What Are Electronic Health Record Systems?
Prior to electronic health records (EHR), all medical records were kept as paper copies in manual filing systems with each clinician’s (doctor, nurse practitioner, etc.) office and hospital, clinic, or surgery center that a patient utilized over the course of the patient’s healthcare. From the healthiest individuals who only sought episodic care to treat things such as ear infections and the flu to the sickest individuals with multiple illnesses and comorbid conditions, their medical histories (care notes, lab results, medications, etc.) were all written and maintained on paper in various locations.
In the mid-1960s, various technology and engineering companies began developing EHR systems. This was not an overnight one-stop shop for medical records. Many independent systems were developed for medical specialty areas that performed to improve care, but they each were independent systems. These standalone systems (called “subsystems”) were in many cases connected to a core medical record system. In many large healthcare systems, this has meant that up to 400 independent subsystems were linked to form a consolidated view of a patient’s medical record. In many cases, the billing component of healthcare services was not integrated into the EHR system until long after the systems were created, resulting in unique compliance challenges for compliant records and billing.
As EHRs advanced and funding increased to implement these systems, the field of EHR system developers reduced and consolidated, and today a few more fully integrated systems are primarily utilized by healthcare organizations. Although these systems all have primary functionality (which house patient encounters and episodes of care, orders, lab tests, radiological images, billing and collection records, etc.), all have also been implemented uniquely by different healthcare organizations. The core systems, as well as the implemented customizations at each entity, increase compliance and other risks, which must be mitigated.
Often EHR system implementation involves building the new system to do things as the organization did them in the past (either through paper documentation or older EHR systems), which can create or even further compliance issues and concerns. There are also features built within each EHR core system, which were developed by well-meaning engineers with clinician input, that can be manipulated by in-house system designers. These features are intended to increase productivity and reduce documentation and other burdens, but they cause increased documentation risks.
EHR systems have revolutionized healthcare in many ways: theoretically providing real-time access to complete medical records and history to healthcare providers and patients; increasing the capability to diagnose diseases, reduce medical errors, and improve outcomes; allowing multiple clinicians access to medical record information at the same time; and many other ways.
Most EHR systems allow for a wide variety of implementation, from out-of-the-box (standard) implementation to customized implementation. Compliance needs to be involved in decisions about a healthcare organization’s EHR system from the start. Even out-of-the-box implementations can have features that do not align with good internal controls and processes. The higher the customization, the higher the compliance risk. With a fully integrated EHR system (where one system has clinician documentation (for clinic and inpatient services), billing module(s), subsystems such as radiology, etc.), there are increased opportunities for a single change in the system to help or fix one situation that may impact downstream processes or outputs. Therefore, it is critical that compliance professionals be included in development, deployment, and ongoing changes with EHR systems.
EHR systems promise capabilities to streamline documentation; however, most clinicians find documentation in these systems to be extremely labor and time extensive. This has caused many tools and templates to be developed, which tend to increase compliance risks and the need for compliance to be involved at the beginning of an EHR implementation as well as when templates and other tools are updated.
Risk Area Governance
Joint Commission and the Centers for Medicare & Medicaid Services
Both have medical record signature requirements that extend to paper and electronic signatures. EHRs must have the ability to track various forms of authentication (of orders, reviews, documentation, etc.). The signature must include the date and time.
Health Information Technology for Economic and Clinical Health (HITECH) Act, 42 U.S.C. § 1395w-4(o)(2)
This act provides the U.S. Department of Health & Human Services with the authority to establish programs to improve healthcare quality, safety, and efficiency through the promotion of health IT, including EHRs and private and secure electronic health information exchange. EHRs must comply with various provisions of the HITECH Act. The act also increased penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.[2]
Many rules govern documentation standards for medical records to support billing for medical services. These include the following: False Claims Act (FCA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Joint Commission and the Centers for Medicare & Medicaid Services (CMS), and 42 C.F.R. § 482.24 , Condition of participation: Medical record services.
False Claims Act,31 U.S.C. §§ 3729-3733
The FCA makes it a crime for any person or organization to knowingly make a false record or file a false claim regarding any healthcare program that is funded directly by the United States government or any state healthcare system. There has been a significant increase in FCA cases regarding allegations of false claims to Medicare and Medicaid, pursuant to the Electronic Health Records Incentive Program. In addition, the FCA has also been triggered related to fraudulent arrangements tied to implementation and use of EHRs. Inappropriately configured EHRs can cause false claims to be submitted due to documentation inconsistencies or inaccuracies.[3]
Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936
HIPAA rules relate to privacy, security, and EHRs. EHRs must have appropriate controls to protect the data internally and externally. It is imperative that health systems have access controls, encryption, and the ability to track all access to records.[4]
CMS Condition of Participation: Medical Record Services, 42 C.F.R. § 482.24
This rule requires hospitals to have administrative responsibilities for medical records and that a medical record has to be maintained for every individual evaluated or treated.[5]