business, regulatory, and legal purposes.

The term evolved and came to be understood as a concept that addresses a number of health record and information management issues. These issues speak not only to identifying the record of care but also to governance, record management functionality, documentation quality, and the ability to use records for compliance requirements:

• Governance. Because of the distributed nature of health IT systems that contain or comprise the record of care, healthcare organizations must establish governance processes that include record management policies, retention schedules, destruction procedures, privacy and security practices, and custodianship or stewardship roles and functions.
• Defining the record of care. Technically part of governance but critically important in EHRs, defining the record of care involves declaring in organizational policy the data and information in the EHR system that constitutes the record of care for an episode of care to ensure compliance and meet business needs for the medical record (in HIM this is also called defining the legal record-see above). Declaring the record is an important step with EHRs that have been developed on database platforms. Because these systems are not document-based, records must be defined in the system and then “locked” to ensure an accurate historical picture for an encounter or episode of care.
• Record management functionality to support integrity and authenticity. The EHR system must have appropriate record management and evidentiary support functionality to ensure the integrity of the record through its lifecycle.
• Documentation quality. An EHR system must contain documentation that reflects the healthcare actions and services performed and the patient’s condition. It must “tell the story” of care accurately and completely.
• Disclosure management. The record of care must be in a form and format that can be disclosed for a multitude of requirements and business purposes. Organizations operate under complex rules and requirements governing disclosure. Also critically important is the need to get adequate reports or outputs from EHR systems that are useable, concise, and accurate to meet the disclosure requirements.
• Compliance. Regulations govern medical records regardless of their form and format (paper or electronic), as do laws, payer policies, standards, and generally accepted practices. Healthcare organizations must be aware of the requirements related to medical records (both their content and management) to ensure that EHR governance and system functionality support compliance.

Why do healthcare organizations need to declare their record of care in policy?

Health information today is contained in a multitude of forms, formats, and views. It exists as text-based documents, medical images, machine tracings, voice data, and more. In EHRs, health data and information also include metadata, audit trails, decision support rules, documentation templates, value tables, records and data from external sources, and more.

Organizations must identify or declare which elements of this health information content they consider to be their records of care so that these records can be tracked, preserved, and retained for business, legal, and compliance purposes.

Without this declaration, organizations will find it difficult to:

• Know what information to disclose upon request for medical records (e.g., patient requests, health information exchange, billing compliance, quality reporting, research, public health, accreditation, litigation, etc.)
• Know what information to preserve or sequester when a legal hold order is received for the medical record
• Apply state or other mandated record retention schedules
• Identify when the health record is “complete” for accreditation or other compliance purposes
• Take effective measures to protect the medical record against breaches, tampering, or destruction
• Determine what information is appropriate for various types of compliance audits

At a minimum, healthcare organizations must identify in policy those classes and types of health information content they consider to be the record of care.

How is the HIM role of record custodian changing?

Custodianship and stewardship are components of governance. With paper records, custodianship implied physical possession of the health record. Stewardship goes beyond mere physical possession to include responsibilities for ensuring the health record’s integrity (accuracy, completeness, timeliness) and security (protection of the privacy as well as protection from tampering, loss, or destruction).

Traditionally HIM managed the physical record. With electronic records there is no longer a need for HIM to “keep” the record in a physical sense. IT takes on the role for physical security of the information system housing the EHR data. HIM’s role has evolved to one of leadership, responsibility, and governance to ensure the consistent application of and compliance with organizational record-keeping policies across the distributed information systems that comprise the health record. As the expert on requirements for the health record and record lifecycle management, HIM must lead as well as collaborate with IT and business units in this effort.

In collaboration with the system business owners and IT, HIM professionals will still be called upon to testify in court about how the record of care was created and maintained, including the organization’s governance and policies.

How do paper and electronic records differ?

A paper-based medical record is a static document that can be identified as a component of the record of care. Paper-based records can be reviewed for content, completeness, signature, dates, and changes-in effect, what you see is what you get.

EHRs are inherently different because they are not document-based; instead they are transactional database systems with underlying tables and fields full of data. As a historical record keeping system, transactional databases have limitations unless functionality can define, lock, and retain the business records along with the required metadata over long periods of time and for multiple episodes of care or encounters.

What EHR system functions support record integrity and authenticity?

A complete evaluation of clinical content and records management functionality will help organizations support the trustworthiness of the data and support the downstream uses for a legally sound record.

Clinicians and business units evaluate applications for appropriate clinical content, documentation processes, and workflows; HIM professionals should evaluate all EHR applications that create and maintain content for the record of care for compliance and records management functionality. IT and other departments also bring their roles to the evaluation process.

Health Level Seven, the healthcare IT standards development organization, offers the Records Management and Evidentiary Support standard for EHR systems, which can be incorporated into an evaluation process. This standard identifies the important functionality for supporting the integrity and authenticity for the record of care, including:

• Patient identity validity
• User authentication and authorization
• Attestation (e-signature) and nonrepudiation
• Alteration, amendment, and correction
• Auditing, metadata, and validation support
• EHR output and reports
• Information and record availability, preservation, retention, and destruction
• Pending and version management of records
• Completion status for records and reports

Have there been legal and compliance incidents?

There is a growing body of knowledge reflecting the legal, regulatory, and compliance issues related to EHRs. Some information is anecdotal, some officially noted, and much of it kept confidential for risk management and settlement purposes.

Since record management, governance, and compliance have not been either well understood or a priority for EHR deployment, healthcare organizations are at risk on multiple fronts. For example:

• One organization had multiple claims denied and lost arbitration due to improper use of electronic signatures, which did not follow payer requirements.
• A large hospital is fighting a malpractice case and has been dealing with challenging record management issues with the plaintiff and court.
• The board of pharmacy in one state required that hospitals dismantle their e-prescribing and e-medication administration processes because of inadequate compliance with requirements for strong authentication and signature processes.

As EHR use matures, case law, regulations, and practice standards will evolve.

Healthcare is currently challenged by state and federal regulations that are silent or conflicting on EHRs. In Kansas, for example, state law related to health information contains approximately 180 statutes and regulations that specify content, retention, access, or format.

The lack of clarity makes compliance efforts and governance even more important in mitigating risk and establishing the organization’s business practice.

Are there unique aspects to litigation involving EHRs?

In the past attorneys and courts relied on paper records or computer printouts in litigation. E-discovery has changed the playing field and opened up new avenues and standards for handling electronic records that have a direct impact on the EHR.

Healthcare organizations can declare their formal record of care and identify the appropriate output for those records, but attorneys and courts may access the EHR application and native files if the court determines them to be relevant to the case.

As a result, organizations must pay due diligence to the record management and evidentiary support functionality for the EHR system to ensure proper creation and management of the native EHR files, not just the output. HIM professionals must recognize that they cannot limit their oversight and management of the record to the paper printouts, PDFs, or a document imaging system; they must also be attentive to and knowledgeable about the effects of underlying system rules and metadata included in the source EHR applications.

Healthcare providers who have experienced litigation involving EHRs report other challenges-the inability to chronicle the events of an episode and the inability to reproduce the record of care as the physician or clinician saw it.

Record of care reports from an EHR application often are not the same as the clinician view, screen shots, and data entry pages. The difference between the input and output has been problematic. Perceptions of incomplete information and hidden evidence has resulted due to the lack of understanding that the record of care is not a complete replica of all information contained in an EHR application.

How does the legal EHR relate to ECRM?

Enterprise content and records management is a set of strategies, processes, and technologies that can address the challenges associated with managing any and all types of business data and records. This is particularly important with electronic content dispersed across multiple systems, all of which may not be considered records. Applied to health information and records, ECRM helps enforce the organization’s policies surrounding the legal EHR/electronic record of care no matter what system(s) contain them.

The foundation of ECRM is information management governance, which involves developing, monitoring, and enforcing the business rules and standards for information management across the enterprise. EHRs are subject to their own unique set of internal and external requirements, and governance processes should address this.

Once the requirements are identified, the business owners of IT systems that contain information that comprise the legal EHR/record of care can be held accountable for compliance with the requirements. HIM professionals play a dual role of both identifying the requirements and monitoring or auditing compliance with the requirements. ECRM technology can assist by performing functions such as:

• Declaring designated content as records
• Addressing taxonomy and organization
• Providing a unified view and efficient search capability for analysis, coding, and release of information
• Facilitating preservation for legal hold and other purposes
• Automating record retention and destruction

ECRM technology can be used across a variety of applications to manage information regardless of source. It can also deliver information from a variety of applications to a central repository where lifecycle management can be applied.

The technology is inclusive of, but not limited to, document management, workflow automation, e-mail management, search functionality, and portals that provide a unified view across different systems.

What are the emerging issues?

The issues identified and being discussed today include:

• ARRA implications that are still to be defined.
• The use of data and records in health information exchanges; how data retain context and the record management issues for data being exchanged.
• How EHR systems can support an individual’s privacy rights including amendments and corrections, accounting of disclosure, and security practices that help to reduce breaches.
• How system design affects user interaction with the system and the resulting impact on data integrity.
• The changing standards of practice that may result as more litigation involves EHRs and case law evolves.
• Data ownership, stewardship, and custodianship issues, which will become more concrete as the industry recognizes the need for stewardship over ownership.

The need to maintain a sound record of care that supports the organization’s business, compliance, and legal needs will require strategies and skills that are different from, but complementary to, those that address the clinical processes and technical infrastructure associated with EHR systems.

Just as critical are the secondary purposes (e.g., legal, business, and compliance) for which health records are created and maintained. HIM professionals must take a leadership role in helping organizations address these needs by ensuring that the EHR systems create and maintain a credible record of care.

Michelle Dougherty (michelle.dougherty@ahima.org) and Lydia Washington (lydia.washington@ahima.org) are directors of practice leadership at AHIMA.