Maintenance of Medical Records
Maintenance of Medical Records
Patients have a fundamental right to privacy and for physicians and staff to respect their confidentiality (American Medical Association, n.d.). The maintenance of medical records is an important part of providing lifelong, quality care, but breaches of confidentiality can happen when these records fall into the wrong hands, whether intentionally or unintentionally. While this has always been true, the risk of such a breach occurring has been greatly elevated with use of electronic health records (Balestra, 2017).
The use of medical scribes is one gray area regarding non-clinical staff encountering health information. On one hand, the use of the scribes can free up time for providers to engage with patients face-to-face; this is valuable in a time when providers spend more time documenting in the EHR than in patient-facing care (Balestra, 2017). However, scribes (non-clinical staff) are then allowed access to otherwise confidential health information. This might disrupt the provider-patient dynamic; it’s possible that patients might not fully disclose helpful information in the presence of a third party. As a result, their treatment may suffer (Sulmasy et al., 2017).
Health information should be accessed on a need-to-know basis. As such, there should be few circumstances that warrant non-clinical healthcare staff to have permission to view this information. In the situations where this is warranted, access should be limited to only that information which is needed to complete the task. For example, personnel in the billing department might have access to diagnostic codes, but not narrative notes. It is recommended that clinics define and standardize their workflow prior to selecting and implementing an EHR (Ozair et al., 2015). In doing so, access to necessary parts of the EHR (and those parts only) can be built into the interface for each user depending on their role. In order to protect patient confidentiality, health IT systems should be designed with security as a top priority. Firewalls, data encryption, and two-factor authentication should be used ubiquitously.There should be a clear cut policy delineating the expectations for accessing health information and consequences for users who violate these expectations. Health IT systems should include a mechanism for auditing use. Ideally, the auditor would be able to ascertain who accessed what part of the EHR, when, for how long, and for what purpose.
References:
American Medical Association. (n.d.). Code of Medical Ethics Opinion 1.1.3. Retrieved from: https://www.ama-assn.org/delivering-care/ethics/patient-rights#:~:text=To%20courtesy%2C%20respect%2C%20dignity%2C,and%20costs%20of%20forgoing%20treatment .
Balestra, M. L. (2017). Electronic Health Records: Patient Care and Ethical and Legal Implications for Nurse Practitioners. The Journal for Nurse Practitioners, 13(2), 105–111. https://doi.org/10.1016/j.nurpra.2016.09.010
Ozair, F.F., Jamshed, N., Sharma, A., & Aggarwal, P. (2015). Ethical issues in electronic health records: A general overview. Perspectives in Clinical Research, 6(2), 73-76.DOI: 10.4103/2229-3485.153997
Sulmasy, L. S., López, A. M., & Horwitch, C. A. (2017). Ethical implications of the electronic health record: In the service of the patient. Journal of General Internal Medicine, 32(8), 935–939. https://doi.org/10.1007/s11606-017-4030-1
Should clinical and non-clinical healthcare staff have the same permissions for viewing health information? Why or why not?
It depends on the non-clinical role whether someone should have the same permissions for viewing health information. A patient unit clerk or someone in charge of registering patients may have limited access to patient demographic, chief complaints, or access to patient insurance information in the Emergency Department. However, they do not need access to patient history or clinician notes. A coding auditor, for example, may need access to physician or nursing notes to validate that charges/coding on a patient’s account is correct based on clinician documentation.
What should confidentiality policies related to health IT systems include?
The security management process and security requirements by the Health Insurance Portability and Accountability Act of 1996 (HIPPA) protect patient privacy with provisions to safeguard patient information (Balestra, 2017). Patients should be given a choice as to whether allow personal health information to be available to others, to whom, and how. Confidentiality policies should also include annual employee competency training on confidentiality and protection of patient privacy regarding patient E.H.R. Individuals affected by a breach of information should be notified by covered entities or C.E.’s (health plans, healthcare clearinghouses, and clinicians) (healthit.gov). Protecting patient privacy is a shared responsibility, and policies related to I.T. systems should reassure patients that full adherence to confidentiality and security standards are being met. References: Balestra, M. L. (2017). Electronic Health Records: Patient Care and Ethical and Legal Implications for Nurse Practitioners. The Journal for Nurse Practitioners, 13(2), 105–111. https://doi.org/10.1016/j.nurpra.2016.09.010
The Office of the National Coordinator for Health Information Technology Health IT Playbook (2020, March 11). Privacy and Security. https://www.healthit.gov/playbook/privacy-and- security/
· The purpose of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to establish national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge (CDC, 2018).
· HIPAA contains standards for individuals’ rights to understand and control how their health information is used. A primary task is to ensure that individuals’ health information is adequately protected while sharing health information with multiple providers to ensure up-to-date patient information is available. Easier access to medical records through patient portals promotes autonomy, inclusion, and well-being.
· Balestra (2017) discusses the importance of patient privacy, cyber security, liability, and access to information. For example, as a clinical instructor for the University of Hawaii, the students are not allowed the same level of access to a patient’s chart as an RN at the bedside. It is reasonable for the health care organization to assume some risk with students as a teaching facility. However, the organization has determined that some risks are not valued, and restrictions are placed to prevent catastrophic errors or inappropriate exposure to sensitive information.
· Careful consideration should be given to anyone requesting access to EHRs. Job descriptions, the department where one works, licensing, facility access, and yearly corporate compliance training should all be considered. Therefore, equal access to patient information is inappropriate and should be determined based on need.
· IT systems confidentiality policies should include limited access to sensitive patient information, ensure cyber security by using password protection and dual verification measures, yearly corporate compliance training, and limiting the use of thumb drives and other outside sources that can introduce malicious viruses and place data at risk for phishing schemes (ACHE, 2021).
References American College of Healthcare Executives. (2021, December 6). Health Information Confidentiality. Retrieved April 18, 2022, from https://www.ache.org/about-ache/our-story/our-commitments/ethics/ache-code-of-ethics/health-information-confidentiality Balestra, M. L. (2017). Electronic Health Records: Patient Care and Ethical and Legal Implications for Nurse Practitioners. The Journal for Nurse Practitioners, 13(2), 105-111. http://dx.doi.org/10.1016/j.nurpra.2016.09.010 Centers for Disease Control and Prevention. (2018, September 14). Health Insurance Portability and Accountability Act of 1996 (HIPAA) | CDC. CDC. Retrieved April 18, 2022, from https://www.cdc.gov/phlp/publications/topic/hipaa.html
