Roadmap to Quality Documentation Presented by Rhonda Anderson, RHIA President Anderson Health Information Systems, Inc. ACCESS SECURITY.


1 Roadmap to Quality Documentation Presented by Rhonda Anderson, RHIA President Anderson Health Information Systems, Inc. office@ahis.net ACCESS SECURITY Electronic Health Records

2 DUE DILIGENCE
Most of you may have already done this:
- Identified products you are interested in
- Contacted vendors and set up demonstrations
- Made an assessment of your current practice and your needs; what will you need to change about your current workflow?

3 THINGS TO CONSIDER
- Does the system provide you with what you need to continue your current practice?
- What about regulatory compliance?
- Initial cost?

4 KEEP IN MIND An effective electronic health record system must consist of the basic requirements of a valid, legal medical record that supports clinical and business purposes. Does the system you are looking at meet the basic rules of medical record documentation?

5 YOU HAVE PURCHASED A NEW SYSTEM NOW… THE FUN BEGINS

6 DEFINING YOUR RECORD

7 WHAT IS AN ELECTRONIC HEALTH RECORD? A longitudinal record of patient health information generated by one or more encounters in any care delivery system. Included in this information are patient demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports. The EHR automates and streamlines the clinician’s workflow. The EHR has the ability to generate a complete record of a clinical patient encounter, as well as supporting other care-related activities directly or indirectly via interface, including evidence-based decision support, quality management and outcomes reporting. Reference: Adam Greene, JD, MPH – AHIMA

8 SECURITY

9 HIPAA “does not provide adequate general IT security”; HITECH provides guidelines for preventing breaches (unauthorized access).
When conducting a risk analysis, focus on HIGH RISK areas:
- Unprotected wireless networks
- Shared user accounts
- Lack of system event logging or review
- Excessive user access and electronic record administrator rights
- Sufficient technical requirements

You MUST monitor system activities and make needed adjustments as a matter of routine, not just after complaints.

10 NO SAFE HARBOR
- HITECH ACT
  - Part of the American Recovery and Reinvestment Act of 2009
  - Applies the HIPAA privacy and security rules and their penalties to HIPAA business associates
  - Creates a new breach reporting requirement for HIPAA CEs and BAs
  - Effective Date February 2009
- SB 541
  - California legislation that enforces reporting requirements for unlawful or unauthorized access, use or disclosure of a patient’s medical information
  - Reporting requirement within 5 days of discovery
  - Effective Date 2009
- HIPAA
  - Health Insurance Portability and Accountability Act
  - Guidance for Privacy and Security of protected health information
  - 45 CFR 160-164
  - Effective Date 2003

11 OCR - Office for Civil Rights
- Enforces HIPAA privacy, security, and breach notification laws
- HITECH Act provided for huge penalties (tens of millions of dollars)

12 HIPAA civil penalties under new HITECH provisions, effective November 30, 2009

| Violation Category | Each Violation | All such violations of an identical provision in a calendar year |
|---|---|---|
| Did not know | $100-50,000 | $1,500,000 |
| Reasonable cause | $1,000-50,000 | $1,500,000 |
| Willful neglect, corrected within 30 days | $10,000-50,000 | $1,500,000 |
| Willful neglect, not corrected | $50,000 | $1,500,000 |

13 HIPAA / HITECH and EHRs

14 THE GOOD
- Greater control over uses and disclosures
- Greater control over minimum necessary and security
- Automated rules for uses and disclosures
- Greater transparency
- Potential detection of breaches
- More robust safeguards

15 THE BAD
- Greater patient involvement... does this mean less provider control?
- Creates some challenges with release of information
- With patients having access to their information and wanting to make amendments, how is the integrity of the record maintained?
- Under the HIPAA Privacy Rule (45 CFR 164.524) residents have a right to inspect and obtain copies of their information, request privacy protections and request amendments. This includes PHI in any paper or electronic format.

16 THE UGLY
- Greater volume of disclosures
- Are all staff aware of disclosure rules, and how is this monitored?
- Potential for improper uses/disclosures magnified (e.g., more large breaches)
- More complex security issues: the need for role-based access and limitations
- Monitoring integrity and security

17 DATA INTEGRITY What is Data Integrity? In the context of data security it is data that is protected from accidental or unauthorized intentional change. As we discuss the electronic health record, you will see how integrity plays a very important role in compliance with HIPAA and the Medicare Conditions of Participation.

18 DATA INTEGRITY Compliance or Technical Issue? A process of creating and maintaining the best official resident record. A roadmap to quality documentation.

19 HOW TO MANAGE RECORD INTEGRITY
Deleting: allowing delete functions is not recommended. Facilities should have clear policies and procedures to deal with correction of errors.
- If you allow deletion of data, how is this tracked?
- How do you handle a major error such as charting on the wrong patient?

20 AMENDMENTS
- How will you handle corrections?
- Does the system track changes?
- How do you know if a document has been changed?
- Clearly, if there is no tracking of changes, this violates the first rule of corrections to medical records: “Never obliterate an entry.”

21
- Copy and paste: misuse of copy/paste functionality can have a direct impact on patient care. Information that is outdated or inaccurate relative to the current status of the resident can greatly affect the integrity of the record for medico-legal purposes.
- Prepopulating: prepopulation of data onto a new document based on the last document (e.g., assessments) is an acceptable practice, but author responsibilities must be clearly delineated to ensure information is reviewed, updated and verified before authentication.

22 DATA INTEGRITY

23 WHAT WOULD YOU DO?
Your system allows for prepopulation of assessments. A discipline has opened new assessments for several residents and saved them under a new date without verifying or changing any of the information.
- How would you identify that this has happened?
- How would you verify the information is incorrect / correct?
- How would you identify other areas affected by this (e.g., billing, MDS)?
- What would you do to correct the problem?
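One way to answer the first question in the scenario above, as an added example that is not part of the original presentation: compare each assessment's content with the same resident's previous one and list the exact copies. The record layout and field names are assumptions, not any vendor's export format, and the sample data is constructed.

```python
import hashlib
import json
from collections import Counter, defaultdict

# Constructed sample export. Field names are assumptions, not a vendor schema.
ASSESSMENTS = [
    {"id": "A1", "resident": "R-100", "author": "nurse2", "date": "2024-01-05",
     "answers": {"mobility": "walker", "pain": 3, "dx": ["CHF", "COPD"]}},
    {"id": "A2", "resident": "R-100", "author": "therapist1", "date": "2024-04-05",
     "answers": {"pain": 3, "dx": ["CHF", "COPD"], "mobility": "walker"}},
    {"id": "B1", "resident": "R-200", "author": "nurse2", "date": "2024-01-07",
     "answers": {"mobility": "independent", "pain": 0, "dx": ["DM2"]}},
    {"id": "B2", "resident": "R-200", "author": "therapist1", "date": "2024-04-05",
     "answers": {"mobility": "independent", "pain": 0, "dx": ["DM2"]}},
    {"id": "C1", "resident": "R-300", "author": "nurse2", "date": "2024-01-09",
     "answers": {"mobility": "wheelchair", "pain": 5, "dx": ["CVA"]}},
    {"id": "C2", "resident": "R-300", "author": "nurse2", "date": "2024-04-06",
     "answers": {"mobility": "wheelchair", "pain": 2, "dx": ["CVA"]}},
]

def fingerprint(answers):
    """Hash the clinical content only, so a new date or author does not hide a copy."""
    canonical = json.dumps(answers, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def unchanged_carry_forwards(assessments):
    """Return (resident, previous id, new id, author) where the new assessment
    is identical in content to the same resident's previous one."""
    by_resident = defaultdict(list)
    for a in assessments:
        by_resident[a["resident"]].append(a)
    hits = []
    for resident, items in by_resident.items():
        items.sort(key=lambda a: a["date"])  # ISO dates sort chronologically
        for prev, cur in zip(items, items[1:]):
            if fingerprint(prev["answers"]) == fingerprint(cur["answers"]):
                hits.append((resident, prev["id"], cur["id"], cur["author"]))
    return sorted(hits)

def authors_to_review(hits, threshold=2):
    """Authors with several unchanged copies on file: the pattern in the scenario."""
    counts = Counter(author for _, _, _, author in hits)
    return {author: n for author, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    hits = unchanged_carry_forwards(ASSESSMENTS)
    print(hits, authors_to_review(hits))
```

An identical copy can be clinically correct, so the output is a review queue: each hit still has to be verified against the resident's current status before any correction is made.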

24 VERSIONING Once an original document is corrected or amended, does your system identify the different versions as they are created? How do you identify documents with different versions?

25 Monitoring

26 BE THE GATEKEEPER
Who is accessing, creating or modifying your record? The HIPAA Security Rule:
- 45 CFR §164.312(a)(1): implement technical procedures to allow access only to those persons or programs that have been granted access rights
- 45 CFR §164.312(d): implement procedures to verify that a person or entity seeking access to ePHI is the person claimed (i.e., who he, she, or it purports to be)
- 45 CFR §164.312(b): implement mechanisms that record and examine activity in information systems that contain or use ePHI

27 TRACKING
Do you know what documents have been viewed, altered, destroyed or released?
- 45 CFR §164.312(c): protect ePHI from alteration or destruction in an unauthorized manner (at rest)
- 45 CFR §164.312(e)(2): implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of (in motion)

28 ACCESS
- Who is in charge of managing access to your system?
- How is access restricted after an employee leaves your facility?
- How do you manage access for new employees?
- How do you monitor and manage unauthorized access?
- How do you handle access by surveyors? What privileges do you give them?
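A routine audit-log review that answers two of the access questions above, as an added example that is not part of the original presentation: it lists activity by accounts after the employee's last day and accounts that appear on two workstations within minutes of each other, a common sign of a shared login. The log format, field names and termination roster are assumptions, and the sample lines are constructed.

```python
from datetime import date, datetime, timedelta

# Constructed audit-log sample; the line format is an assumption.
LOG = """\
2024-03-01T08:00:00 user=asmith ws=NS1-PC1 action=VIEW record=R-100
2024-03-01T08:04:00 user=asmith ws=NS2-PC7 action=EDIT record=R-200
2024-03-01T09:30:00 user=jdoe ws=NS1-PC3 action=VIEW record=R-100
2024-03-09T22:10:00 user=jdoe ws=NS1-PC3 action=PRINT record=R-300
2024-03-10T07:00:00 user=bnurse ws=NS1-PC1 action=VIEW record=R-100
2024-03-10T11:00:00 user=bnurse ws=NS1-PC2 action=VIEW record=R-100
"""
TERMINATED = {"jdoe": "2024-03-05"}  # account -> last working day (constructed)

def parse(line):
    """Turn one log line into a dict with a real timestamp."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def access_after_termination(events, terminated):
    """Events by an account dated after the employee's last working day."""
    hits = []
    for e in events:
        last_day = terminated.get(e["user"])
        if last_day and e["ts"].date() > date.fromisoformat(last_day):
            hits.append((e["user"], e["ts"].isoformat(), e["action"], e["record"]))
    return hits

def possible_shared_accounts(events, window=timedelta(minutes=15)):
    """Accounts seen on two different workstations within `window`."""
    last_seen, flagged = {}, set()
    for e in sorted(events, key=lambda e: e["ts"]):
        prev = last_seen.get(e["user"])
        if prev and prev["ws"] != e["ws"] and e["ts"] - prev["ts"] <= window:
            flagged.add(e["user"])
        last_seen[e["user"]] = e
    return sorted(flagged)

EVENTS = [parse(line) for line in LOG.splitlines() if line.strip()]

if __name__ == "__main__":
    print(access_after_termination(EVENTS, TERMINATED))
    print(possible_shared_accounts(EVENTS))
```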

29 RESIDENT ACCESS TO RECORDS


31 DOCUMENTATION

32
- Documentation principles do not change because you have an electronic health record
- Late entries, amendments, addendums are still handled in the same manner as with paper records

33 AUTHENTICATION The Medicare Conditions of Participation 42 CFR §482.24(c)(1): All entries in the medical record must be dated, timed, and authenticated, in written or electronic form, by the person responsible for providing or evaluating the service provided. For authentication, in written or electronic form, a method must be established to identify the author. A system of auto-authentication in which a physician or other practitioner authenticates an entry that he or she cannot review, e.g., because it has not yet been transcribed, or the electronic entry cannot be displayed, is not consistent with these requirements

34 There must be a method of determining that the practitioner did, in fact, authenticate the entry after it was created. Where an electronic medical record is in use, the facility must demonstrate how it prevents alterations of record entries after they have been authenticated. (Interpretive Guidelines)

35 Source vs. Output Example: You are completing an assessment using decision support tools within your system; some of the answers have criteria such as specific diagnoses the resident may have. The answer is the resident has 2 of the diagnoses listed on the decision support question – This information is visible on the computer screen if you pull up the assessment but once you print only the 2 is visible on the “output” document.

36 WHAT IS YOUR LEGAL MEDICAL RECORD?
- Printing: does the screen view translate into a document?
- If the data the clinician sees on the floor when treating the patient (SOURCE) cannot be reproduced exactly in the same detail at a later time (OUTPUT), then the SOURCE data, and NOT the OUTPUT data, is the “legal” EHR. This should be part of your testing: what happens to the data entered on the screen when that document is printed?
- Your record must be:
  - Sequential
  - Date/time oriented

37 THE LEGAL SCENE
- Release of Information / Search & Retrieve
  - Validate timeframes. This has not changed with the adoption of the eHR; most facilities have a hybrid record, and both paper and electronic records must be looked at and released as needed.
  - If there are multiple admissions, does your system distinguish old and new information?
  - How will you track the information released?
  - How will you ensure accuracy, i.e. right patient, right timeframe, right documents?
- Presenting your record
  - If you have decided that your screen view is your legal record, how will you put together a record for disclosure?
- Explaining your record
  - Your policies and procedures must be clear as to the designated record set and your legal health record.

38 The Role of HIM Professionals

39 QUALITY ASSURANCE

40 HIM Department Workflow While some of the basic functions of the medical records department will remain the same, the process to complete these functions will change. Underutilization of system-generated reports and alerts is one of the biggest issues when facilities adopt a new eHR. Let’s have a look at some of the basic tasks...

41
- Some auditing processes may be automated (flags, alerts, etc.). HIM staff must ensure these are followed up and completed; instead of flagging a document they can send an electronic reminder to complete the documentation.
- Filing will no longer mean placing a hardcopy paper inside a folder, but it may mean scanning and indexing.
- Record retention will transform from the shed out back or the off-site storage. Retention guidelines and access restrictions will still have to be maintained and monitored.
- Release of information will transform from copying to making information available in a variety of media such as secure email, electronic access, etc.

42 AUDITING
- In order to maintain compliance with quality of care, patient safety, regulatory compliance, reimbursement, and maintain a legal record, records still require concurrent review from admission through discharge.
- Regardless of the media in which the medical record is maintained, HIM staff are still responsible for ensuring the content, completion, timeliness and accuracy of documentation.

43 DOWNTIME

44 HANDLING DOWNTIME
EHR downtime: paper forms used while system is down.
- How will you incorporate them into the eHR?
- How will you identify that there was downtime within the eHR?

45 Policies and Procedures As you transition from paper to electronic records your policies and procedures must be updated to reflect your current practice

46 To be or not to be (electronic)

47 THE BENEFITS
With more and more LTC facilities adopting electronic health records it is important to consider the benefits:
- Patient Safety, Quality and Accessibility
  - Reduction in medication errors
  - Prompts and alerts to nursing regarding follow up, e.g. PRN medications
  - System audits to remind staff of incomplete or untimely documentation
  - Legibility
  - Templates can guide documentation so all elements are addressed

48
- Meeting Consumer Expectations / Increased Customer Service
  - Although the residents of the facility may not be electronically savvy, their children and grandchildren use electronic devices daily. Being able to communicate and access information is important to the younger generation.
- Improved data collection and analysis and workflow
  - Easy access to most current information at all times
  - Report generation

49 THE CHALLENGES
- Not all elements in a template may apply to all residents
- Poor typing skills
- Poor computer skills
- Ignoring of alerts
- Untimely documentation: there will be a record now

50 Paving the Road

51 Implementation Plan
- Training
- Planning
- Monitoring
- Testing

52 Implementation checklist
Divide your facility into tasks: for example, nursing notes and physician’s orders could be rolled out first. This is how you would plan for that:
- Decide on a date for implementation
- Implement security safeguards against improper use: passwords, role-defined access, audit trails, etc. WHO WILL BE IN CHARGE OF THIS?
- Develop a training schedule that accommodates all staff involved in the transition
- Your schedule should include enough training time for repeat trainings as needed
- Identify super users
- Ensure step-by-step instructions are available for staff use
- Define your legal health record
- Update any necessary policies and procedures
- Testing: very important to ensure success


