Survival Tips for the migration to Electronic Medical Records
At the time of this writing (October 2009) it is unclear what new healthcare legislation will pass and when. The debate has prompted a great deal of discussion about the American healthcare industry moving to electronic medical records. One thing is certain; more change is inevitable and the genie is out of the bottle. Electronic recordkeeping will be adopted over time and I am here with some survival tips.
A word of caution…the field of records and information management is loaded with exceptions. As I lack the space to cover them all, read the following with the understanding it is accurate in more than 90% of situations and will provide you with a good base of understanding. The website www.RIMeducation.com contains white papers, articles and video of conference sessions which elaborate on the nuances and a more thorough analysis.
I attended an AHIMA Legal Summit over the summer and was surprised at the focus on the definition of a “legal health record”. There was a presumption that providers could collectively define a subset of electronic data that would be readily provided to the courts when requested and that this would completely satisfy legal discovery requirements. I was not surprised however, that there was no shortage of attorneys and judges present to set the record straight.
When it comes to records and courts, the bottom line is that if you have it, it is discoverable and under the right conditions you will have to produce it in court. The “it” can be a paper form completed by a nurse, admission data entered into a computer application, or a scribbled drawing of a bone injury that two physicians drew on the back of a napkin over lunch.
So, just what is a record? Years ago, there were very rigid, academic definitions of a record that focused on intrinsic historic value and evidence of business transactions. Given the explosion of electronically stored information (ESI) and the tsunami of eDiscovery across corporate America, a more practical definition is that anything that you choose to keep is a record—and we subdivide these records into official records and ancillary records. Official records are those that we consciously choose to keep for business, legal and/or regulatory purposes (such as hospital admissions) while ancillary records are those that we create or capture as a normal part of our everyday jobs but don’t intend to preserve for any extended period of time (such as an email exchange with a prospective vendor regarding the functionality of an application).
Another way that records and information management (RIM) professionals slice electronic records is as structured and unstructured data. Structured data is stored in some predetermined format. ESI stored in databases by applications, such as hospital financial systems, is typically structured. We know a lot about structured data because someone in our organization or a vendor designed it. Years ago, almost all ESI was structured data entered through “green screen” dumb terminals. The advent of more user friendly technology over the past 25 years has led to an explosion of unstructured data which is controlled by the creator of the data. Word documents, spreadsheets, presentations, and project plans all represent forms of unstructured data. Enterprise Content Management (ECM) products have blossomed in recent years to address the need to manage the proliferation of unstructured data.
Now that we know what a record is, how do we manage it? The lifecycle of a record includes its creation/capture, identification/classification, storage/retrieval/usage, retention, hold, and ultimately disposal.
Hospitals create a patient record during the admission process and may capture a record by scanning a doctor’s orders. Identifying these records tells them what to do next in the business process, such as scheduling a lab appointment. Classifying them according to a record category tells them how long they should keep the record and may dictate some requirements around their storage, retrieval and usage. Two critical requirements involve authenticity and privacy. Authenticity seeks to ensure that a record is what it purports to be and has not been altered in some way to distort the truth. Privacy ensures that only the appropriate people can access and edit the record. Paper records can be stored in a physically secured area with access monitored by staff that ensures that only the appropriate people view them. They can log the retrieval and storage on a form to track the chain of custody. Alterations to paper records such as erasures and whiteout are generally identifiable. By contrast, ESI authenticity relies on an audit trail that identifies who accessed the record and what they changed. Likewise, system security ensures that only the authorized personnel have access to the record and control distribution such as emailing, cutting/pasting and printing. Check with your application vendors or internal staff to ensure that these audit trails exist and haven’t been eliminated to save space or improve system performance. They should be retained as long as the record. Some of your records are sure to be unstructured so check with your IT staff to validate the security and audit capability of your LAN drives, hard drives, email, wikis, blogs and anywhere else that these records may be stored. Be sure to consider appropriate internal access based on division of responsibilities and not just the prevention of unauthorized access from external parties.
The record classification process tells hospitals how long they must retain the records based on federal, state and local requirements or business need. Ensure that all of your official and ancillary records in structured and unstructured format have a retention period, but be practical and simplify. Knowing that you can keep a record longer than is required (exceptions in Europe), round up retention periods a little if necessary to reduce the number of different retention periods. Electronic records exist as separate data elements in multiple databases or separate documents on a server or in an enterprise content management system. They could be deleted separately if some have shorter retention periods than others, but will your HIT applications still function if some of the data is missing? If the retention is based on an event, such as date of last discharge, will your application reset the trigger? Will you still be able to read these records years from now as you implement new software releases, operating systems and other technology? Depending on the retention period, you may need to migrate these records to ensure their accessibility. Finally, you should recognize that routine backup tapes do not suffice as retention as they are typically on a rotation schedule (re-writing over old tapes) and the tapes themselves have a shelf life of only a few years.
The final steps in the records lifecycle are holds and disposition. Record hold orders (also known as legal hold orders or just hold orders) are issued in order to preserve specific records beyond their normal retention period in order to use them in legal matters, regulatory audits, internal investigations or some other exceptional need. For the purposes of this article, disposition means destruction or deletion and it includes all copies of a record. You do not have a complete records management program unless you dispose of records regularly. Likewise, you cannot dispose of records in good conscience without a solid record hold process.
Paper records subject to a hold are usually collected by the interested party (e.g., the Legal, Compliance or Ethics department of an organization). The same can be true with electronic records, especially with small volumes of unstructured data. One challenge is that at the time a hold is issued, it is often too vague to gather all the possible related records. Over time the specifics of the matter become clearer and the eligibility criteria refined but this may take several months or even years.
Structured data can be more complicated in that database may be too large to efficiently copy and hold separately. Additionally, if the hold order lasts for years, the copied database would have to be maintained with the live application (or the old application code preserved) such that the data can still be read years later. Another option is to preserve the data in place. This requires that your application be able to recognize records flagged for hold and suspend disposition of those while still deleting the rest of the eligible records. Check with your vendor and IT staff to ensure that your applications have hold processing and disposition functionality.
The individuals who possess the data and are responsible for ensuring its preservation are known as custodians. Check with your HR department to ensure that separation procedures for employees leaving your organization include informing the manager of records in their custody that are subject to hold. This is important for transfers as well if the employee will no longer have security access to the records in the new role. Disposing of records subject to a hold order is spoliation and your Legal and Compliance departments can tell you more about the dire consequences in a court of law.
Once a record has met its retention period and is not subject to a hold order it should be destroyed along with all copies of it. Regretfully, some organizations feel that the safest course of action is to preserve records forever, especially as the cost of storage drops. Nothing could be further from the truth. The legal and regulatory risk of over-retaining potentially incriminating data, combined with the eDiscovery expense of reviewing it, and the cost of maintaining it in an accessible form as technology changes over time all outweigh the cost of a disposition process. Do not let your IT staff and application vendors convince you otherwise.
Now that you understand the fundamentals of records and information management, you are probably concerned about your ability to satisfy the requirements. Remember that while all records are important and can save your bacon or cook your goose in a court of law, they are not all created equally. Your records and information management program should strive to apply appropriate performance standards in alignment with business priorities. Your goal should be a program that provides evidence of a “good faith effort”, increases business value while reducing risk, and is reasonable, sustainable and improves over time. You will need to prioritize your records based on risk (a factor of impact and probability) and blend it with your business drivers (new regulatory requirements), business strategy (growth through mergers and acquisitions), culture (centrally organized or operating as separate, independent facilities), and ease of implementation (where can we get some quick wins?).
Healthcare’s move to electronic records will not be fast, simple or painless. However, other industries have led the way over decades and healthcare professionals can leverage their knowledge and technology. While the regulations and terminology may differ, the fundamental principles and methodologies do not. Additionally, the federal government is providing some financial incentives. Though this may not be substantial for any single institution, it takes some of the sting away. Finally, no other industry in the world has the talented, educated, organized resources that healthcare has in its HIM and HIT professionals. As a result, I believe that we are well suited to navigate this challenging road ahead.
Bill is a management consultant with Cohasset Associates, Inc. He designed and implemented the global records management function at one of the financial service industry’s largest firms and has the unique experience of leading both records management and litigation support groups. Bill is a member of AHIMA, AIIM, ARMA and as member of the 2009-2010 EDRM Team is leading a sub-group to establish an information management reference model for healthcare. He manages www.RIMeducation.com to promote Records and Information Management education.
