Why HIPAA Will Make Paper Records Obsolete

Ira Morganstern, M.D.

The Efficiencies of Electronic Medical Records:

As industries begin to communicate with each other electronically, the inefficiencies and limitations of paper transactions become increasingly apparent. For example, "Electronic transactions and elimination of inefficient paper forms…are expected to provide a net savings to the health care industry of $29.9 billion over 10 years."

A clearly expressed intention of HIPAA is to encourage the health care industry to take advantage of the efficiency of electronic exchanges of medical data, particularly transfers of information to Billers and then to Insurance Carriers.

Legislation was needed because, like railroad track widths in the 19th century, too many different standards existed and hampered communication. So, HIPAA selected certain communications standards and certain code sets (e.g., ICD-9 and CPT procedure codes) in an effort to facilitate the development of electronic communication in the health care industry.

Protecting the Confidentiality of the Electronic Medical Record:

However, putting medical information into electronic form evoked obvious concerns about confidentiality. For that reason, safeguards have been mandated to protect the confidentiality of electronic medical records. These safeguards include the requirement for Password Protection, Audit Trails, Alerts, and the establishment of Password Associated Privileges. Further protection of psychotherapy notes or other material, stored in a way that keeps it from being considered part of the official psychiatric record, is permitted but not mandated.

User-Name/Password protection of confidential matter is too common a phenomenon to need description here. Biometric protection of confidential material is less common but likely to soon become more familiar. Inexpensive fingerprint recognition hardware and software already exist and are reliable. The use of these techniques helps assure the confidentiality of the medical record and prevents unauthorized access to the computer workstation from which those records can be accessed.

An Audit Trail might, for example, automatically record which patient record has been accessed, the date and time, and the user-name of the person who accessed the record.

An Alert might include a report generated automatically when an incorrect password is entered a certain number of times. (A "time-out" during which a password cannot be entered is a security feature, as it helps to thwart programs that depend on rapid computer actions to break a password code, but is not mandated.)

Password associated privileges allow different privileges to be associated with different disciplines. For example, a password that indicates that the user is a Medical Records professional might allow that individual to access and review and print medical records, but not to create new records or alter existing records.
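The three safeguards just described (audit trail, alert with time-out, and password associated privileges) can be sketched together. This is an added example, not code from the article or from any HIPAA rule; the class name, role names, and the thresholds of 3 failures and 300 seconds are assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3        # assumed threshold; the article says "a certain number"
TIMEOUT_SECONDS = 300   # assumed length of the optional "time-out"
PRIVILEGES = {          # constructed roles and the actions each may perform
    "medical_records": {"read", "print"},
    "clinician": {"read", "print", "create", "amend"},
}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ChartAccess:
    def __init__(self, clock):
        self.clock = clock       # callable returning the current time in seconds
        self.users = {}          # name -> (salt, password hash, role)
        self.failures = {}       # name -> consecutive failed logins
        self.locked_until = {}   # name -> time at which the time-out ends
        self.sessions = set()    # names that have logged in successfully
        self.audit_trail = []    # (time, user, patient, action, allowed)
        self.alerts = []         # (time, user, reason)

    def add_user(self, name, password, role):
        salt = os.urandom(16)
        self.users[name] = (salt, _hash(password, salt), role)

    def login(self, name, password):
        now = self.clock()
        if now < self.locked_until.get(name, 0):
            return False         # inside the time-out: refuse without checking
        salt, stored, _ = self.users.get(name, (b"\0" * 16, b"", None))
        if hmac.compare_digest(_hash(password, salt), stored):
            self.failures[name] = 0
            self.sessions.add(name)
            return True
        self.failures[name] = self.failures.get(name, 0) + 1
        if self.failures[name] >= MAX_FAILURES:
            self.alerts.append((now, name, "repeated incorrect password"))
            self.locked_until[name] = now + TIMEOUT_SECONDS
            self.failures[name] = 0
        return False

    def access(self, name, patient_id, action):
        role = self.users[name][2] if name in self.sessions else None
        allowed = action in PRIVILEGES.get(role, set())
        # Every attempt is recorded, including the refused ones.
        self.audit_trail.append((self.clock(), name, patient_id, action, allowed))
        return allowed
```
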

The Insecurity of the Paper Record:

Once electronic record systems become more common, the deficiency of paper records, in terms of confidentiality, becomes apparent. The time-honored Patient Chart requires no password (or fingerprint) to open, does not keep track of who has been reading it, does not send an alert when an improper attempt has been made to enter it, and does not limit the privileges of those who do access it. Anybody could rip out a page or cross out a word.

In consequence, paper records will quickly come to be seen as unacceptably insecure. (In fact, they certainly are. Consider the mental health worker of any discipline, curious about the Mayor's psychiatric record, who finds him or herself alone with the paper chart.)

The "Durability" of the Electronic Record:

Although Electronic Records seem ephemeral and easily lost, the facts prove otherwise. For example, the tragic events of 9-11 saw all on-site paper records completely destroyed while electronic records, with their ease of storage at off-site locations, survived. If deemed necessary or desirable, electronic records could be backed up off-site immediately.

The Necessity of Electronic Signature and Locking Software:

One remarkable quality of paper is that the data it holds can be altered in a non-detectable way only with extreme difficulty, if at all. Electronic records, on the other hand, are easily and almost undetectably modifiable by those with the privilege to work on them. For medical-legal reasons, among others, this is unacceptable.

Electronic Signature and Locking software performs the following functions: It electronically signs the note in a way that is legally binding; it time-dates the note; it takes an exact "picture" of the note.

If an electronically signed and locked note is opened and then closed unaltered, there is no problem. However, if the signed note is opened and altered, then the change is detected and the note must be re-signed, re-locked, and re-dated. Then, there will be two notes: the original and the altered copy, each time-day-dated and signed.

Alternatively, the original signed note would be unalterable, except by entry of the creator's password. If the note were changed by the author it would have to be re-signed and dated. Anyone other than the original author would be unable to make changes to the note, except as a signed addendum. In this way, the legal integrity of the finished note is maintained.
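The signing and locking behavior described in this section can be sketched as an append-only store. This is an added example, not code from the article or from any product: the class and method names are hypothetical, and an HMAC under a per-author secret key is assumed as a stand-in for whatever legally binding signature scheme a real system uses.

```python
import hashlib
import hmac
import json

def _seal(key, author, timestamp, text):
    # The "exact picture": a SHA-256 digest of the text, bound to the
    # author and time by an HMAC under the author's key (assumed scheme).
    digest = hashlib.sha256(text.encode()).hexdigest()
    payload = json.dumps([author, timestamp, digest]).encode()
    return digest, hmac.new(key, payload, hashlib.sha256).hexdigest()

class LockedChart:
    def __init__(self, keys, clock):
        self.keys = keys          # author -> secret signing key (bytes)
        self.clock = clock        # callable returning a timestamp
        self.versions = []        # append-only; entries are never replaced

    def sign(self, author, text, kind="note", parent=None):
        stamp = self.clock()
        digest, signature = _seal(self.keys[author], author, stamp, text)
        self.versions.append({"author": author, "time": stamp, "text": text,
                              "digest": digest, "signature": signature,
                              "kind": kind, "parent": parent})
        return len(self.versions) - 1

    def amend(self, index, author, text):
        original = self.versions[index]
        if hashlib.sha256(text.encode()).hexdigest() == original["digest"]:
            return index          # opened and closed unaltered
        if author != original["author"]:
            raise PermissionError("only the author may alter; add an addendum")
        # Altered: re-sign and re-date as a new version, keeping the original.
        return self.sign(author, text, "revision", index)

    def addendum(self, index, author, text):
        # Anyone with a signing key may attach a signed addendum.
        return self.sign(author, text, "addendum", index)

    def verify(self, index):
        # Recompute the seal from the stored text; a mismatch means the
        # stored note was changed after it was signed and locked.
        v = self.versions[index]
        _, expected = _seal(self.keys[v["author"]], v["author"], v["time"], v["text"])
        return hmac.compare_digest(expected, v["signature"])
```

`verify` is the check that catches an edit made directly to stored data, which is the "easily and almost undetectably modifiable" case the section is concerned with.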


Conclusion:

HIPAA's emphasis on the confidentiality of the medical record highlights the fact that paper records are highly insecure, and for that reason unsatisfactory. Electronic Medical Records, by comparison, are highly secure and, when Electronically Signed and locked, achieve the same level of medical-legal integrity as paper records. Furthermore, when properly backed up off-site, Electronic Records achieve a level of physical security difficult for paper to match. Under these circumstances, the establishment of electronic records and the eventual demise of the paper record as we know it becomes an inevitability.

HHS Fact Sheet, 1-22-2002, "Administrative Simplification under HIPAA: National Standards for Transactions, Security, and Privacy."

Federal Register, Vol. 63, No. 155, August 12, 1998, Department of Health and Human Services, 45 CFR Part 142, "Security and Electronic Signature Standards; Proposed Rule."