Health Care Information Systems

Module 12: Computerized Medical Record & Legal Considerations of Information

The following objectives should be met by the end of this module:

1. Provide a definition of a computerized medical record
2. Describe the functions and and resource requirements for clinical data systems
3. List and describe the six types of clinical data systems
4. Review data categories of data elements required by a clinical data system
5. Define the Institute of Medicine's (1991) key elements to a computerized medical record
6. Understand implementation and staff acceptance of the computerized medical record
7. Define data repositories and list advantages
8. Review and discuss
   • Confidentiality and security concerns of the CMR
   • Release of information and access to the CMR
   • Health record storage and retention
   • Risk management in the event of a disaste

These notes are intended only to supplement your readings. The best way to ensure each module is absorbed is to complete all the readings prior to reviewing these lecture notes. I will try to highlight what I believe to be the most important topics from your module readings. If you have any questions or concerns or there is something you do not understand, please ask me. You can either post on the webboard the question you have (that way others can benefit from the response), or you can e-mail me if you want a more private response. Either way it is extremely important that you have a complete and thorough understanding of the material for the module.

The clinical data system is the source of all the information and is the infrastructure for the portion we know as the computerized medical record. Data that is needed by this system is either historical information (provided by the patient), information obtained by the physical exam, and/or the results of tests or procedures performed on the patient. Clinical data systems can be categorized as follows:

• Computerized medical record (CMR)
• Summaries of clinical and administrative data
• Disease registries
• Department specific data
• Medical literature and Decision support systems
• Patient carried records

The CMR is the most important function of the clinical data systems in a health service environment. Ideally, each record should contain all the medical information on an individual patient on a continuous basis beginning with birth to the most recent encounter. This information should be available wherever and whenever the patient is seeking care.

As discussed in a previous module, the Computer-based Patient Record Institute (CPRI) is a non-profit organization committed to the development and implementation of computer-based patient records. The belief is that the CMR (or computerized patient record) has the ability to improve health care access, quality, cost and satisfaction. The following description of the scope, characteristics, and general functionality of the CMR is based upon CPRI's findings.

The computerized medical record must be recognized as the record that replaces the paper health record as the primary record of care to be effective. This record must meet all clinical, legal, and administrative requirements. It can be used for much more than just a health recor. It is also a collection of medical data useful for health care planning, research, and analysis by authorized users. Data can be collected in the CMR as either text, numbers, sounds, images, or full-motion video, thus allowing a fully integrated view of the individual health of the patient. All of the health data should be assembled in a chronological order in the CMR. The potential benefits of a complete and integrated CMR are multiple for the HSO and the community it serves.

The CMR should include all elements to facilitate the capture, storage, processing, communication, security and presentation of patient record information. The information should support both direct health care and the health care delivery system. The CMR can support direct patient care by supplying information based on individual needs, supporting caregiver data entry, offering reminders and alerts, and providing electronic access to health care literature and scientific information. Fully integrated CMRs support the health care system by facilitating communication and education, streamlining and automating the administration of healthcare, making data available for analysis and research, supporting policy and public health responsibilities, and demonstrating appropriate and necessary care based on health outcomes, and finally managing and containing the costs of health care.

A CMR selected for the health care system should be selected based on that system's needs. Above and beyond the needs of the system, the Institute of Medicine in 1991 provided 12 key features of the CMR. These features are:

1. Defining the problem list
2. Measuring the health status
3. Documenting clinical reasoning
4. Allowing linkage of data
5. Confidentiality
6. Maintain continuous data access
7. Supporting simultaneous multi-user views
8. Links to other clinical resources
9. Enhancing clinical problem solving
10. Facilitating direct data entry by staff
11. Decision support capability
12. Flexibility and expandability

In 1997 the National Research Council (NRC) released "For the Record: Protecting Electronic Health Information". The report stressed "that industry standards, regulatory action, and pressure from consumers all are needed to bolster the privacy and security of patient records. This report gave recommendations in five areas of health information security determined by a select committee. The areas include (1) improving privacy and security practices, (2) creating an industrywide security infrastructure, (3) addressing systemic concerns related to privacy and security, (4) developing patient identifies, and (5) meeting future technologic needs. These five areas were further separated into recommendations that organizations should now adopt, those that can be implemented, and those needed for future implementation.

In installation of a computerized medical record both confidentiality and integrity should be maintained. Confidentiality refers to the control over who has access to the information. Integrity "means that information and programs are changed only in a specified and authorized manner, that the computer resources operate correctly, and that the data in them are not subject to unauthorized changes". This includes destruction of medical records due to disasters, computer viruses, and other acts of sabotage. The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) regulates clinical information in HSOs to safeguard against loss, destruction, and unauthorized access or use and preserve confidentiality.

The legal obligation to protect this health care information is based upon:

• state statutes and common law
• health care provider's duty to maintain patient confidentiality
• confidentiality of alcohol and drug abuse patient records
• Medicare regulations
• accreditation standards
• ethical standards promoted by trade and professional associations

Security measures for the system itself include technical measures, system management and administrative procedures. When combined these three security measures can safeguard the system itself and the data it contains. Technical safeguards include personal identification and user verification, access control software and audit trails, computer architecture, communications linkage safeguards, and encryption. Outside users of the system also pose a threat to security and may be more difficult to control than providing security to internal users. Dial-up networking, third party payors, sharing of disks and programs, and downloaded viruses are all methods that sabotage can occur from external sources. Durability of medical information is essential also and is based upon two conditions. Durable information must be on a medium on which the information can be stored for for at least the minimum time a provider is required to retain medical records. The provider must also be able to access old records created or maintained on older, and perhaps obsolete technology.

Automated patient medical records serve as a diary of a practitioner's actions. They can and are used frequently as evidence in court. Because of the widespread use of medical records as evidence, courts have developed standards for judging the "trustworthiness of computerized records". Health care records are regarded as "hearsay" because they are written statements made outside of the courtroom. Business records are an exception to the hearsay rule because they must be kept regularly in the ordinary course of business. A computerized medical record can be used in court and not referred to as "hearsay" based on the business record assumption. If they are to be accepted by the courts they must have the date and time of entry and the identify of the person making the entry. If errors are made, the system must keep both the updated entry and the original entry. Non-erasable compact disks or read-only memory can be used in this type of system. The best-evidence rule is also relevant to the entry of medical records in a court of law. This rule expresses a judicial preference for the original of a writing if the contents of a writing are in dispute.

With the widespread use of communication systems, risks for the confidentiality of medical records is high. Devices such as fax machines, cellular phones, pagers, e-mail and voice mail all pose threats to security. Different controls have been developed for each type of device and are reviewed on pages 188-189 of your readings.

There are also requirements based on state licensure laws, accreditation standards and federal guidelines that state what records must be kept, for how long, and who has access to them. Destruction of the record, when it is done, should also follow a standard policy to maintain proper management of the record system. Finally, in the event of a disaster, risk management techniques should be emphasized to reduce the loss of that data.