A Primer on EHR Risk
Management and Risk Mitigation
By Reed D. Gelzer, MD, MPH, CHCC
Over recent months, there has been a slow advance of
realization that an EHR implementation is no silver bullet. People are
beginning to move past their initial enthusiasms for EHRs and on further toward
a more businesslike assessment of both the advantages and the risks of
implementation of these new but, as yet, non-standardized systems. Until
manufacturers, the government, or an independent body validates these systems,
one cannot assume that any given EHR has been designed to meet your facility’s
basic compliance requirements or, for that matter, will even stand as a true
medical record.
Here the intent is simply to point readers in the
direction of identifying how to include risk considerations (and data quality
considerations) in an EHR selection, implementation, or internal risk assessment
process, including how you can do some basic tests in your own system to test
its ability to follow some fundamental medical records principles.
Here is a simple test on Authorship functions:
First, if you are testing your own system, find out if it is possible to set up
test patients in your system that will, in some manner, be isolated from your
real patient population. It would best to not fiddle around with your live
system if possible. Your system may have a test environment or means to indicate
a patient record is outside your patient population (like giving them a name
like Fake Test and indicating that they are deceased).
If you are testing
on a system under consideration, this is not an issue since it will not be
someone’s “live” system. However, in this case, closely question the vendor to
make sure that what you are looking at is an accurate representation of what you
would get at installation. Often, trade show demonstrations are not
full-featured systems or may be “tuned” for speed or simplicity. Some vendors,
though, deliberately mislead by showing you a system that may only be in
development but not deployable. You do not want to base a purchase decision on
a bait-and-switch presentation.
Second, let us look at a specific medical record requirement. One fundamental
requirement of a medical record is that the authorship of documentation is
readily apparent and recorded accurately. Each user must be uniquely identified
in the system in some manner and their identity linked to the specific
documentation that they record. One could possibly do this non-electronically
but the most straightforward way, and the best use of the technology is still to
have each user have his or her own unique system ID.
To run a simple test on Authorship:
Create a new
encounter for Fake Test. Using a Unique ID #1 (such as a nurse or MA), record
typical intake information such presenting complaint, vitals, etc. Then pick
some clinical information that can appropriate change in a second interview,
such as on intake the patient is recorded as being a smoker and history of ulcer
(peptic). Transfer the encounter to Unique ID #2 (Physician, PA, APRN, etc.) and
record different findings from those of ID #1 as commonly occurs upon closer
questioning, the intake information was not correct, it was a duodenal ulcer,
not peptic, etc., or patient actually quit smoking a year ago. Complete the
encounter and close it, and look at the final documentation.
1. Is all info recorded by User #1 recorded appropriately to their ID?
2. Is it clear or
at least available in some fashion what the original documentation was for #1 as
distinct from #2 before changes made by the latter?
3. Is all info
recorded by User #2 assigned to #2?
Some EHRs will not allow identification of who documented what, showing that the
person who signs the encounter (User #2 in this case) did all the documentation.
Similarly, some EHRs will show that all the documentation was done at the time
it was signed, and not show when the documentation actually began.
Depending on how a given system behaves, your office may have to establish
certain rules of use. For example, some systems will show the correct date on a
partially completed note that is saved. Users may be tempted to avoid having
incomplete notes by leaving them open and then completing them the next day. The
problem is that then the system may date the encounter the later date. This can
cause problems such as the date of service on the bill is different than the
date documented and signed by the provider. In this case, the system may be set
up to close all encounters at some hour of the day (say, 11:59PM) so that the
date of service will still be correct, with the encounter showing completion,
appropriately, the next day. (The ideal, though, is clearly to complete notes on
the date of service.)
In any case, the main message here is that an often-overlooked task in due
diligence in EHR evaluation is or to assure the system behaves, or can be used
in a manner that shows appropriate adherence to basic medical records rules. If
your office staff includes medical records expertise, make sure to involve them
in your process. If you do not have access to such a professional, you might
consider arranging assistance through your medical society or hospital medical
staff, or contact your state chapter of American Health Information Management
Association.
This is a topic of intense interest to ADIC as, among other things, our
government (your tax dollars and mine) are going to be subsidizing the
implementation of EHRs to the tune of hundreds of millions of dollars. This,
beginning before effective standards are in place, will inevitably lead to the
installation of EHRs that cannot create a bona fide medical record. Don’t be
one of the many who will be lamenting this major purchase decision of a core
business tool and calculating the risk of a record that will not stand up to
audit or to court challenge. Buy smart.
RDGelzer
Advocates for Documentation Integrity and Compliance (ADIC)
www.docintegrity.com
rdgelzer@docintegrity.com
Copyright 2005 Advocates
for Documentation Integrity and Compliance, LLC.
Reprints by permission
For More Information Contact:
Advocates for Documentation Integrity and Compliance
500 Beach Street, Revere, Massachusetts 02151
Tel: 781-289-0629
FAX:
Internet:
info@docintegrity.com
