© 2010 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Presentation transcript:


2 Chapter 13: Information Systems

3 Introduction
Interrelationship between HIM and information technology (IT)
Complex new technologies house protected health information (PHI)
Legal issues related to IT and electronic health records (EHR)
  – Accreditation
  – Licensure
  – Liability

4 Electronic Health Records (EHR)
Transformation from paper-based patient records to EHR
  – Improve availability and accessibility of data
  – Space saving
  – Increasing demands from external forces
      – Regulatory agencies
      – Accrediting organizations
      – Insurance companies
  – Government efforts in health care reform
  – Avoid mistakes, reduce costs, improve care

5 Legal Health Record
The legal business record generated at or for a health care organization
Patient’s paper file contains more than health record:
  – Correspondence
  – Requests for release of information
EHR may be similarly complex
  – Master patient indexes
  – Practice guidelines and prompts
  – Not part of patient health record
Only legal health record is to be produced

6 Legal Health Record
Focus of EHR should be
  – Documentation of delivery of health services
Health care providers must define what will be included in EHR:
  – Subsets included vary with practice setting
  – Contain patient-specific data and documentation generated by provider
  – Memorialize patient care delivered
Administrative data not part of legal EHR
  – Audit trails
  – Statistical reports

7 Legal EHR: Accreditation and Licensure Issues
Currently govern how transition to EHR will take place
  – Licensing authorities authorize provider practice in a state
  – Accreditation agencies set standards for provider compliance
Federal government has not completed efforts to regulate transition process
  – Has established a definition of EHR in the ARRA

8 Legal EHR: Accreditation and Licensure Issue
ARRA definition:
  – EHR is created, gathered, managed, and consulted by authorized health care clinicians and staff
  – Includes demographic and clinical information
  – May provide clinical support, physician order entry, and capture/query relevant to quality
  – Used to exchange and integrate electronic health information with other sources

9 Legal EHR: Accreditation and Licensure Issue
Core functions of EHR described by IOM
  – Health information and data
  – Results management
  – Effective communications
  – Clinical decision support
  – Order entry and management
  – Patient support
  – Reporting and population health management
  – Administrative processes

10 Legal EHR Issues: Creation and Storage
Issue: does state law allow the storage of health information in electronic medium?
  – Some states expressly authorize
      – Permission to keep records in electronic form may be established in statute or administrative law
  – Other states are silent on the issue of EHR
      – Permit “usable” or “acceptable” form
  – State laws may seemingly prohibit EHR
      – Expressly require certain media: original file or microfilm
HIM must check with licensing authority to understand interpretation of state law

11 Legal EHR Issues: Authentication
All entries in patient record must be authored and authenticated
Technology present in EHR helpful
  – Electronic signatures or computer-generated signature codes for authentication
Impact of statutes/regulations on acceptability of electronic signatures:
  – If expressly authorized, electronic signatures are clearly permitted
  – If require physician signature: must look to licensing agency’s current interpretation to determine effect

12 Legal EHR Issues: Authentication
Electronic Signatures in Global and National Commerce Act of 2001 (E-SIGN)
  – Federal law dealing with interstate and foreign commerce
  – Electronic signatures may not act as legal bar to contracts or other records
Accrediting organizations
  – Medicare Conditions of Participation and Joint Commission
  – Expressly recognize authentication by computer methods
  – Must use software that creates signature unique to author

13 Legal EHR Issues: Liability Issues
Two categories of concern
1. Admissibility issues
  – Where EHR serves as proof in lawsuit involving quality of care
  – Focus rests on whether EHR may be admitted into evidence
2. Safety and security of EHR
  – Where unauthorized access to or careless handling of patient information creates liability
  – Focus on related legal requirements

14 Liability Issues: Admissible Evidence
Issue of admissibility: whenever EHR will be used in lawsuit to prove or disprove a fact
Court determines whether use as evidence is proper
  – Hearsay Rule may exclude:
      – Out of court statement offered to prove truth of matter
  – Business Record Exception may enable use
      – Record was kept in ordinary course of business
      – At or near the time event was recorded
      – By person with first-hand knowledge
      – Custodian of records testifies about record keeping

15 Liability Issues: Admissible Evidence
Health information manager may testify
  – Under the business records exception
      – To the foundation, trustworthiness, and accuracy of the record
  – Explain paper-based and electronic system
      – How is data recorded and who makes entries
      – Describe hardware, software, and quality control
      – Access to system and making corrections
  – Explain computer printout of EHR
      – Reliability of software and process for creation

16 Liability Issues: Security
Regulate access and ensure preservation of data
Health information concerns
  – Interruption or discontinuation of telemedicine session
  – Unauthorized access to patient record
  – Destruction of patient information
  – Privacy violations, breach of confidentiality

17 Liability Issues: Security
IT security measures
  – Authentication: ensuring people are who they say they are
  – Permission: level of access given
  – Encryption: mechanism to prevent third parties from eavesdropping
  – Damage prevention: preventing malicious attempts to damage or destroy data
  – Disaster recovery: plans to resume operations in the event of a problem

18 Liability Issues: Security
Duty of health care providers to safeguard patient information
  – JC, CMS, state law, and HIPAA require
  – Codes of ethics address
  – Breach of duty may result in liability claims:
      – Breach of confidentiality
      – Invasion of privacy
      – Defamation
      – Negligence

19 Liability Issues: Security
Physical security: protections from the environment
Temperature and humidity
Power surges and failure protection
Fire alarms and fireproof location
Rules limiting access to terminals and storage
Locked cabinets to prevent theft
Maintenance requirements and logs maintained

20 Liability Issues: Security
Personnel security: human aspects
  – Reference checks associated with hiring
  – Criminal background checks
  – History of security problems or computer hacking
  – Education on confidentiality policies
  – Expectations for proper computer access
  – Limited access to information
  – Signed acknowledgement of receipt of education
  – Disciplinary action for violation of policy

21 Liability Issues: Security
Risk prevention techniques
  – Protect integrity and confidentiality of data
  – Restrict access
  – Determine who has access and what purpose
  – Computer passwords, keycards, IDs
  – Restrict copying functions
  – Security mechanisms in contracts with vendors
  – Confidentiality agreements within networks
  – Address potential for computer sabotage
  – Safeguard use of laptops and PDAs

22 Liability Issues: Security
Obligation of third parties to safeguard PHI
  – HIPAA and ARRA address
  – Any contract with business associates includes
      – Confidential nature of data
      – Mechanisms to be used to safeguard data
      – Indemnification if improper disclosure
Safeguard portable computers
Establish confidentiality agreements with network participants
Prevent computer sabotage

23 Liability Issues: HIPAA Security Rule
Establishes safeguards that
  – Protect confidentiality of data: only authorized persons may see
  – Ensure data integrity: protect from unauthorized creation, modification, deletion
  – Allow data to be available when needed
18 security standards
  – Specify use of integrity controls
  – Encryption technology for transmission of PHI
  – Information access techniques
  – Permission levels
  – Access controls

24 Liability Issues: HIPAA Security Rule
Administrative safeguards
  – Manage the development, implementation, and maintenance of security measures to protect PHI
      – Through actions, policies, and procedures
      – Focus on prevention, detection, containment, and correction
      – Risk analysis of security practices must be done
      – Identify how PHI is accessed and vulnerabilities
      – Monitor users, protect PHI from viruses, change passwords, create contingency plans

25 Liability Issues: HIPAA Security Rule
Physical safeguards
  – Protect electronic information systems and related buildings and equipment
  – Focus on systems, facilities, and equipment
  – Restrict individual access to facilities housing information systems
  – Establish access levels to physical space based on person's role or function
  – Establish disposal policies and procedures for tapes, storage devices, and other equipment

26 Liability Issues: HIPAA Security Rule
Technical safeguards
  – Employ technological solutions to secure electronic PHI
  – Focus on technology to limit unauthorized access and ensure data integrity
  – Employ encryption technology with
  – Examine activities on computer network
  – Assign unique identifiers to end users to track their system use

27 Liability Issues: HIPAA Security Rule
Training requirements
  – Educational program on computer security basics for all staff
      – Managers, employees
      – Agents, contractors, and maintenance personnel
  – Covered entity must maintain documentation
      – That training provided
      – Of periodic review, validation, updates to program
Requires information security policies
  – Define framework for program
  – Who, what, where, when, and how of info security

28 Liability Issues: HIPAA Security Rule
Relationship with HIPAA Privacy Rule
  – Different approaches to serve same goal: protect PHI
  – Privacy rule provides patients more control over PHI
  – Security rule focuses on technical requirements
  – Both assign responsibility for compliance to an individual within the covered entity
      – Security officer
      – Privacy officer

29 Electronic Health Issues: Internet
Research/learning regarding health care
  – Health care providers use Internet to information related to improvement of care
E-health organizations
  – Collect and display identifiable information
  – Patients participate as e-consumers
  – Safeguards to protect PHI must be in place
  – Statutes, rules, and regulations apply

30 Electronic Health Issues: Electronic Mail
Popularity of electronic mail continues to grow
Health care field has incorporated its use into many business practices
Never a private form of communication
  – May be collected, stored, and reviewed
Laws and regulations on privacy of health information apply (HIPAA, Medicare, JC)
Plan for security measures
  – Address patient confidentiality
  – Instructions on permissible content and sensitivity
  – Encryption algorithms

31 Electronic Health Issues: Digital Imaging
Scanning paper documents to electronic storage
Multiple advantages for health care
Image becomes available to multiple users
Becomes viewable through server or browser
State laws may address storage, confidentiality, retention, and/or security of PHI

32 Electronic Health Issues: Telemedicine
Using electronic communication and IT to provide care from a distance
Remote areas with limited access to care
  – Connect patients with providers
  – Allow diagnosis, treatment, monitoring of patients
Many unsolved legal issues arise regarding
  – Licensure of provider when patient in another state
  – Creation of physician and patient relationship
  – Liability for technical failures
  – Which state’s law applies