Roadmap to Quality Documentation Presented by Rhonda Anderson, RHIA President Anderson Health Information Systems, Inc. [email protected] ACCESS SECURITY Electronic Health Records


DUE DILIGENCE

Most of you may have already done this:

• Identified products you are interested in

• Contacted vendors and set up demonstrations

• Made an assessment of your current practice and your needs; what will you need to change about your current workflow?

THINGS TO CONSIDER

• Does the system provide you with what you need to continue your current practice?

• What about regulatory compliance?

• Initial cost?

KEEP IN MIND

• An effective electronic health record system must consist of the basic requirements of a valid, legal medical record that supports clinical and business purposes.

• Does the system you are looking at meet the basic rules of medical record documentation?

YOU HAVE PURCHASED A NEW SYSTEM

NOW… THE FUN BEGINS

DEFINING YOUR RECORD

WHAT IS AN ELECTRONIC HEALTH RECORD?

A longitudinal record of patient health information generated by one or more encounters in any care delivery system. Included in this information are patient demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports. The EHR automates and streamlines the clinician’s workflow. The EHR has the ability to generate a complete record of a clinical patient encounter, as well as supporting other care-related activities directly or indirectly via interface, including evidence-based decision support, quality management and outcomes reporting.

Reference- Adam Greene, JD, MPH – AHIMA

SECURITY


HIPAA “does not provide adequate general IT security”; HITECH provides guidelines for preventing breaches (unauthorized access)

When conducting a risk analysis, focus on HIGH RISK areas

• Unprotected wireless networks

• Shared user accounts

• Lack of system event logging or review

• Excessive user access and electronic record administrator rights

• Sufficient technical requirements

You MUST monitor system activities and make needed adjustments as a matter of routine, not just after complaints

NO SAFE HARBOR

HITECH ACT

• Part of the American Recovery and Reinvestment Act of 2009

• Applies the HIPAA privacy and security rules and their penalties to HIPAA business associates

• Creates a new breach reporting requirement for HIPAA CEs and BAs

• Effective Date February 2009

SB 541

• California legislation that enforces reporting requirements for unlawful or unauthorized access, use or disclosure of a patient’s medical information

• Reporting requirement within 5 days of discovery

• Effective Date 2009

HIPAA

• Health Insurance Portability and Accountability Act

• Guidance for Privacy and Security of protected health information

• 45 CFR 160-164

• Effective Date 2003

OCR- Office for Civil Rights

• Enforces HIPAA privacy, security, and breach notification laws

• HITECH Act provided for huge penalties (tens of millions of dollars)

HIPAA civil penalties under new HITECH provisions

Effective November 30, 2009

Violation Category | Each Violation | All such violations of an identical provision in a calendar year
Did not know | $100-50,000 | $1,500,000
Reasonable cause | $1,000-50,000 | $1,500,000
Willful neglect, corrected within 30 days | $10,000-50,000 | $1,500,000
Willful neglect, not corrected | $50,000 | $1,500,000

HIPAA / HITECH and EHRs

THE GOOD

• Greater control over uses and disclosures

• Greater control over minimum necessary and security

• Automated rules for uses and disclosures

• Greater transparency

• Potential detection of breaches

• More robust safeguards

THE BAD

• Greater patient involvement… does this mean less provider control?

• Creates some challenges with release of information

• With patients having access to their information and wanting to make amendments, how is the integrity of the record maintained?

• Under the HIPAA Privacy rule (45 CFR 164.524) residents have a right to inspect and obtain copies of their information, request privacy protections and request amendments. This includes PHI in any paper or electronic format.

THE UGLY

• Greater volume of disclosures

• Are all staff aware of disclosure rules, how is this monitored?

• Potential for improper uses/disclosures magnified (e.g., more large breaches)

• More complex security issues – the need for role-based access and limitations

• Monitoring integrity and security

DATA INTEGRITY

• What is Data Integrity?

• In the context of data security it is data that is protected from accidental or unauthorized intentional change.

• As we discuss the electronic health record, you will see how integrity plays a very important role in compliance with HIPAA and the Medicare Conditions of Participation.

DATA INTEGRITY

Compliance or Technical Issue?

A process of creating and maintaining the best official resident record.

A roadmap to quality documentation.

HOW TO MANAGE RECORD INTEGRITY

• Deleting – allowing delete functions is not recommended. Facilities should have clear policies and procedures to deal with correction of errors.

• If you allow deletion of data, how is this tracked?

• How do you handle a major error, such as charting on the wrong patient?

• AMENDMENTS

• How will you handle corrections?

• Does the system track changes?

• How do you know if a document has been changed?

• Clearly, if there is no tracking of changes, this violates the first rule of corrections to medical records:

“Never obliterate an entry”

• Copy and paste – misuse of copy / paste functionalities can have a direct impact on patient care. Information that is outdated or inaccurate relative to the current status of the resident can greatly affect the integrity of the record for medico-legal purposes.

• Prepopulating – Prepopulation of data onto a new document based on the last document (i.e. assessments) is an acceptable practice, but author responsibilities must be clearly delineated to ensure information is reviewed, updated and verified before authentication.

DATA INTEGRITY

WHAT WOULD YOU DO?

• Your system allows for prepopulation of assessments. A discipline has opened new assessments for several residents and saved them under a new date without verifying or changing any of the information.

How would you identify that this has happened?

How would you verify the information is incorrect / correct?

How would you identify other areas affected by this? i.e. billing, MDS

What would you do to correct the problem?
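
One way to answer the first question in the scenario above, as an added example that is not part of the original presentation: compare the clinical answers of each assessment with the previous one for the same resident and flag exact copies saved under a new date. The record layout, field names and sample data are assumptions constructed for illustration.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample data: the layout and values are assumptions, not a vendor export.
ASSESSMENTS = [
    {"resident": "R-001", "type": "fall_risk", "date": "2024-01-05", "author": "nurse_a",
     "fields": {"gait": "steady", "falls_90d": 0, "assistive_device": "none"}},
    {"resident": "R-001", "type": "fall_risk", "date": "2024-04-05", "author": "nurse_b",
     "fields": {"gait": "steady", "falls_90d": 0, "assistive_device": "none"}},
    {"resident": "R-002", "type": "fall_risk", "date": "2024-01-07", "author": "nurse_a",
     "fields": {"gait": "unsteady", "falls_90d": 1, "assistive_device": "walker"}},
    {"resident": "R-002", "type": "fall_risk", "date": "2024-04-07", "author": "nurse_b",
     "fields": {"gait": "unsteady", "falls_90d": 2, "assistive_device": "walker"}},
]

def content_digest(fields):
    """Hash only the clinical answers, so a new date or author does not hide a copy."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def find_unchanged_carry_forwards(assessments):
    """Return assessments whose answers are identical to the prior one of the same type."""
    by_series = defaultdict(list)
    for a in assessments:
        by_series[(a["resident"], a["type"])].append(a)
    flagged = []
    for series in by_series.values():
        series.sort(key=lambda a: a["date"])  # ISO dates sort chronologically
        for prev, cur in zip(series, series[1:]):
            if content_digest(prev["fields"]) == content_digest(cur["fields"]):
                flagged.append({"resident": cur["resident"], "type": cur["type"],
                                "date": cur["date"], "author": cur["author"],
                                "copied_from": prev["date"]})
    return flagged

def authors_to_review(flagged):
    """Count flagged documents per author; a cluster points at a workflow problem."""
    counts = defaultdict(int)
    for f in flagged:
        counts[f["author"]] += 1
    return dict(counts)

if __name__ == "__main__":
    print(find_unchanged_carry_forwards(ASSESSMENTS))
```

A flagged assessment is a candidate for chart review, not proof of error, because a resident's status can legitimately be unchanged. The flagged dates also give the list of billing and MDS periods to re-check.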

VERSIONING

• Once an original document is corrected or amended, does your system identify the different versions as they are created?

• How do you identify documents with different versions?
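
A sketch of what version tracking looks like when "Never obliterate an entry" is enforced in the data model, added here as an example and not taken from the presentation or any EHR product: an amendment appends a new version with its author, time and reason, and each version carries a digest of the one before it so an in-place change can be detected. The class name, fields and sample entry are assumptions.

```python
import hashlib
import json

def _digest(version):
    """Hash every field of a version except its own digest."""
    body = {k: v for k, v in version.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

class EntryHistory:
    """Append-only history of one chart entry: amendments add versions, nothing is overwritten."""

    def __init__(self, text, author, timestamp):
        self.versions = []
        self._append(text, author, timestamp, reason="original entry")

    def _append(self, text, author, timestamp, reason):
        prev = self.versions[-1]["digest"] if self.versions else None
        version = {"number": len(self.versions) + 1, "text": text, "author": author,
                   "timestamp": timestamp, "reason": reason, "prev_digest": prev}
        version["digest"] = _digest(version)
        self.versions.append(version)

    def amend(self, text, author, timestamp, reason):
        if not reason:
            raise ValueError("an amendment must state why the entry was changed")
        self._append(text, author, timestamp, reason)

    def verify(self):
        """Return the version numbers whose content or link no longer matches its digest."""
        bad, prev = [], None
        for v in self.versions:
            if v["digest"] != _digest(v) or v["prev_digest"] != prev:
                bad.append(v["number"])
            prev = v["digest"]
        return bad

def demo():
    # Constructed sample entry; names, times and text are illustrative.
    h = EntryHistory("BP 150/90, no complaints", "nurse_a", "2024-03-01T08:10")
    h.amend("BP 130/90, no complaints", "nurse_a", "2024-03-01T09:02",
            reason="transcription error in systolic value")
    clean = h.verify()
    h.versions[0]["text"] = "BP 130/90, no complaints"  # simulate a silent overwrite
    return len(h.versions), clean, h.verify()

if __name__ == "__main__":
    print(demo())
```

The digests only help if the latest one is also kept somewhere the application's administrators cannot rewrite, such as a separate audit store.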

Monitoring

BE THE GATEKEEPER

• Who is accessing, creating or modifying your record?

• The HIPAA Security Rule

• 45 CFR §164.312(a)(1) – implement technical procedures to allow access only to those persons or programs that have been granted access rights

• 45 CFR §164.312(d) – implement procedures to verify that a person or entity seeking access to ePHI is the person claimed (i.e., who he, she, or it purports to be)

• 45 CFR §164.312(b) – implement mechanisms that record and examine activity in information systems that contain or use ePHI

TRACKING

Do you know what documents have been viewed, altered, destroyed or released?

• 45 CFR §164.312(c) – protect ePHI from alteration or destruction in an unauthorized manner (at rest)

• 45 CFR §164.312(e)(2) – implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of (in motion)

ACCESS

• Who is in charge of managing access to your system?

• How is access restricted after an employee leaves your facility?

• How do you manage access for new employees?

• How do you monitor and manage unauthorized access?

• How do you handle access by surveyors?

– What privileges do you give them?
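
The routine access review these questions call for can be run over the system's event log. The following is an added example, not part of the original presentation, that checks three of the high-risk items named earlier: access after an employee has left, accounts nobody provisioned, and a single login used from two workstations within minutes (a sign of a shared account). The roster, log layout, user names and the 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: roster, log layout and names are assumptions.
ROSTER = {
    "jsmith": {"role": "nurse", "terminated": "2024-02-15"},
    "mlopez": {"role": "nurse", "terminated": None},
    "floor2": {"role": "nurse", "terminated": None},   # generic unit login
}
ACCESS_LOG = [
    ("2024-02-20T07:02", "jsmith", "WS-12", "view",   "R-001"),
    ("2024-02-20T07:05", "mlopez", "WS-03", "modify", "R-002"),
    ("2024-02-20T07:10", "floor2", "WS-04", "view",   "R-003"),
    ("2024-02-20T07:14", "floor2", "WS-09", "modify", "R-004"),
    ("2024-02-20T07:30", "tempdr", "WS-01", "view",   "R-001"),
]

def review_access(log, roster, window_minutes=15):
    """Return findings as (rule, user, timestamp) tuples for follow-up."""
    findings = []
    last_seen = {}  # user -> (time, workstation) of the most recent event
    for ts, user, workstation, action, resident in sorted(log):
        when = datetime.fromisoformat(ts)
        account = roster.get(user)
        if account is None:
            # Login that does not map to any provisioned person
            findings.append(("unknown_account", user, ts))
        elif account["terminated"] and when >= datetime.fromisoformat(account["terminated"]):
            # Account still usable after the employee left
            findings.append(("access_after_termination", user, ts))
        prev = last_seen.get(user)
        if prev and prev[1] != workstation and when - prev[0] <= timedelta(minutes=window_minutes):
            # Same login on two workstations in a short window
            findings.append(("possible_shared_account", user, ts))
        last_seen[user] = (when, workstation)
    return findings

if __name__ == "__main__":
    for finding in review_access(ACCESS_LOG, ROSTER):
        print(finding)
```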

RESIDENT ACCESS TO RECORDS

DOCUMENTATION


Documentation principles do not change because you have an electronic health record

Late entries, amendments, addendums are still handled in the same manner as with paper records

AUTHENTICATION

• The Medicare Conditions of Participation

• 42 CFR §482.24(c)(1): All entries in the medical record must be dated, timed, and authenticated, in written or electronic form, by the person responsible for providing or evaluating the service provided. For authentication, in written or electronic form, a method must be established to identify the author. A system of auto-authentication in which a physician or other practitioner authenticates an entry that he or she cannot review, e.g., because it has not yet been transcribed, or the electronic entry cannot be displayed, is not consistent with these requirements

• There must be a method of determining that the practitioner did, in fact, authenticate the entry after it was created.

• Where an electronic medical record is in use, the facility must demonstrate how it prevents alterations of record entries after they have been authenticated. (Interpretive Guidelines)

Source vs. Output

Example:

• You are completing an assessment using decision support tools within your system; some of the answers have criteria such as specific diagnoses the resident may have. The answer is the resident has 2 of the diagnoses listed on the decision support question – This information is visible on the computer screen if you pull up the assessment but once you print only the 2 is visible on the “output” document.

• WHAT IS YOUR LEGAL MEDICAL RECORD?

• Printing: does the screen view translate into a document?

• If the data the clinician sees on the floor when treating the patient (SOURCE) cannot be reproduced exactly in the same detail at a later time (OUTPUT), then the SOURCE data, and NOT the OUTPUT data, is the “legal” EHR. This should be part of your testing: what happens to the data entered on the screen when that document is printed?

Your record must be:

Sequential

Date/time oriented

THE LEGAL SCENE

• Release of Information / Search & Retrieve

Validate timeframes; this has not changed with the adoption of eHR. Most facilities have a hybrid record; both paper and electronic records must be looked at and released as needed.

If there are multiple admissions, does your system distinguish old and new information?

How will you track the information released?

How will you ensure accuracy, i.e. right patient, right timeframe, right documents?

• Presenting your record

If you have decided that your screen view is your legal record, how will you put together a record for disclosure?

• Explaining your record

Your policies and procedures must be clear as to the designated record set and your legal health record.

The Role of HIM Professionals

QUALITY ASSURANCE

HIM Department Workflow

While some of the basic functions of the medical records department will remain the same, the process to complete these functions will change.

Underutilization of system-generated reports and alerts is one of the biggest issues when facilities adopt a new eHR.

Let’s have a look at some of the basic tasks…

• Some auditing processes may be automated – flags, alerts etc.

• HIM staff must ensure these are followed up and completed. Instead of flagging a document, they can send an electronic reminder to complete the documentation.

• Filing will no longer mean placing a hardcopy paper inside a folder but it may mean scanning and indexing

• Record retention will transform from the shed out back or the off-site storage. Retention guidelines and access restrictions will still have to be maintained and monitored.

• Release of information will transform from copying to making information available in a variety of media such as secure email, electronic access etc.

AUDITING

In order to maintain compliance with quality of care, patient safety, regulatory compliance and reimbursement, and to maintain a legal record, records still require concurrent review from admission through discharge.

Regardless of the media in which the medical record is maintained, HIM staff are still responsible for ensuring the content, completion, timeliness and accuracy of documentation.

DOWNTIME

HANDLING DOWNTIME

• EHR Downtime

Paper forms are used while the system is down. How will you incorporate them into the eHR? How will you identify that there was downtime within the eHR?

Policies and Procedures

As you transition from paper to electronic records, your policies and procedures must be updated to reflect your current practice.

To be or not to be (electronic)

THE BENEFITS

With more and more LTC facilities adopting electronic health records, it is important to consider the benefits…

Patient Safety, Quality and Accessibility

• Reduction in medication errors

• Prompts and alerts to nursing regarding follow up i.e. PRN medications

• System audits to remind staff of incomplete or untimely documentation

• Legibility

• Templates can guide documentation so all elements are addressed

Meeting Consumer Expectations / Increased Customer Service

• Although the Residents of the facility may not be electronically savvy, their children and grandchildren use electronic devices daily.

• Being able to communicate and access information is important to the younger generation

Improved data collection and analysis and workflow

• Easy access to most current information at all times

• Report generation

THE CHALLENGES

• Not all elements in a template may apply to all residents

• Poor typing skills

• Poor computer skills

• Ignoring of alerts

• Untimely documentation – there will be a record now

Paving the Road

Training, Planning, Monitoring, Testing

Implementation Plan

• Implementation checklist:

• Divide your facility into tasks: for example, nursing notes and physician’s orders could be rolled out first. This is how you would plan for that:

• Decide on a date for implementation

• Implement security safeguards against improper use – passwords, role-defined access, audit trails etc. WHO WILL BE IN CHARGE OF THIS?

• Develop a training schedule that accommodates all staff involved in the transition

• Your schedule should include enough training time for repeat trainings as needed

• Identify super users

• Ensure step by step instructions are available for staff use

• Define your legal health record

• Update any necessary policies and procedures

• Testing – very important to ensure success