Business of Medicine
Onboarding Practice Managers Toolkit
Electronic Medical Records (EMR) & the HIPAA Security Rule
Although electronic medical records (EMR) offer substantial benefits, it is necessary to understand and manage the special security risks introduced by such systems. Physicians maintaining patient records electronically should become familiar with the requirements of the HIPAA Security Regulations (or HIPAA Security Rule) that became effective in April 2005 and as amended under the American Recovery and Reinvestment Act of 2009. To achieve and maintain compliance with the Security Rule, physicians, hospitals and other “covered entities” will have to implement a series of administrative, technical and physical security procedures. The rule will generally require physicians to do the following:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information (PHI) they create, receive, maintain or transmit.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of electronic PHI.
- Protect against any reasonably anticipated uses or disclosures of electronic PHI that are not permitted or required under the Rule.
- Ensure compliance with the rule by their staff.
The Security Rule focuses more on the end result, compliance, than on the method by which physicians will achieve that end result. It was designed to be scalable, flexible and addressable through multiple approaches. The rule states that when deciding which security measures to use, physicians must take into account such things as the size, complexity and capabilities of their practices and their technical infrastructure, hardware and software security capabilities.
Physicians are encouraged to contact an attorney or a qualified healthcare consultant knowledgeable on healthcare information systems to ensure compliance with those Regulations.
Security challenges created by the electronic medical record can be both internal and external. Examples of internal challenges include the unauthorized release of medical record information or the unintentional deletion of information from a patient’s record. Challenges from external sources include computer viruses, hackers, and vendors who install disabling software. Other risk management concerns include theft of laptop computers, power failures, transmission errors and computer hardware failures.
Security should be designed into the system from the start.
- All records, centralized or decentralized, should be kept in a secure location accessible only to authorized individuals.
- Levels of security should be established so users can only access the information they need to do their jobs. Access codes should be assigned according to job codes.
- Maintain a list of users, their access codes and their level of access.
- Disclosure of an employee’s access code (for login to the system) should be subject to the same sanction as disclosure of confidential patient information.
- Disclosure of information should be handled by trained individuals to ensure compliance with state and Federal laws.
- If participating in an EMR network, draft and execute a confidentiality agreement with all others in the network, and make sure all employees understand their responsibility to keep patient information confidential.
- All employees should sign confidentiality agreements at the time of hire and a confidentiality acknowledgment annually to remind them of their ongoing confidentiality responsibilities.
- Implement policies and procedures to protect against the theft of laptop computers and any computer hardware used in a physician’s practice.
- Document security measures.
- All users, including physicians, should be required to attend an orientation program and have periodic updates.
- Deactivate codes when a person leaves employment.
- Limit staff’s access to printers.
- Prepare a disaster plan.
- Protect against viruses.
- Negotiate indemnifications in contracts with computer vendors.
Check whether your state's laws allow healthcare providers to create, maintain, transmit, receive and store medical records in an electronic format without having to maintain duplicate paper copies. A paper print-out of an electronic record would be considered an original for purposes of providing copies to patients or other authorized parties and for introduction of the records into evidence in administrative or court proceedings.
For additional information regarding certification standards for electronic health records systems, contact the Certification Commission for Health Information Technology (“CCHIT”) at www.cchit.org.
Responding to subpoenas, requests for production of documents and search warrants
A patient’s medical records may also be requested by a subpoena or a request for production of documents. By law, the physician must comply with a subpoena or a request for production of documents, and in the time frame required.
Under HIPAA a covered healthcare provider or health plan may disclose protected health information required by a court order, including the order of an administrative tribunal. However, the provider or plan may only disclose the information specifically described in the order.
A subpoena issued by someone other than a judge, such as a court clerk or an attorney in a case, is different from a court order.
A covered provider or plan may disclose information to the party issuing a subpoena only if the notification requirements of the Privacy Rule and state are met. Before the covered entity may respond to the subpoena, the Rule requires that it receive evidence that reasonable efforts were made to either:
- Notify the person who is the subject of the information about the request, so that the person has a chance to object to the disclosure, or to
- Seek a qualified protective order for the information from the court.
For further information on this topic, please refer to 45 C.F.R. § 164.512(e) and the Office of Civil Rights (OCR) Frequently Asked Questions.
When responding to a request as a non-party to a lawsuit, allow time (the length of time is specified by each state) for the parties in the lawsuit to object to the record release through the court. The physician may also file an objection to providing information at or before the time specified in the subpoena or request for production of documents. This should be done through legal counsel. If an objection is filed, the physician shall not produce the records unless and until ordered by the court.
As a practical matter, physicians produce certified copies of medical records in lieu of originals. Include with the certified copies of the record, a copy of the subpoena and an affidavit by the person responsible for maintaining the medical records testifying to the identity and authenticity of the records, that they are true and correct copies and, as appropriate, that the records were made and kept in the regular course of business at or near the time of the events recorded by persons having knowledge of the information set forth. The court may still order the original record to be produced in order to determine the accuracy of the reproductions made. If the release of original medical records cannot be avoided, a chain of custody should be established that states who picked up the record, the date it was released, where the record was being taken, how long the record would be kept, when the record would be returned, the location of the record and who will have possession of the record. The pages should be numbered to help verify that the entire medical record is returned.
Since laws and specific requirements vary from state to state, policyholders should consult with MagMutual Insurance Company when receiving requests for patient medical records pursuant to a legal notice, a request made by an attorney, a court, etc., if there are questions or concerns.
Generally, a search warrant is obtained by the police when investigating the commission of a criminal offense. A warrant is obtained by making an application to a magistrate. Evidence must be provided before the warrant is issued. The warrant may be issued to a named member of the police force or all members of the police force. If it is issued to all members of the police force, any member may execute the warrant. The warrant should state clearly the address that may be searched and the items sought pursuant to the warrant. The warrant authorizes the police to break, enter and search any premises named in the warrant, and to arrest the person having custody of the things named in the warrant. It is necessary to cooperate with the police who are executing the warrant.
Appropriate response to search warrants
- Inform management as soon as possible that you have been presented with a warrant.
- Cooperate with the police who are executing the warrant – be courteous and act professionally.
- Ensure the warrant has been issued by the court. Note the person to whom it has been issued and the items that may be seized pursuant to the warrant.
- If the warrant has been issued to the police generally, any member of the police force may execute it. Otherwise, the officer named in the warrant must execute it. Monitor that only material named in the warrant is taken during the search. Object politely if police attempt to remove material that you believe is outside the scope of the warrant.
- Keep a list of all material taken in the search. If possible, keep copies of the documents.
- Do not undertake any routine or other shredding of documents or erasing of information from computers while the search is being undertaken.
- Keep notes of all requests made of the police during the search and their responses.
- Obtain legal advice concerning the search and seizure of material as soon as possible.
HIPAA privacy regulations permit the release of medical records pursuant to a search warrant (45 C.F.R. § 164.512 (e) & (f)), without prior notice to the patient and without giving the patient an opportunity to object to the search warrant.
Other Law Enforcement Requests
Except in certain limited circumstances, physicians should not release a patient’s health information to a law enforcement officer without some legal process (e.g., subpoena or search warrant).
In most respects, law enforcement officers do not have greater authority to access patient medical information than any ordinary citizen does.
Under HIPAA Privacy Regulations, a physician may disclose limited health information without patient authorization in response to a law enforcement official’s request for the purpose of identifying or locating a suspect, fugitive, material witness or missing person. In this instance, the physician may disclose only the following information: (a) name and address; (b) date and place of birth; (c) social security number; (d) ABO blood type and Rh factor; (e) type of injury; (f) date and time of treatment; (g) date and time of death; (h) description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars, and tattoos. HIPAA Privacy Regulations allow disclosure to law enforcement officers in certain other cases, as well. See 45 CFR 164.512.
Privileged Medical Records
As referenced in other parts of this Handbook, mental health records, AIDS confidential information or alcohol and drug abuse treatment records should not be released without specific and proper patient authorization or a court order signed by a judge commanding the physician to release such records. Such records are not only confidential like all medical records; they are considered privileged or subject to a higher degree of confidentiality. Thus they may not be released without legal waiver of privilege by the patient or a court order.
In-Camera Inspection of Medical Records
If a physician has received a subpoena regarding medical records and has concerns about violating a patient’s confidentiality or privilege, the physician should consult with an attorney about complying with the subpoena, and consider asking the judge to conduct an in-camera inspection of the records. The physician would file a sealed copy of the medical records with the court clerk’s office, placing a notation on the outside of the envelope that the contents are “Medical Records of John/Jane Doe” subpoenaed under a specifically identified case (including case number) and are not to be opened without a court order directing such action.
The sealed medical records should be accompanied by a cover letter stating the physician’s reasons for declining to comply with the subpoena, requesting an in-camera inspection and asking the court not to release records to the parties without issuing an appropriate court order.
Authorization for release of medical information–checklist for compliance
HIPAA privacy regulations provide that the healthcare provider generally must furnish a complete and current copy of the record to third parties upon written request from the patient.
The patient must identify the records to be released and the person or class of persons that may receive copies of them.
To release copies, the physician must be provided with an authorization signed by the patient or an appropriate personal representative. Under the HIPAA Privacy Rule, physicians must treat personal representatives as the patient for matters relating to medical records access and release. Examples of personal representatives include, but are not limited to, parents of minors, executors of deceased patients’ estates, and persons holding a Durable Power of Attorney for Healthcare. HIPAA privacy regulations require the following elements to be present in a proper authorization for release of medical information. You may find this checklist useful to ensure that a medical release you have received complies with the privacy regulations.
Authorization Form Checklist
A valid authorization must contain at least the following core elements:
- A specific description of the information to be disclosed.
- The name (or other specific identification) of the person(s) or class of persons authorized to make the use or disclosure of information.
- Specifically to whom the physician may make the requested use or disclosure.
- A description of each purpose of the requested information. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
- An expiration date or an expiration event that relates to the individual or the purpose of use or disclosure.
- The signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided. 45 CFR § 164.508(c) (1)
- The individual’s right to revoke the authorization in writing, and either: (a) the exceptions to the right to revoke and a description of how the individual may revoke the authorization; or (b) a reference to the physician’s notice of privacy practices.
- The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.
- The potential for information disclosed with this authorization to be subject to redisclosure by the recipient. 45 CFR § 164.508(c) (2)
The authorization must be written in plain language. If it is the physician that seeks an authorization from a patient for a use or disclosure of protected health information, the physician must provide the patient with a copy of the signed authorization. 45 CFR § 164.508(c) (3) & (4).
Release of confidential information
Patient medical information is confidential. There are state and federal laws that govern the release of such information to protect the patient and the physician. Subject to certain exceptions, medical information may be released only upon written patient authorization. It is recommended that the authorization be updated at a minimum annually.
There are a number of situations in which medical information may be released without patient authorization. Some of those exceptions will be addressed in following sections. If unsure about whether to release a patient’s medical information, it is always best to err on the side of protecting the patient’s confidentiality. If there are any questions regarding release of medical information, the physician should contact legal counsel or his/her professional liability insurance company for advice.
Destruction of records
It is suggested that the physician review office records before allowing them to be destroyed to be sure he/she is comfortable that the record will not be required for patient care or to defend a medical professional liability lawsuit.
Records should be destroyed either by shredding or incineration. Special care should be taken to ensure patient confidentiality is maintained throughout the destruction process. Under HIPAA, the practice should initiate a business associate agreement with the company hired to destroy the medical records. A manifest or list of the medical records which were destroyed should be developed and maintained permanently.
As noted previously, the original record should not be given to the patient. In the event the patient needs a record, a copy should be provided, and the physician should retain the original in accordance with the guidelines set forth in the previous section concerning “Record Retention.”
Never give the patient the original record; it should be destroyed. Only give the patient a copy, to prevent changes in the record that the physician could be alleged to have made.
How long medical records must be kept is determined by the potential use of the record and specific legal requirements. Unless state statutes require that medical records be retained for a longer period of time, MagMutual requests that our policyholders retain patients’ medical records for 10 years from the date of the last patient visit or medical record entry. This includes medical records of deceased patients.
Otherwise, medical records should be kept indefinitely or until the applicable statute of limitations or repose expires for situations:
- With adverse or less than desirable outcomes
- When patients are unhappy with results
- Any time a patient threatens or files a lawsuit
Every medical office should have an approved list of standard abbreviations for use in medical records. When healthcare practitioners use unusual or non-standard abbreviations, the quality of communication suffers and patient care can be compromised.
Guidelines to follow regarding the use of abbreviations include:
- Using abbreviations easily recognized by all healthcare providers.
- Avoiding the use of ambiguous abbreviations or abbreviations known only to yourself or a few others.
- Developing a list of approved abbreviations for use in the medical office which should be consistent with abbreviations used in the hospital(s) with which the physician(s) has privileges.
NOTE: Abbreviations should not be used on informed consent forms or in any other communication with the patient.
Making corrections to the medical record
Every practice should establish a policy and procedure for correcting medical records, whether paper or electronic (EHR). A correction is a change in the information meant to clarify inaccuracies after the original document has been signed or completed. It is acceptable to make an addendum to a medical record. It should be made after the last entry noting the current date and time, and both entries should be cross-referenced. A record that appears to have been altered implies that a cover-up has occurred. Never improperly or unlawfully alter a medical record.
If an error has been made in a paper record, draw a single line through the inaccurate entry and enter the necessary correction. Enter the date and time and initial the correction in the margin. Questionable medical record corrections or additions, e.g. notes in the margin, writing between the lines, erasures, etc. should be avoided.
Correcting errors in the electronic record should follow the same basic principles as correcting errors in paper copies. The following specific considerations apply to the EHR.
- Work with your vendor to confirm that your EHR system allows error correction, and whether or not the vendor has established a process.
- The system should have the ability to track corrections or changes once the original entry has been entered or authenticated.
- When correcting or making a change to an entry, the original entry should be viewable, the current date and time should be entered, the person making the change should be identified, and the reason should be noted.
- In situations where there is a hard copy printed from the electronic record, the hard copy must also be corrected.
- The process should permit the author of the error to identify, and time/date stamp, whether it is an error.
- The process should offer the ability to suppress viewing of the actual error but ensure that a flag exists to notify other users of the newly corrected error.
- The location of the error should also point to a correction. The correction may be in a different location from the error if there is narrative data entered, but there must be a mechanism to reflect the correction.
Our suggestion is that you develop a practice policy, and train your physicians and staff to ensure that your facility corrects and reports errors in a consistent and timely manner.
Timely dictation, review, and filing of reports
To facilitate continuity of patient care and ensure corporate compliance, it is recommended that medical practices establish an organization-wide policy to track and address medical record delinquencies, and ensure that dictation, transcription, and the filing of medical records are completed accurately and in a timely manner. Medical record statutes, regulations, and accreditation standards all require healthcare providers to maintain complete records. The medical record serves as the main communication tool between all members of the healthcare team. The medical record should support and help coordinate the medical care of a patient.
Timely dictation, review, and reconciliation are important in facilitating the flow of information among the providers involved in the patient’s care. In today’s complex healthcare delivery environment, requiring an exceptional amount of coordination among the various providers involved in the care of a patient, it’s easy to see why communication errors are frequently cited as one of the leading causes of medical errors.
Obtaining and analyzing medical records is a critical component when reconstructing the medical treatment of a patient. Approximately 35-40% of all medical malpractice suits are rendered indefensible because of problems with documentation in the medical record and/or the management of the medical record in general. A complete record, with factual, objective documentation of the care rendered, is the provider’s most effective defense in the event that the provider is sued for medical malpractice.
As part of the discovery process, lawyers may request not only printed copies of the electronic health record (EHR), but also the audit trail for metadata analysis. This includes logon and logoff times, what was reviewed, and for how long, what changes or additions were made, and when those changes were made. A record entry completed long after a patient encounter, or at the time an attorney is requesting the medical record, is likely to hurt that provider’s defense.
It is clear that inadequate, incomplete, or untimely completion of medical records exposes the physician and the hospital to risk. Hospital rules and regulations and medical office policies and procedures should be strictly enforced to enhance patient care and to avoid potential legal exposure.
Vital signs: vitally important
Errors in diagnosis, failure to supervise or monitor case, and failure to recognize a complication of a treatment are among the top five most prevalent medical factors associated with medical liability claims.1 Further, for those cases in which an associated medico-legal issue was included in the allegation against the practitioner, problems with a patient’s history, exam or work-up were most prevalent.2
Below are some of the more common factors leading to diagnostic errors:
- Inadequate patient-provider communication
- Incomplete medical history documentation
- Failure to examine the patient
- Failure to order diagnostic tests
- Follow-up and tracking diagnostic information
- Interpretation of tests
- Patients not referred to a specialist
Accurate, documented vital signs are an important component of patient care. They provide essential, baseline data for treatment decisions and historical trends. This historical information allows for recognition of acute or chronic changes that may prove significant.3 Ignoring basic findings, such as vital signs, is a common factor that leads to diagnostic error. These lapses interfere with appropriate and timely interventions for deteriorating patients. All too often physiologic abnormalities that develop up to 24 hours prior to death are either undocumented or unrecognized.
In the medical office setting, at minimum, vital signs should be taken and recorded for patients presenting with an acute illness, procedures, and high-risk treatments.
Healthcare organizations continue to struggle to ensure that critical findings are communicated and acted upon in a timely manner. Approximately 40 percent of patient encounters in primary care offices involve some form of medical test. Studies of primary care offices consistently show that the process for managing tests is a significant source of error and patient harm.1
The Joint Commission has prioritized safe and timely communication of critical tests as a National Patient Safety Goal (NPSG.02.03.01), “Report critical results of tests and diagnostic procedures on a timely basis.” The definition of a critical test varies but may be described as those that require rapid communication of results regardless of findings such as normal, abnormal, or critical. A critical test result may also be defined as “any result or finding that may be considered life threatening or that could result in severe morbidity and require urgent or emergent clinical attention.”2 For practical purposes, it is important to recognize that critical test results may vary by specialty; for example, a nephrology practice may not consider a potassium level critical unless it is higher than 5.1. However, a primary care physician or cardiologist may have a different threshold value.
Providers are encouraged to design reliable processes that recognize and address opportunities for system failures. In doing so, the practice will be better equipped to improve patient safety and reduce the risk of a professional liability claim. Components of a well-designed system for the management of critical tests should include the following:
- A list of tests and results that require timely and reliable communication
- A process for immediately conveying critical results to the responsible provider or a surrogate if the responsible provider is not immediately available
- A mechanism to ensure that test results are reviewed timely and acknowledged by the provider
- A process for patient notification of test results which includes documentation in the medical record
- A process that ensures follow-up of any additional testing or monitoring required/needed
Additional recommendations regarding the management of critical tests and results include orientation and ongoing education of all members of the healthcare team on procedures for communicating critical tests and/or results, ongoing monitoring of the effectiveness of the system, and patient engagement.
Health care organizations should continue to develop and redesign processes as needed to ensure safe and timely test-result communication in order to reduce risks and effectively ensure quality patient care.
The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.