Applied Sciences

Maintaining a Legally Sound Health Record: Paper and Electronic The health record is the legal business record for a healthcare organization. As such, it must be maintained in a manner that follows applicable regulations, accreditation standards, professional practice standards, and legal standards. The standards may vary based on practice setting, state statutes, and applicable case law. An attorney should review policies related to legal documentation issues to ensure adherence to the most current standards and case law.

HIM professionals should fully understand the principles of maintaining a legally sound health record and the potential ramifications when the record’s legal integrity is questioned. This practice brief will review the legal documentation guidelines for entries in and maintenance of the health record—both paper and electronic. Many of the guidelines that originally applied to paper-based health records translate to documentation in electronic health records (EHRs). In addition, new guidelines and functionalities have emerged specific to maintaining legally sound EHRs. It is of the utmost importance to maintain EHRs in a manner that will support a facility’s business and legal processes, otherwise duplicate paper processes will need to be maintained.

AHIMA convened an e-HIM® work group to re-evaluate and update the 2002 practice brief “Maintaining a Legally Sound Health Record” to address the transition many organizations face in the migration from paper to hybrid to fully electronic health records. Issues unique to EHRs are addressed specifically if they are different or require expansion. Many organizations use a hybrid record (which includes both paper and electronic documentation), scanning paper documents into an electronic document management system. Even though a scanned document ends up in an electronic state, the documentation principles for paper-based records still apply. If there are unique issues for scanned records, they are specified in this brief.

Authentication for Legal Admissibility

Generally, statements made outside the court by a party in a lawsuit are considered hearsay and not admissible as evidence. Documentation in the health record is technically hearsay; however, Federal Rules of Evidence (803(6)) and the Uniform Business and Public Records Act adopted by most states allow exception to the hearsay rule for records maintained in the regular course of business, including health records. All records must be identified and authenticated prior to admissibility in court.

Four basic principles must be met for the health record to be authenticated or deemed admissible as evidence. The record must have been:

Š Documented in the normal course of business (following normal routines) Š Kept in the regular course of business Š Made at or near the time of the matter recorded Š Made by a person within the business with knowledge of the acts, events, conditions, opinions, or diagnoses

appearing in it

Copyright © 2005 by The American Health Information Management Association. All Rights Reserved.

EHRs are admissible if the system that produced them is shown to be accurate and trustworthy. The Comprehensive Guide to Electronic Health Records outlines the following facts to support accuracy and trustworthiness:

Š Type of computer used and its acceptance as standard and efficient equipment Š The record’s method of operation Š The method and circumstances of preparation of the record, including:

» The sources of information on which it is based » The procedures for entering information into and retrieving information from the computer » The controls and checks used as well as the tests made to ensure the accuracy and reliability of the

record

» The information has not been altered1

As EHRs become more commonplace, the federal courts are beginning to differentiate the standards to be applied to authenticate EHRs, based on the type of information stored. For example, when a computer record contains the assertions of a person, such as a progress note or dictated report, the record must fit within the hearsay exception to be admissible. These records are referred to as computer-stored.

In contrast, computer-generated records contain the output of computer programs, untouched by human hands. Examples may include decision-support alerts and machine-generated test results. The admissibility issue here is not whether the information in the record is hearsay, but whether the computer program that generated the record was reliable and functioning properly (a question of authenticity). In most cases, the reliability of a computer program can be established by showing that users of the program actually do rely on it on a regular basis, such as in the ordinary course of business.

Testifying about Admissibility

Typically, the health record custodian is called upon to authenticate records by providing testimony about the process or system that produced the records. An organization’s record-keeping program should consist of policies, procedures, and methods that support the creation and maintenance of reliable, accurate records. If so, the records will be admissible into evidence.

Electronic and imaged health records. Case law and the Federal Rules of Evidence provide support to allow the output of an EHR system to be admissible in court. The rule states “if data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original.’”2 As a result, an accurate printout of computer data satisfies the best evidence rule, which ordinarily requires the production of an original to prove the content of a writing, recording, or photograph. Organizations that maintain EHRs should clearly define those systems that contain the legal EHR or portions of the EHR. Each of these systems should be configured and maintained, ensuring that entries originated in a manner consistent with HIM principles and their business rules, content, and output meet all standards of admissibility.

An important component of this effort is to establish methods to authenticate the electronic data stored in the EHR, namely to verify that data has not been altered or improperly modified consistent with Federal Rules of Evidence. HIPAA security implementation standards require organizations to authenticate protected electronic health information as a means of ensuring data integrity, including data at rest and transmitted data. Cryptographic applications commonly used to authenticate include message authentication codes and digital signatures.

Authorship

Copyright © 2005 by The American Health Information Management Association. All Rights Reserved.

Authorship is the origination of recorded information. This is an action attributed to a specific individual or entity, acting at a particular time. Authors are responsible for the completeness and accuracy of their entries in the health record.

AHIMA recommends that anyone documenting in the health record (regardless of media) have the authority and right to document as defined by the organization’s policies and procedures. Individuals must be trained and competent in the fundamental documentation practices of the organization and legal documentation standards. Organizations should define the level of record documentation expected of their practitioners based on the practitioners’ licensure, certification, and professional experience.

Authentication of Entries

Authentication shows authorship and assigns responsibility for an act, event, condition, opinion, or diagnosis. Health Level Seven (HL7) has defined a legally authenticated document or entry as “a status in which a document or entry

has been signed manually or electronically by the individual who is legally responsible for that document or entry.”3 Each organization should establish a definition of a legally authenticated entry and establish rules to promptly authenticate every entry in the health record by the author responsible for ordering, providing, or evaluating the service furnished.

Many states have regulations or rules of evidence that speak to specific characteristics required for authenticating entries. Before adopting any authentication method other than written signature, the organization should consult state statutes and regulations regarding authentication of entries. The medical staff bylaws (where applicable) or organizational policies should also approve computer authentication and authentication of scanned entries and specify the rules for use. Organizations automating health records in a state that does not expressly permit the use of computer keys to authenticate should seek permission from the applicable state agency.

Types of Signatures

For paper-based records, acceptable methods to identify the author generally include written signature, rubber stamp signature, or initials combined with a signature legend on the same document. Acceptable methods of identifying the author in EHRs generally include electronic or digital signatures or computer key. Acceptable methods for authenticating a scanned document may follow paper or electronic guidelines.

Signatures are the usual method to authenticate entries in a paper-based record. The Centers for Medicare and Medicaid Services (CMS) Interpretive Guidelines for Hospitals 482.24(c)(1) require name and discipline at a minimum. A healthcare organization can choose a more stringent standard requiring the author’s full name with title or credential to assist in proper identification of the writer. Healthcare organization policies should define the acceptable format for signatures in the health record.

A countersignature requires a professional to review and, if appropriate, approve action taken by another practitioner. Countersignatures should be used as required by state licensing or certification statutes related to professional scope of practice. The entries of individuals who are required to practice under the direct supervision of another professional should be countersigned by the individual who has authority to evaluate the entry. Once countersigned, the entry is legally adopted by the supervising professional as his or her own entry. For example, licensed nurses who do not have the authority to supervise should not countersign an entry for a graduate nurse who is not yet licensed. Practitioners who are asked to countersign should do so carefully. The CMS Interpretive Guidelines for Hospitals (482.24(c)(1)(I)) require that medical staff rules and regulations identify the types of documents or entries nonphysicians may complete that require a countersignature by a supervisor or attending medical staff member.

Copyright © 2005 by The American Health Information Management Association. All Rights Reserved.

Rubber stamp signatures are acceptable if allowed by state, federal, and reimbursement regulations. From a reimbursement perspective, some fiscal intermediaries have local policies prohibiting the use of rubber stamp signatures in the health record even though federal regulation allows their use. Healthcare organization policies should state if rubber stamp signatures are acceptable and define the circumstances for their use after review of state regulations and payer policies.

When rubber stamp signatures are used, a list of signatures should be maintained to cross reference each signature to an individual author. The individual whose signature the stamp represents should sign a statement that he or she is the only one who has the stamp and uses it. There can be no delegation to another individual for use of the stamp. Sanctions should be established for unauthorized or inappropriate use of signature stamps.

Initials can be used to authenticate entries such as flow sheets, medication records, or treatment records. They should not be used for such entries as narrative notes or assessments. Initials should never be used for entries where a signature is required by law. Authentication of entries by only initials should be avoided because of the difficulty in positively identifying the author of an entry based on initials alone and distinguishing that individual from others having the same initials.

If a healthcare organization chooses to use initials in any part of the record for authentication of an entry, there should be corresponding full identification of the initials on the same form or on a signature legend. A signature legend may be used to identify the author and full signature when initials are used to authenticate entries. Each author who initials an entry must have a corresponding full signature on record. For EHRs, apply recommendations for computer key signatures.

Fax signatures. The acceptance of fax documents and signatures is dependent on state, federal, and reimbursement regulations. Unless specifically prohibited by state regulations or healthcare organization policy, fax signatures are acceptable. The Federal Rules of Evidence and the Uniform Rules of Evidence allow for reproduced records used during the course of business to be admissible as evidence unless there is a genuine question about their authenticity or circumstances dictate that the originals be admissible rather than the reproductions. Some states have adopted the Uniform Photographic Copies of Business and Public Records Act, which allows for the admissibility of a reproduced business record without the original. The Uniform Business Records as Evidence Act also addresses the admissibility of reproductions. When a fax document or signature is included in the health record, the document with the original signature should be retrievable from the original source.

Electronic signatures are acceptable if allowed by state, federal, and reimbursement regulations. In 2000 the US government passed the Electronic Signatures in Global National Commerce Act, which gives electronic signatures the same legality as handwritten signatures for interstate commerce. State regulations and payer policies must be reviewed to ensure acceptability of electronic signatures when developing healthcare organization policies. ASTM and HL7 have standards for electronic signatures. Electronic signature software binds a signature or other mark to a specific electronic document. It requires user authentication such as a unique code, biometric, or password that verifies the identity of the signer in the system.

If electronic signatures are used in the EHR, the software program or technology should provide message integrity— assurance that the message sent or entry made by a user is the same as the one received or maintained by the system. If electronic signatures are used in the EHR, the software program or technology should also provide for nonrepudiation—assurance that the entry or message came from a particular user. It will be difficult for a party to deny the content of an entry or having created it.

A digital signature provides a digital guarantee that information has not been modified, as if it were protected by a

Copyright © 2005 by The American Health Information Management Association. All Rights Reserved.

tamper-proof seal that is broken if the content were altered.4

A computer key or other code is an acceptable method to authenticate entries in an EHR if allowed by state, federal, and reimbursement regulations. When computer codes are used, a list of codes should be maintained that links each code to an individual author. Authorized users should sign a statement ensuring that they alone will use the computer key. Sanctions should be established for unauthorized or inappropriate use of computer key.

Digital ink or digitized signatures differ from electronic signatures in that they use handwritten signatures on a pen pad. The actual written signature is converted into an electronic image. Digitized signatures are acceptable if allowed by state, federal, and reimbursement regulations. State regulations and payer policies must be reviewed to ensure acceptability of digitized signature when developing healthcare organization policies.

Specific Authentication Issues

There are a number of unique authentication scenarios and issues that organizations must address.

Auto-authentication. The author of each entry should take specific action to verify that the entry is his or her entry or that he or she is responsible for the entry and that the entry is accurate. Computer technology has provided opportunities to improve the speed and accuracy of the authentication process. However, authentication standards still require that the author attest to the accuracy of the entry. As a result, any auto-authentication technique that does not require the author review the entry is likely to fall short of federal and state authentication requirements and place the organization at legal risk.

Failure to disapprove an entry within a specific time period is not an acceptable method of authentication. A method should be in place to ensure that authors authenticate dictated documents after they are transcribed. Auto- authentication methods where the dictator is deemed to have authenticated a transcribed document if no corrections are requested within a specified period of time are not recommended.

Authenticating documents with multiple sections or completed by multiple individuals. Some documentation tools, particularly assessments, are set up to be completed by multiple staff members at different times. As with any entry, there must be a mechanism to determine who completed information on the document. At a minimum, there should be a signature area at the end of the document for staff to sign and date. Staff who have completed sections of the assessment should either indicate the sections they completed at the signature line or initial the sections they completed.

Some EHR documentation tools, particularly assessments, are also intended to be completed by multiple staff members at different times. Here too there must be a mechanism to determine who completed information in the document.

Documenting care provided by a colleague. Individuals providing care are responsible for documenting that care. Documentation must reflect who performed the action. Patient care carried out by another provider, as well as clinical information supplied by another person to the writer of the entry, should be clearly attributed to the source.

Some EHR systems provide the capability to indicate differences between the person who enters information and the author of a document. In either case, documentation must reflect who performed the action. If documentation of care is entered for another provider, at a minimum the document should contain the identification of the person who entered the information along with the date the entry was made and authentication by the actual provider of care with the corresponding date of authentication.

Copyright © 2005 by The American Health Information Management Association. All Rights Reserved.

Documentation Principles

Regardless of the format, text entries, canned phrases, or templates should follow fundamental principles for the quality of the entry. Content should be specific, objective, and complete.

Use specific language and avoid vague or generalized language. Do not speculate. The record should always reflect factual information (what is known versus what is thought or presumed), and it should be written using factual statements. Examples of generalizations and vague words include patient doing well, appears to be, confused, anxious, status quo, stable, as usual. If an author must speculate (i.e., diagnosis is undetermined), the documentation should clearly identify speculation versus factual information.

Chart objective facts and avoid using personal opinions. By documenting what can be seen, heard, touched, and smelled, entries will be specific and objective. Describe signs and symptoms, use quotation marks when quoting the patient, and document the patient’s response to care.

Document the complete facts and pertinent information related to an event, course of treatment, patient condition, response to care, and deviation from standard treatment (including the reason for it). Make sure the entry is complete and contains all significant information. If the original entry is incomplete, follow guidelines for making a late entry, addendum, or clarification.

Other Documentation Issues

Organizational policies must address the use of approved abbreviations in the health record. A second emerging documentation issue is the cut and paste functionality in EHRs. Organizations must consider whether they will allow cutting and pasting and how they will handle cut-and-paste content from one entry to another.

Use of abbreviations. Every healthcare organization should have a goal to limit or eliminate the use of abbreviations in medical record documentation as part of its patient safety efforts. Healthcare organizations should set a standard for acceptable abbreviations to be used in the health record and develop an organization-specific abbreviation list. Only those abbreviations approved by the organization should be used in the health record. When there is more than one meaning for an approved abbreviation, chose one meaning or identify the context in which the abbreviation is to be used. Every organization should have a list of abbreviations, acronyms, and symbols that should not be used.

EHRs. Abbreviations should be eliminated as information is formatted for the EHR. Electronic order sets, document templates for point-and-click or direct charting, voice recognition, or transcribed documents can be formatted or programmed to eliminate abbreviations.

Cut, copy, and paste functionality is not generally regarded as legitimately available in the paper record. Analogous functions in paper records include photocopying a note, cropping it, and pasting or gluing it into the record. The primary issue with the cut, copy, and paste functionality in the EHR is one of authorship—who is the author and what is the date of origination for a copied entry?

Cutting and pasting saves time; however, it also poses several risks:

Š Cutting and pasting the note to the wrong encounter or the wrong patient record Š Lack of identification of the original author and date Š The acceptability of cutting and pasting the original author’s note without his or her knowledge or permission

Organizations should develop policy and procedures related to cutting, copying, and pasting documentation in their

Copyright © 2005 by The American Health Information Management Association. All Rights Reserved.

EHR systems. By following these guidelines and training clinical staff, providers can allow cutting and pasting within certain boundaries.

Š In general, the original source author and date must be evidenced in copied information. If users are allowed to copy forward from a previous entry by another person, an attribution statement referring to the original document, date, and author should be attached or incorporated where applicable.

Š Cutting, copying, and pasting must not be perceived as “OK unless proven otherwise” but instead should be considered “not OK until proven otherwise.”

Š Each potential function must be evaluated for policy or procedure acceptance or rejection by a practice. Š In some settings, copy and paste may be acceptable for legal record purposes but not for others (clinical trials

data, quality assurance data, pay-for-performance data). Š In the hybrid environment, audit tracking of copy and paste may not be available because it involves different

systems. Š In some contexts, it is never legitimate, including settings where the actual function takes personal health

information outside the security environment. Š Some systems have an intermediate step allowing information to be brought forward but require another

validation step. Š As a mitigation step, boilerplate text or libraries may be devised to describe common or routine information as

agreed upon by the organizational standards.

Linking Each Patient to a Record

Every page in the health record or computerized record screen must identify patients by name and health record number. Patient name and number must be on both sides of every page as well as on every form and computerized printout. Paper and computer-generated forms with multiple pages must have the patient name and number on all pages.

EHRs. Each data field in the health record must be linked to the patient’s name and health record number. Patient name and number must be on every page of printed, viewed, or otherwise transmitted information. The system in use must have a means of authenticating information reported from other systems.

Referencing another patient in the paper record. If it is necessary to refer to another patient to describe an event, the patient’s name should not be used—the record number should be referenced in its place.

Timeliness and Chronology of Entries

Timeliness of an entry is critical to the admissibility of a health record in court as required by the Uniform Rules of Evidence. Entries should be made as soon as possible after an event or observation is made. An entry shall never be made in advance. If it is necessary to summarize events that occurred over a period of time (such as a shift), the notation shall indicate the actual time the entry was made with the narrative documentation identifying the time events occurred, if time is pertinent to the situation.

Timeliness of an entry presumes that the medium to which the entry is made is accessible. The principle of availability has been recognized as also consistent with timeliness, with the understanding that an entry would be made as soon as the record or system is available.

EHRs. Facilities must define what constitutes the legal health record in their organizational policies. Procedures must be in place to define timeliness for each component of the EHR system where there are no real-time automated links between subsystems.

Copyright © 2005 by The American Health Information Management Association. All Rights Reserved.

Order now and get 10% discount on all orders above $50 now!!The professional are ready and willing handle your assignment.

ORDER NOW »»