Old
EHRs, Home-Grown EHRs, and Assuring Proper Archiving for Patient Records
Information
By Reed D. Gelzer, MD, MPH, CHCC
Some of the older EHRs, and
apparently some of the home-built systems, chose to lessen data storage
requirements or perhaps to achieve simplicity by omitting the ability to store
information about how a system actually works (or was working) at any given
time, past or present.
First, to help establish the context and the need, please read the AHIMA Brief
on "Maintaining a Legally Sound Health Record" and pay close attention to the
specific guidelines there. Keep notes on areas where you may have questions
about your own system and in preparation for addressing them in a methodical
way. (By the way, regarding "Maintaining...", watch for the updates that will
be published in three parts starting either in September or October 2005 You
can join AHIMA as an associate member for only $140 and get their journal, well
worth that cost IMO. In addition, they are very hungry to broaden their
membership and especially to gain physician, nursing, medical assistant, and
other professional input on how to convey many of these issues.
Back to the AHIMA Brief... Note the short description of the rules for medical
records and records on computers. Here is an example of a specific requirement
you will need to think through. A requirement in the Federal Rules of Evidence
for business records on computers is that the system be able to demonstrate its
mode of operation at the date in question for a particular event, such as an
encounter. Even most commercial EHRs do not have sufficient background information (also known as metadata) with sufficient specificity, to be able
to show how particular prompts, alerts, system behaviors, etc. worked at some
prior date. Therefore, if you are periodically altering or improving your
program in a way that substantially changes the way it behaves, hopefully you
are saving periodic iterations in some form. In order to secure this against
suspicion of tampering, a system either has to have very robust security
features and access logs, or one can just periodically create an image of the
system for off-site storage. (I am stretching the bounds of my technical
knowledge here, but I am told this can be done as a regular function of the
system's operations). There are companies that do this commercially, like
Iron Mountain, or you can consult
your attorney on other means to do it.
The most important thing is to:
-
Establish, in writing, what your compliance
program is for your medical records, including those on paper and on computer.
-
Where you make discretionary decisions, document why you chose to do so, as a
matter of due diligence.
I know it seems like a
pain, but think about your expectations for how other businesses protect their
records of your life. Would you be satisfied if your bank, your brokerage, etc.
kept their electronic records in the same state as your EHR maintains its
internal workings and the record’s security? The main thing is to know what you
are doing and why, and reference professional guidelines. Again, AHIMA has
practice guidelines you can refer to, as does your compliance training manual.
Keep in mind that these policies and procedures can also serve to establish your
disaster recovery process. That few hundred dollars you spend quarterly for
external storage of full-system back-ups will look awfully cheap compared to the
cost of a recovery service if you ever have a catastrophic failure. (Plus the
cost of refunding to insurers any payments you receive for encounters whose
documentation you lose, which they can theoretically demand if there is no
evidence that services were provided.)
When in doubt, establish a policy that is referenced and thoughtful, and review
it at least annually. If you are depending on your system to be part of your
legal health record, make sure it meets the basic standards for the legal health
record, whether you bought it or built it.
RDG
Advocates for Documentation
Integrity and Compliance
For More Information Contact:
Advocates for Documentation Integrity and Compliance
500 Beach Street, Revere, Massachusetts 02151
Tel: 781-289-0629
FAX:
Internet:
info@docintegrity.com
