| |||||||||||||
|
Home
|
For other articles and previous issues click here. June 17, 2002 PULP
PROTECTION: SECURING PAPER-BASED MEDICAL RECORDS Much focus has been placed on fortifying
electronic transmissions, but let’s not ignore that old standby:
paper. The Health Insurance Portability and Accountability Act (HIPAA) is an extension of this age-old concern, consisting largely of common-sense requirements to ensure the continuing confidentiality of patients’ medical information in all of its forms. The regulations stemmed from growing concerns about the security of electronically stored and transmitted data. Since its inception, though, the rule has expanded to include not only electronic medical records, but also oral communications (to be examined in the next issue of For the Record) and paper medical records. For years, a debate has been waged over the safety and security of paper vs. electronic records in the medical community. On one side is the argument that paper records are easier to manage and control because access is necessarily limited. By their nature, paper records are impervious to computer hackers, and, unless they are manually converted to electronic form, there is far less potential for the errors that occur during the transcription process. Electronic records, others say, are more efficient because most billing, including Medicare and Medicaid, is done electronically. Electronic records are less likely to be misplaced or lost and allow for safety precautions, such as computerized monitoring of prescriptions to prevent allergic reactions or undesirable drug interactions. In the end, most believe that there is, and may always be, a place for both electronic and paper records in the medical industry. The records of many smaller practices and rural hospitals continue to be paper-based. However, because they make billing more efficient, the majority of large urban practice groups and hospitals have already made the switch to electronic records, according to Michael R. Costa, attorney and associate at Greenberg Traurig, LLP, in Boston, Mass. However, he adds, most of these organizations maintain warehouses where they store paper records that have been transcribed to electronic form. “There is resistance from some about going to a completely electronic format because there are still some questions about privacy,” Costa says. “There is definitely still a place for paper-based medical records, but the focus from now on will be on making sure that information can be adequately secured.” There is a distinct trend toward the use of electronic records in the medical industry, agrees C. Frederick Geilfuss, partner in the health law department of Foley & Lardner, in Milwaukee, Wis. While many larger providers have already begun the shift, he has not encountered any institutions that have made a complete transition—an event that he believes is still in the distant future. “There are quite a few doctors out there who are not technologically minded and who prefer paper records,” he explains. Changing from paper to electronic records requires organization, as well as technology, because a switch made on a going-forward basis would result in two sets of medical records—paper and electronic—with an increased potential for confusion. HIM professionals using paper-based systems are confronted by many of the same challenges regarding HIPAA compliance as their colleagues who have switched to electronic records. Although the legislation was originally intended to ensure security and privacy of electronically stored and transmitted information, it has evolved to include all types of communications. “HIPAA extends to any manifestation of patient confidentiality, including what people do in medical offices and what they say about confidential information,” explains Henry E. Schwartz, partner in the business and corporate department in the Baltimore, Md., office of Blank, Rome, Comisky, and McCauley, LLP. “Healthcare providers will all be involved in the electronic storage and transmission of information, but that information will also exist or be communicated in other ways, such as paper, telephone, and conversations.” Under HIPAA, physicians are required to obtain signed consent forms from patients before distributing medical information. Additionally, providers will be required to give patients written information about the office policies and procedures that are in place to ensure confidentiality of medical records. These requirements will make it more difficult for healthcare organizations to segregate electronic and paper-based security practices, Schwartz says. These HIPAA-generated forms will likely be electronically generated and stored, but they will also remain on record as hard copies. “This results in a crossover that means people will have to consider all of the rules,” he says, “regardless of whether they are using primarily electronic- or paper-based systems.” The HIPAA security requirements for paper-based records are the same as those that apply to oral communications and electronic information, Costa explains. It will be necessary to ensure that the minimal amount of information is disclosed at any time, and providers will need to adhere to restrictions about uses of patient information for medical research and quality assurance purposes. Monetary penalties for noncompliance can range from $10,000 to $250,000, depending upon whether disclosure of information is accidental or for commercial profit, he says. There are also criminal penalties ranging from five to ten years in prison for willful release of patient information without patient consent. This new legislation has resulted in a heightened awareness of the need for security—measures that most entities were taking all along, says Geilfuss. “The regulation includes guidelines and requirements for an industry that has, for the most part, always been compliant,” he explains. “Still, the legislation is very broad and adds extensive requirements and the attendant expenses for providers, even those who have consistently maintained the confidentiality of medical information.” Most medical providers have long-standing policies that limit access to medical records, but, with an increasing number of institutions changing over to electronic systems and with the resulting ability to rapidly disseminate patient medical information, many people felt legislation was vital to ensure continuing protection. While securing paper medical records in either an office or at an off-site facility is often lock-and-key simple, it is always important to monitor and limit employee access to vital and confidential information. “There is really nothing new under the sun, as far as security measures, for paper medical records,” says Schwartz. “Medical information has always been confidential, and, in the larger sense, HIPAA didn’t change that.” Although HIPAA does not specify the means by which requirements must be met, most security measures are simply based on common sense, beginning with an assessment of office practices in order to determine the current state of security for written and oral information, he says. Among the measures that Schwartz recommends are locking medical records files and restricting physical access to them; implementing a policy to ensure that no one enters medical files without authorization and reason to do so; developing a fax policy to ensure that faxed medical information is received by the person for whom it was intended; and, perhaps most simply, not leaving medical files on desks or tables around the office. “It’s great that medical records are protected when they are in a storage cabinet,” Schwartz comments, “but what happens when someone takes them out to look at them? Does the person leave them lying around while he or she leaves to get a cup of coffee?” He also suggests involving staff members in discussions about confidentiality policies and procedures to reinforce the reasons for security goals and to clarify the best methods for arriving at them. “What you are looking at is a common-sense approach,” he explains. “Every provider needs to talk with his or her staff about the practicalities of these policies—to let them know that they need to protect this information; slips in confidentiality are not acceptable.” As bulky paper records accrue, many healthcare organizations opt to store them in off-site warehouses or storage facilities. Historically, this has not presented any problems of which Schwartz is aware, but he cautions administrators to include security policies in contracts with off-site storage providers. He adds that, when disposed of, paper medical records should always be shredded. “If anyone gets ahold of them,” he advises, “they should be unreadable and unrecognizable.” Technologically speaking, the medical
community has reached a point where it is possible to secure electronic
medical records through various encryption and protection products.
Throughout the industry, there is a strong trend toward streamlining
and reducing administrative costs. One way to do that, Costa says,
is to reduce the administrative and financial burdens of paper-based
information, including transcription, storage, and faxing. “There
is a real push to convert to a completely electronic format,”
he explains. “You can see evidence of it in the fact that people
are paying bills and using more Internet services than ever. We
are moving toward an electronic age, not only in our personal lives,
but also in healthcare.” “Security of healthcare records is 80% administrative and 20% technical,” says Christopher T. Batterman, director of marketing at Spacesaver Corp. in Fort Atkinson, Wis. “Much of the work in this area falls on the individual because it is the responsibility of HIM professionals to maintain the integrity, security, and availability of medical records.” To address the technical aspects of securing paper medical records, Spacesaver offers several accessories, including lockable drawers that can be retrofitted to existing open shelving. High-density mobile storage units that allow for different configurations of filing units are another option—one that solves the dual problems of security and limited storage space. By integrating electronic security devices with this system, providers can also establish a personal identification number (PIN) system to restrict employees’ access to only those files they need to see. “Using a PIN to access a filing system eliminates the need for keys and the possibility of losing them,” Batterman adds. “Providers can also program PINs into different aisles or units so that only specific information relevant to an employee’s job will be accessible.” Rotary cabinets, an alternative to mobile file units, are also a good choice for meeting HIPAA requirements and have been in use for approximately 30 years, according to James Lavin, national sales manager for Richards-Wilcox Inc., manufacturer of Times-2 Speed Files. Rotary cabinets contain two or more shelves within a housing, which rotates like a “lazy Susan” and accommodates the end-tab files most often used in medical practices, he explains. The cabinets not only save space, but they can also be used as room dividers and accessed by workstations on two sides. Susan Niemiec, marketing manager at Richards-Wilcox, adds that new filing solutions often contain elements that make them a practical method for meeting HIPAA requirements. These include lockable security drawers within the unit to accommodate binders, CD-ROMs, and zip disks. “HIPAA does not specify what measures providers have to take, but locking records in a room or cabinet is an excellent way to ensure their security,” she explains. Because most physicians and dentists store medical records in high-traffic reception areas, Niemiec adds, purchasing a lockable unit that provides easy and efficient access to information is especially important. — HF Tips
for Protecting Paper Medical Records |
 |
3801 Schuylkill Rd • Spring City, PA 19475 Publishers of For the Record All rights reserved. |