August 31, 2018
Author: Diane S. Robben, Esq.
Organization: Sandberg Phoenix & von Gontard P.C.
I. Business Associates – Updates from HIPAA/HITECH
In late January of 2013, the Department of Health and Human Services issued the long-awaited final revisions to the HIPAA rules, with the final regulations under the HITECH Act. These final rules made a number of changes to the current HIPAA privacy, security, breach notification and enforcement requirements. The changes went into effect in March of 2013, and the compliance deadline was September 23, 2013. Despite the passage of time, many health care providers and Business Associates still have not updated (or implemented) a HIPAA compliance plan with all the required documentation. With the promise of more HIPAA audits to begin later this year, getting your HIPAA compliance program in order is crucial.
With regard to Business Associates, the definition has been expanded to include vendors who create, receive, maintain, or transmit PHI in order to perform a function on behalf of a covered entity. The addition of those companies who “maintain” PHI, even if they do not regularly view it, has broadened the reach of HIPAA. This expanded definition has resulted in many new and existing vendors now being considered business associates, with direct liability for compliance and increased responsibilities.
For instance, cloud computing companies that help with storage of electronic medical records and data are now considered business associates and are required to enter into written business associate agreements. Even if they do not routinely access the protected health information, they have the opportunity to, so the rules consider them business associates. True conduits of information, such as the US Postal Service, UPS or FedEx, or digital couriers, are not considered business associates. It is advisable to make a list of all vendors that meet this expanded definition to ensure your entity has updated written business associate agreements in place. When analyzing the vendors who perform services for you, note that one’s status as a business associate is based on roles and responsibilities, not upon whether one enters into a business associate agreement or contract. Therefore, if a covered entity gets pushback from a Business Associate who is utilizing the covered entity’s PHI to perform a service, such as auditing or scanning, remind them they are already acting as a Business Associate regardless of whether the document is signed. However, the burden is on the Covered Entity to ensure a written Business Associate Agreement is in place.
Another new provision of the final HITECH rules is to expand business associate reaches to subcontractors of a business associate who create, receive, maintain, or transmit PHI on behalf of the business associate. The business associate will need to have a written agreement in place with all subcontractors with whom it shares protected health information, holding them to the same responsibilities under HIPAA.
Pursuant to the new rules, Business Associates, as well as the subcontractors that they do business with, are directly liable for compliance with the HIPAA security rules and certain requirements of the HIPAA privacy rules. The new rules also require amendment of business associate agreements (BAAs) to address certain requirements. There is a tiered implementation schedule for covered entities and business associates to come into compliance. Generally, compliance with the new rules is required 180 days after the effective date of the HITECH Final Rules (3/26/13), which was September 23, 2013. Additional time is allowed to enter into conforming business associate agreements if the BAAs were in compliance with the pre-final rules, in which case they will have one year to come into compliance, or by September 23, 2014. If a BAA came up for renewal or was modified prior to September 23, 2013, it needs to be in compliance with the new Final rules. Finally, BAAs not otherwise modified or renewed prior to September 23, 2014 must be brought into compliance by that date. So, bottom line, all of your BAAs need to be in compliance with the HITECH changes by September 23 of this year.
Business Associate Agreements must be in writing and establish the permitted uses and required uses and disclosures of protected health information (PHI). The written BAA must also state that the BA is obligated not to use or further disclose PHI other than as permitted or required by the BAA or as required by law. You will want to be sure to include provisions regarding the required health plan disclosure restrictions for payment in full and remuneration limits under sales and marketing exceptions, if applicable, within your written BAA. Also, when updating your BAA you should consider any covered entity minimum necessary policies and procedures that would be applicable to the BA. The BA also must be obligated to use appropriate safeguards and comply with the Security Rule standards and specifications for electronic PHI, and ensure its subcontractors comply as well. Those subcontractors need to have a BAA with the BA agreeing to at least the same restrictions and conditions that apply to the BA.
It is important that the BA be required to report in a timely fashion to the Covered Entity any security incidents, including breaches of unsecured PHI, or any use or disclosure of information not provided for by contract of which the BA becomes aware. Knowledge of the BA of an incident is imputed to the Covered Entity, which is mandated by law to engage in a breach notification analysis and timely report if necessary. BAs are also obligated to comply with the Privacy Rules in carrying out their obligations and the written BAA should set those out in detail. If applicable, the BA should make the PHI available for individual rights under the Privacy Rule, including the right to access the records, to request amendment (with amended PHI incorporated), and to receive an accounting of disclosures. The BA also should be required to make its internal practices, books and records on use and disclosure of PHI available to HHS to determine the covered entity’s compliance with the Privacy Rule. Be sure to also include termination provisions within the BAA that address return or destruction of PHI, and the grounds for termination.
Health care is becoming more complex and sophisticated. Business Associates that have kept up with the changing environment will have implemented security and privacy provisions to ensure the integrity and confidentiality of the PHI that they access on behalf of covered entities.
For your higher-risk Business Associates, such as your IT company, billing, coding, or auditing vendors, it is crucial you develop a solid relationship and understand the protections they have put in place. The Business Associates are to have implemented written policies and procedures, just like the covered entities. We recommend you request to see the policies and procedures, as well as evidence of training, from these riskier vendors. After all, it is your PHI that they are handling, and ultimately your liability, now in addition to the Business Associate’s. Therefore, a little due diligence on the front end will serve you well in the event of a breach.
Also, you will want to review the indemnification and hold harmless provisions of the Business Associate Agreement. It is recommended you ensure the Business Associate has obtained adequate cyber liability/data breach insurance coverage. In the event of a breach of PHI that is caused by the Business Associate, the covered entity will want to be able to seek indemnification under the Business Associate’s insurance. As previously discussed, the fines and penalties for a HIPAA breach have increased tremendously. These fines, coupled with the potential third party civil liability, lost revenue, costs for legal services, and down time can add up quickly. Ensure you are adequately protected.
II. Record Keeping and Retention Guidelines and Association Guidelines for Document Management
A. Duty to Create and Maintain Records
While the duty to retain medical records for purposes of ensuring quality care may be obvious to most health care providers, the integrity and veracity of the medical records can often make or break the defense of a claim in court. In trial, there are often four truths: the patient’s truth, the health care provider’s truth, the jury’s truth, and what is in the medical records. An influencing, if not critical, element of a successful malpractice defense may be the integrity, content, and professional appearance of the relevant medical records on which the health care provider must rely. The written record should thus objectively and fully document the patient’s illness and treatment. This truth reigns regardless of whether you utilize paper records or an electronic medical record.
Healthcare providers, including hospitals, physician practices, nursing homes, home health providers, etc., all have legal obligations to maintain and preserve medical records. This is critical in defense of future medical malpractice claims. Improper record keeping has significant consequences. The improper release of medical records and the improper destruction of records can lead to civil and/or criminal liability. In Illinois, any individual who willfully or wantonly discloses hospital or medical record information is guilty of a Class A misdemeanor. 210 ILCS 85/6.17(i). Willful or wanton means a course of action that shows an actual or deliberate intention to cause harm, or if not intentional, shows an utter indifference to or conscious disregard for the safety of others or their property. Organizations and individuals may be held responsible in civil proceedings, and therefore monetarily, if medical records are released without a valid authorization or otherwise not in accordance with the law. Anyone helping another to wrongfully disclose the medical records may be held personally liable. A hospital may be held liable for an employee’s wrongful production of a patient’s medical records. Insurance does not typically cover this type of event, which may lead to an outcome that is financially devastating to the hospital and the individuals responsible. Jury awards have been seen as high as $300,000 to $400,000 for improper release of information.
B. Spoliation of Evidence
Equally troubling is what happens if the medical records, or a portion, cannot be located. Not only is there a duty to make medical records by various healthcare providers, there is a similar duty to preserve them. Because physicians and hospitals are now subject to statutory and regulatory obligations to maintain medical records and to safeguard the integrity of those records, a failure in either respect may result in legal liability in the context of a malpractice suit and perhaps also from the standpoint of an independent liability based upon a nondisclosure of information that should have been maintained and disclosed by the provider.
Spoliation is the intentional destruction, mutilation, alteration or concealment of evidence. See Black's Law Dictionary 1409 (7th ed. 1999). The term includes both intentional and negligent losses of evidence. In the context of medical malpractice litigation, the absence of a relevant medical record which the health care provider should be able to produce, but which is missing for whatever reason, can spell the difference between winning and losing the case.
Historically, spoliation referred to the intentional or deliberate destruction of evidence with fraudulent intent, but recently has been broadened to cover innocent or inadvertent loss of evidence which is critical to a court proceeding. Penalties for spoliation will be imposed upon a party to a lawsuit who is responsible for the loss of evidence. Nonparties are not subject to punishment. If a litigant is guilty of spoliation, the trial judge has wide discretion in determining what sanction is appropriate. Penalties will not generally be imposed if a party discards items in good faith pursuant to its normal business in the absence of notice of pending litigation or a specific claim. If, however, there is reason to believe that the documents or evidence might be needed for present or future litigation, and if that evidence is lost or destroyed, the litigant can be subject to severe sanctions. Indeed, if it is believed that the loss or destruction of physical evidence was willful, for the purpose of preventing its use in an official court proceeding, the penalties may even become criminal.
The Illinois Supreme Court recognizes negligent spoliation of evidence, or improper destruction of evidence, as a separate cause of action. Boyd v. Travelers Insurance Co., 166 Ill.2d 188, 652 N.E.2d 267, 209 Ill.Dec. 727 (1995). In this case, the plaintiff was using a propane catalytic heater in a van to keep warm when it exploded, injuring the plaintiff. 652 N.E.2d at 269, 209 Ill.Dec. at 729. The plaintiff filed a workers’ compensation claim against his employer and the workers’ compensation insurer. Id. The insurer told the plaintiff that it needed the heater to investigate the workers’ compensation claim and that it would inspect and test the heater. Id. When the heater was requested from the insurer, it was unable to be located, and the plaintiff was then unable to bring his claim against the manufacturer of the heater. Id.
On appeal to the Illinois Supreme Court, the Court recognized the destruction of evidence as a cause of action under existing negligence laws. This means the plaintiff must prove the defendant owed the plaintiff a duty, the defendant breached that duty, which resulted in an injury caused by the breach, and damages. Id. at 194-95, 652 N.E.2d at 270, 209 Ill.Dec. at 730. See also Dardeen v. Kuehling, 213 Ill. 2d 329, 335-36 (2004). The causation and damage elements require the plaintiff to demonstrate that “but for the defendant’s loss or destruction of the evidence, the plaintiff had a reasonable probability of succeeding in the underlying lawsuit.” Id. at 196, 652 N.E.2d at 271, 209 Ill.Dec. at 731. While the cause of action in Boyd was for products liability, the Illinois Supreme Court also recognizes negligent spoliation in medical malpractice cases and applies the same elements. Miller v. Gupta, 174 Ill.2d 120, 672 N.E.2d 1229, 220 Ill.Dec. 217 (1996) (x-rays inadvertently destroyed when housekeeping thought they were to be thrown out). A spoliation of evidence claim could also arise between co-defendants (e.g., in a failure to diagnose case where a physician relies upon a hospital to transcribe his or her dictation but inadvertently loses the dictation, and with it any evidence that the physician performed a thorough medical examination and evaluation).
More recently, the Illinois courts have further defined what the plaintiff must show to prevail on a spoliation of evidence claim. In Midwest Trust Services, Inc. v. Catholic Health Partners Services, No. 1-06-2257, the court found the plaintiff must show that but for the missing evidence, it had a reasonable probability of succeeding in the underlying medical malpractice case. In Midwest Trust, the estate of a man who died of a heart attack about 48 hours after he underwent cervical fusion surgery brought an Illinois medical malpractice lawsuit against the hospital and doctors. The estate also filed a “spoliation of evidence” claim, alleging that the hospital failed to preserve an “occurrence report,” which is typically created after a death at the hospital within 48 hours of surgery. The estate also alleged that the hospital failed to preserve “cardiac-monitoring strips” generated on the date the decedent was admitted to the hospital for surgery. The estate alleged that the failure to preserve this evidence impaired its ability to prove the underlying medical malpractice action.
The estate went to trial in its medical malpractice action. The jury returned a verdict in favor of two defendants, but was unable to reach a verdict against the remaining defendants and a mistrial was declared. After the case was remanded, the estate amended its spoliation claim to assert that “but for” the defendant’s acts or omissions, it “would have prevailed” in the underlying medical malpractice case. The trial court granted summary judgment in favor of the hospital because it found that the loss of the cardiac-monitoring strips did not cause the estate to be unable to prove its medical negligence case. Even without this evidence, the plaintiff’s medical expert witness was able to render his standard-of-care opinions against the hospital.
On appeal, the appellate court stated that the “primary issue” in the spoliation action was whether the loss, destruction or alteration of the cardiac-monitoring strips prevented the plaintiff from proving its case against the hospital in the underlying medical malpractice action.
The court held that the estate failed to show that “but for” the missing cardiac-monitoring strips, it had a “reasonable probability of succeeding” in its medical malpractice action against the hospital. The appellate court found that the estate’s medical expert witness, a cardiologist, testified that after a review of the decedent’s medical records he had sufficient information to form an opinion based upon a reasonable degree of medical certainty that the hospital deviated from the standard of care, without reviewing the cardiac-monitoring strips. Accordingly, the appellate court held the trial court did not err in granting summary judgment in favor of the hospital.
Obviously, if plaintiff’s experts had opined they were unable to draw conclusions or render opinions due to the missing medical records, the outcome in this case may have been different. This case emphasizes the need to have proper records storage and retention policies so as to avoid a possible spoliation of evidence claim. Boyd v. Travelers Insurance Co., 166 Ill. 2d 188, 194-95 (1995). Accordingly, a plaintiff claiming spoliation of evidence must prove that: (1) the defendant owed the plaintiff a duty to preserve the evidence; (2) the defendant breached that duty by losing or destroying the evidence; (3) the loss or destruction of the evidence was the proximate cause of the plaintiff’s inability to prove an underlying lawsuit; and (4) as a result, the plaintiff suffered actual damages. Dardeen, 213 Ill. 2d at 336; Boyd, 166 Ill. 2d at 194, 196. The improper destruction of evidence, including medical records, which makes it so that a plaintiff is unable to bring his or her case, can result in the hospital being civilly liable to the patient. This can result even though the records, if kept, may have cleared the hospital and practitioner of negligence in an underlying medical malpractice claim.
These cases demonstrate the importance of maintaining the medical records of your patients, and ensuring they are retrievable in the event of a later lawsuit. It is often impractical to maintain records indefinitely and there are guidelines that set out retention periods that can provide you with a valid defense to a spoliation of evidence claim.
C. Statutory Retention Requirements
The Illinois Hospital Licensing Act requires that medical records be maintained on every patient according to hospital policy and for a period of not less than ten years. 210 ILCS 85/6.17(c). If the hospital is notified in writing by a patient’s attorney before the expiration of the ten year period informing the hospital of future or pending litigation involving the record of the patient, then the hospital is obligated to maintain that record until either the hospital is notified in writing by the plaintiff’s attorney that the case has been concluded or twelve years, whichever occurs first. Id. The statute takes into account the extended statute of limitations to which minors are entitled in some instances. See 735 ILCS 5/13-212.
Additionally, the Illinois X-Ray Retention Act requires that x-rays should be maintained for five years. 210 ILCS 90/1. However, if the hospital is notified within the five year period that litigation is anticipated or pending involving the particular x-ray, then the hospital shall keep the x-ray, or a minified copy, in its regular records until it is given notice from those parties of record that the case has been concluded or for a period of twelve years from the time the x-ray was produced, whichever is first.
D. American Health Information Management Association Retention Guidelines
The following table contains the guidelines from the American Health Information Management Association. These are not laws, but rather should be viewed as recommendations developed by the organization based on a survey of laws across the nation.
| Health Information | Recommended Retention Period |
|---|---|
| Diagnostic Images | 5 years |
| Disease Index | 10 years |
| Fetal Heart Monitor Records | 10 years after the infant reaches the age of majority |
| Master Patient/Person Index | Permanently |
| Operative Index | 10 years |
| Patient Health/Medical Records (Adults) | 10 years after the most recent encounter |
| Patient Health/Medical Records (Minors) | Age of majority plus the statute of limitations |
| Physician Index | 10 years |
| Register of Births | Permanently |
| Register of Deaths | Permanently |
| Register of Surgical Procedures | Permanently |
E. Destruction of Patient Health Information
Just as important as maintaining a system for properly storing and accessing medical records is having a detailed protocol for how medical records and patient information will be destroyed once the retention period has expired. CVS Pharmacy paid $2.5 million for a HIPAA violation when it was discovered they had a practice of discarding patient information, such as identifying information on pill bottle labels and other paperwork, in industrial trash containers outside selected stores that were not secure and could be accessed by the public.
Naturally, records involved in any open investigation, audit or litigation should not be destroyed. You should ensure you have a “litigation hold” program in place to preserve all the necessary documentation and evidence in the event of litigation being filed. For those records that are ready for destruction, the following recommendations should be followed:
• Destroy the records so there is no possibility of reconstruction of the information.
• Appropriate methods for destroying paper records include burning, shredding, pulping, and pulverizing.
• Use recycling or pulverizing for destroying microfilm or microfiche.
• Pulverize discs.
• Computer data – consult your IT expert.
It is also important that you document the destruction with proper log books. The log should include information such as the date of destruction, method of destruction, description of the disposed-of records (including media type(s)), inclusive dates covered, a statement that the records were destroyed in the normal course of business, and the signatures of the individuals supervising and witnessing the destruction.
I also recommend a Certificate of Destruction be prepared for each patient record. This certificate and other destruction documentation should be maintained permanently. It is important for the institution to maintain these documents to be able to prove the records were destroyed in the hospital’s regular course of business. Absent this documentation, it is possible a Court could allow a spoliation of evidence claim, where a negative inference could be made and the jury could infer in a negligence suit that if the records were available, they would show the facility acted improperly in treating the patient.
If contracting out your destruction services, be aware there are requirements within HIPAA that must be complied with. There must be a Business Associate Agreement in place between the destruction company and the hospital, ensuring compliance with HIPAA privacy rules. Furthermore, the contract should indemnify the healthcare facility from loss due to unauthorized disclosure, require the company to maintain liability insurance in specified amounts at all times the contract is in effect, and provide proof of destruction. The contract should also specify the method of destruction and the timing of when destruction will take place after they acquire the data.
III. Guidelines for Defining the Legal Health Record for Disclosure Purposes
In years past, the definition of a patient’s legal health record was fairly straightforward – the manila colored folder that contained all of the paper documents generated while a patient was at the hospital (together with the radiology films and results of other imaging studies). However, with the advent of various electronic media and the Internet, the definition of the legal health record has evolved and presents a challenge to health care providers. The need to ensure information is accessible for its ultimate purposes, regardless of the technologies employed or users involved, remains critical.
It is important for each organization to define the content of the legal health record that best fits its facility and develop policies and protocols to ensure uniformity. Considerations for the content of the legal health record should include ease of access to different components of patient care information, guidance from medical staff and the organization’s legal counsel, community standards of care, federal regulations, state law and regulations, standards of accrediting agencies, and the requirements of third-party payers.
The legal health record is generated at or for a healthcare organization as its business record and is the record that will be disclosed upon request. It is the documentation of healthcare services that have been rendered to a patient during any aspect of healthcare delivery in any type of healthcare organization. The legal health record includes individually identifiable data, stored on any medium, and collected and directly used in documenting healthcare or health status.
Furthermore, it is records of care in any health-related setting used by healthcare professionals while providing patient care service for administrative, business or payment purposes. It may be paper based, electronic or computer based, or a hybrid of the two.
The American Health Information Management Association provides a comprehensive list of the types of data considered to be part of the legal health record. This includes:
• Advance Directives
• Allergy records
• Alerts and reminders
• Analog and digital patient photographs for identification purposes only
• Anesthesia records
• Care plans
• Consent forms for care, treatment and research
• Consultation reports
• Diagnostic images
• Discharge instructions
• Discharge summaries
• Email messages containing patient-provider or provider-provider communication regarding care or treatment of specific patients
• Emergency department records
• Fetal monitoring strips from which interpretations are derived
• Functional status assessment
• Graphic records
• History and physical examination records
• Immunization records
• Instant messages containing patient-provider or provider-provider communication regarding care or treatment of specific patients
• Intake and output records
• Medication administration records
• Medication orders
• Medication profiles
• Minimum data sets (MDS, OASIS, IRF PAI)
• Nursing assessments
• Operative and procedure reports
• Orders for treatment, including diagnostic tests for laboratory and radiology
• Pathology reports
• Patient-submitted documentation
• Patient education or teaching documents
• Patient identifiers (medical record number)
• Photographs (digital and analog)
• Post-it notes and annotations containing patient-provider or provider-provider communication regarding care or treatment of specific patients
• Practice guidelines or protocols and clinical pathways that imbed patient data
• Problem lists
• Progress notes and documentation (multidisciplinary, excluding psychotherapy notes)
• Psychology and psychiatric assessments and summaries (excluding psychotherapy notes)
• Records received from another healthcare provider if they were relied on to provide healthcare to the patient
• Research records of tests and treatments
• Respiratory therapy, physical therapy, speech therapy and occupational therapy records
• Results of tests and studies from laboratory and radiology
• Standing orders
• Telephone messages containing patient-provider or provider-provider communications regarding care or treatment of specific patients
• Telephone orders
• Trauma tapes
• Verbal orders
• Wave forms such as ECGs and EMGs from which interpretations are derived
• Any other information required by Medicare Conditions of Participation, state provider licensure statutes or rules, or by any third-party payer as a condition of reimbursement.
Overall, defining the legal health record requires determining how the information is used and whether it is reasonable to expect the information to be routinely released when a request for complete medical record is received. It does not matter in which medium it is stored. However, it is important to be able to gather the information in its entirety.
When electronic methods go down, health care providers need to have a method of documenting health care services, often referred to as Downtime Procedure Documents. For many hospitals and physician offices, this means going back to the paper flow sheets. When the electronic system is restored, electronic charting will continue. However, it is important to ensure the paper sheets are scanned in or somehow made a part of the electronic legal health record.
Another consideration is what to do with the hybrid chart, containing both electronic charting and paper documentation signed by the patient. Many hospitals have created a system of scanning in paper documents and linking them to the electronic health record, so that there is just one medium. It is important for the hospital or health care institution to ensure quality and accurate scanning procedures are implemented and followed.
Documents typically not included within the Legal Health Record include Administrative Data and Documents. The American Health Information Management Association defines Administrative Data and Documents as patient-identifiable data used for administrative, regulatory, healthcare operations, and payment purposes. This is often the left-hand side of the chart. Examples include:
• Abbreviation and do-not-use abbreviation lists
• Audit trails related to the EHR
• Authorization forms for release of information
• Birth and death certificate worksheets
• Correspondence concerning requests for records
• Databases containing patient information
• Event history and audit trails
• Financial and insurance forms
• Incident or patient safety reports
• Indices (disease, operation, death)
• Institutional review board lists
• Notice of privacy practices acknowledgements
• Patient-identifiable claims
• Patient-identifiable data reviewed for quality assurance or utilization management
• Protocols and clinical pathways, practice guidelines, and other knowledge sources that do not imbed patient data
• Psychotherapy notes
• Staff roles and access rights
• Work lists and works-in-progress
(AHIMA e-HIM Work Group on the Legal Health Record. “Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes.” Journal of AHIMA 76, no. 8 (September 2005): 64A-G).
Do not include peer review, risk management or legal consultation documentation in the chart. These documents are privileged and confidential and should be maintained in a separate location. Also, be careful about maintaining credit card information in the charts that may be open and accessible to others in the office. Just as there are privacy regulations for confidential health information, entities are also governed by various FTC requirements to ensure the confidentiality of financial information as well.
Overall, the health care institution should have defined and specific policies to ensure adequate and confidential handling of the medical records, and consistency throughout. Health information professionals are faced with ever-changing challenges regarding medical records as the shift to electronic medical records becomes more of a priority.
IV. Documentation Guidelines for Risk Management, Physicians and Nurses
A comprehensive discussion of all suggestions and recommendations of proper documentation in the medical chart is beyond the scope of this article. However, what follows are some general tips to help ensure the integrity of the medical record and its use later in the courtroom to defend against a medical malpractice claim.
Some suggestions for improving the credibility of the medical records and to diminish the likelihood of an adverse inference include:
• Assure that all entries are made timely. Late entries or entries made “after-the-fact” are suspicious, and plaintiff’s attorneys love to attribute some ill motive or cover-up to the delay. Furthermore, logic suggests that the more time between the events and the entry, the more likely the information will be incomplete, inaccurate or contradictory to other information in the chart.
• Entries should be clear, objective and legible, and include the identity of the person who made the entry. With EMRs this issue has been significantly reduced.
• Entries should be factual and not judgmental. Ensure sufficient factual information is provided without passing judgment or rendering opinions.
• When doing narratives, physicians should use a standard form of charting, such as “SOAP,” which includes:
o The patient’s “S”ubjective complaints;
o The “O”bjective findings;
o The physician’s “A”ssessment; and
o The “P”lan for the patient’s treatment.
• Be sure to review and edit all entries. Typographical errors look sloppy and careless, and suggest a disregard for attention to detail. If the notes are careless, how is the care?
• Follow approved policies for errors and major changes.
o Typically there are protocols requiring a line through the entry, with the word “error” written above and the initials and date. The original entry should not be obliterated.
o Avoid using “white-out.” It literally and figuratively means a “cover-up.”
• Never use “post-its” or sticky notes. If it is important to record, then write it down.
• Do not include any peer review materials within the chart, or correspondence from attorneys. This may result in inadvertent disclosure and loss of the privileged status of those documents.
• Be able to retrieve the records – beware of “the shed.” Have a good filing system to be able to retrieve/recall charts.
In addition to ensuring the integrity of the entries themselves, there are also good risk management practices for ensuring the proper maintenance and retention of medical records, as well as physical evidence that is likely to be used in a future lawsuit. Some suggested best practices include:
• Do not release originals of records, specimens, or radiology films unless required by a court order. Have a policy in place that addresses removal of medical records and prohibits any employee, contractor, physician or agent from removing records (in full or in part) from the premises. When records are requested for legal proceedings, every effort should be made to submit a copy. If the original is subpoenaed to be brought to court, have someone from the hospital escort the chart to court, present it, and bring it back. Do not turn over originals!
• Develop a good tracking and sign-out procedure to prevent loss of medical records. Confirm in writing the return of original films, records, slides, or specimens.
• Secure records storage areas or systems and limit the number of persons with access to only those with authorization.
• If medical records are being transferred or converted to another medium (e.g., scanned into the computer, or transferred onto disc/microfiche), implement a verification system to ensure there were no alterations, missed pages or errors, and that the records are readily retrievable.
• Retain copies of all radiology films taken, including inadequate films or scout films. Keep them all together in the same jacket.
• Develop a policy for sequestering or “lock-up” of the original chart when a sentinel event has occurred to preserve its integrity and limit access.
• Be aware of your document retention and destruction policies. Be sure to follow them, and do not destroy documents in the normal course of business if you have any reason to believe they will be required for litigation. If you are placed on notice of a claim, the fact that the retention period has run will not protect you from a spoliation claim if you destroy the records.
V. Use of Medical Records at Trial
In the context of defending a medical malpractice case, the medical records can make or break a case. The information can be helpful or harmful to the defense, and how it is presented and utilized can be key. Assume that everything that is included in the medical record is admissible. Therefore, it is important to choose your words and phrasing carefully. Also, only parts of the record may be used, rather than the record in its entirety. Therefore, be mindful of things being taken out of context.
With the increased use of technology in the courtroom, anticipate the records will be larger than life, on the big screen in front of the jury. Furthermore, the medical record is often used as its own witness, discounting what the parties to the litigation are now saying years later when they have obvious agendas and motives behind their explanations.
The use of metadata for auditing and tracking the timing of entries is becoming more common. Most EMRs are able to generate reports that show when original entries were made, any alterations to the entries, when they were finalized, when they were accessed and what location the healthcare provider was at when the information was entered. Therefore, your staff need to be mindful of this if they are ever deposed and have to recreate how they entered information. Plaintiff’s attorneys are becoming more savvy and requesting this information.
The audit trails are also a way to determine whether someone is accessing information that they should not, which could be a potential HIPAA Breach.
1 78 Fed. Reg. 5,566 (Jan. 25, 2013).