Update: Guidelines for Defining the Legal Health Record for Disclosure
Purposes
Historically, the definition of the legal health record was fairly
straightforward: the contents of the paper chart (together with radiology
films or the results of other imaging studies) formed the healthcare
provider’s
legal business record. Patients had limited interest in or access to
the information contained in their records.
However, with the advent
of various electronic media, the Internet, and the consumer’s enhanced
role in compiling their health information, the definition of the legal
health record has become more complex. The need to ensure information
is accessible for its ultimate purposes, regardless of the technologies
employed or users involved, remains. Therefore, the definition of the
legal health record must be reassessed in light of new technologies,
users, and uses.
Each organization must define the content of the legal
health record to best fit its system capabilities and legal environment.
Considerations for the content of the legal health record should include
ease of access to different components of patient care information, guidance
from the medical staff and the organization’s legal counsel, community
standards of care, federal regulations, state law and regulations, standards
of accrediting agencies, and the requirements of third-party payers.
A
patient’s health record plays many roles in addition to those involved
in caring for a patient where documentation of the patient’s health
history, health status (sickness and wellness), observations, measurements,
and prognosis are recorded. This documentation allows the record to serve
as the legal record substantiating healthcare services provided to the
patient. It also serves as a method of communication among healthcare
providers caring for a patient and provides supporting documentation
for reimbursement of services provided to a patient.
The legal health
record is a subset of the entire patient database, which serves as the
legal business record for the organization. The roles of the legal health
record are to:
- Support the decisions made in a patient’s care
- Support the revenue
sought from third-party payers
- Document the services provided as legal
testimony regarding the patient’s illness or injury, response
to treatment, and caregiver decisions
Recognizing the challenges associated with the impact of technology
on the legal health record, AHIMA formed a work group of members from
provider settings, law practices, information technology vendors, and
information systems consultants to develop guidelines to assist organizations
in defining their health records for legal applications.
This practice
brief discusses the issues involved in ensuring that a health record
serves the legal needs of the provider or facility whether in a paper-based,
hybrid (a combination of paper and electronic), or fully electronic state.
The rules that permit the patient’s health
record to constitute the legal business record must be taken into account,
and the organization must be able to fulfill its obligations with the
legal health record regardless of the physical state of the health record.
It is imperative that healthcare organizations define their legal health
records. There is no one-size-fits-all definition of the legal health
record. Laws and regulations governing the content vary by practice setting
and state. However, there are common principles to be followed in creating
a definition.
Definition of the Legal Health Record
The legal health record is generated
at or for a healthcare organization as its business record and is the
record that will be disclosed upon request. It does not affect the discoverability
of other information held by the organization. The custodian of the legal
health record is the health information manager in collaboration with
information technology personnel. HIM professionals oversee the operational
functions related to collecting, protecting, and archiving the legal
health record, while information technology staff manage the technical
infrastructure of the electronic health record.
The legal health record
is the documentation of healthcare services provided to an individual
during any aspect of healthcare delivery in any type of healthcare organization.
It is consumer- or patient-centric. The legal health record contains
individually identifiable data, stored on any medium, and collected and
directly used in documenting healthcare or health status.
Legal health
records must meet accepted standards as defined by applicable Centers
for Medicare and Medicaid Services Conditions of Participation, federal
regulations, state laws, and standards of accrediting agencies such as
the Joint Commission on Accreditation of Healthcare Organizations, as
well as the policies of the healthcare provider.1
Legal health records
are records of care in any health-related setting used by healthcare
professionals while providing patient care service or for administrative,
business, or payment purposes. Some types of documentation that comprise
the legal health record may physically exist in separate and multiple
paper-based or electronic or computer-based databases.
The Legal Paper-based
Health Record
The 2001 practice brief “Definition of the Health
Record for Legal Purposes” defines the legal paper-based health
record as “the
legal business record generated at or for a healthcare organization.
This record would be released upon request.”2
The Legal Hybrid Health
Record
When the legal health record consists of information created as
paper documents and information created in electronic media, it is considered
to be in a hybrid environment. Organizational policies should document
the information that is considered the legal health record and identify
the source (paper or electronic) of that information. A matrix can be
used for this purpose.3 Policies should also indicate when the record
is considered complete. The hybrid record transition plan and policy
should define the “legal source of truth,” reflecting whether
the legal record is paper, hybrid, or fully electronic. This policy provides
for a specific schedule that provides both retrospective and prospective
dates wherein the user can identify the source legal record.
The paper
portion of the legal health record is collected and archived in paper
or plastic folders. Electronic portions of the record are collected and
archived in source systems or in electronic folders in the EHR system.
There must be a clear indication of the locations where portions of a
patient record are located.
Electronic versus Legal Health Records
An electronic health record (EHR)
system is generally thought of as the portal through which clinicians
access a patient’s health record,
order treatments or therapy, and document care delivered to patients.
Many healthcare providers have eliminated the paper record and use EHR
systems as their organizations’ legal records (although a paper
record may be “published” for release of information purposes).
Many other organizations are planning a similar transition. EHR systems
allow providers to gather multiple types of data about a patient (e.g.,
clinical, financial, administrative, and research).
Healthcare informaticists
agree that an EHR system is not one or even two or more products. Rather,
an EHR system consists of a plethora of integrated component information
systems and technologies. The electronic files that make up the EHR system’s
component information systems and technologies consist of different data
types, and the data in the files consist of different data formats. (See
“Data
Formats of the EHR,” below, for a description of format types.)
Data Formats of the EHR
Some data formats are structured and some are unstructured. For example, the data elements in a patient's automated laboratory order, result, or demographic and financial information system are coded and alphanumeric. Their fields are predefined and limited. In other words, the type of data is discrete, and the format of these data is structured. Consequently, when a healthcare professional searches a database for one or more coded, discrete data elements based on the search parameters, the engine can easily find, retrieve, and manipulate the element.
However, the format of the data contained in a patient's transcribed radiology or pathology result, history and physical, or clinical note system using word-processing technology is unstructured. Free-text data, as opposed to discrete, structured data, are generated by word processors, and their fields are not predefined and limited. Consequently, when a healthcare professional searches unstructured text, the search engine cannot easily find, retrieve, and manipulate one or more data elements embedded in the text.
Likewise, the format of the data contained in a patient's dictated radiology or pathology result, history and physical, or clinical note system using speech recognition technology (real-time speech in, text out) is unstructured. However, the speech recognition technology's engine takes the unstructured, free-text speech data and codifies the data, often with the help of templates. Hence, the format of the outputted text data becomes structured, with predefined and limited fields. Search engines then easily can find, retrieve, and manipulate one or more data elements embedded in the text.
Diagnostic image data stored in a diagnostic image management system, such as a picture archiving and communications system, represent a different type of data: bit-mapped data. However, the format of bit-mapped data is also unstructured. Saving each bit of the original image creates the image file. In other words, the image is a raster image, the smallest unit of which is a picture element or pixel. Together, hundreds of pixels simulate the image. Examples of digital modalities that generate digital diagnostic image data are digitized x-rays or computed radiography and computed tomography, magnetic resonance, and nuclear medicine scans. Most diagnostic image data remain based on analog, photographic films, such as analog x-rays. To digitize these data, these analog films must be digitally scanned, using film digitizers.
Document image data are yet another type of data; document image data are bit mapped, and the format is unstructured. These data are stored in an electronic document management system. These data are based on analog paper documents or on analog photographic film documents. Most often, analog paper-based documents contain handwritten notes, marks, or signatures. However, such documents can include preprinted documents (such as forms), photocopies of original documents, or computer-generated documents available only in hard copy. Analog photographic film-based documents are processed using an analog camera and film, similar to analog x-rays. Therefore, both the analog paper-based and the photographic film-based documents must be digitally scanned, using scanning devices that are similar to fax machines.
The EHR system's component information systems and technologies consist of additional data types, the formats of which also are unstructured.
Real audio data consist of sound bytes, such as digital heart sounds.
Motion or streaming video or frame data, such as cardiac catheterizations (cine), consist of digitized film attributes, such as fast forwarding.
The files that consist of vector graphic (or signal-tracing) data are created by saving lines plotted between a series of points, accounting for the familiar ECGs, EEGs, and fetal traces.
|
As
such, portions of the legal EHR may be located in various electronic
systems. These input systems may include laboratory information systems,
pharmacy information systems, picture archiving and communications systems
(PACS), cardiology information systems, results reporting systems, computerized
provider order entry systems, nurse care planning systems, word-processing
systems, and fetal trace monitoring systems.
Depending on their size
and structure, healthcare providers may store structured clinical and
administrative data in a database or clinical data repository. In addition,
healthcare providers may store unstructured patient clinical data in
separate databases or repositories (e.g., PACS archive, fetal trace archive)
and provide pointers from the clinical portal to these various repositories.
In this manner, architecturally, these databases are logically but not
physically linked.
Defining the Subset of Data that Constitutes the Legal
EHR
The challenge for HIM professionals in defining a legal health record
in an EHR system is to determine which data elements, electronic-structured
documents, images, audio files, and video files become part of the legal
electronic health record. The first step is to determine what legal entities
enforce regulations, guidelines, standards, or laws to the healthcare
organization defining its legal health record. Although these various
entities may have defined a legal record in paper terms (e.g., requiring
a medication sheet rather than an electronic medication administration
record), these entities’ definitions must become the basis for
the legal health record definition at the organization.
The second step
is to determine whether the records are created in the ordinary course
of business of the healthcare provider or entity.
The third step is creating
a matrix (or other document) that defines each element in the legal health
record. Such a matrix could include a column indicating whether that
particular element would be released on first request or subpoena.
HIPAA
and the Legal Health Record
The HIPAA privacy rule requires that organizations
identify their “designated
record set,” which is defined as “a group of records maintained
by or for a covered entity that is: (i) the medical records and billing
records about individuals maintained by or for a covered health care
provider; (ii) the enrollment, payment, claims adjudication or case or
medical management record systems maintained by or for a health plan;
or (iii) used, in whole or part, by or for the covered entity to make
decisions about individuals.”4 Healthcare providers are required
to define the data or documents that meet this definition. The legal
health record will be a subset of this designated record set that meets
the requirements for a business record used for legal purposes. Organizations
must list those specific data elements and documents within the designated
record set that comprise its legal health record. Source media (paper
versus electronic) should be defined. If electronic, the source system
should also be defined. The owners of these differential source data
should be reflected in the designated record set policy and should also
be documented. This matrix or document can include the column suggested
above as to whether it is released on first request or subpoena.
Information
from the legal health record is disclosed in response to authorized requests
for copies of a patient health record. Electronic records should be transmitted
in a method that minimizes the risk of a breach of security and protects
the patient’s privacy as defined
in the HIPAA privacy and security standards and by the privacy and security
policies of the healthcare provider. HIPAA does not define a preferred
method of electronic transmission. However, some states require that
copies of medical records provided to patients be in “human-perceptible
form,” which might limit the ability of the provider to transmit
the electronic portions of the legal health record directly to third
parties (such as a personal health record vendor, for example).
Facility
policies should also address copying paper records, printing copies of
electronic documents, and transmitting of protected health information
to authorized requestors via courier, mail, fax, e-mail, and other processes.
In addition, facility policies must address, in accordance with HIPAA
privacy standards, the method for documenting errors, corrections, or
addendums in both paper and electronic documents and ensure that original
and amended versions of a document are available and produced for official
(or certified) copies of health records.
Considerations for Defining
the Legal Health Record for Legal Purposes
As stated previously, there
is no one-size-fits-all definition of the legal record because laws and
regulations governing the content vary by practice setting and by state.
However, there are common principles to be followed in creating a definition.
This section addresses health record issues to assist healthcare organizations
in defining the content of their legal records. Final definition of the
legal health record rests with individual healthcare organizations and
their legal counsels.
Alerts, Reminders, and Pop-Ups
Alerts, reminders, pop-ups, and similar
tools are used as aides in the clinical decision-making process. The
tools themselves are not considered part of the legal health record;
however, associated documentation is considered a component. For example,
a provider is alerted to perform a diabetic foot exam on a diabetic patient.
The initial alert that prompts the provider is not part of the legal
health record, but the subsequent action taken by the provider, including
the condition acted upon and the associated note detailing the exam,
is considered part of the record.
Similarly, any annotations, notes,
and results created by the provider as a result of an alert, reminder,
or pop-up are also considered part of the legal health record. Once the
documentation, results, and graphs have been entered in an electronic
manner, those alerts acted upon and results become a permanent part of
the record and are maintained in a manner similar to any other information
contained within the legal health record.
Continuing Care Records
Continuing care records are records received
from another healthcare provider. Historically, these records were generally
not considered part of the legal health record unless they were used
in the provision of patient care. In the electronic health record it
may be difficult to determine if information was viewed or used in delivering
healthcare. It may be necessary to define such information as part of
the legal health record. Policies should reflect the proper disposition
of health records from external sources (e.g., other healthcare providers)
if they are not integrated into the electronic and legal health record.
Data
and Documents to Be Considered Part of the Record
- Advance directives
- Allergy records
- Alerts and reminders (see “Alerts, Reminders,
and Pop-Ups,” above)
- Analog and digital patient photographs for
identification purposes only
- Anesthesia records
- Care plans
- Consent forms for care, treatment, and research
- Consultation reports
- Diagnostic images
- Discharge instructions
- Discharge summaries
- E-mail messages containing patient-provider or
provider-provider communications regarding care or treatment of specific
patients5
- Emergency department records
- Fetal monitoring strips from which interpretations
are derived
- Functional status assessments
- Graphic records
- History and physical examination records
- Immunization records
- Instant messages containing patient-provider
or provider-provider communications regarding care or treatment
of specific patients6
- Intake and output records
- Medication administration records
- Medication orders
- Medication profiles
- Minimum data sets (MDS, OASIS, IRF PAI)
- Nursing assessments
- Operative and procedure reports
- Orders for treatment including diagnostic
tests for laboratory and radiology
- Pathology reports
- Patient-submitted documentation
- Patient education or teaching documents
- Patient identifiers (medical
record number)
- Photographs (digital and analog)
- Post-it notes and annotations containing
patient-provider or provider-provider communications regarding
care or treatment of specific patients
- Practice guidelines or protocols and clinical
pathways that imbed patient data
- Problem lists
- Progress notes and documentation (multidisciplinary,
excluding psychotherapy notes)
- Psychology and psychiatric assessments
and summaries (excluding psychotherapy notes)
- Records received from
another healthcare provider if they were relied on to provide healthcare
to the patient (see “Continuing Care Records,” above)
- Research records
of tests and treatments7
- Respiratory therapy, physical therapy, speech therapy,
and occupational therapy records
- Results of tests and studies from laboratory
and radiology
- Standing orders
- Telephone messages containing patient-provider or
provider-provider communications
regarding care or treatment of specific patients
- Telephone orders
- Trauma tapes
- Verbal orders
- Wave forms such as ECGs and EMGs from which interpretations
are derived
- Any other information required by the Medicare Conditions
of Participation, state
provider licensure statutes or rules, or by any third-party payer as a condition
of reimbursement
Data from Source
Systems
Source-system data
are the data from which
interpretations, summaries,
and notes are derived.
They may be designated part
of the legal health record,
whether or not they are integrated
into a single system or maintained
as part of the source system.
Records from source systems may be considered
part of the legal health record,
based on the content of the source system’s record.
Historically, reports or findings upon which clinical decision making
is based are parts of the legal health record. For example, the written
result of a test such as an x-ray, an ECG, or other similar procedures
are always part of the record, whether these reports are integrated into
a single system or part of a source system.
Working
notes used
by a provider
in completing
a final report are not
considered part of the
legal health record unless
they are made available
to others providing care
to a patient. However, documents
that are kept in a separate system
of record (such as notes from a particular
area of specialty that are kept separately
but are final products) are always
considered part of the record.
The determining factor in whether something
is to be considered part of
the legal health record is not where the information resides or the format
of the information, but rather how the information is used and whether
it is reasonable to expect the information to be routinely released when
a request for a complete medical record is received.
The legal health record
excludes health records that are not official business records of a healthcare
organization.
Downtime Procedure Documents
In the event that the EHR system is unavailable,
a process must be implemented to continue with
documentation of patient care and responses to that care. For most
facilities, this process will be paper-based.
Once the EHR
system is restored, the information from the downtime documents must
be made part of the EHR, which may incorporate data entry, scanning,
or recreating documents in various subsystems.
Emerging Issues
As EHR technology evolves, a number of challenges to
the definition of the legal health record are emerging.
Organizations must resolve these challenges with their legal counsel
and information technology departments. Many of these items have
not historically been included in the legal health record and will
entail new storage and retrieval costs if they are defined as part
of the record. Some examples of documents and data that should be
evaluated for inclusion or exclusion include:
- Audio files of dictation
- Audio files of patient telephone calls
- Nursing shift-to-shift reports
(handwritten or audio)
- Telephone consultation audio files
- Videos of office visits
- Videos of procedures
- Videos of telemedicine consultations
Personal Health Records
Orgnizational policy should address how personal
health information
will or will not be incorporated into the patient’s health record.
Copies of personal health records that are created, owned, and managed
by the patient and are provided to a healthcare organization should
be considered part of the legal health record, if so defined by the
organization and if the information is used to provide patient care
services, review patient data, or document observations, actions, or
instructions. This includes patient-owned, -managed, and -populated
tracking records, such as medication tracking records and glucose and
insulin tracking records. (See “Personal Health Record Formats”, below, for an outline
of formats.)
Personal Health Record Formats
PHRs electronically may include subsets of personal health information from provider organization databases into the electronic records of authorized patients, their families, other providers, and sometimes health payers and employers. A range of people and groups maintain the records, including the patients, their families, and other providers.
PHRs come in a variety of forms and formats, with no single sign or sponsorship model yet to emerge. Currently, the most common PHR variations and models include:
Shared data record: The shared data record model consumes the largest number of PHRs and is the most effective. Here, both provider (or employer or health plan) and patient maintain the record. In addition, the provider (or employer or health plan) supports the record. As such, the patient receives and adds information over time. The focus of this model is to keep track of health events, medications, or specific physiological indicators, such as exercise and nutrition.
EHR extensions: The EHR extension model extends the EHR into cyberspace so that an authorized patient can access the provider's record and check on the record's content. Often this model also allows an authorized patient to extract data from the healthcare provider's record. The record is still maintained by the provider but is available to the patient in an online format.
Provider-sponsored information management: The provider-sponsored information management model represents provider-sponsored information management by creating communication vehicles between patient and provider. Such vehicles can include reminders for immunizations or flu shots, appointment scheduling, prescription refill capabilities, and monitoring tools for disease management in which regular collection of data from the patient is required.
|
Documents
Not Included
in the Legal Health Record
Administrative Data and Documents
Administrative data and documents
should be provided the same
level of confidentiality as the legal
health record. However, administrative data
should not be considered part
of the legal health record and would
not be produced in response
to a subpoena for the medical record.
Healthcare organizations might
more appropriately consider some administrative
data and documents as working
documents.
Administrative data are patient-identifiable
data used for administrative, regulatory, healthcare
operation, and payment (financial) purposes.
Examples of administrative data include:
- Abbreviation and do-not-use abbreviation
lists
- Audit trails related to the EHR
- Authorization forms for release of
information
- Birth and death certificate worksheets
- Correspondence concerning requests
for records
- Databases containing patient information
- Event history and audit trails
- Financial and insurance forms
- Incident or patient safety reports
- Indices (disease, operation, death)
- Institutional review board lists
- Logs
- Notice of privacy practices acknowledgments (unless the organization
chooses to classify them as part of the health record)
- Patient-identifiable
claims
- Patient-identifiable data reviewed for quality assurance or
utilization
management
- Protocols and clinical pathways, practice guidelines, and other
knowledge sources that do not imbed patient data
- Psychotherapy notes
- Registries
- Staff roles and access rights
- Work lists and works-in-progress
Derived Data and Documents
Derived or administrative data are derived from the primary healthcare
record and contain selected data elements to aid in the provision, support,
evaluation, or advancement
of patient care. Derived data and documents should be provided the
same level of confidentiality as the legal health record. However, derived
data should not be considered part of the record and would not be produced
in response to a subpoena for the medical record.
Derived data consist of information
aggregated or summarized from
patient records so that there are no means to identify patients.
Examples of derived data are:
- Accreditation reports
- Anonymous patient data for research purposes
- Best-practice guidelines
created from aggregate patient data
- OASIS reports
- ORYX, Quality Indicator, Quality Measure, or other reports
- Public
health reports that do not contain patient-identifiable data
- Statistical
reports
- Transmission reports for MDS, OASIS, and IRF PAI
Notes
- For example, as defined by the Centers for Medicare and Medicaid
Services for hospitals found in Condition of Participation 482.24,
the medical record includes “at least written documents, computerized
electronic information, radiology film and scans, laboratory reports
and pathology slides, videos, audio recordings, and other forms of
information regarding the condition of a patient.”
- Amatayakul,
Margret, et al. “Definition of the Health Record
for Legal Purposes.” Journal of AHIMA 72, no. 9 (2001): 88A–H.
- AHIMA
e-HIMTM Work Group on Health Information Management in a Hybrid Environment. “The
Complete Medical Record in a Hybrid EHR Environment,” parts I–III.
October 2003. Available online in the FORE Library: HIM Body of Knowledge
at www.ahima.org.
- “Standards for Privacy of Individually Identifiable Health
Information; Final Rule.” 45 CFR Parts 160 and 164. Federal
Register 65, no. 250 (2000). Available online at http://aspe.hhs.gov/admnsimp.
- In
the paper world, conversations between a provider and patient or between
providers (e.g., hallway consultations) are not always recorded and
made part of the medical record. With many EHR systems, such conversations
can occur electronically via e-mail and instant messaging. In other systems,
records or portions of records can be forwarded to another provider’s
work queue for review and comment. HIM professionals need to work with
counsel and leaders of the medical staff to determine if such e-mails
and notations are to be included as part of the legal health record.
- Ibid.
- Organizational policies should differentiate whether research
records are part of the legal health record or if the research center
maintains its own records. This should be verified with the institutional
review board, since this may influence whether they are part of the
legal health record.
References
Ceners for Medicare and Medicaid Services. “Conditions
of Participation for Hospitals.” Available online at www.cms.hhs.gov/manuals/107_som/som107ap_a_hospitals.pdf.
HIMSS. “HIMSS
Electronic Health Record Definitional Model, Version 1.1.” Available
online at www.himss.org/content/files/ehrattributes070703.pdf.
Health
Level Seven. “The Legal Aspects of the Electronic Health Record.” Unpublished
work product of the HL7 work group on legal aspects of the EHR. May
2005.
“Standards for Privacy of Individually Identifiable Health
Information; Final Rule.” 45 CFR Part 164.501. Federal
Register 65, no. 250 (2003). Available online at www.hhs.gov/ocr/hipaa.
Prepared
by
Kathleen Addison, CCHRA(C)
James H. Braden, MBA
Jacqueline E. Cupp, RHIA
Darla Emmert, RHIT
Lois A. Hall, RHIT
Terri Hall, MHA, RHIT, CPC
Barbara Hess, MBA, CHP, PAHM
Deborah Kohn, RHIA, CHE, CPHIMS
Michele T. Kruse, MBA, RHIA
Kelly McLendon, RHIA
Julie McQueary, RHIA
Debra Musa, RHIT
Keith L. Olenik, MA, RHIA, CHP
Carol Ann Quinsey, RHIA, CHPS
Rebecca Reynolds, MHA, RHIA
Cheryl Servais, MPH, RHIA
Amy Watters, RHIA
Lou Ann Wiedemann, MS, RHIA
Melinda Wilkins, MEd, RHIA
Michele Wills, RHIA
Nancy E. Vogt, RHIT, CHP
Acknowledgments
Mary D. Brandt, MBA, RHIA, CHE, CHPS
Jill Callahan Dennis, JD, RHIA
Michelle Dougherty, RHIA, CHP
Kathy Giannangelo, RHIA, CCS
Karen G. Grant, RHIA, CHP
Matthew J. Greene, RHIA, CCS
Kathleen A. Frawley, JD, MS, RHIA
Barry S. Herrin, CHE, Esq.
Godwin O. Odia, MBA, RHIA
Donald Simborg
Andrea B. Thomas, MBA, RHIA, CPHS
Lydia M. Washington, MS, RHIA, CPHIMS
Carolann M. Weishar, RHIA
This work group was supported by a grant to FORE from Precyse Solutions,
Inc.
Article citation: AHIMA e-HIM Work Group on the Legal Health Record. "Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes." Journal of AHIMA 76, no.8 (September 2005): 64A-G. |
|