Best Practices to Modify Electronic Health Records While Maintaining Record Integrity

Presented By: Margaret Young Levi and Kathie M. McDonald-McClure, Wyatt Tarrant & Combs LLP

This manual was created for online viewing. State-specific information in this manual is used for illustration and is an example only.

Mail: P.O. Box 509 Eau Claire, WI 54702-0509 • Telephone: 866-352-9539 • Fax: 715-802-1131 • Email: [email protected] • Website: www.lorman.com • Seminar ID: 404003


©2018 Lorman Education Services. All Rights Reserved.

All Rights Reserved. Lorman programs are copyrighted and may not be recorded or transcribed in whole or part without its express prior written permission. Your attendance at a Lorman seminar constitutes your agreement not to record or transcribe all or any part of it.

Full terms and conditions available at www.lorman.com/terms.php.

This publication is designed to provide general information on the topic presented. It is sold with the understanding that the publisher is not engaged in rendering any legal or professional services. The opinions or viewpoints expressed by faculty members do not necessarily reflect those of Lorman Education Services. These materials were prepared by the faculty who are solely responsible for the correctness and appropriateness of the content. Although this manual is prepared by professionals, the content and information provided should not be used as a substitute for professional services, and such content and information does not constitute legal or other professional advice. If legal or other professional advice is required, the services of a professional should be sought. Lorman Education Services is in no way responsible or liable for any advice or information provided by the faculty.

This disclosure may be required by the Circular 230 regulations of the U.S. Treasury and the Internal Revenue Service. We inform you that any federal tax advice contained in this written communication (including any attachments) is not intended to be used, and cannot be used, for the purpose of (i) avoiding federal tax penalties imposed by the federal government or (ii) promoting, marketing or recommending to another party any tax related matters addressed herein.


EHR Integrity in the Crosshairs

Three Phases of Data Integrity in EHR Systems: Phase 1

Ensuring accurate data entry (“garbage in > garbage out”)

The three “Rs”:

The right information

At the right time

For the right patient

Use a coding system that links to internationally approved medical standards that are updated daily

Avoid free text which is subject to human error

See “Ensuring Data Integrity in Electronic Health Records: A Quality Health Care Implication,” by P. Vimalachandran, H. Wang, Y. Zhang, B. Heyward, F. Whittaker, submitted to Cornell University Library (2 Feb 2018).


Three Phases of Data Integrity in EHR Systems: Phase 2

Ensuring data integrity by linking to the right patient

Interoperability of EHRs depends on a uniform patient identification method.

The Social Security Number is currently the only universal unique identifier.

Medicare is in the process of creating another unique identifier besides the SSN.

See “Ensuring Data Integrity in Electronic Health Records: A Quality Health Care Implication,” by P. Vimalachandran, H. Wang, Y. Zhang, B. Heyward, F. Whittaker, submitted to Cornell University Library (2 Feb 2018).

Three Phases of Data Integrity in EHR Systems: Phase 3

Ensuring data integrity by ensuring security from unauthorized alteration.

Protecting from unauthorized access

Unauthorized access > alterations that compromise data accuracy and reliability

Employees mistakenly or intentionally alter data

Hackers directly or indirectly alter data (e.g., ransomware, identity theft)

Encryption, Block Chain, Pseudonymisation

See “Ensuring Data Integrity in Electronic Health Records: A Quality Health Care Implication,” by P. Vimalachandran, H. Wang, Y. Zhang, B. Heyward, F. Whittaker, submitted to Cornell University Library (2 Feb 2018).


The HIPAA Security Rule and “Integrity”

Security Rule Defines “Integrity”

45 CFR § 164.304 – Integrity is defined as:

Electronic data or information that is not altered or destroyed in an unauthorized manner.


Security Standards Require Protection of EHR Integrity

45 CFR § 164.306 – Security Standards

(a) General requirements. Covered entities and business associates must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

Administrative Safeguards: Risk Analysis Must Assess Potential Risks to Integrity

45 CFR § 164.308 – Administrative Safeguards

(a) A covered entity or business associate must . . . implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.


Technical Safeguards: Implement Controls to Ensure EHR Integrity

45 CFR § 164.312(c) Technical safeguards. A covered entity must . . .

(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

Organizational Requirements: Group Health Plans Must Implement Safeguards for Integrity of ePHI

45 CFR § 164.314 Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to -

(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;….


“Integrity” Beyond Security - or - How We Got Here!

The HITECH Act of 2009

Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). Three primary goals:

1. Interoperability of electronic health records

2. Improve Individual Quality of Care and Communication

3. Improve Population Health


The HITECH Act Goals

EHR Adoption & Interoperability

Improved communication & coordination of care

Improved diagnostics & treatment

Improved patient care & outcomes

Overall improved population health

EHR Integrity Issues


EHR Integrity Issues Directly Related to “Time-Saving” Features

Cloning

Copy & Paste

Carry or Pull Forward Entries

Auto-Fill

Auto-Prompts

Default suggestions during data entry

Templates designed to meet reimbursement needs

EHR Integrity Issues Related to System Design & Human Factors

Patient Identification

Author Integrity

Data Validation After Dictation

Record Amendments


Integrity Issue: Cloning (Copy/Paste, Carry/Pull Forward)

Example: Nurse turned patient every two hours during her shift, and she copied and pasted her previous nursing progress notes every two hours. Each note said “patient positioned on her left side.” Patient developed pressure ulcer.

Integrity Issue: Cloning (Copy/Paste, Carry/Pull Forward)

AHIMA Position: Weigh efficiency and time savings against potential for inaccurate, fraudulent, unwieldy documentation. Use only in presence of strong technical and administrative controls. Safety actions to consider:

Organizational policies and procedures addressing proper use, considering gov’t, regulatory and industry standards

Comprehensive user training and education

Ongoing monitoring and enforcement of compliance


Integrity Issue: Cloning (Copy/Paste, Carry/Pull Forward)

The Joint Commission (TJC) Patient Safety Alert – “Preventing copy-and-paste errors in EHRs” (Feb 2015)

Weigh benefits (improved efficiencies) against risks:

Inaccurate or outdated data

Redundancy > difficult to identify current information

Inability to identify author and intent

Inability to identify when data was first created

Propagation of false information

Internally inconsistent progress notes

Unnecessarily lengthy progress notes

Integrity Issue: Cloning (Copy/Paste, Carry/Pull Forward)

TJC Safety Alert (cont.) – Safety Actions to Consider:

TJC endorsed AHIMA’s recommended safety actions and added:

Work collaboratively with health care providers, medical societies and others to balance benefits & risks and develop training & education;

Monitor accuracy of clinical record & solicit provider feedback for addressing inaccurate or overly redundant documentation;

Conduct focused, ongoing professional performance evaluation with ties to clinical record accuracy;

Maintain robust quality review process for EHR misuse & errors – evaluate & identify patient safety improvement opportunities.


Integrity Issue: Cloning (Copy/Paste, Carry/Pull Forward)

Additional Resources on Cloning:

OIG Studies on EHR Integrity – December 2013 and January 2014 (highlights the important role of audit logs)

AMA Study: “Characterizing the Source of Text in Electronic Health Record Progress Notes,” JAMA Intern Med. (Aug 2017)

NIST Study: “Examining the ‘Copy and Paste’ Function in the Use of Electronic Health Records,” NISTIR 8166 (Jan. 2017)

ECRI Partnership for Health IT Patient Safety: Copy and Paste

The Partnership makes four safe practice recommendations:

A. Provide a mechanism to make copy and paste material easily identifiable.

B. Ensure that the provenance of copy and paste material is readily available.

C. Ensure adequate staff training and education regarding the appropriate and safe use of copy and paste.

D. Ensure that copy and paste practices are regularly monitored, measured, and assessed.

See https://www.ecri.org/HITPartnership/Pages/Safe-Practices.aspx


Integrity Issue: Auto-Fill, Auto-Prompts & Default Suggestions

CMS Electronic Health Records Provider Fact Sheet:

“[F]eatures like auto-fill and auto-prompts can facilitate and improve provider documentation, but they can also be misused.”

Clinical record must document the differences and needs of the patient for each visit or encounter.

Recommendation: Use electronic signature or personal identification number (PIN) to help deter possible fraud, waste, and abuse that can occur with EHR use.

Integrity Issue: EHR Templates

EHR templates for medical charting, SOAP notes, patient intake, flowcharts and lab orders can save time but can pose risks if they:

Are not flexible and may not clinically fit the situation

Lack safeguards against presenting an inaccurate picture of patient’s condition at admission or over time

Create a redundancy or “over-documentation” situation

Are designed to meet reimbursement needs in a way that could be perceived as fraudulent


Integrity Issue: EHR Templates

A well-designed EHR template enhances compliance and patient care & safety if it:

Incorporates care guidelines

Incorporates mnemonics to help deliver evidence-based care

Automates reminders and investigations

Recommends appropriate tests and flags inappropriate ones

Enhances compliance with standards, policies and procedures

Integrity Issue: Templates Designed to Meet Reimbursement Needs

AHIMA recommends:

Policies and procedures that address the use of default templates

Audit process that ensures compliant billing

Involve HIM and clinical staff in the development and review of templates

Educate staff on the use of EHRs and templates

Document staff training


Integrity Issue: Patient ID

Increase in medical ID theft contributes to entry of erroneous data for the actual patient.

Selecting the wrong patient in the EHR on which to enter data has been a frequent mistake.

Misinformation due to human error or ID theft can affect patient care.

Untangling mixed-up records is a pain!

Integrity Issue: Patient ID

AHIMA recommends Patient ID Integrity Program to prevent ID errors:

Consider whether the EHR’s front-end design naturally integrates with the way the organization intakes key demographic data. Work with the vendor to address discrepancies and make changes to match the data flow.

Identify all patient intake or entry points and ensure consistent and accurate intake process for key demographics at all intake points

Train employees on how to select a patient in the EHR and to be aware of screens that may not show the patient ID.


Integrity Issue: Patient ID

AHIMA – Patient ID Integrity Program (cont.):

Use key demographics to link to other records within and across electronic data systems

In determining key demographics to use for linkage, consider using:

Sophisticated matching algorithms, biometrics, photographs, fingerprints

Multiple data elements to identify a patient (e.g., John Smith and John Smith, Jr. may both have same address)

Integrity Issue: Patient ID

AHIMA – Patient ID Integrity Program (cont.):

Work with EHR vendor to design special alerts to reduce potential patient safety risks, such as when a patient blood type or allergy does not match the patient undergoing treatment.

Use certified EHR with built-in CPOE safeguards to prevent medication errors.

Establish timeframe to correct errors once discovered.


ECRI: Partnership for Health IT Patient Safety

The Partnership arrived at eight safe practice recommendations in two areas of health IT to facilitate patient identification:

Attributes: The information-gathering aspects of patient identification, including the fields and the formats that are available to accommodate acquisition of required information.

Technology: New technologies to improve identification and ways to leverage existing technologies for safe patient identification.

See https://www.ecri.org/HITPartnership/Pages/Safe-Practices.aspx

ECRI: Partnership for Health IT Patient Safety

Eight safe practice recommendations to facilitate patient identification:

1. Include: Use standard identifier conventions in EHR fields.

2. Detect: Use confirmatory step to match patient to record throughout the encounter.

3. Evaluate: Use standard attributes and attribute formats in all transactions to improve matching.

4. Normalize: Use a standard display of patient attributes across the various systems.

See https://www.ecri.org/HITPartnership/Pages/Safe-Practices.aspx


ECRI: Partnership for Health IT Patient Safety

Eight safe practice recommendations to facilitate patient identification (cont.)

5. Tailor: Include distinguishing information enhancing identification on screens, printouts, and those areas that require interventions.

6. Innovate: Integrate new technologies to facilitate and enhance identification.

7. Follow-up: Implement monitoring systems to readily detect identification errors.

8. Yield: Include high-specificity active alerts and notifications to facilitate proper identification.

Integrity Issue: Author Integrity

CMS warns: “Different providers may add information to the same progress note. When this occurs, each provider should be allowed to sign his or her entry, allowing verification of the amount of work performed and which provider performed the work.”


Integrity Issue: Author Integrity

AHIMA tips to protect author integrity:

Verify authorship by selecting biometric identifier, PIN, badge or other unique identifier + password as log-in ID.

Establish policies requiring staff to protect log-in IDs and passwords and report breaches ASAP.

Implement access controls to ensure users have the authority to view and enter information on a record.

Retain original author identification and original entry date for a cloned record.

Ensure audit logs track date, time and users.

Assign responsibility for auditing logs.

Integrity Issue: Record Amendment

AHIMA toolkit, “Amendments in the Electronic Health Record,” provides guidance on maintaining the integrity and accuracy of an EHR. Best practices include adopting procedures on:

Addendums

Corrections

Late Entries

Retractions

Deletions, and

Re-sequencing or Reassignment
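
The author-integrity tips and amendment types above, as an added example (not from the presentation or from any EHR product): an append-only note history that keeps each entry's author, service time and entry time, records the provenance of copied text, and labels late entries. The SHA-256 hash chain, the 24-hour late threshold and all names (NoteLog, build_demo, dr_a, nurse_b) are assumptions of this example, and the sample data is constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta

LATE_AFTER = timedelta(hours=24)   # assumed policy threshold, not from the page
KINDS = {"original", "late_entry", "addendum", "correction", "retraction"}
GENESIS = "0" * 64


def _digest(body, prev_hash):
    # Canonical JSON so an unchanged entry always produces the same hash.
    blob = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + blob).encode()).hexdigest()


class NoteLog:
    """Append-only history of one chart note; nothing is edited in place."""

    def __init__(self):
        self.entries = []

    def append(self, kind, author, text, service_time, entry_time,
               copied_from=None):
        if kind not in KINDS:
            raise ValueError(f"unknown entry kind: {kind}")
        if not self.entries and kind not in ("original", "late_entry"):
            raise ValueError("an amendment needs an entry to amend")
        # Label late documentation even when the caller files it as original.
        if kind == "original" and entry_time - service_time > LATE_AFTER:
            kind = "late_entry"
        body = {
            "seq": len(self.entries),
            "kind": kind,
            "author": author,                       # who made THIS entry
            "text": text,
            "service_time": service_time.isoformat(),
            "entry_time": entry_time.isoformat(),   # stamped by the system
            "copied_from": copied_from,             # provenance of cloned text
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {**body, "prev": prev, "hash": _digest(body, prev)}
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the seq of the first altered entry, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(body, prev):
                return i
            prev = e["hash"]
        return None


def build_demo():
    """Constructed sample: exam on 5/23, note entered 5/25, then cloned."""
    log = NoteLog()
    first = log.append("original", "dr_a", "Patient is allergic to drug X.",
                       service_time=datetime(2018, 5, 23, 10, 0),
                       entry_time=datetime(2018, 5, 25, 9, 0))
    log.append("addendum", "nurse_b", "Patient is allergic to drug X.",
               service_time=datetime(2018, 5, 26, 8, 0),
               entry_time=datetime(2018, 5, 26, 8, 5),
               copied_from={"author": first["author"],
                            "entry_time": first["entry_time"],
                            "seq": first["seq"]})
    return log


if __name__ == "__main__":
    log = build_demo()
    print([e["kind"] for e in log.entries], "intact:", log.verify() is None)
    # Backdating the late entry in place breaks the chain at that entry.
    log.entries[0]["entry_time"] = "2018-05-23T10:05:00"
    print("first altered entry:", log.verify())
```

A hash chain only detects edits to individual entries; the latest hash has to be kept somewhere the EHR's own users cannot write to, or a rewrite of the whole history would verify cleanly.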


Specific EHR Integrity Examples

Integrity Issue: Delayed Validation of Dictation Transcription

Example: Radiologist dictated report and the un-validated report was relied upon. Later, when the radiologist validated the report, he added a crucial “not” within the data entry, completely reversing the meaning of the report.

Establish process to ensure providers review, edit, and approve dictation in a timely manner.

Ensure all draft, un-validated reports are clearly marked.


EHR Integrity Example: Clinical Notes & Date Association

Date & time of service and date & time of entry are both important.

Example: Physician examines patient on 5/23 and enters note on 5/25 that patient is allergic to drug X; another physician prescribes drug X on 5/24 without the benefit of the first physician’s 5/25 note of the drug allergy.

Late entries should be noted.

EHR Integrity Example: EHR Entry Date/Time versus the Peripheral Device Date/Time

Example: Facility has multiple peripherals tied to the EHR, but each one shows a different time. ECG ordered for patient with chest pain at 1:00p and ECG performed at 1:09p, but ECG clock is wrong and shows performed at 1:39p. This is outside best practice window of 10 minutes and may not be reimbursed.

Verify that EHR and all peripherals are linked and automatically enter correct date/time stamp.


EHR Integrity Example: Patient ID & Demographic Data Issue

Patient Arthur Dobson (age 84, with dementia) is scheduled to see Dr. Smith in a hospital outpatient clinic. Registration clerk asks only for patient name. Pulls up record of Arthur Dobson, Jr. (his son, aged 49) and places in queue for Dr. Smith by mistake.

Multiple identity elements (name, address, DOB, SSN, …) should be used to identify the patient.

EHR Integrity Example: Data Entry Prompts That Are Optimized for Reimbursement

Example: Nursing home’s touch pad software is integrated with RAP and MDS. It prompts data entries optimized for reimbursement. Director finds that the software overstates therapy and underreports pain.

Add prompts to EHR to verify certain entries.


ECRI Partnership for Health IT Patient Safety: I-C-E

The Partnership makes three safe practice recommendations for developing, implementing, and integrating a health IT safety program:

1. Integrate: Identify ways to integrate health information technology (IT) safety into existing safety programs.

2. Collaborate: Convene the necessary stakeholders, including users, vendors, organizations, and patients to actively collaborate on safety.

3. Embed: Embed safety into the culture and daily workflow to achieve a unified vision of health IT safety.

See https://www.ecri.org/HITPartnership/Pages/Safe-Practices.aspx

EHR Data Integrity Liability Risks


EHR Data Integrity Liability Risks: Patient Harm

Theories of Liability

Negligence

Fraud

Qui Tam

EHR Data Integrity Liability Risks: False Claims

Federal & State Health Care Program False Claims

Civil Monetary Penalties Liability

OIG and NIST studies


EHR Data Integrity Liability Risks: Commercial Payors

Commercial Payor Fraud

Breach of Contract Liability

EHR Data Integrity Liability Risks: Other Risks

HIPAA fines and penalties

State or Accreditation survey deficiency findings

Loss of Accreditation


Overview of EHR Integrity Best Practices Checklist

Overview of Best Practices Checklist for EHR Integrity

Establish EHR Integrity Program

Perform Data Quality Audits

Implement & Enforce EHR Documentation Policies & Procedures

Utilize EHR Built-in Safeguards

Identify Safeguard Gaps & Work with Vendor to Address Gaps

Establish Process for Logging and Auditing EHR Activity


Best Practices for EHR Integrity

The EHR Integrity Checklist, cont.

Train EHR Users on Integrity Program Policies & Procedures:

EHR Security Requirements

EHR Documentation Requirements

Personal Responsibility for Security & Integrity

Enforce Disciplinary Policies for Violations

Review and Keep Abreast of Publications on EHR Integrity: Government (CMS, OIG, NIST); Industry (AHIMA, AMA); Patient Safety Focused (TJC, ECRI).
