4. PRACTICE GUIDELINES FOR LTC HEALTH INFORMATION AND RECORD SYSTEMS

.

1. RECORD SYSTEMS, ORGANIZATION AND MAINTENANCE:

A medical record must be maintained for every resident in a long term care facility. It is critical that every facility have formalized systems in place for the maintenance of records that are systematically organized and readily accessible.  With long term care providers at varying stages of automating their clinical documentation, there may be some portions of a record maintained electronically and some in paper format. This section of the report will deal with maintenance of the paper medical record and special considerations related to maintenance of electronic or hybrid records.

A hybrid record is a system with functional components that include both paper and electronic documents and use both manual and electronic processes.   Software products, as well as human and fiscal resources of a facility, vary in the ability to implement and support a fully electronic health record (EHR).  Facilities can migrate to an EHR by staggering the automation of various components of the clinical record, such as the MDS, care plan or physician orders, while maintaining the remainder of the record in a paper format.  Fully automating a component of clinical documentation entails not only creating the information electronically, but the ability to: electronically authenticate, correct, retrieve, and archive the information,  destroy the electronic information in accordance with record retention policies, produce hardcopy output of the electronic information as necessary for litigation or other warranted use, and adhere to federal and state requirements for maintaining the privacy and security of protected health information.   Within the facility you must determine if components of your clinical record that are entered into a computer system, such as the MDS or care plan, will be printed and placed in the paper record or only be maintained electronically.  Either method is acceptable as long as it is in accordance with federal and state laws and regulations, and is consistent with facility policy (see CMS Survey & Certification Memo S&C-04-46 of September 9, 2004).  It is helpful to establish a grid or matrix that identifies all components of the clinical record and whether, for purposes of the legal health record, that component is maintained in electronic or paper format.  Such a grid can be useful in ensuring all document types are addressed in planning the transition from hybrid to fully electronic health records.  In addition, the grid can serve as a tool for communicating the paper or electronic status of document types to staff and, therefore, ongoing maintenance of the grid is important.  Recommended content for a facility legal health record grid includes: type and name of the document media source considered as the legal health record (i.e. paper or electronic) software application used to create and maintain the document start date for electronic storage of the document last date for printing document for inclusion in paper record An abbreviated sample of a legal health record grid is found below in Table 1.

Complete Medical Record in a Hybrid EHR Environment: Part I: Managing the Transition; AHIMA Practice Brief, October 2003

The AHIMA Practice Brief Series “The Complete Medical Record in a Hybrid EHR Environment” (2003) presents a comprehensive review of issues related to a hybrid record system.  The series addresses: Managing the Transition (Part I) Managing Access and Disclosure (Part II) Authorship of and Printing the Health Record (Part III) Legal Source Legend (Appendix) Review of this Practice Brief series is strongly encouraged.

TABLE 1:   LEGAL SOURCE LEGEND FOR HYBRID HEALTH RECORD   Report/Document Types Media Type for Legal Record: (P)aper/ (E)lectronic Software Application Source for Electronic Document Start Date for Electronic Storage of Document Last Date for Routine Printing of Document IDENTIFICATION & ADMISSION DOCUMENTATION Admission Record/Facesheet P & E Specify Application 1/1/2005   Pre-admission Screening (PASARR) P       Admission Agreement P       CLINICAL ASSESSMENTS Nursing Admission Assessment E Specify Application 2/1/2005 4/1/2005 Fall Assessment E Specify Application 2/1/2005 4/1/2005 MINIMUM DATA SET AND CARE PLAN MDS E Specify Application 1/1/2005 3/1/2005 Care Plan P       Care Plan Signature Record P       PHYSICIAN ORDERS Monthly Recap P       Telephone Orders P

The following practice guidelines establish a baseline for the systems that should be in place for maintaining the clinical record in both paper and electronic formats.

1. Maintaining a Unit Record

A unit record and unit numbering system is recommended for long term care facilities. With a unit record, the patient is assigned a medical record number on the first admission to the facility.  This number is retained for each subsequent admission/readmission, and is used for both paper and electronic portions of the record. Though there may be multiple volumes, folders and formats, the patient’s entire medical record is filed as a unit under one number. (Health Information Management, Huffman)

 

In long term care, the record(s) from previous admissions should be brought forward and filed in the same area as the current admission. Bringing previous records forward provides the most comprehensive picture of the resident’s medical history and therapy. The previous records should be readily accessible to staff for use in the assessment and care planning process.

 

When a resident is readmitted, all records from previous admissions should be pulled forward and maintained in the overflow files.  Records from previous admissions should be separated from other discharged/closed records to prevent the inadvertent destruction of the record(s) prior to the required medical records retention period (see section 4.6 for discussion of retention guidelines).  The medical records from previous stays remain in their original file folder and are retained, chronologically, with other records for residents currently in the facility. The records from one discharge to another are not combined into one folder.

 

If the previous records cannot be brought forward and kept in the same area as the current record, the facility must have a process in place to ensure that previous records are not inadvertently destroyed prior to the required retention period for the record.

Some software products have been setup to assign a new number with each readmission to the facility.  In this situation, the previous records should be brought forward and filed under the latest number assigned to the resident.   If information from a prior admission(s) is in an electronic format, the information must be viewable upon readmission and staff need to be made aware of its availability.

 

2. Assigning a Medical Record Number

    

   HIM STANDARD: The healthcare organization has a policy that requires a separate, unique health record for each resident.

   Each resident admitted to the long term care facility should be assigned a unique medical record number. The following are general rules to follow when assigning medical record numbers:

   • Assign a medical record number only when a resident is admitted. This will prevent numbers from being assigned when the resident is not actually admitted to the facility.

• If a resident was assigned a number, but was not admitted, make a notation in the admission/discharge register (see section 4.11.2) that the resident was not admitted.  Do not reuse the number.

• Assign numbers chronologically. Each new admission is assigned the next sequential number.

• Always verify in the master patient index (see section 4.11) that the resident has not been in the facility previously.

• If a resident has multiple admissions, the facility can assign a modifier to the medical record number to designate each admission, such as 1234-a, 1234-b or 1234-1, 1234-2.   

• When a resident is re-admitted, the original medical record number is used.

• No additional entry is needed in the medical record number log, but the readmission is noted on the master patient index card.

Special considerations for healthcare campuses or continuums of care (i.e. facilities with nursing home and assisted living components, continuing care retirement communities, etc.):

How the facility uses the medical record number is a key consideration when assigning numbers in a facility with different care settings.  Is the medical record number used for filing sequence (i.e. patient records are filed in numerical sequence based on the medical record number) or is the medical record number only used for purposes of patient identification?

• If the medical record number is used for filing sequence, a separate number should be assigned to each of the different care settings, such as a separate medical record number for the SNF stay and a separate medical record number for the Assisted Living stay.  On readmission to either the SNF or AL, the number originally assigned in that setting would be used again.

• If the medical record number is used only for patient identification, the facility may want to consider assigning a single medical record number to be used for records created in any of the different care settings, issuing in essence a “campus” number.  A modifier may be used to indicate the specific care setting to which the patient is being admitted.  For example, if the resident is being admitted to the Assisted Living portion of the facility, the suffix “AL” may be added to the number to designate the Assisted Living stay, creating the number 1234(AL).

 

Special considerations for multi-facility organizations:

 

Accurate identification of customers being served, the frequency of customer use of specific services, and the profitability of such services are strong motivators for corporations to consider adoption of an enterprise identifier.  An enterprise identifier is the primary identifier used by the corporation to identify the resident across facilities in the enterprise.  It is used at the corporate level to link and identify residents, while the medical record number is still used for identification at the facility level.

General: Electronic systems should provide fields for medical record numbers that are of adequate length and type (i.e. alphanumeric vs numeric only) to support the numbering convention of the facility.  If the system cannot support existing numbering conventions and a new numbering system is initiated, the facility will have to cross-reference the new number on the master patient index and the resident’s medical record folders.   Electronic systems should also have the ability to automatically assign sequential numbers for new admissions and search for prior admissions of the resident to the facility.  It is important to remember that the system can only search for prior admissions based on the data available.  It may still be necessary to search the manual patient master index for prior admission status if the system data base is of a limited timeframe.   Finally, electronic systems should support collection of demographic information and pre-admission assessments prior to resident admission to the facility.  Such pre-admission information should be distinct from “resident” information and would not be associated with a medical record number until such time as the resident is admitted to the facility.   Enterprise Identifiers: Use of enterprise identifiers requires all facilities to search the corporate database for previous admissions to avoid assigning more that one number to a resident previously admitted within the organization.  Effective use of enterprise identifiers hinges on accurate identification of the resident to avoid duplicate, overlap, or overlay entries in the corporate database.  The matching algorithm used to determine if the resident exists in the corporate database is critical to avoiding errors in assignment of identifiers.  Three types of algorithms are currently available: deterministic, rules-based, and probabilistic. These concepts are discussed in detail in the AHIMA Practice Brief Building an Enterprise Master Person Index from January 2004.

 

3. Maintaining Records in a Continuum of Care:

For healthcare campuses or continuums it is recommended that separate records are maintained for each of the different care settings. For example, a separate record is maintained for assisted living, one for the NF/SNF, another for home care, a record for outpatients, etc.  Creation of a new record is not recommended when a resident changes levels of care within the nursing home, i.e. moves from SNF to NF.  .

 

When transferring between care settings (i.e. assisted living to SNF), it is recommended that an interdisciplinary transfer form or discharge instructions be completed to ensure continuity of care. Include copies of relevant documentation to facilitate the assessment and care planning process.

 

Health information staff should be responsible for record management.  This includes creation, maintenance, storage, retention, and destruction of the medical records maintained by the campus.  The assignment of responsibility helps to ensure that the medical records for each of the care settings are maintained in an organized and systematic filing and retrieval system.

 

To assist with tracking medical record numbers/campus numbers, admissions, discharges and transfers,  there should be a campus-wide master patient index or some other mechanism to link all paper, electronic and hybrid records to the resident. 

Electronic systems should have the ability to maintain a campus-wide patient master index.

 

4. Defining What is Part of the Medical Record

The medical record in a long term care facility reflects the multi-disciplinary approach to assessment, care planning and care delivery. The medical record includes, but is not limited to, the following types of information: resident identification, admission/readmission documentation, advance directives and consents, history and physical exams and other related hospital records, assessments, MDS, care plan, physicians orders, physician and professional consult progress notes, nursing documentation/progress notes, medication and treatment records, reports from lab, x-rays and other diagnostic tests, rehabilitation and restorative therapy records, social service documentation, activity documentation, nutrition services documentation, and other miscellaneous records including correspondence and administrative documents.

 

Facility policy should specifically outline in the format of a chart order the exact documents and records that will be considered part of the medical record.

If portions of the record will be retained in an electronic medical record system, policies should differentiate between those records that will be paper-based and those that are electronic. (see Section 4.1 overview)

5. Maintenance of the Medical Record

It is critical that both the active record and the overflow records are maintained in a systematically organized fashion. This means that all records have an established chart order or order of filing that is followed. All records (records on the nursing station, overflow records, and discharge records) should be readily accessible, maintained in an organized chart order, filed in an easily retrievable manner, and maintained in folders or chart holders sufficient in size for the volume of the record. The chart holders and folders should be kept neat, clean and orderly. Products are available for cleaning/disinfecting the chart holders (binders).  Cleaning is recommended periodically during the stay and upon discharge.

 

It is recommended that a chart order or order of filing with thinning guidelines be kept in the record and at the nursing station to direct staff to the proper location of forms.

In hybrid or electronic record environments, procedures must be clearly defined regarding how staff are to handle interruptions in the ability to electronically chart due to situations such as power failure or system failure.  Issues to address include: Is manual charting created during the time the system is down If manual charting is created, is it maintained as part of the legal health record Is manual charting replicated as a “copy” in the electronic documentation once the system is accessible What type of notation is made in the electronic documentation to identify any manual charting created during the system down time.

6. Identification (Name and Number) on pages of the Medical Record

From a legal perspective, each page or individual documents (i.e. shingled telephone order) in the medical record should contain resident identification information. At a minimum, both the resident name and medical record number should be on each form. If labels/label paper is used, resident identification information must be included on the label. The resident name and number should be placed on both sides of a two-sided form/page because records are frequently copied.  Identification information appearing on both sides of a form helps to ensure that the copy is not lost or misplaced.  If the back of the form is blank, no identification information is required on the blank side.  There should not be documentation on the back of a one-sided form.  If, for any reason, documentation is placed on the back of a one-sided form, a label or identifying information must be added and any blank space on the form lined or X’d out to prevent further documentation that may be out of sequence.

 

Resident identification information can be noted on forms by methods such as writing on the page in permanent ink, stamping by an addressograph, or affixing a printed or manually completed label. Regardless of the method used, identification information should not obscure any content on the form. Resident specific documents printed from a computer system to be filed in the medical record, such as physician orders, care plans, etc.,  should include resident identification information on each page.

In electronic or hybrid environments, it is important that core resident identification information appear on each screen view of the resident’s clinical information as well as on each page of hard copy output.  Again, at a minimum, both the resident name and medical record number should be present.

7. Common Forms and Thinning Guidelines

   HIM STANDARD: The healthcare organization has a policy that establishes a uniform chart order for health records.

   This section outlines common forms found in a long term care record and provides guidelines for thinning the record contents.  While form titles listed and the location of the forms in the record may differ from facility practice, but the thinning guideline would remain appropriate for the type of documentation identified.

    

   Thinning the medical record is a process of removing documents older than a certain date and moving them into a secondary record known as the overflow record.  The establishment of thinning guidelines is a standard of practice for the long term care profession. Federal regulations at 42 C.F.R. § 483.75 (l)(5) require that clinical records include (1) sufficient information to identify the resident; (2) a record of the resident’s assessment; (3) the plan of care and services provided; (4) the results of any pre-admission screening conducted by the State; and (5) progress notes. Some states may have specific regulations that address what can be thinned from the active record. Check licensure rules to determine if state law delineates a specific thinning guideline.

    

   The goal of the thinning guideline is to retain documentation in the resident’s chart that reflects the current plan of care and services provided, as well as maintaining a record of manageable size for use by the care providers. Unless required by state regulations, it is not necessary to keep the original assessment or progress notes in the record. Recommended guidelines for thinning call for retaining the two most recent assessments in the active record.  The overflow record should be appropriately secured and easily accessible to clinical staff for review of any admission or other type of documentation.

    

   Section 4.3.6 presents information on considerations related to leaving records “open” versus “closing” records when a resident has been temporarily discharged (such as for hospitalization) and return to the facility is anticipated.  If a facility has established a policy to leave the record “open” during temporary discharge, then they will also need to identify practices for thinning of documents such as old admission forms or advance directives from the record which is being continued following readmission,.

   In a hybrid record, thinning will only apply to documents identified for inclusion in the paper medical record.  Electronically stored forms, documents, and information must be retained and accessible as needed for providing care, quality review, survey, etc.   The facility needs to have a thorough understanding of any processes for automatically archiving data that have been built into their clinical information system, as well as processes for retrieving the archival information.  All components of an electronic record need to reside on the system in accordance with facility retention guidelines.   Clinical information in the electronic system may not be presented in the same format as the hard copy record.  In an electronic record, data elements will be sorted and pulled to populate a variety of views, forms or reports.  It will become more important to identify data elements that are common to a variety of reports.  Duplicative entry of data elements should be eliminated as the database or data dictionary is built and accessible.

   1. Integrating Hospital Documents into the Long Term Care Record

      Records from a hospital or other healthcare provider (i.e. another LTC facility) that are sent with a resident to provide information for continued care and treatment should be retained by the facility. It is recommended that pertinent information such as the history and physical, discharge summary, and transfer form be kept in the active medical record. All other documents sent (copies of progress notes, labs, consults, etc.) should be kept in the active record for  1 month to provide information when establishing the current plan of care and treatment and then thinned and retained in the resident’s overflow record. The records provided on admission, readmission, or return from the hospital are part of the facility record. See section 4.9.7.1 of this report for guidance on how to handle release of information or redisclosure of hospital and other healthcare provider documents.

       

      While the federal conditions of participation do not require LTC facilities to obtain a resident History & Physical (see Section 6.8.4), many times state licensure rules or facility policy impose this requirement.  A copy of the history and physical from the hospital is commonly accepted as the history and physical on admission to a LTC facility.  If the hospital physician is also the attending physician, the hospital H&P must be signed and dated by that physician.  When the hospital physician is not the attending physician, the hospital H&P must be reviewed by the attending physician, changes in condition, if any, noted and the attending physician must sign and date the H&P.  When necessary, physicians are expected to update the hospital H&P, hospital discharge summary or to write a progress note that documents the resident’s condition at the time of admission to the facility.  “Electronic” H&Ps that have been faxed or e-mailed from the hospital and printed by the facility would require signature as outlined above.

   As with paper copies of hospital documents, electronic documents provided upon transfer from the hospital will need to be integrated into the resident’s record.  If the legal health record is paper based, the electronic documents should be printed and filed in the record as discussed above.  If the legal health record is in electronic format, the electronic information from the hospital should be integrated in a manner such that the source is clearly identified, but the information is retrieved, archived, and destroyed as part of the resident record.

   2. Thinning the Medical Record

   Each facility should develop a schedule for thinning the medical records. It is generally recommended that records are thinned quarterly and as needed. Using the MDS/care conference schedule, and thinning after the care conference, can provide calendar for thinning Only documents that are signed and complete are thinned.

    

   Once the record has been thinned a notation may be made in the record. For example, a label can be placed in the inside cover of the chart that states the date the record was thinned. The records thinned from the chart should be filed in the overflow record immediately to assure that resident records are always accessible and easily retrievable. 

   .

By listing a form in the following chart order, we are identifying documents commonly found in the medical record. This should not be interpreted as a recommendation or requirement that the form be a mandatory part of the long term care record. See section 6.0 for required types and content of documentation and the associated regulatory reference.

COMMON CHART FORM*	RECOMMENDED THINNING GUIDELINE (State Regulations May Be More Stringent And Supersede These Guidelines)**
Identification and Admission Documentation Admission Record/Facesheet Pre-admission Screening (PASARR) Preadmission Assessment/Intake Admission Agreement (new agreement not required on readmission after temporary discharge with return anticipated) Admission Consent	Current Facesheet Most Current 3 months after admission Financial/Administrative file     Permanent
History and Physical and Hospital Records H&P Hospital Discharge Summary Hospital Transfer Form Other Hospital Records  (All hospital records received should be retained as part of the facility clinical record) Immunization Records	Most Current Most Current Last Hospital Stay Retain pertinent records for 1 month after hospitalization & then thin   Permanent
Advance Directives/Legal Documents CPR Directive DNR Order from physician Resident Self Determination Act Acknowledgement. Living will Advance Directive Durable Power of Attorney Guardianship/Conservator Legal incapacitation Consents, Acknowledgements (For example, Physical Restraints Consent, Admission Consents, Consent to Treat, Consent to Photograph, MDS Consent, MDS Acknowledgement, Release of Information Consent, Release of Responsibility/Leave of Absence)	Most Current Most Current Most Current Most Current Most Current Most Current Most Current Most Current Most Current
Clinical Assessments (At a minimum, retain most recent assessment plus one previous) Nursing Assessment Wound and Skin Assessments Fall Assessment Bowel and Bladder Assessment Pain Assessment Mini-Mental/Cognitive Exam Restraint Assessment	6 months to 1 year 6 months to 1 year 6 months to 1 year 6 months to 1 year 6 months to 1 year 6 months to 1 year 6 months to 1 year
Minimum Data Set and Care Plan MDS Care plan Specialty Care Plans ie: hospice/dialysis Care Plan Signature Records (if used) Care plan recap (if used)	15 months readily available Current care plan Current plan Current plan Current plan
Physicians Orders Monthly Recaps or Renewals Telephone Orders Interim orders Protocols or Standing Order Policies (if used) Fax Orders	3 months 3 months 3 months Current 3 months
Physician and Professional Progress Notes/Consults Physician Progress Notes Cumulative Problem/Diagnosis List Annual Exams Other specialists/consultation Dental Progress Notes/Exams Podiatry Progress Notes/Exams Psychological Evaluation	1 year Most recent Most recent 1 year 1 year 1 year Current
Nursing Notes/Interdisciplinary Notes Nursing Notes or Interdisciplinary Notes Nursing Summary Forms/Flowsheets	3 months 6 months 3 months
Medication, Treatment and Other Flowsheets Monthly Medication and Treatment Records Vitals Sign Record Weights Record Intake and Output Records Behavior Monitoring Records Other Flow Sheets (Diabetic site rotation, etc) Pharmacist/Drug Reviews Recommendations	3 months 1 year 1 year 3 months 3 months 3 months 1 year
Lab, X Rays, and Special Reports Lab Reports (frequently ordered) Annual or interim Lab Reports X-Ray Reports Special Diagnostic Tests	3 months 1 year 1 year 1 year
Rehabilitative Therapy (PT, OT, SLP) Therapy Evaluation Therapy Certification/Recertification Progress Notes Discharge Summary Therapy Screen *Once therapy is discontinued thin therapy information for that discipline except the evaluation and discharge summary.	Most Recent 3 months 3 months Most Recent Most Recent
Rehab Nursing Rehab Screen Rehab Nursing Assessment Progress Notes/Treatment Records	Most Recent Most Recent 3 months
Activities (Therapeutic Recreation) Progress notes Assessments	6 months to 1 year Most Recent
Dietary (Nutrition Services) Progress notes Assessments	6 months to 1 year Most Recent
Social Service History Progress notes Assessments	Permanent 6 months to 1 year Most Recent
HIPAA Documents HIPAA Requests Accounting of Disclosures (if applicable) Requests for Amendment Requests for Alternative Communication Requests for Restriction of Access to PHI HIPAA Complaints Request to Opt Out of NPP practices Authorization to Use and/or Disclose Protected                   Health Information	Most Current Most Current Most Current Most Current Most Current Most Current Most Current Most Current
Miscellaneous/Legal Clothing list or Inventory List (If required)	Most Current
*Common Chart Forms – The chart forms and location are not meant to represent a recommended chart order or forms. Chart order and the types of forms used are facility-specific. The forms named represent common types of documentation found in a long term care record.
** Thinning Guidelines – These guidelines are recommendations and provide a baseline. Each facility should adapt and develop thinning guidelines that meet the needs of their resident population and staff needs.

8. Maintaining the Overflow Record of Thinned Documents

The overflow record is considered part of the resident’s active medical record. The overflow records which contain the documentation thinned from the chart must be systematically organized (a chart order should be established) and readily accessible. Because it is not always possible to keep all documentation in the chart holder at the nursing station, the thinned information is generally kept in the HIM department.

Standards for maintaining the overflow medical record:

SYSTEMATICALLY ORGANIZED:

• For ease in locating documents a chart order should be developed for overflow records. It is recommended that the overflow chart order be the same as the discharge chart order to facilitate quick assembly upon discharge. All like forms should be filed together (i.e. all nurses notes together in date order). Use index tabs if desired to indicate the sections of the chart (index tabs from an office supply company work well in thinned charts). Tabs will make retrieval and filing of documents easier.
• Contents of records should be maintained in date order. Facility policies should define if forms will be filed in chronological or reverse chronological order. Filing in chronological order is has been considered the gold standard, but reverse chronological order has now become more widely used and can save a considerable amount of time by eliminating the need to reverse the order of the documents when thinning or closing the record.  If reverse chronological order is adopted, the chart order remains the same for active, thinned and discharged/closed records.  Either method is acceptable but the facility must define in a policy which of the methods will be used and consistently apply that method.
• Overflow records should be filed alphabetically by resident last name.

 

READILY ACCESSIBLE:

• Overflow records should be filed in a location that is secure and readily accessible.
• When overflow records are removed a chart locator or tracking system must be used to identify the individual removing the chart, the date, and the location.

9. Maintaining a "Soft Chart" or "Shadow Record" and Other Types of Records:

Soft charts are resident-specific records maintained by a discipline that contain extra notes, observations and copies of documentation kept in the medical record. This record is not usually integrated with the resident’s legal medical record. The soft chart is often a working duplicate of the medical record but may also contain information that should be in the legal medical record, but is documented in the soft record and never transferred to the legal record.  

 

Soft charts are discouraged. The facility is put at legal risk because a soft record is discoverable in a legal process and could contain contradictory or damaging information. There is potentially a loss of critical information  when information is documented in the soft record and never transferred to the legal medical record.

.

If facility administration approves the use of soft charts, policies should be developed to manage the records with the same structure and organization as the resident’s legal medical record. The following systems should be developed for each type of soft chart:

 

• Implement systems to ensure that the records are physically secure such as retaining information in locked file cabinets with access by limited staff.

• Develop policies to address the confidentiality of information and documents contained in the record.

• Identify these records on the retention and destruction schedules.

 

Social Service and Financial Files:

Separate social service and financial files are commonly maintained by long term care facilities. Both of these types of records are acceptable. They contain information that is highly sensitive and often not related to resident care. If your facility uses separate files for these two areas, develop policies to define what information is retained in each type of record. There is a risk with a social service file that information which should be documented in the medical record is kept only in the social service record and not accessible to other care providers. Policies should also define security, confidentiality, retention and destruction.

 

Communication Records/Shift Worksheets:

Communication and Shift Records are a common form of communication between nursing staff working on different shifts. They usually contain multiple residents on one page and are not considered a formal part of the medical record. These records are acceptable but standards should be in place to assure that the medical record also reflects the resident’s condition, nursing observations, and assessment that are often found in the communication records. It is critical that the medical record contain the same information as the worksheets on condition, observation and assessments.

Facility policy should establish retention and destruction procedures. Determine where the reports will be stored, how they will be collected, how long they will be retained, and when they will be destroyed. In absence of a state law, it is recommended that shift reports be retained for 30 days and then destroyed.

Outpatient Records and Records Maintained by Vendors:

When vendors such as a therapy provider is contracted with a facility, it is acceptable for a the company to maintain their own medical record. The facility must ensure that the vendor providing outpatient services through the facility has appropriate policies in place to deal with security, confidentiality, retention and destruction.

If facility staff is providing outpatient services, the facility must develop and manage the record systems and procedures to assure security, confidentiality, retention and destruction. If the facility employs the therapists, it is not recommended that they have a separate therapy chart (soft chart). All documentation should be maintained in the medical record.

Communication Records/Shift Worksheets In a hybrid record, consideration should be given to which staff members have a need for access to different areas within the electronic record. If identified in the development stages, it is easier to identify safeguards that can be built into the electronic portions of the record to deny access based on assigned responsibilities. Access levels can be assigned based on these responsibilities.    In preparing for the electronic record, team members should also consider the possibility of built in “alerts” and “task lists” that can be automatically generated to specific employees.  This will enable information to be shared in real time.  When possible, entry of information into a specific area should generate or enable the author to generate information to others affected by the action.  For example, when a new admission is received, an alert should go to dietary so that they can prepare for the resident’s integration into the nutritional system and plan to include the resident in the meals going forward.      Outpatient Records and Records Maintained by Vendors In a hybrid record, electronic records maintained by therapy providers must be addressed in facility policies and procedures and the procedures clearly defined for use of electronic signatures.   In the electronic environment, data entry could be mapped to provide pertinent information to all appropriate areas within the electronic record.

 

10. Forms Control Processes

HIM STANDARD: • A procedure has been established to address issues related to the establishment and completion of all health record forms and data entry screens.

.

A process should be in place to review and approve new or revised forms. There should be a formal process such as a forms committee to carry out the following functions:

.

• Title, index, and maintain a master of each form.
• Review and approve new forms. New forms should be reviewed for:
  • Content,
  • Potential duplication of information already being captured in another area or form, and
  • Inclusion of basic identification information on all pages of form: Title of form, resident name, medical record number, page numbers ( page x of y) if applicable, form control number if applicable, and revision date.
  • Format appropriate for type of chart holder used (i.e. when form is placed in chart holder, information is not presented upside down)
• Review and approve revisions to forms.
• Identify forms which should be deleted or inactivated and ensure that the form is no longer available for use.

 

In the hybrid environment, the forms committee will still function in the same manner as mentioned in the paper record, but it will also begin to take on the responsibility of guiding the process of building and maintaining the data dictionary to eliminate duplication of entries and appropriate mapping to documents and forms.  As facilities move closer to a totally electronic record, the forms committee will transition into this new responsibility.   Note: Also take responsibility for screen design, customized views, report output, understand user interaction with the system

 

 

 

2. AUDITS AND QUALITY MONITORING

The content, completion, timeliness and accuracy of medical record documentation has a direct impact on the evaluation of the quality of assessment, planning and delivery of quality services.  Documentation has a universal effect on organizational operation, evaluation of care and services, compliance, reimbursement, and survey compliance..  The quality and type of care and services delivered to the resident are determined in part through documentation.  On-going planning and assessment rely heavily on the quality and accuracy of the documentation in the chart.  The medical record is also used to serve as a source document for legal proceedings. 

 

Proactive concurrent monitoring of the completion, timeliness and accuracy of the medical record documentation is critical. Both the need for good documentation and risk factors hindering quality, support the importance of on-going, scheduled audits and monitoring for every resident’s medical record.  Some of the alerts and quality assurance monitors may be included in the clinical and administrative software used. The quality monitoring process will focus on the combination of using manual and computerized clinical and billing data as well as standards/requirements.

 

Establishing the qualitative and quantitative monitoring process is expected to be tailored to the facility, their needs, the services they provide, workflow issues at the facility, survey findings and overall management of the facility.  The monitoring process will not remain static but will move from focus to focus based on the Quality Assurance model of the facility..

1. Internal Qualitative vs. Quantitative Audits and Monitoring

.

There are various types of audits/ monitoring systems” – qualitative, quantitative and self monitoring including manual and automated methods.  Qualitative audits look at the quality of documentation assessing adherence to clinical practice guidelines, evaluating consistency in charting, and adherence to regulations, standards and interpretations.  This type of audit is usually completed by a staff member or consultant who has professional training, education or experience.  Qualitative audits adhere to the standards of practice, qualitative resident care protocols both internal and those prescribed by the regulatory agencies.  Qualitative protocols include increased knowledge and skills of the reviewer to evaluate documentation that focuses on the clinical practice and standards.  The results or findings from the qualitative monitoring provide the data for quality assurance reviews of the quality of care in relationship to the standards, clinical practices and the regulatory requirements. 

 

Facility staff can be trained and internal systems can be established for self-monitoring to complete quantitative audits which focus on whether a document is complete (all sections of a form), authenticated, or timely. This type of audit is more objective than a qualitative audit.

 

Increased self –reliance and self-monitoring is within the reach of the clinical staff documenting using the following methods:

1. Self-audting, before you put the pen down look for those clinical interventions, observations or assessment that would demonstrate the quality of care you just provided or planning for the future
2. Look at the automated edits or warning/alerts for inconsistencies of documentation based on the software criteria
3. Set an expectation to periodically run reports to identify areas of deficiencies or information to evaluate the documentation, examples, un-noted orders report, alerts for individuals – to check against the charting planned or just completed
4. Establish shift to shift or person to person monitoring of documentation with a “sign-off” either manual/or electronic to indicate self-monitoring.  Some examples are medication and treatment, ADL monitoring, “

 On an on-going basis, facilities should have quantitative and qualitative monitoring in place to assure complete and timely records.  Admission, concurrent and discharge record monitoring assures that analysis is completed throughout the residents stay.  The goal to continuous monitoring throughout a residents stay is to identify problems or omissions when correction is possible.  Analyzing the record on discharge makes it virtually impossible to legally and ethically address or correct documentation problems when it can still impact the resident during their stay while maintaining the integrity of the medical record.  For example, if an assessment is not completed on admission nothing can be done on discharge, but if it is found during an admission audit the assessment can still be completed in order for the facility to provide appropriate care and services for the resident. Signatures for manual systems shall meet the requirements for a full signature, initials that are referenced by the clinician’s full name including title or via the use of an electronic signature that is defined by the eHR standards.

1.   External Qualitative and Quantitative Audits

Audits of health record information may be performed for the licensing and certification process, for legal reviews from licensing boards and for billing reviews.

2. Assessing the Quality of Documentation

When completing a qualitative audit, the reviewer should have the ability to assess the following issues, identify strengths and weaknesses, and provide suggestions to correct future documentation discrepancies.

• Consistency in documentation between progress notes, assessments, care plans, etc. 
• Duplication or redundancy in documentation.
• Contradiction in documentation without a clear reason for the differences.  This may occur between two disciplines or within one discipline such as nursing where multiple staff members document on a similar issue.
• Documentation that is missing key elements for the proper assessment or planning of a problem.
• Documentation reflects application of appropriate practice guidelines, standards, regulations, reimbursement rules, and clinical protocols across all disciplines.
• Understanding of the reason for all types of documentation in a long term care record and the underlying guidelines, standards, regulations, or clinical practice protocols.

 

A health information consultant should have the ability to provide a qualitative and quantitative analysis of the documentation content of the medical record, identify potential workflow issues and provide feedback and suggestions for resolution.

3. Routine Audits/Monitoring (Criteria and Timeframes)

.

Every long term care facility should have systems in place for monitoring completion of their documentation on an on-going basis.  At a minimum, records should be reviewed on admission and hospital return, concurrently on a monthly/quarterly basis, and upon discharge/death.  Not all audit findings will be correctable.  For findings that cannot be corrected, the information should be gathered for training/retraining, system evaluation and improvement.  The Quality Assurance process should incorporate the findings into their overall quality management program.

 

The criteria in the following table can be used to develop and tailor audit and monitoring tools.

	Quantitative Monitoring	Qualitative Monitoring
Admit/Return first 24 hours	Consent to Treatment signed on admission Transfer Form or Order to Admit Received. Admission orders transcribed accurately from transfer form.’ All orders required per facility policy are verified or clarified by the attending physician notified. If transfer form not signed by physician, orders are verified by telephone or fax order. A diagnosis or reason is identified for admission i.e., diagnosis supports the medical necessity of admission and the billing requirements, each medication, ancillary service, and treatment with billable supplies that are ordered. (Diagnosis in text of order, on diagnosis list, or through supporting physician documentation). Orders are transcribed accurately to MAR and TAR. All medication orders include the name of the med, dose, frequency, route, and if appropriate the duration.  PRN orders should include reasons for administration.  Admission orders are signed and noted by a nurse as appropriate in accordance with facility procedure. An initial nursing assessment/admission note  is completed to include i.e., time of admission, how resident was admitted,  condition of resident, assessment of major body systems, skin, pain Care plan is initiated  including primary reason for admission or immediate needs, diet and nursing care. Initial Medicare Certification is completed if applicable. Allergies are identified and checked for consistency among all the documents. Discharge plan is initiated if  applicable (i.e. as required by Joint Commission Accreditation)	Physician Orders:  Legible Follow standards of practice Abbreviations on approved list Orders not in conflict Labs ordered for appropriate screening of specific drugs
Admit/Return 24 – 48 hours	Face sheet or demographic information on record. Admit – Consent to Treat signed on admission H&P and Discharge summary requested from hospital if applicable if not sent with resident.  If H&P not completed prior to admission, an exam is scheduled per state requirements.  Resident capacity identified. Advanced directive acknowledgement is completed. A copy of the directive is in the record if applicable, physician orders coincide with resident directives. Inventory of personal effects is completed if applicable. Nursing Assessments completed or updated and others assessments required per facility policy are completed immediately upon admission are complete, timely and authenticated. (No missed sections or questions on the assessment without explanation).  Note:  A Nursing Assessment may be started on admission and completed within 24 hours. Admission vital signs, height, and weight are documented. Admission paperwork such as consents, consent to treat, privacy statement acknowledgement, bill of rights acknowledgement, etc. Are completed per facility policy. PASARR documentation on record or review scheduled. Admission PPD read or TB test ordered.  If not, documentation indicates if contraindicated or previously completed within an acceptable timeframe. Although it is not recommended to accept an order for restraints on admission, if physical restraints are ordered upon admission the order should include the type of physical restraint/device, the reason for use, the frequency of use and the restrictions for use.  Complete an initial assessment the use of the restraint and a determination made for the time of re-review.  Informed consent has been obtained from the resident or their representative. Diagnosis list/other method of diagnosis identification have been started and accurate ICD codes assigned consistent with reason for admission/Medicare. Labs, x-rays, consultation visits, etc.  that were ordered upon admission have been scheduled. Assessments and monitoring records were initiated or completed per facility policy:  Common assessments include skin risk, fall risk, bowel & bladder monitoring, intake and output records, self-administration of meds, pain assessments, interdisciplinary assessments (dietary, activities, social service, chaplain), teaching/resident education plans, oral/dental assessment, restorative nursing assessments. If therapy has been ordered, the plan of treatment/evaluation has been initiated no later than 48 hours.  Physician orders have been clarified to include the specific therapy plan. Diagnoses used for therapy used are identified and consistent with reason for admission/Medicare, etc.	Primary reason for admission, is identified at the time of admission, with initial care plan that reflects those conditions, alerts and risk factors are clear with monitoring at the time of admission
Admit/Return 14-21 days	The assessments listed in the 24-48 hour audit that were not initiated in that time frame should be audited during the 14-21 day audit. This can be accomplished by a self- completion manual document and/or tracked in the eHR with reports provided Items that were not complete on the admit and 24-48 hour audits are checked. 14 day Medicare Recertification has been completed if applicable. The 2nd step of the PPD/TB test was administered and read (if applicable). The MDSs (both OBRA/regulatory and PPS if applicable).  See the MDS audit criteria for specifics. Care plan is complete by day 21 (should be available for use by day 21)
RAI Process	The RAI process should be audited by someone independent of the process to assure compliance with completion and timeliness timeframes.  Recommend auditing each MDS (OBRA/Regulatory and PPS). Basic tracking form complete and signed. All questions on the MDS are appropriately answered. On admission, MDS Face Sheet completed, signed and dated. A-3 Assessment Reference date within the proper range. R2b date and dates of staff completing the MDS are not prior to the A-3 date.  Staff dates cannot be after the R2b date. Staff signatures include their title, sections completed and date completed. When a computer print-out of the MDS is placed in the chart, the signature dates should reflect the date the staff actually completed the sections of the MDS, not the print-out date.  If a hand-written version of the MDS is used as an input tool, it is retained in the thin chart. Triggered RAPs are identified in section V. For RAPs triggered, assessment documentation is shown in the location of information column. Date in VB2 is no later than day 14 after the start of the assessment period.  (Admission no later than day 14, quarterly no more than 92 days between R2b dates, and annual no more than 366 days from last annual VB2 date). Date in VB3 is no more than 7 days after VB2. RAP documentation/assessments are completed prior to Vb2. If a RAP is identified to be care planned, the issue is addressed on the resident’s plan of care. Significant Change If possible significant change note indicates monitoring to determine need for Full MDS or reason for no new MDS Significant change assessment completed within 14 days after significant change in status is noted. Basic tracking form completed, signed, dated Care Plan Updated Readmissions Readmission/Return and Discharge Tracking forms are completed within 7 days of the event. Previous face sheet copied and left on prior record, original brought forward to readmission record New MDS if significant change is noted upon readmission, if no significant change, same MDS continues Significant change Permanent – Full MDS completed within 14 days. Previous 15 months MDS copied and brought forward (or may be maintained electronically) Abbreviated Assessment Used only for PPS/MDS Assessment If admission assessment box is checked (Section A8a), abbreviated assessment for not used. MDS Corrections Significant error, correction form completed Code 4 entered in AA8a of Correction form Printed, signed, dated copy of correction form attached to front of appropriate MDS/Tracking forms RAP Triggers recalculated Incorrect MDS manually corrected/corrections dated, signed. Care Plan updated to reflect changes Corrected MDS documents are called to the attention of the business office to assure that adjustment bills are completed if necessary	The supporting documentation in the medical record is consistent with the MDS scoring.   The RAP note/documentation addresses the following:  nature of the condition, complications and risk factors that affect the decision to proceed to care planning, factors that must be considered in developing individualized care plan interventions, need for referrals, whether a new care plan, care plan revision, or continuation of current care plan is necessary to address the problem identified   Verify latest version of MDS software updated per maintenance contract, staff trained
MDS Validation Reports	The validation report is reviewed after each submission and appropriate follow-up is conducted to address errors.
Concurrent or Quarterly	Admission Record/Face Sheet: Check if any changes have been made on the face sheet page or any areas are inaccurate.  Reprint a new face sheet if there are changes or inaccuracies. Diagnosis List Updated And Coded: Check if new diagnoses have been written on the diagnosis list. Check physicians orders, progress notes, referrals, etc. to see if the physician has documented any                 new diagnoses.  Code new diagnoses, input into the computer, and print a new list. RAI Process:  See RAI Audit Criteria Care Plan Current and Complete: Care conference held within 7 days of the MDS (either quarterly or full). All those in attendance signed the attendance record. Care plan is either updated or rewritten or reprinted if there are too many changes and it is difficult to read/use. Nursing Assessment and Monitoring: Assessments completed per policy. All entries are signed and dated.  Monitoring records are completed and authenticated – no open holes or breaks in documentation. Restorative Program (if applicable):  actual treatment time is documented for rehab nursing service delivery record, an assessment has been completed.  Progress notes reflect residents status and progress.  The care plan reflects restorative program and goals. Nursing Documentation:  Nurses notes are signed and dated changes in condition  i.e., incidents/falls, new behavioral manifestation, new skin condition, condition requiring antibiotics;  to include a description of the condition, update of the CP if indicated and documented follow up,  ongoing observations re: conditions identified on the CP,  and supporting documentation for Medicare coverage completed. Weekly/monthly summary or case mix charting completed as applicable. Physician Orders – Renewals:  Physician has signed and dated the renewals in the specified timeframe (?)  Orders did not expire before being resigned. Nursing noted orders upon return per facility policy. Telephone and Fax Orders:  All telephone orders are complete, signed and dated. All original telephone orders have been returned within the appropriate time frame. All orders given by a physician has a corresponding signed order (TO, fax order, signed physician referral, etc.). Physical Restraints:  If ordered, current assessment completed, informed consent documented, order matches device in use. Documentation includes alternatives tried before restraint used. Psychotropic, Antipsychotic, Antidepressant, Hypnotic medication Monitoring:  If ordered, monitoring assessments completed, signed and authenticated.  Side effect monitoring completed.  Dose reduction documentation or justification on record.  Physician Visits: Visits are made timely. Progress notes written or dictated notes sent back and filed.  Notes are authenticated and dated.  Required NP/PA and physician visits alternate.  Physician referrals are complete and noted by the nurse receiving.  Orders on physician referral have been verified with the attending if appropriate and transcribed accurately. Documentation of consults for dental, vision, podiatry, audiology/hearing aid, and psychological services are in record when applicable.  Physician progress notes reference diagnosis/condition that support medical necessity of admission, principal care/services; and support the evaluation and management current procedural terminology code (CPT).  Consults are related to a diagnosis/condition for referral, report includes recommendations that are followed up. Vital Sign Records: Vitals completed and recorded in a timeframe consistent with facility policy and state regulation where applicable.  Weights recorded monthly or per facility policy/state regulation where applicable. Changes in weight (5% in 30 days/10% in 6 mo.) noted in record for possible significant change assessment.  Referrals are made to dietary and physician.  Action follow up.  CP reviewed/updated, progress review follow up on weight also evaluate consistent increase/decrease. Medication and Treatment Record:  Look for open holes on the MAR/TARs before end of each shift.  PRN records signed, reason and result documented.  Other flowsheets are complete. If deficiencies found, self monitoring established. Staff is scheduled to complete their documentation and provide self-monitoring systems. All flowsheets and MAR/TARs have resident name, MR#, month and year identified on every page. Pharmacist review conducted monthly. Medication disposal/destruction records are complete. Documentation signed and dated. Labs:  All orders for labs (routine and stat) have a corresponding lab report in chart.  Labs are noted and dated by nursing.  Lab results are communicated to physician. Social Service Documentation:  Each quarter a progress note or assessment form is completed at the time of care conference noting changes to be made to the care plan.  Updates are completed on the Social History.  Entries on all documentation are signed and dated. Dietary/Nutrition Documentation:  Each quarter a progress note or assessment form is completed at the time of care conference noting changes to be made to the care plan.  Intake monitoring records are completed as appropriate.  All entries are signed and dated. Activity Documentation: Each quarter a progress note or assessment form is completed at the time of care conference noting changes to be made to the care plan.  All entries are signed and dated.  Rehabilitation Documentation (PT, OT, SLP): Documentation for each therapy is filed together (all PT doc. together, etc.)  For residents currently treated, service delivery record are completed, treatment time documented, signed and dated, progress notes are written at least every seven days, the physician plan of care/evaluation/cert/recert has been completed and signed by the therapist and physician.  A current physician order is on record matching the current treatment plan.	Care Plan Content: All RAPs indicated to proceed to the care plan are addressed on the care plan.  Goals are measurable and objective. Care Plan and interventions that match the needs of the resident are initiated on admission for the primary reason/s for admission and those high risk areas based on the assessment findings. Charting reflects the care plan           Restorative Program: Progress notes reflect residents status and progress.  The care plan reflects restorative program and goals.                                                                                                                                                                           Med/Tx records; if documentation incomplete, the passing of medication/treatment process is an issue. Implement self-monitoring. Develop policies and procedures/tools to accomplish the self monitoring.  Pharmacy Committee monitors progress from Pharmacist review.               The lab results are followed up with the physician to assure orders applicable to the lab results   Social Services  notes reflect evaluation of behavioral issues; follow up on Hx, input from family, visits with resident and social intervention on care plan.   Dietary/Nutrition percentage evaluated, labs followed up, weights considered, skin condition considered, care plan reflects current resident status.     Activity documentation reflects resident’s interest from assessment, participation alternation trials if not involved, recognizes behavioral manifestations and plan activities accordingly.
	Chart Thinned:  The chart is thinned per thinning schedule  Forms are repaired Chart is cleaned and organized	Chart has a file order that indicates location of records, i.e., an automated document.
Resident Transferred to ER or Acute	Gather all loose forms,  collect the medical record and place in a location that is secure and unavailable for current charting. Review the record for completeness of the final transfer note/inter-facility transfer report, current status of the resident at the time of transfer, follow up as needed. Check for signatures, time, completeness of the medical record and all loose forms, i.e., ADL sheets, medication/treatment records, therapy records, etc. Note: A new record may or may not be initiated on return from the acute hospital.  If the resident returns from the Emergency Room the same record will be continued.	Assure the record is intact. Secure the record in a location that is not available to staff who are taking care of current residents. Identify how the electronic record is “checked out” when the resident is out to the ER or short term admission to an acute hospital.
Discharge Analysis	Chart in placed in discharge chart order per facility policy. All Forms have Name/MR#: Discharge Plan of Care or Discharge Instructions or Transfer Form: All sections are completed. Signed and dated by appropriate discipline(s) Resident received a copy of discharge plan/instructions which has been written in layman’s terms. Recap of stay documented for planned discharged. Physician Discharge Summary completed if required by State law.  Physician discharge summary may reference the Interdisciplinary Discharge Summary and Plan of Care; signed by the physician and includes the final diagnosis and prognosis initiated by facility staff.  Physician completed, signed and returned within 30 days of discharge unless other timeframe required by State law. Discharge Order:  Discharge order obtained on day of discharge Order included discharge destination, if meds sent when transferring to another facility include statement in order.  Order upon death states to release the body or documentation of physician notification on record.  Discharge order has been signed, dated and returned by the physician Orders: Renewals / TO's:  All renewals have been returned and signed All TO's have been returned and signed.  Facility policy should define how to handle orders that have not been returned. Discharge documentation:  There is documentation of events leading to discharge or death:   Nurse wrote a note at the time of discharge.  The note leading to discharge/death includes assessment, observations, intervention and detailed documentation of nursing process that lead to death/discharge (as applicable). Disposition of Personal Belongings:  Inventory of Personal Belongings completed on discharge; or documentation of belongings sent with resident or picked up by the family documented in notes. DC Diagnoses coded and indexed per facility policy. MDS Discharge Tracking form completed within 7 days of discharge. DEATH ONLY: Nurses notes reflect physician notification Nurses notes reflect family notification Mortician Receipt completed.	Qualitatively and for time saving reasons, consider filing manual discharge record in the same order as the inhouse record.  For automated records, identify  via a slip sheet in the manual record those “record in transition” see the eHR for “specific documentation and specify
Privacy and Security	Is PHI protected? Are destruction processes being followed? Is the health record signout process used? Are the residents provided with the Notice of Privacy practices on admission? Are resident privacy practices available upon request? Are computer system precautions in place to prevent inappropriate sharing of PHI? Have all employees completed HIPAA training? Have all volunteers completed HIPAA training? Automated records are available only to staff identified top have access by thePrivacy & Security grid.

.

.

4. Focus Audits and Monitoring Systems

.

There are other beneficial audit and monitoring systems, many of which should be in place on an on-going basis.  Focus audits should be implemented based on the needs and issues of a facility.  The following table lists the common monitoring and focus audits found in long term care facilities. 

.

..

	Quantitative Monitoring Criteria	Qualitative Monitoring Criteria
Acute Problems/24 Hour Board (completed daily)	Review the 24 hour log, Nursing identify new orders via computer, alert log or other system reflective of the computer system. For each resident and problem identified check to see if corresponding documentation was completed such as nurses note, monitoring record, physician, family, resident notifications, CP upgrade, etc.	Not only verify that the documentation was done, but also analyze what was documented based on the condition.  Does a note contain information applicable to the problem, should other issues been addressed referrals needed  should the documentation have included an assessment or plan?  Was plan updated as applicable?
Weights	Implement an on-going monitoring system when weights are recorded to note significant weight loss changes or there is a trend over time.	If a significant weight loss or trend has occurred review the documentation content to determine if the assessment and plan are complete and appropriate and if referrals were approved.
Physician Visits	Monitoring system to assure that physician visits are made and documented every 30 days for the first three visits and then every 60 days thereafter.  Assure dictation is returned if applicable.	Content of the progress note addresses or supports resident issues.
Physician Orders	Reviewed and signed by the physician within specified time frame (30 or 60 days).	Diagnosis can be associated with orders; Check for duplication of medications or treatments in treating a diagnosis.
MAR/TAR	Documentation completed at time of administration or within 24 hours if documentation omission occurs.	Reason and results are documented for PRN administration. Self-monitoring identifies who assumed the med/tx documentation if manual, (sign on and off).  eHR includes an edit/alert system to remind nurses to complete entries.
Physical Restraints	Assessment completed and reviewed/updated at least quarterly.  Consent obtained from resident or responsible party.  Physician order obtained.	Reason for restraint is appropriate to justify use.
Skin/Pressure Sore	Assessment completed and reviewed/updated weekly until healed.	Documentation shows improvement or modification of plan if no improvement and follows the criteria for survey guidance on this subject.
Psychotropic, Antipsychotic, and Hypnotic Medication Use	Assessment completed and reviewed/updated at least every 6 months.  Physician order obtained.  Consent obtained from resident o responsible party.	Diagnosis associated with medication is listed in the federal regulations as appropriate.  Continued justification for administration of medication is documented.  Annual dose reduction considerations are documented.
Lab Result Monitoring	Results of physician orders for all labs are in the medical record.	Documentation reflects that abnormal lab results are communicated with physician.

.

5. Integrating Audits/Monitoring into the QA/QI Program

.

In order for an audit and monitoring program to be effective the data collected should be managed, analyzed, and reported.  Findings from both focus audits/monitoring and on-going systems should be reported at the Quality Assurance Committee (QA) meeting.  Trends or problem areas should be identified and action taken to correct the negative finding.  Using a quality improvement process, the problems identified through the audit should be analyzed, causation factors identified , system evaluated, measures taken to correct the problem, and further monitoring to determine compliance. 

 

It is recommended that audit findings are plotted or graphed over time to show potential negative trends, the result of improvement efforts, or results of on-going monitoring.  Not every audit or monitoring criteria warrants reporting and graphing.  Facility administration, health information practitioners and the QA committee should determine which audit criteria are appropriate for on-going reporting and graphing.

 

1. Role of HIM on the Quality Committee

 

HIM staff should be a permanent member of the Quality Committee responsible to routinely present results of qualitative and quantitative documentation audits and trending reports of the results.  HIM may lead the quality function.

 

It is critical that the health information coordinator/manager actively participates in the Quality Assurance Committee and process.  Once on-going audit and monitoring processes are established, there is a system in place that can be adapted to the changing needs of the facility.  For example, if a potential problem area is identified on the quality indicator report, the audit tools can be adapted to monitor related documentation issues as one method to analyze a possible problem.  The elements of an effective audit and quality monitoring system include flexibility to adapt to the changing needs of the facility, formal reporting and correction methods, and administrative acknowledgement of the importance of proactive monitoring systems.

 

Other duties of HIM staff on the Quality Committee are listed as follows:

 

• Report lost records or portions (hard copy); automation/electronic record breech.
• Recommend filing of incomplete records and electronic record quality assurance processes according to federal and state regulations and policy and procedures.
• Lead quality improvement teams.
• Participate as a member in quality improvement teams.
• Complete compliance audits as necessary.
• Complete state survey plan of current audits as necessary.
• Present the quality monitoring schedule for the year and revised as priorities indicate.
• Participate in writing state survey plans of correction as appropriate.
• Track and trend incomplete documentation.

 

6. Retention of Audits, Checklists, and Monitoring Records

 

If checklists are placed on the chart, it is acceptable to leave them on the record, but only for the timeframe defined on the tool and then it should be removed (eg. An admission checklist that is completed by day 7 should be removed right after the 7th day).  It is not recommended the audit forms be left in the chart even discharge audit tools. 

 

The retention policies for the facility should define how long audits, checklists, and monitoring records should be retained based on the need and further use for the information.  Generally, once the tool is completed and the findings are used for statistical analysis where applicable, the checklists/audit forms can be destroyed.  If an audit is used in conjunction with a survey correction plan or monitoring a quality indicator, adjust the retention schedule appropriately.

7. Auditing the Electronic Health  Record

When transitioning from a paper record to a hybrid record (part paper, part electronic) to an electronic record (paperless), care must be taken to carefully plan an electronic record keeping system that permits performance improvement monitoring as part of an overall system that also supports performance of other required HIM functions.  The Health Information Consultant and designee should be involved throughout the planning process to give practical input from an HIM standpoint.  Many of the audits can be used to determine edits and alerts within the documentation system.

When you already have an EHR or partial EHR (or if you are planning an EHR) the following should be considered:

• What are the outcomes or expectations from the facility for monitoring documentation?

• Determine which data elements that match the quality indicators and the criteria for evaluating each of these items.

• What reports do you now have and what reports can be written?

• If an error is found in the EHR how do you correct?  How do you flag, close, amend and append information.  Example:  Entered in error and reference the document, date and time.

• Error reports are prepared for follow up; what, who.

• Assignment of follow up and monitoring, correction process in place.

• Method of electronic signatures, what system will be used?

• Will you use an EHR from a computer based system, integration of a document management system, downloading documents such as word/excel, faxed and other documents from other organizations.

• How will you identify records in a variety of databases, can these databases be integrated or do you need to go to different programs to find the information.

• Data entry vs. double entry.  When do you have this occur?  Consider getting different modules of different systems integrated vs. replacing an entire system.

• Is it possible to redesign forms that eliminate some narrative charting using check boxes instead?  Could part or all of a qualitative audit be done using edits or alerts for some parts of the record?

• Audit trail of which entered data vs. the acces/security grid identifies the persons who access or enter data are equal to the authorizations.

• Identify tables, menus that can be modified both for documentation and for monitoring.

• Reminders, calendaring, assignments, use any notifications that are in the system, look at notifications when the staff sign on if something is due, saves auditing.

• Protocols established for documentation, ask questions re:  areas not completed that are high priority are identified as required fields/data.

• Can quantitative audits be done by using a series of edits?  For example, when a signature is missing on a med sheet, when the nurse attempts to sign off at the end of the shift an error report is created prompting to go back and correct the omission.

• Can reports be created using electronic auditing that could also be used to trend data suitable for use in the QI process?

 

As parts of the record change from paper to electronic format, so should the policies and procedures relating to documentation monitoring.  The health information consultant and health information designee will need to be trained on how to access information for auditing and their computer access privileges and restrictions updated to reflect the process changes as the record becomes entirely paperless.

 

8. External Audits

Preparation is the key to having a successful outcome to an external audit.  Skilled Nursing Facilities are or may be subject to a number of audits by outside agencies including Licensing and Certification, the OIG (for Corporate Compliance and HIPAA Privacy enforcement), CMS (for HIPAA Security enforcement), a Fiscal Intermediary or other Insurer (Medical review to support billing) or perhaps by the facility’s corporation for compliance reviews.                                                                                 

1. Use a team effort to prepare your responses to each type of review. Knowing what documentation will be needed, where to get it and how to present it to the surveyor or auditor is critical.  Training staff on what to retrieve and how to retrieve and presenting it to the surveyor or auditor is an important part of managing the survey or audit process. 

   1. Use screen prints to provide instructions on how to retrieve electronic data and how to locate other types of data.

   2. Train a number of staff members on how to work with a surveyor or auditor in order to make the process as smooth as possible.

2. Use your annual survey, quality indicators, corporate compliance surveys, Quality Assurance Data, monitor trending results, Consultant Reports and Medical Review (Billing) Request Log, etc. to guide you in determining what your problems have been in the past, what your plans of corrections were and what progress you have made in correcting those issues.

3. Use a survey preparation checklist to make ensure that all required documentation is ready for the survey entrance conference.

   1. The HIM Department may be responsible for printing the HCFA-802 Resident Roster/Sample matrix and the HCFA-672 Resident Census and Conditions.  The HIM Director as well as at least one other designated person should be familiar with how to produce these reports on demand.

   2. Have a matrix of which forms are maintained electronically and which are on paper when using a hybrid record.  The chart should have a notation that specific documentation is maintained electronically.

   3. Certificates of destruction of records and DHS permission to file records offsite should be available.

   4. The HIM Policy and Procedure Manual should be available and up to date

4. Develop a grid that lists the types of possible audits or surveys, a listing of what supporting documentation will be required during the survey or audit and a reference to the location of that documentation.

3. DISCHARGE RECORD PROCESSING

.

HIM Standard: 

• The healthcare organization’s and health information management’s service, whether health records are paper based, hybrid or fully electronic, policies and procedures comply with federal and state regulations and accepted standards of practice to ensure records are accurate, complete and systematically organized
• The healthcare organization’s and health information management’s service, whether health records are paper based, hybrid or fully electronic, policies and procedures comply with federal and state regulations and accepted standards of practice to ensure records are protected against loss, destruction and unauthorized use
• The health information management service should implement audit and monitoring systems to ensure the health record is complete prior to final record closure and filing of a discharge record

1. DISCHARGE RECORD PROCESSING

Processing of discharge records is an important aspect in management of health record systems.  This section reviews the fundamental processes that should be in place when managing discharge records.

1. Discharge Record Assembly

Discharge assembly is the process of gathering all health records for a resident upon discharge and assembling the health record into one combined chart (which can have multiple volumes) in the established discharge chart order. The established order provides for a discharge record that is systematically organized. It is recommended that a discharge chart order or order of filing be placed in each record to facilitate location and retrieval of information.

Accessing Records from Multiple Locations:

When assembling the discharge record access health records from all locations. For example, all overflow records for the resident, therapy records not yet filed in the chart, records kept in a separate notebook/cardex such as the MDS or care plan, records that are not kept in the chart such as an individual resident’s sign-out log kept in a sign-out book, and other records that have not yet been filed in the chart.

Discharge Chart Order:

Place the records in discharge chart order.  Facility policy should define a specific discharge chart order that is used consistently for all discharge records.  It is recommended that the discharge chart order remain the same as the in-house chart order to eliminate unnecessary time moving sections of the chart around.  The only change that is recommended for the discharge chart order is to place the discharge documentation (discharge plan of care, transfer form, etc) at the front of the chart behind the face sheet/admission record.  If there are records not normally kept in the chart during the resident stay, but filed on discharge, they should be added to the discharge chart order.

The key to the assembly process is to establish one consistent chart order and date order for the forms and follow it consistently through all discharge records to establish systematically organized records that facilitate ease in retrieval of information.  The following are the accepted methods for organizing discharge records.

• Charts placed in discharge chart order running in chronological order.
• Charts placed in discharge chart order running in reverse-chronological order.
• Another approach when used systematically may reduce staff time yet allow for an organized record by placing the active chart in discharge chart order and maintain as volume one of the discharge record (either chronological or reverse chronological date order). The overflow records become the subsequent volumes of the discharge chart. A chart order or order of filing is placed at the front of volume one. The overflow records are placed in a defined chart and date order to use this method for assembling discharge records.

Date Order for Discharge Records:

There are two acceptable methods for the order of filing chart forms -- chronological date order (oldest records filed first) or reverse chronological date order (most recent records filed first). It is considered technically correct to file the discharge health records in chronological order by form on the chart order (for example, all nurses notes kept together in chronological order, all physician orders recaps in chronological order, etc.)

If defined by facility policy and consistently applied through the discharge record, forms could be filed in reverse-chronological order. If using a reverse-chronological order, all records in the discharge chart and on the discharge chart order should follow this organization.

Fastening Discharge Records:

To prevent loss or destruction of individual records, it is recommended that all discharge records be fastened in some manner.  The most common methods include:

• Two-pronged metal fasteners. If using a standard file folder, the prong should fasten the records to the file folder.
• Specialty fastener rubber bands that are used for record storage. They have a life-span equal to the retention period for the medical records and fasten the records around both the length and width of the pages.
• Pocket accordion folders in combination with a metal fastener or rubber band fastener. If using a metal fastener, it should not be fastened to the file folder since records must be lifted out of the pocket folder for review.

Discharge Record Folders and Labeling:

Discharge records should be placed in file folders that are labeled with resident identification information.  The type of file folder used should be dictated by the storage method used for filing. For example, if using shelf filing the file folder should have a side tab to place resident identification information.  If using drawer style file cabinets, the file folder used should have a top tab for resident identification information.

At a minimum the discharge record file folder should be labeled with the following information: Resident full name, admission date, discharge date, health record number and volume number. Other information which could be included on the label is the physician name and the discharge disposition (discharged home, another nursing home, expired, etc.). The number of volumes should be included on all discharge records even if there is only one record and should note both the volume number of that folder and the total volumes for that record (volume 1 of 2, etc.). It is recommended that a label with the discharge year be placed on the file folder to be used as a reference in the retention and destruction process.

Other information and labels can be placed on the file folder to aid in filing and locating a record. Depending on how sophisticated of a filing system is used, color coded labels with information such as the first three letters of the last name or numbers in the health record number provide additional assurances that records are filed correctly and can be located easily.

In maintaining a unit record, the health records from a previous stay should be pulled forward and kept with the current admission.  Once the resident has been discharged from their most recent admission, the records from previous stays should be filed with the last admission. Do not integrate the records from a previous stay with the last admission.  Keep the previous records in their initial file folders.  Relabel the folder with the year from the most recent discharge.  File the records from the previous stay in chronological order behind the last volume of the most recent stay.

2. Discharge Record Analysis

.

HIM Standard: 

• The facility has a process for analyzing a discharge record whether hard copy, hybrid or an electronic health record (EHR)  by completing an audit of required discharge documentation before it is filed as a complete discharge record or before it is moved to an inactive resident data base within the data repository.

   

When completing discharge analysis the following steps should be completed:

• Initiate a discharge audit form to record audit findings and deficiencies.
• Check all pages of the health record for resident name and health record number. This will assure that a document if separated from the record can be traced back to the correct resident.  Make sure that all documents belong to the correct resident.
• Complete a discharge audit focusing on those elements outlined in discharge analysis in section 4.2.3 – Audits and Quality Monitoring.
• For hybrid records, identify portions of the record that are maintained within the data repository and not printed as a hard copy record  Refer to section 4.1 Table 1 Legal Source Legend for the hybrid record.  A copy of this type of legend or similar documentation should be placed within the discharge record
• Identify on the discharge audit those items that are missing or incomplete. Identify items that have been mailed or are waiting return.

If the discharge audit is kept on the incomplete record, it should be removed before filing it with the other completed discharge records or when the record is requested by an outside party.

 

3. Timely Completion of a Discharge Record

.

.

HIM STANDARD:

• Written policies on record completion comply with and are consistent with accreditation standards, regulatory requirements, and medical staff guidelines.

Records should be assembled, analyzed, and completed within 30 days of discharge unless state law specifies another time frame. A record should be removed from the station as soon as possible after discharge.  Records should be removed within 24 – 48 hours, but no more than 72 hours after discharge.  The initial assembly and analysis should take place within 5 days of discharge.  This allows the remaining time to follow up on deficiencies and track documents that are mailed for completion and/or signature and still allow for timely completion of the discharge record.

 

4. Incomplete and Delinquent Records

.

.

HIM STANDARD:

• Written policies outline the organization’s standards for the timely and accurate reporting of delinquent records.

Upon discharge analysis, records that have specific deficiencies that can be completed by a health care provider are considered incomplete.  After the audit has been completed, the providers should be notified of the incomplete records.  They should be informed of the expectation to complete these records within a specific timeframe (within the 30 day or state-specific timeframe for timely completion of discharge records). Records should be monitored within the 30 day period to assure deficiencies are completed.  If records have been mailed and were not returned in a timely manner follow up requests should be made for their return in time to meet the 30 day deadline.

After an incomplete health record remains open after a defined period of time (over 30 days or over the state-defined timeframe), the health record is considered delinquent.  A long term care facility can develop a quality assurance monitor by calculating the delinquent record rate or reporting the number of delinquent records each month.  To calculate the delinquent record rate divide the total number of delinquent records by the average number of discharges in a defined period.  For example, if there are 30 total delinquent records and the average number of discharges for a 30-day period is 45 then the delinquent record rate is 67%.

An on-going quality improvement process should be used to monitor the types of deficiencies in discharge records and the reasons for records to become delinquent, identify the causes for the deficiencies and delinquencies, and then implement corrective measures.  The number of delinquent records, delinquent record rate and reasons for delinquency can be reported at the Quality Assurance Committee meetings.  Completing a running chart with the number of delinquent records and delinquent record rate each month can show a pattern over time.

When records cannot be completed, a process should be established to review and approve of records to be filed with the other discharge records as incomplete.  A permission to file an incomplete record form should be filed in the health record which identifies the reason the record is filed as incomplete.  The form should contain at a minimum the following information:  Resident Name, Case Number, Admit and Discharge Date, Statement similar to the following; “The following portion(s) of the record are incomplete due to:, signature of HIM staff, signature of Administrator.

5. Maintaining A Control Log for Discharge Records

It is important to maintain a monitoring system or control log for managing the completion of discharge records. The following table can be used to track records through the process:

Discharge Date	Resident Name	Assembled	Analyzed	Coded	Completed	Miscellaneous

 

6. When to Close a Record on Temporary Absence

HIM Standard:

The facility will have a policy which defines health record closure or maintaining an  open record upon the resident’[s temporary leave of absence  (LOA).

 

Federal law does not dictate when records must be closed and when they remain open on a temporary absence.  Most state laws do not address this issue, however, if there is a specific state statute, follow the regulation.  A temporary absence would be such events as a temporary leave of absence with or without a paid bed hold or a transfer/discharge to the hospital with the expectation of return with or without a paid bed hold.

Long term care facilities should determine how they will handle closing records upon a temporary absence and consistently apply the policy in their facility.  A good rule of thumb to help decide when to keep a record open upon a temporary absence is how the MDS discharge tracking form is completed.  If it is indicated on the MDS discharge tracking form that the resident is not anticipated to return the chart should be closed and the resident discharged.  If it is anticipated that the resident will return, facility policies should define whether the record will remain open or be closed.  Facility policies should specify how each of the following situations will be handled and consistently applied. Policies may be different for each type of temporary discharge and/or by payer type.

• Hospitalization with paid bed hold
• Hospitalization without paid bed hold
• Leave of absence with paid bed hold
• Leave of absence without paid bed hold
• Other types of temporary absences as defined by facility policy

There are advantages and disadvantages to each option outlined below.

• Keeping a Record Open Upon Discharge for a Temporary Absence:  One option is to keep the record open during a temporary absence rather than closing the record on the discharge/transfer date. The advantage to keeping the record open is to minimize the time in readmitting and reassessing the resident.  The information prior to the temporary absence continues to be available rather than in another record that is less accessible. The disadvantage of leaving the record open is the lack of consistency between the admission and discharge date, the financial record, and the health record.
  
  If the record remains open, policies should define the maximum length of time a record will remain open.  Some payers such as Medicaid may define a bed hold period which can be followed in developing a time frame on keeping a record open.  In absence of a state or payer specific guideline, keep a record open for no more than 14 days.  If the resident has not returned within a 14 day period, the chart should be closed.  The discharge date is the date the resident left the facility.
  
  When the chart remains open, the health record should be removed from the nursing station or flagged for an absence or leave.  If the software system provides an application for identifying the resident as temporary LOA, the resident’s EHR portion of the record should be directed to this file at the time of daily census.  This will help prevent staff from charting when the resident is no longer in the facility.  A common practice is to redline the chart with a hospitalization.  The pages in the record used for cumulative or on-going documentation such as progress notes, orders, flowsheets, or medication and treatment records are lined with a red pen with the temporary LOA dates noted. This provides a visual break or flag in the record.
  
  Upon return from a temporary absence, facility policy should also define the documentation to be completed when the resident returns. The reason for the discharge will affect the type of documentation to be completed.  A return from a 5 day leave of absence will probably not require the same type of reassessment as a return from a 5 day hospital stay.  When the resident is readmitted, all of the current assessments and care plan should be reviewed and updated, a readmission physical assessment completed, an assessment for significant change in condition, readmission/assessment notes written by all disciplines, and new physician orders initiated.

 

• Closing the Record with a Temporary Absence:  Another option is to close the record upon the discharge date for the temporary absence.  Closing the record keeps the admission and discharge dates consistent with the financial record and health record. If the record is closed, records from the last stay must be brought forward to the new record to assure access to important clinical information and provide continuity of care.

 

When pulling documentation forward to the new record a copy of the following documentation at a minimum should be made:  most recent MDS (if resident was expected to return from the temporary absence, the MDS schedule should resume not start over), advanced directives, social history, immunization records, leisure interest survey, copy of last progress notes, preadmission screening documentation (PASARR).  The facility can further define additional information as determined by the interdisciplinary team to bring forward upon closing the health record during a temporary LOA.

1. Closing Records with a Change in Level of Care

The health record should not be closed when there is a level of care change between NF and SNF – the same record should remain active through the level of care change. If a long term care provider offers services in a variety of licensure settings, organization policies should define how transfers between different levels of care will be handled. Transfers between similar levels like NF and SNF should not result in the closure of records.  Major changes in level of care such as a transfer between an assisted living facility to a SNF should result in the records being closed if the resident does not anticipate returning to their previous living situation. If a resident anticipates a return, organization policies can determine if records will remain open, the maximum length of time records will remain open, or if they will be closed.

 

2. Closing Records with a Payer Change

   The health record should not be closed upon change in payer such as a change from Medicare to private funds. A change in payment status does not warrant separating the health records into different stays. The financial office should have mechanisms to track dates of coverage by individual payers.

1. FILING AND RETRIEVAL

   .

   HIM STANDARDS:

   • The healthcare organization’s and health information management department’s filing systems, whether paper   based, hybrid or fully electronic, policies and procedures comply with federal and state regulations and accepted standards of practice to ensure that all health records and resident-identifiable data are well organized and readily available for resident care, research, education, and other authorized uses.
   • Policies and procedures exist to facilitate the prompt, consistent, uniform, and efficient filing of all health records and resident-identifiable data.
   • The filing system is designed and implemented to ensure the safety, security, and accuracy of health records and resident-identifiable data.
   • Policies and procedures exist to facilitate the prompt, consistent, uniform, and efficient retrieval of all health records and resident-identifiable data, and the policies and procedures ensure that confidentiality is maintained and that retrieval is performed only by authorized persons.
   • The retrieval system is designed and implemented to ensure that safety, security, and accuracy of health records and resident-identifiable data.
   • Every long term care facility should have an established a system for filing and retrieving of their health records. The sophistication of the filing system is dependent on the volume of filing, admissions, discharges, and requests for records. Only trained staff should have access to the records and perform the filing and retrieval functions.

    

1. Separate Location for Incomplete Records

Paper Based System
It is recommended that incomplete paper based health records be kept in a separate location in the department rather than integrated with all of the discharge medical records.  An incomplete record area facilitates ease in retrieval for staff responsible for completing records and also provides for easier monitoring of incomplete records.


  

 

 

Hybrid or Electronic System
If the health record is hybrid or fully electronic, it is recommended that a method be developed to flag incomplete records and determine access to such records.  Polices and procedures should also be developed to identify how e-signatures will effect your processing.  Determine if the vendor can help with automating the deficiency analysis along with ensuring the application can monitor and track, records or document completion.

If using a hybrid or electronic health record consider if parts of the electronic health record need to be printed during the duration of the stay or upon discharge.  This will depend on how the health record is defined within the organization and electronic storage capabilities.  Refer to section 4.1 Table 1 Legal Source Legend for the hybrid record.

.

2. Typical Filing Systems

.

Paper Based System
There are many acceptable methods for filing health records ranging from the simple (alphabetical to the complex (terminal digit filing).  The resident record can also be filed by room number on each unit for active residents.  The type of system selected is based on facility-specific factors such as the volume of filing, admissions, discharges, requests for records, filing space, storage (open shelf filing vs. file cabinets) and security concerns.

The following are the most common filing systems used in long term care for overflow records and discharge records.


Overflow records are filed alphabetically, with all forms organized in reverse chronological order based on the facility’s active chart order.  Overflow files can be subdivided with chart dividers to facilitate efficient file and retrieval of information   Subdividing the overflow files also enhances record assembly upon discharge.


Discharge records are filed alphabetically by discharge year.  This method is commonly used when there is limited space in the health information department to retain more than one year of discharge records.  Alphabetic filing provides the easiest method for retrieval of records.  Special systems are not required to locate a resident’s record.  This method offers the least security since anyone can locate a resident record.  However, with proper security of locking doors and/or file cabinets which house the records, this system allows for the most efficient system for retention and ultimate destruction of records as records can be boxed by year and removed.


Discharge records are filed alphabetically with multiple years integrated together.  A color-coded label is placed on the tab of the folder to indicate the discharge year. When there is adequate storage in the health information department, multiple years of records are integrated and filed alphabetically.  This method does require some movement of the records to allow for adequate space of filing additional records within the existing system.


Discharge records are filed numerically by health record number by discharge year.  Records are filed by health record number in numeric order for a single discharge year.  This method offers better security than alphabetic filing because the health record number must be known to a record.  Access is more difficult for supervisory staff who must access records when the health information department is closed.  A color-coded label is placed on the tab of the folder to indicate the discharge year.  Multiple years of discharges are integrated together and filed by health record number when there is more filing space in the health information office.


.



Hybrid System
When a medical record is both paper based and electronic combined, the policies and procedures should reflect the parts of the record stored in each medium.  Also, the policies and procedures should reflect which documents should be scanned for inclusion in the electronic portion of the record prior to completion.  If a portion of the record is paper based, a reference to the location of the electronic portion should be added to this chart.  (Refer to section 4.1 Table 1 - Legal Source Legend for the hybrid record.)

Electronic Record
The fully electronic record would be available in a variety of formats.  The electronic system should be able to separate the active from the inactive record within the data base.

3. Retrieval

.

Paper Based System
During normal business hours requests for thinned or discharged health records should be coordinated through the HIM staff.

It is recommended that a process be in place to track the locations and holders of the health record. This can be accomplished through a record check out system.  A reasonable length of time should be identified for which a record can be checked out.


 

 Hybrid or Electronic System
Appropriate access levels should be given based on the needs of the staff member to perform their job.  Completed records upon discharge would be locked and only available as read-only.  There should be a limited number of staff members with printing capabilities.

After Hours Retrieval – Paper Based System
Every facility should have a process in place for after hour retrieval of records in case of an emergency.  Because evening and night shift staff may have to complete deficient discharge records or have access to an overflow record, the supervisor should have keys to access the department and be trained in retrieval, the sign-out process, and other security measures.  Department procedures should track who has keys to the department and documentation of their training on filing and retrieval procedures.

 

After Hours Retrieval – Hybrid or Electronic System
If using a hybrid or electronic health record consider if parts of the electronic health record need to be printed during the duration of the stay or upon discharge.  This will depend on how the health record is defined within the organization and electronic storage capabilities.

4. Filing

Paper based system
Filing of all documents that should be part of the complete health record are added to the discharge record, preferably prior to completion.  As with the addition of any document to the record, care should be taken to verify the resident name prior to inserting the document in the record.

 

 

 Hybrid system
The facility policies and procedures should determine which parts of the record will be paper based and which parts are stored in a data repository.  This policy should also determine whether or not additional documents should be added as paper based documents or scanned into the data repository. If documents are added to the electronic portion of the record after this has been completed, these should be added as addendums. Refer to section 4.1 Table 1 Legal Source Legend for the hybrid record.

Electronic record
The facility policies and procedures should allow for the capture of additional material for the electronic record through a system of scanning to the file.  If the record has been determined to be complete and additional paperwork is discovered, these documents should be added as addendums.

5. STORAGE SYSTEMS:

   HIM STANDARD:

   • Policies and procedures exist to facilitate the storage of both active and inactive health records and resident-identifiable data and are evaluated periodically to ensure that health records and data are well organized, are kept confidential and secure, and are readily available for resident care, research, education, and other authorized uses.
   • The storage system is designed and implemented to ensure the safety, security, and accuracy of health records and resident identifiable data. 
   • When storage plans are developed, consideration is given to the amount of space needed and available, the expected future demand for storage space, the costs of various storage alternatives and associated personnel, and the healthcare organization’s health record and data retention policies.
   • Storage systems need to address the hardware equipment that operates the electronic information systems.  This area may be referred to as the wiring closet, server room etc.  Large organizations may refer to this area as the data center.  Generally, the servers, cables and other equipment that operate electronic information systems must be stored in a designated area with appropriate physical safeguards and access limited to authorized employees.
   • Long term care facilities must invest in adequate storage systems and storage space for their health records and hardware that operate electronic information systems. The storage methods and systems must be secure and protect the confidentiality of resident information maintained both in paper and electronic format. The storage system and space must be adequate to protect the physical integrity of the record and hardware equipment and prevent loss, destruction, and unauthorized use.

   1. Storage System Options:

      Health record storage systems should be of professional quality to house and protect the health records.  Office supply and health record file and storage vendors offer various products ranging from simple file cabinets to mobile file storage systems.  The most common found in long term care are open shelf filing systems (with or without locking doors) or metal drawer file cabinets. The storage method selected is dependent on the security of the health information office and the amount of storage.  If the office is to be shared with another staff member or department not in health information, the shelves or file cabinets must be lockable and kept locked whenever health information staff are not in attendance.

   The goal in each facility should be to keep accessible as many years as possible of discharge records.

   • Open shelf filing: Open shelf filing is a common filing method for health records in various practice settings in health care.  Open shelf filing allows for easy access to files.  The file folders used with open shelf filing must have side tabs for viewing demographic information for identification.  If medical record files are retained in the health information office that is not shared with other staff or in a separate locked file room, open shelf filing without lockable doors is acceptable.  The office should always be locked when staff is not in attendance.  If the office is shared, the open shelf filing should have doors that are lockable.  When the health information staff member is out of the office, all health records should be in locked files.
   • File cabinets: Two, four or five drawer metal file cabinets are also commonly used in long term care facilities.  File cabinets work well when there are few discharges in a year and storage space is minimal.  Because file cabinets are bigger and bulkier than open shelf filing, they are not the optimal choice for large storage rooms or offices with a large volume of discharge health records.  Locked file cabinets should be used when the health information office is shared with another staff member.  The cabinets should be locked whenever the health information staff is not in the office.

    

   2. Security Issues: Locking of Office and Storage Areas

      The health information office and storage areas must be kept secure at all times if health records are filed and stored in that area. If the office is only used for health information staff, open shelf filing can be used in the office.

   When health information staff leaves the office, all doors or access to the office must be locked. The office should not be unattended when there are records on open shelving. If the office is not to be locked, then all filing shelves or file cabinets must be locked. No records should be out in the open and left unattended.

   If the office is to be shared with another staff member or department not in health information, the shelves or file cabinets must be lockable and kept locked whenever health information staff is not in attendance.

   Storage areas outside of the health information office should be locked with access limited to only those who need access.  Health information department policies should identify who has keys and training on access, security, and the log-out process for records and access to the information processing area.

   Storage areas that house the electronic information systems hardware need to have appropriate physical safeguards in place to protect the hardware and prevent unauthorized access. Appropriate physical safeguards may include access controls (locks, token, biometric controls) raised flooring, dry pipe sprinklers, temperature controls and a back-up electrical source/generator.

   3. Alternative Storage Areas

      When space is not adequate in the health information office to store all discharge health records for the defined retention period, it is necessary to locate alternative storage. Optimally the storage should be in the facility to facilitate retrieval, but when storage space is limited it may be necessary to utilize storage space outside of the facility. When an alternative storage space is needed, the space selected must be secure and must protect the records from damage, loss or destruction.

   Storage rooms must be organized allowing for ease in location and retrieval of records and documents. Similar documents should be retained together. One method for tracking the location of documents that are retained is to maintain an index log for records/documents (other than personnel files and health records) which identifies the contents of different storage containers and locations.  A log would contain information on the box number and a description including dates of items in the box.

   • Storage Boxes: When it becomes necessary to store inactive discharge records and other resident-specific documents, storage boxes may be used. Storage boxes should not be considered for recent years of discharge records when records are accessed more frequently. Storage boxes purchased should be of adequate quality and durability for record/document storage purposes.
     
     If storage boxes are used they must be adequately labeled with the content of the box, the year, and the year the records may be destroyed (per facility retention guidelines). It is recommended that similar types of documents are kept together in a storage box to facilitate ease in destruction.
     
     When storage boxes are used, they should not be stacked on top of each other.  Boxes should be placed on shelves to facilitate easy retrieval of records and documents.  Boxes should be placed off the floor and below sprinkler heads following state fire safety standards.  In absence of a standard, boxes should be at least 18" off of the floor and 18" below sprinkler heads.
     

    

   • Storage Rooms: If storage rooms are used for health records and other confidential records, they should be kept organized with adequate shelving, lighting and security. Multiple use storage rooms in which multiple staff members have access or keys must have a separate area that is caged and locked to protect the security of confidential records and documents. The storage room environment should not cause damage to the records and documents (such as moisture or rodents). It is acceptable to use storage boxes, but it would be optimal to use metal files or cabinets.
     

    

   • Storage Buildings/Sheds/Rented Storage:  When storage buildings or sheds are used for confidential documents, records and documents must be secure and protected from loss or destruction.  The same standards apply to storage buildings, sheds and rented storage that applies for storage rooms within a facility.  If multiple staff have access to the shed and store items, the records and documents must be placed in a separate locked area with access by select staff.  The storage building must protect records from the elements such as moisture and rodents. The storage area must be organized to facilitate location and retrieval of information.  Although it is acceptable to use storage boxes, it is optimal to use metal cabinets or files.
     
     In some states prior approval is required from the Department of Health for use of off-site storage.
     

    

   • Storage Companies:  If a storage company is selected, they should have written policies on the security and safety of confidential records and documents.  If using a storage company there should be a written contract or agreement in place outlining the storage company’s responsibility in securing documents, protecting documents from loss or destruction, and outlining how facilities will access records and the time frame for obtaining records.  Additionally, business associate language must be incorporated into the main contract or attached as an addendum.  The long term care facility should have a list of all resident health records and other documents retained at the storage company and have mechanism to access to those records in an emergency situation.
     
     
     
   • Redundant/Back up Information Sites:  When a redundant electronic information system is utilized, this should be housed in a location that is a reasonable distance away from the primary information processing area.  Policies and procedures should address specific positions that may access the storage media, retention time periods for the backed-up information and appropriate destruction practices.

    

   • Storage of Back-up Media:  If an electronic information system is utilized, the information is generally backed-up on a regular basis.  Back up media may include tapes, CDs, diskettes or other some other type of storage medium. Special precautions must be implemented to ensure the safeguarding and availability of storage media.

   • Storage media should be stored at an off-site location or at a different, secure location within the campus.
     

    

   • If the media is stored off-site a bonded company should be utilized. An appropriate contract should be obtained and business associate language incorporated into the contract or attached as an addendum.  The selected company should be located in a location that is a reasonable distance away from the primary information processing area.
     

   • Policies and procedures should address specific positions that may access the storage media, retention time periods for the backed-up information and appropriate destruction practices.

    

    

6. RETENTION

   HIM STANDARD:

   .

   • The healthcare organization’s and health information management department’s health record and data retention systems, policies, procedures, and specified periods of retention comply with federal and state regulations; certification, licensure and accepted standards of practice.
   • The retention system is designed and implemented to ensure the safety, security, and accuracy of health records and resident-identifiable data, and it considers the needs of all legitimate users of health records and resident-identifiable data.
   • Health information management department provides assistance to other departments in developing retention schedules for their records, data, indexes, and reports.

   Facility policy should define a specific retention schedule for different types of records based on federal and state law and professional practice standards. The policy should be consistently applied and records destroyed after the retention period has expired. Storage areas should be organized and storage boxes labeled with the content, year of documents, and year records/documents can be destroyed.

   1. Retention Guidelines

      The following retention schedule outlines federal guidelines and recommended retention guidelines. If State law requires a different retention period, the more stringent between federal and state must be followed. After considering the required retention period, every facility should define in policy their specific retention period not to be less than the period defined by state or federal law.

Document Type	Federal Regulation	State Regulations	AHIMA Recommended Guideline
Health Record	(F515) 5yrs after discharge when there is no requirement by state law; For minors, 3 years after the resident reaches legal age as defined by state law. Medicare residents – 5 years after the month the cost report is filed  (CMS Skilled Nursing Facility Manual – Pub 12)	See Exhibit A AHIMA Practice Brief Table 4:  State Laws or Regulations Pertaining to Retention of Health Information	10 years based on False Claims Act (31 USC 3729-3733) Section 3731:  Statute of Limitations; a claim of fraud can be made up to 10 years from the date of violation, materials must be made available for inspection which includes financial and health records
Financial Record	Medicare residents – 5 years after the month the cost report is filed. (CMS Skilled Nursing Facility Manual – Pub 12)		Refer to above recommendation 10 year retention period
Master Patient Index			Permanent
Admission/Discharge Register			Permanent
OSHA Records/ Employee Medical Records	Duration of employment plus 30 years
HIPAA Related Documents (i.e. Accounting of Disclosure, Request for Amendment, Requested  Restrictions, etc.)	6 years (HIPAA Privacy Rule) or length of record  retention if documents kept in the medical record – whichever is longer

 

7. DESTRUCTION

   HIM STANDARD:

   • The healthcare organization’s and health information management department’s health record and data destruction systems, policies, and procedures comply with federal and state regulations and accepted standards of practice.
   • Policies and procedures exist to facilitate the destruction of health records and protected health information stored in paper or electronic format using an acceptable method of destruction after the appropriate retention period.
   • Destruction of any record involved in an open investigation, audit or litigation is not permitted
   • The destruction system is designed and implemented to ensure the security and confidentiality of the health records and protected health information being destroyed.

    

   Every long term care facility should have a policy and procedure established to destroy records or confidential documents, whether in paper or electronic format, that are beyond their retention period.  Destruction should be done at least annually based on a proper written retention schedule that encompasses federal and state regulations.   The policies and procedures and the destruction schedule should demonstrate that records are destroyed in the normal course of business, as consistency and documentation are key components of record management.  A destruction program that documents both appropriate retention and destruction of documents protects the facility/organization from legal liability.  At least annually, every facility should review the documents on the retention guideline and destroy records as appropriate. It is recommended that the Executive Director/Administrator be notified and approve of records/documents to be destroyed.  (See Retention section 4.6)

.

.

.

1. Acceptable Methods of Destruction - Paper-based Records

Paper-based records containing resident-identifiable data must be destroyed in a manner that makes it impossible to reconstruct and read the information.  Records and protected health information cannot be disposed of in the garbage containers without some type of shredding or obliteration. Documents awaiting destruction should be housed in secure collection containers, with specific attention to location of the container and the locking capabilities.  Acceptable methods used today include shredding, incineration pulping and pulverization.

In addition to the records maintained for a specific retention period, there are other documents that should be destroyed after their usefulness has ended.  These secondary or incidental documents include duplicates, carbon copies, misprints, worksheets and documents containing billing statements. 

On-Site: The health information management staff should oversee any shredding of documents at the facility.  Cross cut shredders have a higher degree of security than strip-shred. Destruction companies do offer on-site services where trucks with industrial shredders come to the facility to perform the service.  A business associate agreement with the destruction company should detail the location of the destruction, method of destruction and require proof of destruction.

Off-Site: If the records are destroyed off-site through a destruction company, a business associate agreement should detail the safeguarding practices while the PHI is in transit, time that will elapse between acquisition and destruction, method of destruction and require proof of destruction.       

Note: Some states might require notification prior to destruction of health records and also might require the use of only approved destruction companies.  Check specific state laws prior to setting up destruction program.



1. Acceptable Methods of Destruction -  Electronic Records and Information:

Like paper-based records, electronically stored resident-identifiable data, such as MDS/RAI, MPI, Dietary, or other documents, must be destroyed in a manner that makes it impossible to reconstruct and read the information.  Acceptable methods used today include digital sanitation and physical destruction. 

Digital sanitation or overwriting is the most common, cost-effective process for destruction of data without rendering the hard drive useless.  Overwriting replaces existing data on a hard drive with meaningless data in such a way that the original data cannot be recovered. 1

Degaussing is another destruction method and this uses a process that erases the data by changing the magnetic alignment to random patterns that renders the previous data unrecoverable.

Physical destruction requires damaging the medium so that it is unusable in a computer and the data is no longer retrievable.

Methods of destruction and disposal should be reassessed periodically based on current technology, accepted practices, and the availability of timely and cost-effective destruction/disposal services.

 

If a service is used for disposal, the vendor should provide a Certificate of Destruction indicating the following:

 

• Computers and media that were decommissioned have been disposed of in accordance with environmental regulations, as computers and media may contain hazardous materials.

• Data stored on the decommissioned computer or media was destroyed per the previously stated method(s) prior to disposal.2

 

Computer Data and Media 2

 

Workstations, laptops, and servers use hard drives to store a wide variety of information.  PHI may be stored on a number of areas on a computer hard drive.  Simply deleting these files or folders containing this information does not necessarily erase the data. 

To ensure that all PHI has been removed, utility software that overwrites (digital sanitation) the entire disks drive must be used.  Remember, total data destruction does not occur until the backup tapes have been overwritten.                

 

If the computer is being redeployed internally or disposed of due to obsolescence, the utility software must be run against the computer’s hard drive, after which the hard drive may be reformatted and a standard software image loaded on the reformatted drive.

If the computer is being disposed of due to damage and is not possible to run the utility to overwrite the data, then the hard drive must be removed from the computer and physically destroyed. 

 

Other Storage Devices 2

 

Compact disks, diskettes and backup tapes containing PHI must be shredded, pulverized or otherwise physically destroyed before disposal. 

 

PDAs


Any PDA or other electronic device that does not have a hard drive must be reset to factory defaults prior to reuse

Sources:
1 Keating, Angie Singer. “Destroying Data the DoD Way: Military Standards Helap Ensure compliance for Electronic Data Security.” Journal of AHIMA 76, no.7 (July-August 2005): 54-55.62.
2 AHIMA Workgroup on Electronic Health Records Management.  “The Strategic Importance of Electronic Health Records Management. “The Strategic Importance of Electronic Health Records Management. Appendix A: Issues in Electronic Health Records Management” Journal of AHIMA 75, no.9 (October 2004): web extra.

2. Abstracting Paper Documents and Electronic Data Prior to Discharge

.

Unless required by state law it is not necessary to abstract paper documents or electronic data out of the record to retain on a permanent basis. The master patient index card and the destruction logs(manual or electronic)  contain basic demographic information and are to be retained on a permanent basis

3. Destruction Logs and Witnesses

Destruction Logs:  In addition to written policies and procedures on retention and destruction, it is recommended that a facility maintain documentation of the records/documents that are destroyed and the date information was destroyed. Two types of destruction logs are recommended.  These logs should be maintained permanently. 

1. Clinical Record Destruction Log - When clinical records are destroyed, documentation of the destruction process and individual records destroyed must be in place. There are a number of methods that can be used to document records that have been destroyed. A log is a common process used to document the resident's name and the minimal demographic information for records that are destroyed. This log should contain the following information:
1. Resident Name
2. Medical Record Number
3. Admission Date
4. Discharge Date
5. Date of Destruction
6. Method of Destruction
7. Destroyed by
8. Witness
   

 

2. Destruction Log for All Other Types of Documents - A log should be used to reference when different types of documents were destroyed, when they were destroyed and who they were destroyed by. Some examples of the elements that might be recorded in this log include:
1. Document Name
2. Facility Retention Period
3. Dates Destroyed
4. Method of Destruction
5. Destroyed by
6. Witnesses/Authorization
7. Destruction Date
   

Certificate of Destruction - If an off-site record storage company or destruction company destroy records, they should supply a certificate of destruction that is signed and witnessed and includes a list of the items destroyed, the date of destruction and method of destruction. The LTC facility should have a written business associate agreement with the destruction company detailing their procedures, document insurance coverage and their security measures.  If the specific items destroyed are not included on the certificate, then the certificate should be linked to this information to create an audit trail.  (I.e. type of record destroyed, year, box numbers, etc)  This could be as simple as filing the certificate of destruction with the destruction logs.  The certificate of destruction should be maintained permanently.

 

Sources: AHIMA Practice Brief, “Destruction of Patient Health Information” (updated November 2002.  Johnson, Robert J. “Information Destruction Programs: How You Can Defend Them and They Can Defend You.”  In Confidence 10:6 (June 2002), pg 3.  Mead, Kevin.  “Get Serious About Paper Record Destruction.” Journal of AHIMA 73, no.5: 58, 60.  Johnson, Robert.  “The Certificate of Destruction: What It Is, What It’s Not.”  Journal of AHIMA 76, no. 6 (June 2005): 54-55, 59.

4. Inadvertent Destruction of Records

There are two types of situations in which records could be inadvertently destroyed.  The first type is natural or man-made disasters, and would include flood, fire, hurricanes, tornadoes and explosions.  The second type are provider induced disasters or disasters caused by negligence.  Some examples of provider induced disasters are records destroyed by water due to storing the records on the floor, medical records lost or destroyed by computers or records inadvertently thrown away/destroyed.

If records are destroyed in either of the above situations, a risk assessment investigation should be conducted and documented as part of the Quality Assurance Committee which includes information about what caused the destruction and an action plan.  See Section 4.8.2 (lost records)

 

If records requested by The Centers for Medicare & Medicaid Services (CMS) have been destroyed, then there is a procedure established to determine if the circumstances of the destruction was unforeseen and should not count as a “no documentation error”.  Refer to the CMS web site for additional information and instructions. (e.g. Medlearn article on The CERT Process fro Handling a Provider’s Allegation of Medical Record Destruction #SE0547)

 

Also check for state specific requirements for handling lost or destroyed records.

 

8. PHYSICAL SECURITY OF MANUAL/PAPER RECORDS

   HIM STANDARD:

   • When the healthcare organization maintains all or portions of the record electronically they must have a security plan with policies and procedures that delineate how the facility will safeguard the premises, the exterior and interior of the building from unauthorized physical access and the software and equipment therein from unauthorized physical access, tampering, and theft.  The software must have a method of tracking access.
   • When the healthcare organization uses a manual record system they likewise must have protections of the record, including a manual record-tracking system, out guides and/or requisition slips are used consistently to indicate records removed from the files.
   • When the healthcare organization maintains portions of the record electronically, a system shall be used to indicate in the paper record that specific documentation is maintained elsewhere, and how to access that documentation.  Electronic access shall be granted based on assigned access privileges.

   • The process for accessing manual and electronic records shall be known by employees who would have such access or may be requested to identify methods of accessing and tracking both the manual and electronic health records

    

   1. Security Measures for Record Check Out-Manual

One of the most important physical security measures that must be in place in every long term care facility is a record sign-out system (log-out and/or outguides) for all types of medical records. Not only do the systems have to be in place, but they must also be enforced to be effective. Health information staff should monitor the sign-out practices and assure that records are returned promptly.

.

• Active Records: Outguides or a sign-out system must be in place on all nursing stations. Charts should not leave the unit without being signed out. Outguides work well because they are placed in the chart rack where the chart was removed. The authorized person who took the record must be identified along with the date and location.
• Overflow Records: Regardless of where overflow records are located in the facility, there must be a sign-out process to identify when a record has been removed, who took the record, and where it is located.
• Discharge Records: A sign-out system must be in place when a record is removed from the health information department or record storage area.

 

2. Maintaining Security of Electronic Record Access

HIM STANDARD: 

• When the healthcare organization uses electronic record access control procedures for verifying access authorization, regular review of audit logs, system activity, access reports, and security incident tracking reports are used consistently to monitor for intrusion or any unauthorized access.
• Training on the organization’s electronic record security is provided to all healthcare employees empowered to request or who may receive requests to access to health records.

 

Facilities with electronic records or hybrid (partially electronic) records must establish policies and procedures for verifying access authorizations before granting physical access, which include documented instructions for validating the access privileges of an individual before granting those privileges. Need-to-know (Minimum Necessary) procedures for personnel access should be defined so that a user shall have access only to the data needed to perform a particular function.  Need-to-know is also a criterion for removal of user accounts included in the requirements for termination procedures. Staff members should not be allowed access to information beyond the scope of their current job functions.

 

A computer role based access grid should be established that delineates both the access privileges and limitations based on the employee’s position. Access privileges must be able to be changed as changes in the system, applications or forms are implemented or changes in access needs for individuals or classes of employees change.

 

Information must also be classified to indicate what level of access control is indicated. 

 

For example:

• Public = No restrictions on access; Examples brochures, Notice of Privacy Practices
• Internal = Access by employees only, based on need to know; Examples: policies and procedures
• Confidential = Role based Access only; Protected Health Information;
• Sensitive = Role Base Assigned Access only ; HIV test results, Psychiatric or Alcohol Abuse

 

The Workstation is another integral part of electronic record physical security. HIPAA Security requires that the facility have a policy and guidelines on workstation use (documented instructions and procedures delineating the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific computer terminal site or type of site, dependent upon the sensitivity of the information accessed from that site).”    Users should be guided as to unauthorized viewing. The policy might show that users need to log off when they leave the workstation unattended during their shift and before they end their shift for the day. As an alternative to logging off, password-protected screensavers could also be used to secure an unattended workstation.

 

The physical attributes of the workstation site must also be addressed. Some examples of this may be:

• Locking cage to enclose CPU case when left unattended
• Locking room where the workstation is located when not in use
• Protecting all removable media (e.g. diskettes, CD-ROMs, backup tapes, etc.) from unauthorized use
• Prohibiting the practice of writing down User IDs and/or Passwords where others can find and/or use them.

 

Workstation sites that have access to sensitive data and/or workstation sites that are in a public area may need extra physical attribute policies to maximize the security of the site.  Special consideration must also be given to protection of information stored in portable devices such as laptop computers and PDAs that guard against theft, loss or unauthorized use.

 

Other considerations for control of physical access to electronic records include but are not limited to:

• Equipment control: Bringing hardware and software into and out of a facility and maintaining a record of that equipment including, but not limited to, the marking, handling, and disposal of hardware and storage media.
• Facility security plan: A plan to safeguard the premises and the exterior and interior of the building from unauthorized physical access and the equipment therein from unauthorized physical access, tampering, and theft.
• Physical access authorization verification: Access authorization verification must include instructions for validating the access privileges of an entity before granting those privileges.
• Maintenance records: The process for the documentation of repairs and modifications to the physical components of a facility, such as hardware, software, walls, doors, and locks.
• Personnel access need-to-know procedures: Procedures must ensure that a user has access only to the data he or she needs to perform a particular function.
• Visitor sign-in and escort procedures: Escort procedures must include procedures governing the reception and hosting of visitors, “if appropriate”.
• Testing and revision: Procedures for restricting program testing and revision to formally authorized personnel.
• Scanned documents or other specialized program of record management must have the same level of access privileges to prevent unauthorized physical access and the equipment therein from unauthorized physical access, tampering, and theft.

 

3. What to do if a Record is Lost , Destroyed or Stolen:

.

Even with the best preventative systems in place medical records, in full or in part, can be inadvertently lost, destroyed, or stolen. To limit or minimize the harm, systems must to be in place and enforced which protect the records. 

 

When records are lost or missing, an exhaustive search should be conducted to locate the documents or records. Once records are found, evaluate the system failure that resulted in the loss of records and implement corrective measures to prevent it from occurring again.

 

After an exhaustive search for lost records or in situations where the records are known to be destroyed or stolen, the next step is to reconstruct the record if possible.

 

Reconstruct the information by:

• Reprinting documents from any databases, such as the facility clinical computer system (MDS, care plans, etc), pharmacy (current physician orders), laboratory, and radiology databases or data backup services.
• Go to your computer backup system or your corporate server or backup of your automated document management system back (imagining, etc.)
• Retranscribe documents from the dictation system if used (check with attending physician or consultant for copies of dictated progress notes or consultative reports).
• Obtaining copies from recipients of previously distributed reports/documents, such as those sent to a physicians' offices, hospital, other healthcare facilities, or the business office. 
• Obtain copies of reports generated by a healthcare facility (hospital) that relate to the resident’s stay (history and physical, discharge summary, emergency room reports, etc.).
• If the current record is missing, have staff complete baseline assessments for the resident, complete a comprehensive assessment and a new care plan.  Have each discipline write a summary note with the resident history and progress over the course of their stay.  Verify physician orders with attending physician and have reconstructed orders signed.

 

If unable to reconstruct part or all of a resident's health information, document the date, the information lost, and the event precipitating the loss in the resident's record. When appropriate, document what and how information was reconstructed. Authenticate the entry as per facility policy. When information is disclosed that would have normally included the missing portion, include a copy of the entry documenting the loss of that information.


4. Disaster Plans

   .

   HIM STANDARD:

   • A disaster plan for recovering health records damaged by fire, flood, or other destructive events in is place.
   • The disaster plan includes revisions for recovering healthcare records on different types of storage media.
   • The disaster plan includes provisions for a backup system, offsite access such as hosting, corporate storage and retrieval, to provide the healthcare organization’s staff necessary access to health records during emergency situations.
   • The disaster plan must outline alternative procedures to be utilized for continuity of care during the emergency and the procedure when there is restoration of the automated system.

    

   Every long term care facility should have a disaster plan in place to deal with unexpected events and outline how health information/medical records will be protected from damage.  A well thought out disaster plan will minimize disruption, ensure stability, and provide for orderly recovery when faced with an unforeseen event.

    

   A plan should be in place to deal with water damage (flood, sewage back-up, sprinkler damage, etc), fire, power failures (electronic medical records and clinical information systems), resident evacuation, and other natural disasters common to your area such as a hurricane or tornado. 

    

   AHIMA has the following practice brief on disaster planning which details the steps to take in preparing for potential adverse events.

   Research

   • Perform a literature search on disasters and disaster planning relative to medical records or health information. Search the archives of your favorite health information listservs or Web sites. Check the Internet to see if other health organizations have posted disaster plans on their Web sites. Collect sample health information disaster plans from peers.
   • Talk to colleagues who have experienced the types of disasters your facility could expect.
   • Contact several fire/water/storm damage restoration companies to determine the services available in your area and obtain any instructional information they can provide. Services may include document, electronic media, and equipment restoration as well as storage. These companies can often be located in the yellow pages under "fire/water damage restoration" or in the Disaster Recovery Yellow Pages.e   
   • Determine to what extent the facility's insurance covers the costs associated with moving health information, operating elsewhere, recovering damaged information, or lost revenue secondary to the inability to restore information. In addition, determine whether your insurer offers consultation and advice on disaster planning. Many insurers provide this at little or no cost to their clients.

    

   Drafting the Plan

   • List the various types of disasters that might directly impair the operation of the facility, such as fire, explosion, tornado, hurricane, flood, earthquake, severe storm, bioterrorism, or extended power failure.
   • List your department's core processes. For example, at a large hospital, the core processes might be maintenance of a correct master patient index (MPI), assembly, deficiency analysis, coding, abstracting, release of information, transcribing dictation, chart tracking, locating and provision, and generating birth certificates.

    

   For each plausible disaster and core process, generate a contingency plan. The document might include:

   • facility name
   • department name
   • contingency plan originator
   • date
   • the major function being addressed, such as chart tracking and location and provision
   • the disaster being considered, such as a hurricane
   • assumptions about the disaster, such as how will the disaster affect utilities; staffing and the ability of staff to report to work; security of health information and the facility itself; hardware and software; equipment and supplies; other departments; and residents presenting to the facility for treatment
   • description of the existing process used for the major function being addressed
   • an if/then scenario stating what will happen if a specific function cannot be performed
   • interdependencies, such as which processes depend on the provision of certain information or services
   • solutions and alternatives, including steps that can be taken to minimize damage or disruption before the disaster, ensure stability, or provide for orderly recovery
   • the limitations and benefits of each solution or alternative
   • activities that will need to be performed before the disaster in order to make this alternative possible, such as equipment acquisition, implementation of back-up systems, and development of disaster-related forms, materials, procedures, and staff training
   • the names of the individuals responsible for performing these activities
   • a list of individuals and departments with phone numbers to be contacted or notified relative to the disaster and implementation of this particular contingency plan

    

   Implementing the Plan

   • Perform the preparatory activities listed in each of the contingency plans.
   • Share the preliminary plans with the facility's safety officer and risk manager.
   • Develop written agreements with potential disaster recovery vendors or alternative service providers and locations as needed.
   • Provide staff with the training and tools necessary to implement the plan.
   • Test the plan.
   • Reevaluate and revise the plan and corresponding procedures based on the input of staff, the safety officer, and the risk manager, and on simulated disaster trials.
   • Include disaster training as part of staff orientation.
   • Measure staff competency by asking staff to describe or demonstrate their roles and responsibilities during specific disasters. Include competencies in staff performance standards.
   • Conduct drills at least semiannually.
   • Review and update the plan at least annually.
   • Repeat training and test competencies at least annually.

    

   Restoring Damaged Records

   In the event records are damaged in an actual disaster, contact a fire/water/storm damage restoration company. If services are contracted, the contract must provide that the business partner will:

   • specify the method of recovery
   • not use or further disclose the information other than as permitted or required by the contract
   • use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the contract
   • report to the contracting organization any inappropriate use or disclosure of the information of which it becomes aware
   • ensure that any subcontractors or agents with access to the information agree to the same restrictions and conditions
   • indemnify the healthcare facility from loss due to unauthorized disclosure
   • upon termination of the contract, return or destroy all health information received from the contracting organization and retain no copies
   • specify the time that will elapse between acquisition and return of information and equipment
   • authorize the contracting entity to terminate the contract if the business partner violates any material term of the contract

    

   To the extent records cannot be reconstructed by the damage restoration company, reconstruct the information by:

   • reprinting documents from any undamaged databases, such as admission, transcription, laboratory, and radiology databases or data backup services
   • retranscribing documents from the dictation system
   • obtaining copies from recipients of previously distributed copies, such as physicians' offices, other healthcare facilities, or the business office

    

   If unable to reconstruct part or all of a resident's health information, document the date, the information lost, and the event precipitating the loss in the resident's record. When appropriate, document what and how information was reconstructed. Authenticate the entry as per facility policy. When information is disclosed that would have normally included the missing portion, include a copy of the entry documenting the loss of that information.
   
   Create and retain a record of the disaster event and a list of resident records affected, with recovery efforts, successes, and failures. This will allow for easy retrieval of general information regarding the past event should any legal or accreditation issues arise.

    

   Post Disaster

   Following the disaster, meet with staff and allow them the opportunity to:

   • evaluate departmental performance and identify opportunities for improvement
   • begin the grieving and healing process that may follow emotionally charged disasters

    

.

.

9. CONFIDENTIALITY AND RELEASE OF INFORMATION

   .

   HIM STANDARD:

   .

   • The medium in which protected health  information are stored, whether paper based or computer based, is the property of the healthcare organization and is maintained to serve the resident, the healthcare professional, and the healthcare organization in accordance with legal, accrediting, licensing, regulatory, and ethical standards.

   • Residents’ protected health information, regardless of the medium in which they are stored, belong to the resident and are protected accordingly.

   • Confidentiality policies and procedures specify that protected health information is used within the healthcare organization only for the purposes for which the data and information were collected. 

   • Disclosure of protected health information is restricted to those individuals who possess knowledge of applicable federal and state laws and regulations and training in the legal ramifications of subpoenas and court orders. 

   One of the most critical roles of the health information department is to monitor and apply regulations, professional practice standards, and facility procedures for protecting resident confidentiality, information security, and release of information.  A comprehensive set of policies and procedures to comply with the Heatlh Insurance Portability and Accountability (HIPAA) privacy and security rules in regards to confidentiality and release of information must be in place in all long term care facilities.  The following guidelines provide direction on common issues related to confidentiality and release of information.  The guidelines take into consideration federal laws and professional practice standards, but not individual state regulations.  If there is a state specific law with more stringent requirements or that allows greater privacy protections, follow the laws of your state.

    

   Federal Regulation:  42 C.F.R. § 483.75 (4) states:  The facility must keep confidential all information contained in the residents’ records, regardless of the form or storage method of the records, except when release is required by – (i) transfer to another health care institution; (ii) law; (iii) third party payment contract; or (iv) the resident.

    

   HIPAA is a federal law that requires healthcare facilities and payers who utilize standardized transactions (such as electronic billing) to comply with the Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule).  The HIPAA privacy rule became final on April 14, 2001 with compliance required by April 14, 2003.  This section refers to various components of the privacy rule, but does not go into full detail on all requirements.  It is recommended that health information practitioners obtain a copy and review the entire HIPAA privacy rule. Copies can be obtained through the Administrative Simplification website at http://aspe.os.dhhs.gov/admnsimp/ . Additional compliance guidance regarding the HIPAA Privacy Rule and answers to Frequently Asked  Questions can be located at the Office For Civil Rights website at  http://www.hhs.gov/ocr/hipaa/.

    

   1. Identification of Confidential vs. Non-confidential Information

   HIM STANDARD:

   • Residents’ protected health information is regarded as confidential and made available only to users authorized within the healthcare organization, users authorized by the resident or his/her legal representative, and users authorized by law.
   • Confidentiality policies and procedures differentiate between confidential and non-confidential data and information.
   • Policies and procedures address the heightened level of confidentiality provided to healthcare information related to behavioral health, substance abuse treatment, sexual or physical abuse, HIV/AIDS, abortion, and adoption.

    

   Defintion:

   Protected Health Information (Individually Identifiable Health Information) is information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual that (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

   The confidentiality/release of information policy should define what information is considered non-confidential and may be disclosed without a HIPAA compliant authorization and that which is considered confidential. The policy should contain information that is maintained in both paper and electronic format.  State law may define non-confidential information.  Federal law restricts disclosure of information related to drug and alcohol abuse treatment.  Under the HIPAA privacy rule, disclosure of directory information is permitted without resident’s authorization as long as the resident has had an opportunity to agree or restrict its use.  Directory information may be disclosed to individuals who ask for the resident by name. Healthcare facilities are under no obligation to disclose even non-confidential information; policies should define the facility practice.  The resident population should be considered when deciding what is considered non-confidential.  Special consideration may be given to celebrities, facilities who treat HIV/AIDS residents, behavioral health facilities, etc.  Under the HIPAA privacy rule, 

    

   .

   • Non-confidential or directory information is considered to be common knowledge such as name of the resident, location in the facility (room number), their condition described in general terms (critical, stable, good, fair, transferred, treated and released, or expired) , and religious affiliation (only available to members of the clergy).  
   • Confidential information is information made available during the course of a confidential relationship between the resident and healthcare professional.  Confidential information includes – but is not limited to – all clinical data and the resident’s address on discharge.  Confidential information  may be disclosed only when the resident, or the resident’s legal representative, gives written authorization, or when federal or state law, subpoena, or court order requires such disclosure.1 

   Facility policies should give direction to staff on releasing non-confidential and confidential information.  Since these situations often occur at the receptionist desk or at the nursing station, staff should receive special training in dealing with requests and deciding what is acceptable to release and what is not.

    

2. Resident Access to Their Records

HIM STANDARD:

• Subject only to specific legal constraints (such as those governing minors and persons adjudicated incompetent), a resident or his/her legal representative has access to and is provided photocopies of his/her health record upon written request with reasonable notice and payment of a reasonable fee.
• Policies and procedures have been established to enable the resident to review, amend, restrict access to or correct his/her health record.

 

Definition:

Designated Record Set means (1) a group of records maintained by or for a covered entity that is (i) the medical records and billing records about individuals maintained by or for a covered health care providers; (ii) the enrollment, payment, claims adjudication, and case or medical management record system maintained by or for a health plan; or (iii) used, in whole or in part, by or for the covered entity to make decisions about individuals. (2) The term record means any item, collection or grouping of information that includes protected health information and is maintained, collected, used or disseminated by or for a covered entity.

 

By federal law, residents or their legal representative in a long term care facility have the right to access their designated record set. Facility policies should provide guidance on who is considered a legal representative based on State law (i.e. guardian, conservator, durable power of attorney, etc.) Facility procedures should also outline how each request – whether a review of the medical record or request for photocopies -- will be handled.  

 

C.F.R. § 483.10(b)(i) states that “the resident or his or her legal representative has the right, upon oral or written request, to access all records pertaining to himself or herself including current clinical records within 24 hours (excluding weekends and holidays).”  In the event the resident or the representative wants a copy of the medical records, the facility is required to make copies, after 2 working days advance notice, “at a cost not to exceed the community standard.”  42 C.F.R. § 483.10(b)(ii).

 

The federal regulation for nursing homes (483.10(b)(i)) requires a more stringent time frame and should be followed when acting on a request by the current resident/legal representative to access records.  The HIPAA Privacy Rule timelines can be followed when responding to requests from former residents or their legal representatives.

 

Under the HIPAA privacy rule, the resident has the right of access to inspect and obtain a copy of their protected health information in a designated record set as long as the information/record is maintained. The privacy rule allows facilities a longer timeframe to respond to requests to inspect or obtain copies. The facility may follow the privacy rule timeframes when responding to requests from former residents. The facility must act on the request no later than 30 days after receipt.  If records or information are not maintained on-site, the facility has up to 60 days to act on the request.  If the facility is unable to respond within the 30 or 60 days, the facility may have one time extension of no more than 30 days. The facility must notify the requesting party in writing of the reason/s for the delay and the date when the request will be completed. Again, the facility is only allowed one time extension.

 

Steps In Handling A Request To Access/View Designated Record Set:

 

When a request is made by the resident or another party to view information within the designated record set, those requests should be directed to the health information coordinator.  Selecting one person or a department to handle requests will help to assure that the policy is carried out uniformly and information isn’t inappropriately disclosed or withheld.


If the requestor has the legal authority to view the record, a meeting should be set up within the 24 hours required by law for a current resident.  If the requestor cannot accommodate a meeting within the 24 hour time frame, the review should be set up at a mutually agreed upon time.  Since the resident or their legal representative have the right to review their records under federal law, it is not necessary to get approval from their attending physician.


Prior to the meeting, the record should be reviewed to ensure that is complete, accurate and organized. This also helps the facility to become familiar with the content and identify any potential areas of concern. Facility policy should address how to handle re-disclosure of protected health information received from another facility (i.e. hospital from a prior stay or another nursing home).


If components of the designated record set are maintained electronically in a hybrid medical record, determine how access will be provided to the electronic components of the medical record.  
 

During the meeting, a staff member should be in attendance at all times.  The staff member can be from the health information department or a designee such as nursing or social service.  The staff member present at the meeting is there to answer questions and to assure that the record is not altered in any way or documents removed/destroyed.  The resident/legal representative should be allowed to review and read the record without intervention from the staff member present. 


If copies are requested during this meeting, an authorization to use or disclose health information form should be signed with the specific documents and dates listed.  The facility’s copy charge policy should be disclosed to the resident/legal representative at the time of the request

 

 

Steps in Handling A Request for Copies of Designated Record Set:

 

See the sections on Handling a Request for Medical Records and Copy Fees for Medical Records.  The request for copies must be documented on a HIPAA compliant authorization form and signed by the resident or legal representative (for tracking purposes).  The request should specifically state what records are to be copied.  Review the copy fee policy with the resident/legal representative and if known, provide the estimated cost to fulfill the request before copies are made. 

 

3. Confidentiality Training and Agreements with Employees and Volunteers

.

HIM STANDARD:

.

• Education and training programs provided to members of the healthcare organization as a whole and to specific departments address the confidentiality of residents’ protected health information.
• Confidentiality policies and procedures are incorporated into new employee orientations and routinely reviewed as part of each employee’s ongoing education.
• Education and training programs on confidentiality address the responsibilities of staff to protect the resident’s right to privacy and their responsibilities to safeguard protected health information.
• Confidentiality agreements are signed by everyone connected with the healthcare organization who may have access to confidential healthcare information and resident-identifiable data. It is recommended that agreements are updated annually.
• Agreements with home-based employees state that the employees assume the same responsibility as regular employees for maintaining the confidentiality of all residents’ protected health information within their control.
• Education and training programs provided to members of the healthcare organization as a whole and to specific departments address the release of residents’ protected health information.

 

Long term care facilities should have confidentiality training programs in place for all employees and volunteers.  Under the privacy rule, training must be provided within a reasonable time after hire. It is recommended the training is reviewed annually with employees/volunteers.  Training should address the employee’s responsibility in maintaining the resident’s privacy, the facility’s confidentiality and release of information policies, common situations which an employee may face which could result in a breach of confidentiality and the consequences if a breach occurs or policy is not followed.  All employees should have some basic training on their responsibility.  Staff members who handle requests for information should have additional training to address the situations they will face in their position.

 

Definition:

Workforce means employees, volunteers, trainees and other persons whose conduct, in the performance of work for a facility, is under the direct control of the facility, whether or not they are paid by the facility.

 

Under the HIPAA privacy rule, facilities must train all members of its workforce on their policies and procedures related to the privacy rule.  The training should be based on employee's job function and access or exposure to protected health information.  All new members of the workforce must be trained within a reasonable period of time after hire.  Retraining must occur when there is a policy or procedure change that affects an employee's job.  In all instances, the facility must document that training was provided.

 

In addition to training, long term care facilities should have members of the HIPAA defined workforce – who includes employees, students, and volunteers sign a confidentiality agreement at the time of employment after they have received training. Facility policies should address the frequency for obtaining updates to the agreement (i.e. annually after training).  It is not recommended that confidentiality statements/agreements be incorporated into employee handbooks where the employee signs a blanket statement at the end. It is recommended that confidentiality agreements should be separate from the employee handbook to stress the importance of maintaining resident privacy and the potential action if privacy is breached.

 

The following sample provides language developed by AHIMA for discussion purposes only and published in the book, Release and Disclosure, Guidelines Regarding Maintenance and Disclosure of Health Information by Mary Brandt, MBA, RHIA, CHE.  It should not be used without review by your organization’s legal counsel to ensure compliance with local and state laws.

Employee/Student/Volunteer Nondisclosure Agreement [Name of healthcare facility] has a legal and ethical responsibility to safeguard the privacy of all residents and to protect the confidentiality of their health information.  In the course of my employment/assignment at [healthcare facility], I may come into possession of confidential resident information, even though I may not be directly involved in providing resident services.   I understand that such information must be maintained in the strictest confidence.  As a condition of my employment/assignment, I hereby agree that, unless directed by my supervisor, I will not at any time during or after my employment/assignment with [name of healthcare facility] disclose any resident information to any person whatsoever or permit any person whatsoever to examine or make copies of any resident reports or other documents prepared by me, coming into my possession, or under my control, or use resident information, other than as necessary in the course of my employment/assignment.   When resident information must be discussed with other healthcare practitioners in the course of my work, I will use discretion to ensure that such conversations cannot be overheard by others who are not involved in the resident’s care.   I understand that violation of this agreement may result in corrective action, up to and including discharge.   [Signature and date of employee, student, or volunteer]

4. Resident Identification Boards at Nursing Stations and Other Facility Locations

   Communication boards may be used to communicate within a facility and may contain protected health information. Common uses of communication boards include staff assignments, sharing information with other shifts, census information, etc. These communication boards that contain residents’ protected health information  must be in an area that is not viewable to residents, unauthorized staff members or the public. As a general rule, the only resident communication boards that should be viewable to the public provide directory information (room number).

    

5. Maintaining an Access/Disclosure Grid for Employees, Contractors and Outside Parties

   HIM STANDARD:

   • With regard to access to residents’ protected health information, the healthcare organization’s and health information management department’s policies differentiate among levels of authorized users within the healthcare organization, users within the healthcare organization’s provider network, and third-party users external to the healthcare organization and its provider network.
   • Contracts for services external to the healthcare organization must include business associate language that state that the companies providing the services assume responsibility for maintaining the confidentiality of all protected health information within their control.
   • Policies and procedures identify when disclosure of protected health information may be made without the resident’s authorization and differentiate between mandatory disclosure (for example, reporting of child abuse) and permissive disclosure (for example, access by healthcare staff).
   • Policies and procedures define those circumstances that require resident authorization prior to disclosure of information and those that do not require resident authorization.
   • Policies and procedures identify those communicable diseases and other public health threats that require reporting to the appropriate governmental agency and the mechanism by which the reporting is to be done.

    

   Definition:

   Minimum necessary means that when a facility uses or discloses protected health information or requests protected health information from another covered entity, the facility must make a reasonable effort to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

    

   Part of the facility policies on minimum necessary and confidentiality should be an access grid that outlines which employees and contractors are considered authorized users of the information contained in the designated record set and any restrictions or limitations on what can be accessed.  The grid should identify the authorized user by department and position and the limitations on access to information.  If subcontractors are used for certain services (billing service, dietary, etc.) language needs to be included in the contracts outlining the employee’s responsibility to maintain resident confidentiality and their authority to access the designated record set.

    

   Employee/Contractor Access to Protected Health Information

Position	Access to Records Granted	Scope/Limitations
Administrator/Executive Director	Yes	No limitations
Director of Nursing Services	Yes	No limitations
RAI Coordinator	Yes	Full access to records but only residents on their case load
Staff Nurse	Yes	Full access to records but only residents on their case load
Nursing Assistant	Limited	Care plan and documentation flowsheets only
Health Information Services	Yes	No limitations
Health Information Consultant	Limited	As directed by the facility
Business Office Manager	Limited	Access only to clinical information required for billing purposes
Director of Laundry	Limited	Access only to information necessary to do job
Therapy Staff	Yes	Access to records but only to those residents on their case load/receiving therapy treatment
Pastor	Limited	Access only to information necessary to do job and only for those residents requesting pastoral services
Receptionist	No
Maintenance	No
This table is not all-inclusive and is for discussion/illustration purposes only.  Positions, access and scope should be determined by each facility.  No recommendations are made through this illustration.

 



A second access grid should also be developed for access to clinical information computer systems.  The grid would serve the same purpose of outlining who has access to the system and what screens or programs are available to the position.

Employee/Contractor Access to Clinical Information Computer System
Position	Access to System	Scope/Limitations*	Read Only or Read/Write
Administrator/Executive Director	Yes	Billing and Clinical	Read/Write
Director of Nursing Services	Limited	Clinical Only	Read/Write
RAI Coordinator	Limited	Clinical Only	Read/Write
Staff Nurse	Limited	Clinical Only	Read/Write
Nursing Assistant	No
Health Information Services	Yes	Billing and Clinical	Read/Write
Health Information Consultant	Limited	Access as directed by facility	Read Only
Business Office Manager	Yes	Billing Limited Clinical	Read/Write Read Only
Director of Laundry	No
Therapy Staff	Limited	Clinical Only	Read/Write
Pastor	No
Receptionist	Limited	Demographics Only	Read Only
Maintenance	No
This table is not all-inclusive and is for discussion/illustration purposes only.  Positions, access and scope should be determined by each facility.  No recommendations are made through this illustration.

 

*As computer systems access control becomes more sophisticated, the scope and limitation should be more specific to the specific programs and screens in the system.  

 

In addition to an access grid for employees and contractors, a grid should be included which outlines access to the designated record set by other types of providers, agencies or third-party users.  This grid should outline whether an authorization to use or disclose health information form is required to be signed before information is disclosed or released and when reporting/disclosure is mandatory by law.  Both federal and state regulations need to be incorporated into the facility policy and procedure and access grid.  

 

The federal regulation (42 CFR § 483.75(4)) requires that the facility must keep confidential all information contained in the residents’ records, regardless of the form or storage method of the records, except when release is required by – (i) transfer to another health care institution; (ii) law; (iii) third party payment contract; or (iv) the resident

 

The disclosure grid should outline access to protected health information by the following individuals/entities and whether an authorization from the resident is required to release information.

 

Completion of this grid should be based on applicable federal and state laws the following are guidelines:

Disclosure Grid
Requestor or Outside Party	Authorization Required	Copy Charges Allowed
Accrediting Agencies (JCAHO, CARF)	No	No
Attorney	Yes	Yes
Attorney for Facility/Corporation	No	No
Courts of Law (Court Order)	No	Yes
Employer of Resident	Yes	Yes
Family members Family members with demonstrated involvement in care	Yes No – for verbal updates related to involvement in care	Yes No
Federal, State, and Local Government, and Voluntary Welfare Agencies	No – when reporting is required by law	No – when reporting is required by law
Funeral Homes	No – when releasing remains	No
Health Department	No	No
Healthcare Practitioners	No -  for continuity of care purposes when involved in residents care and treatment Yes – if not involved in care and treatment	No – for continuity of care and continued treatment. Yes – if not involved in care and treatment
Healthcare Providers (hospitals, LTC facilities, home health/hospice agencies, etc.)	No – for continuity of care purposes	No – for continuity of care purposes
Insurance Companies and Third Party Payers	No – for third party payment purposes	No – for third party payment purposes
Insurance Companies for Facility/Corporation	No	No
Law Enforcement Officials	Dependent on state law
Medical Examiner/Coroner	No – if reporting is required by law
Ombudsman	Dependent on state law
Research	Dependent on Research Project & IRB Approval/Waiver	No – if project is approved by facility
Residents	No	Yes

 

The column “Copy Charges Allowed” should be reviewed carefully and compared to the requirements in the privacy rule and any other applicable state of federal regulations. While is may be acceptable to charge for copies, facilities may exercise discretion and judgment when determining whether or not to charge a resident, his/her legal representative or other requesting party for copies.

6. Handling a Request for Health Information contained in the Designated Record Set 

HIM STANDARDS: Requests for healthcare information require a valid (HIPAA compliant) authorization to disclose protected health information, unless the disclosure is required for treatment, payment or healthcare operations.

 

All requests for information should be handled by the health information department to assure uniform application of the facility policy and adherence to applicable laws and practice standards.   When a request for information is made, the following issues should be considered before releasing information:

 

• Is an authorization to use or disclose health information required to be signed by the resident or their legal representative?
• What is the nature of the information requested?
• Is the information considered confidential or non-confidential?
• What is the purpose of the request?
• What is the authority of the person or agency requesting the information?
• Are there any revocations or notices to withhold information on file?

 

Consent for Use and Disclosure of Protected Health Information:

 

The HIPAA privacy rule does not require the facility to obtain the resident's consent prior to using or disclosing protected health information to carry out treatment, payment, or health care operations. The HIPAA Privacy Rule states that your facility may choose to obtain consent. The decision to obtain consent should be defined the facility’s policies and procedures

 

7. Redisclosure upon Transfer to Another Healthcare Facility

If the hospital or another facility’s records provide important information for the continued care of the resident, those records should be sent to the next facility/agency that will be providing care. The privacy rule allows for redisclosure of resident’s protected health information.  Your facility should have a policy in place to ensure redisclosure is handled in a consistent manner. A LTC facility should send the most recent hospital history and physical report and discharge summary upon transfer to another facility if the information provides insight into the resident’s current health status or would be beneficial in the continued diagnosis and treatment.  Other documents should be redisclosed based on the content and relevance to the resident’s continued care and treatment.  Refer to the Frequently Asked Questions available on the Office For Civil Rights web site at http://www.hhs.gov/ocr/hipaa/ for additional information regarding this topic.

 

1. Unless otherwise required by state law, incorporate in your own facility’s designated record set the health information generated by other healthcare providers needed for patient diagnosis and treatment.
2. Become knowledgeable about and implement organizational compliance with federal and state laws and regulations that address redisclosure. Any redisclosure must comply with federal and state laws and regulations.
3. Consult with legal counsel when federal and state redisclosure requirements differ and it’s unclear which should prevail.
4. Develop facility policies and procedures that address redisclosure. Be sure to include the requirement that prior to disclosure, the disclosing staff member verify the authority of the person to receive the information.
5. Modify existing authorization forms to incorporate required language in the HIPAA final privacy rule.
6. In general, healthcare providers should:
   1. Redisclose to other healthcare providers PHI when it is necessary to ensure the health and safety of the patient
   2. Redisclose requested health information to patients when necessary, but after first encouraging the patient to obtain the most complete and accurate copies from the originating healthcare provider
   3. Redisclose PHI when necessary to comply with a valid authorization
   4. Redisclose PHI when necessary to comply with a legal process. Only redisclose PHI located within your legal health record (the designated record set). Note that you may be compelled by the legal discovery process to release additional individually identifiable health information if access to the information is deemed necessary for the stated purpose 2
7. Ask legal counsel to review draft policies and procedures prior to implementation.
8. Educate staff on new or revised policies and procedures relative to redisclosure.
9. Implement policies and procedures and monitor compliance.
10. When in doubt about a potential redisclosure, consult legal counsel.
11. When asked to certify or testify about the authenticity of redisclosed health information, state that the information was received from another healthcare facility’s medical record through normal business practices, your facility received the information in good faith, and that you cannot knowledgeably speak about the record-keeping practices of the originating organization.
12. Modify existing certification forms when indicated.

 

Source: Rhodes, Harry, and Gwen Hughes. "Redisclosure of Patient Health Information (AHIMA Practice Brief)." Journal of AHIMA 74, no.4 (April 2003): 56A-C.

8. Handling Telephone Requests for Information

   When a request for a resident’s health information is received by telephone, the person receiving the request must decide if they have the authority to handle the request, decide whether information can be disclosed without an authorization, and verify that the individual has a right to receive the information.  With the exception of requests related to the resident’s current care and treatment, other types of telephone requests should be directed to the health information management department.  

    

   Telephone requests can be honored without an authorization if they are for the purposes of treatment, payment or health care operations. This may occur when a resident’s protected health information is needed for a transfer to another health care institution (for continuity of care purposes), when required by law, for third party payment, or when requested by the resident (including the legal representative). 

    

   Regardless of the situation, if the caller’s identity is unknown, steps should be taken to verify the caller’s identity. This can be accomplished by requesting the caller’s name, address and, if applicable, company information.  The facility staff member should look up the information, verify that it is accurate and return the call based on the information looked up.

9. Transmitting Resident Information via Facsimile

HIM STANDARD:   Policies and procedures establish the circumstances under which transmission of resident-identifiable data and healthcare information by facsimile machine is appropriate (such as when the original document or mail-delivered photocopies will not serve the purposes of the requestor).

.

When the fax machine is used to release of transmit resident health information, safeguards must be in place to protect the resident’s confidentiality.  If a LTC facility uses the fax machine to transmit information, they must have a policy and procedure in place directing staff on the proper procedures.

 

• A fax cover letter must always be used when sending resident information.  The cover letter should indicate whom the fax is sent to, whom it is from, the number of pages, and a confidentiality statement.  A facility should never send resident information (whether medical record documents or a narrative summary/notes) without a cover sheet.
• The fax cover letter should provide specific directions on the steps to take if the fax was sent to the wrong location/person. If a facsimile transmission fails to reach the recipient, check the internal logging system of the facsimile machine to obtain the number to which the transmission was sent. If the sender becomes aware that a fax was misdirected, contact the receiver and ask that the material be returned or destroyed. Investigate misdirected faxes as a risk management occurrence or security incident; include the accidental disclosure of patient health information in the accounting of disclosures log. Mitigate the accidental disclosure and determine the need to contact the patient, organization's legal counsel, and risk management carrier.
• Preprogram fax numbers into the machine whenever possible to minimize the chance of entering an incorrect fax number resulting in a misdirected fax. Request that frequent recipients notify your facility of any fax number changes.
• Place fax machines in secure areas.
• If faxing is used to correspond with the physician and a response is needed, maintain a monitoring system to assure that a response is received.  If an immediate response is needed or the resident’s condition requires immediate intervention, the telephone should be used to contact the physician rather than the fax machine.
• Some type of verification process should be in place to assure that the fax was transmitted.  Verification may vary from a report generated by the fax machine to a call back from the receiving party.  The type of verification used should be dependent on what was sent and who it was sent to.  
• Facility policy should outline the types of information that cannot be faxed. For instance, it may not be appropriate to fax highly sensitive information (HIV/AIDS status, drug or alcohol abuse information, etc.).
• Establish guidelines to address retention of information transmitted via facsimile and whether it should become part of the patient's health record (e.g., is the document part of a designated record set or a business record?).
• Take precautions to preserve the quality of faxed documents. Fax copies may fade and may need to be photocopied. Extra precautions are necessary when thermal paper is used to ensure legible copies are retained as long as the medical record is retained.
• Include in your organization's notice of information practices uses and disclosures of individually identifiable health information made via fax machine or software where appropriate (see the AHIMA practice brief "Notice of Privacy Practices").
• Obtain a written authorization for any use or disclosure of individually identifiable health information made via fax machine or software when not otherwise authorized by the individual's consent to treatment, payment, and healthcare operations, or federal or state law or regulation.

 

Source: Davis, Nancy, et al.. "Facsimile Transmission of Health Information." (AHIMA Practice Brief, updated August 2006).

.

.

10. Responding to a Subpoena or Court Order

    It is critical that state law is followed in processing a subpoena. In addition, the privacy rule has specific requirements that must be met prior to responding to a subpoena. (Refer to the privacy rule 42 C.F.R. § 164.512 (e).) The following provide general guidelines in handling a subpoena when it is received.  Facility policies should be tailored to specific state statutes and the privacy rule. Generally, your facility should work with legal counsel to ensure a subpoena is valid and your facility responds appropriately.

     

    • Check that the subpoena is signed by a representative of the court (usually the Clerk of Court).
    • Determine if satisfactory assurances are received with the subpoena. Contact your facility’s legal counsel to ensure appropriate satisfactory assurances have been received or a qualified protective order is present or requested.
    • If a subpoena is received notify facility administration and the facility legal counsel per facility policy.  Some corporate offices require that the corporate legal department be notified and approve the release before records are sent.
    • Review the entire medical record to make sure that all sections in the record are present and in the proper sequence.  For a discharge record, do not make any alterations in the record or allow anyone else to make additions, corrections, or deletions after the subpoena has been received.  
    • If the entire medical record is requested, number the pages of the original medical record (including shingled copies), verify that the records all belong to the correct resident, and check that the resident name and medical record number are on all pages including both sides of forms.  Make the requested copy after approval from administration/legal counsel if required by facility policy. Make a second copy for facility use/legal counsel.
    • If the record is for a discharge resident and for litigation purposes, the records should be removed from the storage/filing area and placed in a locked location until the litigation process is complete.
    • Deliver the copy of the record to the location listed on the subpoena.
    • Upon return from court, write a note on the subpoena identifying by whom the subpoena was answered, the date and time, the attorney’s name, and note that a copy of the medical records was left with the court.
    • If the original record is requested, contact the Clerk of Court to determine if a copy is acceptable.  If the original is required for court -- 
    • Create a Receipt for Medical Records and keep one copy for the facility and one for the person accepting the record on behalf of the court.  Include on the receipt an inventory of the medical record content.  For example, nurses notes – 20 pages, physician orders – 10 pages, total pages – 30.
    • Place the original record in a folder with the receipt and label as the “Original Medical Record.”
    • Deliver both the original record and the copy to the location listed on the subpoena. 
    • Remain with the original record at all times until you are sworn in.
    • Request the Court Official to review the copy to see if they will accept the copy in place of the original.  If the Judge or Hearing Officer refuses to accept the copy in place of the original, leave the original record.  Request that the original record be returned to the facility when the case is completed.
    • Obtain a signature of the original copy of the Receipt for Medical Records from the Clerk of Court.  Keep the original copy of the receipt.
    • Leave the copy of the receipt with the record held by the Court.
    • Upon return from court, write a note on the subpoena identifying by whom the subpoena was answered, the date and time, the attorney’s name, and that the original medical record was left with the court.
    • File the subpoena and the signed receipt in the resident/resident’s medical record file folder until the record is returned.
    • After the record is returned, check the record against the receipt to make sure that all pages are present.  Reassemble the record in proper order, if necessary.  Note the date returned on the receipt/subpoena and file the original record in the permanent file.

     

     

11. Removing Original Records from the Facility

HIM STANDARD: Original health records may not be physically removed except in accordance with the healthcare organization’s policies.

.

The original medical record should never be removed from the facility.   Facility policies should specifically address removal of records and prohibit any employee, contractor or agent from removing resident medical records (in full or in part) from the facility.  When records are requested for legal proceedings, it is acceptable to submit a copy of the original.  If the original record is specifically requested for a legal proceeding, every effort should be made to submit a copy.  For example, contact the court requesting that a copy versus the original be submitted or go to court with the original record and a copy.  Request that the copy be placed into evidence rather than the original record.  If the original must be placed into evidence, then the copy can be used by the facility.

 

If it is absolutely necessary to remove the original record, measures should be in place to physically protect the original.  One possible method is to utilize the storage bags with plastic locks that can be purchased through medical record supply companies.  The bag can be locked at the facility and the lock broken once at the destination.  If the original record does have to be removed from the facility, it should always stay in the custody of a facility representative who takes full responsibility for its safe-keeping.

12. Notice of Information Practices

    .

    The HIPAA privacy rule requires facilities to provide the resident with a Notice of Information Practices also referred to as a Notice of Privacy Practices. This Notice must describe how the facility  uses or  discloses residents’  protected health information, the resident's rights with respect to his/her PHI, and the facility's legal duties under the privacy rule.  The notice must be provided at the time of admission to the facility.  The notice must be written in plain language and contain the following elements: (See HIPAA privacy rule for specifics under each section)

     

    • Header: "This notice describes how medical information about you may be used and disclosed and how you can get access to this information.  Please read it carefully."
    • Uses and disclosures
    • Separate statements for certain uses or disclosures
    • Individual rights
    • Covered entity's duties (facility's duties)
    • Complaints
    • Contact information
    • Effective date
    • Other optional information as described in the HIPAA privacy rule

     

    A good faith effort must be made to obtain acknowledgement of receipt of the Notice. If your facility is unable to obtain acknowledgment, document actions taken to obtain acknowledgement and why you were unable to obtain acknowledgement.

     

    If a resident is admitted in an emergency situation, provide the Notice as soon as reasonably practicable after the emergency situation.

     

    The Notice must be posted in your facility; in addition, you must have copies of the Notice available for interested parties (perspective residents, visitors, family members, etc.) to have upon request.

     

    If your organization maintains a public Web site, the Notice must be posted on the Web site.

     

    Changes to the Notice:

    • Content (material changes) to the Notice cannot be implemented prior to the effective date of the revised Notice.
    • Your facility’s Notice should include a statement that it reserves the right to make changes to the Notice and how an updated Notice can be obtained. This will allow the facility to make changes to the Notice without having to redistribute the Notice to current residents. If your Notice does not contain this type of statement, it must provide an updated Notice to current residents.

     

    A copy of each version of your facility’s Notice must be retained for six years from the date it was last in effect.

13. Designation of a Privacy Officer

    .

    HIPAA requires the designation of a privacy official who is responsible for the development and implementation of the policies and procedures of the facility related to the privacy rule. The facility must also designate a contact person or office who is responsible for receiving complaints related to the facility's privacy practices.  The privacy official and contact person does not have to be the same individual.  The rule does not require specific training or expertise. 

AHIMA's published model position description for the Privacy Officer.

10. CODING AND REIMBURSEMENT

HIM STANDARD: The healthcare organization’s diagnosis and procedure coding guidelines for all resident types are based on current ICD-9-CM, CPT and HCPCS classification systems to ensure the accuracy and retrievability of pertinent information. The director of the health information management department supervises or monitors any diagnosis coding done outside the department to ensure the complete and accurate description of resident services. The director of the health information management department (or a designee) provides training and/or consultation to non- health information management staff who assign or analyze diagnoses codes.

Regulatory Requirements:

Under the federal Health Insurance Portability and Accountability Act (HIPAA) Transaction and Code Sets Standard (TCS), Subpart J, medical data code sets were adopted as the following code sets standards: 

 

1. International Classification of Diseases, 9th Edition, Clinical Modification, (ICD-9-CM), Volumes 1 and 2 (including the Official ICD-9-CM Guidelines for Coding and Reporting) for diseases, injuries, impairments, other health problems and their manifestations, and causes of injury, disease, impairment, or other health problems.