false
Catalog
Medical Record Chapter: Meeting the CMS Hospital C ...
Medical Records Recording
Medical Records Recording
Back to course
[Please upgrade your browser to play this video content]
Video Transcription
Now I would like to introduce our speaker to get us started. Ms. Laura Dixon most recently served as the Director of Risk Management and Patient Safety for the Colorado region of Kaiser Permanente. Prior to joining Kaiser, she served as the Director of Facility, Patient Safety and Risk Management and Operations for COPEC from 2014 to 2020. In her role, Ms. Dixon provided patient safety and risk management consultation and training to facilities, practitioners and staff in multiple states. Ms. Dixon has more than 20 years of clinical experience in acute care facilities including critical care, coronary care, perioperative services and pain management. Prior to joining COPEC, she served as a Director, Western Region, Patient Safety and Risk Management for the Doctors' Company in Napa, California. In this capacity, she provided patient safety and risk management consultation to the physicians and staff for the Western United States. As a registered nurse and attorney, Laura holds a Bachelor of Science from Regis University, a Doctor of Jewish Prudence from Drake University College of Law and a registered nurse diploma from St. Luke's School of Professional Nursing. She is licensed to practice law in Colorado and in California. Thank you for being here with us today, Laura, and we invite you to go ahead and get us started. Okay. Thank you very much and welcome everyone. Again, our section today is on medical records. And I know some of you who work bedside and charted within the medical record field that it was the bane of our existence at times, but it did serve such a useful purpose. And it's not just to record what's going on with the patient, but also as a communication tool, which many of you do know about. And that's, you know, a lot of what CMS goes through when they are on site or one of the accrediting organizations. They go through those records to see the quality of care that you are providing. So as far as the disclaimer, I always have to put this one out there. The information I give you today is just that, just informational. It is not meant to be legal advice nor serve to establish an attorney-client relationship. So please reach out to your in-house counsel, legal counsel, legal representative for advice. And specifically, if there is any particular state law that might impact some of the information that we're talking about today. I do like to do a brief introduction on why we are here and the manual itself, which is a section on which we're covering. And of course, those of you who've gone through surveys, which most of you probably have, if not all, you know, you don't want to get one of these. And that's a statement of deficiencies where you then have to submit your plan of correction. And no facility, no provider ever wants to receive the notice of involuntary termination from the Medicare and Medicaid agreement. There's been some back and forth lately with voluntary, maybe Medicare and Medicaid in particular. But this is when CMS has come in, they've done their surveys, they found several deficiencies, and then the response from that facility or provider hasn't met the expectations. It didn't address what the problem was. Now as far as what CMS does, the regulation, what they work off of, first starts in the Federal Register. And then CMS has that responsibility to send out notice to their surveyors and us in a transmittal. Here's the new regulation. They also have to develop interpretive guidelines and survey procedures so that, again, their surveyors know what to do. What's the rationale behind a particular requirement? And then they update the manual. There are three types of survey, certification, validation, and then again, the one we don't want to get, which is a complaint survey. As far as the manual itself and trying to keep up with changes, I'd say over the past four years, there have been several changes that have come down as it applies to hospitals. So you might want to think about subscribing to the Federal Register. That way, you can get notices of when a new regulation comes out. Always make sure you have the most recent manual because there have been changes. For acutes, your last one came out in April of this year. Critical access, yours still hasn't been updated since 2020. It doesn't mean there aren't new regulations you have to abide by, but the manual itself and the updates. I'm going to talk about that during this program, one of those particular updates. If there is a new manual, look at the transmittal page because that will get you quickly to what's been revised, new, or been deleted. I would again suggest you do check that survey website monthly. That will tell you when the... critical access hospitals. I always recommend any hospital keep handy the Appendix Q, which is determining immediate jeopardy, and just an aside, Appendix Z, that is for emergency preparedness. Because in emergency preparedness, you do have to make account and some services available so that you can communicate with the medical records and keep them confidential. So again, as far as what the manual looks like for Appendix A, you'll see this last was issued in April 24. The transmittal, the link, once you're on site, once you're on that website, you can click that blue lettering and you will also see it for Appendix W, but that's what it looks like. And you will go to the revision number and you can click that and it takes you right to what those revisions were. So here's just an example of what that transmittal page looked like. Brief description, summary of the changes, and then again a listing of what was involved with that particular update. On the memos, I have again the link here. If you do have to copy paste those to your surf engine, but look for what applies to you. You'll see on this page it has nursing homes, it has long-term care. So again, be aware that not everything applies to hospitals, but as far as what one might, this is one for again a hospital, came out in July of last year, but it will tell you here's where it applies to, the date, and then a brief description of what's involved. I'm going to touch on deficiency reports very quickly because again you may have received one, but you can now access the data yourself. So if you're doing some benchmarking or just want to find out how things are going along with your hospital, if you're new to that role and you don't have the benefit of that information, you can access it. It includes acute and critical access along with the tag numbers, the address, etc. No, there is no plan of correction, but you can actually request that which one did that individual hospital submit. They're updated quarterly, and so to go to there, I kept the link here for you where it says hospitals. Scroll to the bottom because this includes critical access hospitals. You'll see that full text statement. They used to be one Excel document. It is now two, so make sure you get the right years because there's like from 2010 to 2017 and then 2017 to current. Again, it is updated quarterly, so what pops up here is just a description of that link and what it does look like. Okay, so what are we going to talk about first? I want to start with the access to medical records, and Lindsey mentioned we do have a couple questions. Again, these are all voluntary, but it leads into what I'm going to be discussing, and so I'll have Lindsey put it up and then have you do the polling on it. Perfect. Okay, so you should all see this question on your screen now that says we provide access to medical records, and you can check all that apply to your organization here. Only to parents or guardian, to patients, they're representatives but require written request, only after the physician has reviewed and approved access, or only if a staff member is present during review. And while you're taking a second answer that polling question, I know several of you may have joined after our initial introduction, so if you have questions for Laura as we go throughout the presentation, please be typing those into the Q&A option found there at the bottom of your Zoom window, or if for some reason you don't see that as an option, you can, of course, utilize the chat to type in your questions as well. And again, this is access to medical records, not a copy, but actually getting in and seeing what's going on within that medical record, because there were some changes that came about not too many years ago. Perfect, I think we've gotten some good responses here. All right, and share those results. Okay, good, good, good, good, good, good. Okay, so let's talk access. It's in the patient rights section, and discharge planning also discusses patients' right to access their medical records, and this is timely access. And it talks about when a patient requests access to records, and when you do have to have that release, that HIPAA-compliant authorization form. So what we need to do is make sure you're aware that there are some OCR, Office of Civil Rights, documents and requirements that are out there that still apply to this section, because OCR does know that there's a difference when a patient wants their records and when you do have to get that release. So as far as access to their current records, they can do this. They can just say, hey, I want to see my records. I want to see what's going on. That's great. That's the authorization. That's the only authorization that is required. Of course, they can send you an email or a letter saying, you know, I need to get access to my medical records. So what you need to do here, look at your medical records policy, what's included in there. Make sure it is updated. So if you have a patient who's in your hospital and they're sitting there and say, you know, I'd like to see what's going on. I'd like access to that information. Well, then you have to have a way to do that. That means we have to educate our providers, our nurses, maybe your HIM staff. How is that going to happen? How do we make that occur? And then especially their current medical records. I don't know if that's becoming more and more prevalent in the hospital where patients really want to see almost daily, hey, what's going on? What was documented about me? As far as the form and format, well, however they would like it. And this is what they're talking about specifically as for a copy. Are you going to go old school and give them a paper copy? That's fine. That works for you. Or are you going to put on a flash drive? Are you going to be able to email it? You just have to have that agreement between the patient or representative. Of course, if they're not available in that particular form, they want it sent by email, but your system won't allow that, then you have to do it by hard copy and just explain that's not how it works, how we can do that. So as far as access, it must be timely. Now, of course, HIPAA says if you've got these records stored offsite, give them 60 days for getting them not only access, but getting them a copy because that could take a while to get those. Otherwise, 30 days. But please check your state law. It could be shorter, not longer, but shorter. And of course, the entire record or specific portion. And don't forget, your records must include discharge planning documents. That could be nurse's notes that you put in there or discharge planning assessment that was completed. Those must be part of the record. Because CMS said, you know what, with our electronic records nowadays, that should be shorter than 30 days. It's not required yet, but it should be. And of course, we don't want to try and put roadblocks up for the patient to get their records. This section does overlap quite a bit with requirements from the Office of Civil Rights. And I always bring that up because CMS can't fine you. They cannot issue a monetary penalty against the hospital. But OCR can. And so that's where we're seeing many of those fines come through because they did not get a patient access or a copy of their records. Now, I do have some proposed regulations. These are not in effect yet. And I've just put a few of them here. There's several in the asterisk. I have them all listed in the appendix. But again, these are only proposed. So one of them, allow the patient to, of course, look at it in person and take notes or photos. They've all got cell phones. Of course, they're taking photos. Changing that time from 30 down to 15 when we can, excuse me, have to give them a copy without charge. There are certain regulations out there that require providers, hospitals, physicians to give patients a copy of their medical record without charge. And then changing that wording. Now, this is somewhat important, especially for those of you who work perhaps in emergency department or if you're working in behavioral health. There's a proposed change to some of the wording, expanding that ability for you to disclose PHI to avoid a threat to the health and safety when this harm is serious and reasonably foreseeable. Right now, it is serious and imminent. So they're really lowering the bar on that time frame that that risk of harm could occur. So just be aware, again, these have not gone into effect yet. On access, the Office of Civil Rights says patients who don't get them, well, they can file a complaint. And again, one in every 10 complaints is because patients don't get records or they don't get them timely. And now, OCR is coming after hospitals in order to try and get this fixed. The first one was $85,000. So it's the second one. We even had the ninth one, $100,000 because they didn't turn over the films or even access to the films. And you know, this one was just in January of this year where OCR opted medical because patients could not get access to their medical records. They're very serious about this. And so they definitely mean business that they're going after them. So what are the rights of individual patients under the OCR? Well, there is documentation out there that patients get right and access to their information. They can inspect their records. They can allow to email, make requests by fax. You just have to verify, okay, who sent this? That may be a simple phone call. You just cannot require the person to come in person and request those records. And you cannot require the person to mail you the authorization. You know, they're there and they sign it on site. Great, you're done. But just be aware, we don't want to put up those roadblocks. And having a patient send you in an authorization or a letter or a note that says, I want all my medical records from this date to this date. Okay, that's their authorization. Now, if you're trying to make them say, no, we're not going to release them until you absolutely sign our release, that might get you in trouble. So don't push that. If the patient has said, I want all of my medical records, is it the patient requesting it or their representative? You have to turn them over. They can request again, paper or electronic, whatever works within 30 days of the request. You can charge. You can actually charge for those medical records. And it also talks about in this information from OCR, when you could deny the request. And I will go through that when it talks about blocking. Copies of x-rays and other data that was collected during their care. And we all know we can't refuse it just because their bill is not paid. Now, somewhere along the line, there was some information that was out there that you can only charge $6.50. That's not true. No, no, no, no. But again, some of the states have established that level of how much can you charge, what's reasonable. And it could be even graduated amount. For example, $30 for the first 50 pages and then $0.25 for every page thereafter. That's why I can't check what your state statute says to be in compliance. HIPAA talks about the difference between access and when you have to have an authorization. Access, again, I want to go in and look and get access to my records. You may require a written request. But you cannot require it when that access rule applies. So again, they're sitting there saying, I want to see my medical records. I want access to them. There you go. Again, fee limitation, when you have to cern over certain requirements to them. So be aware of what the difference is between access and an authorization to release the records. Now, this one just came out. Came out. It was effective June of this year. And it talks about reproductive health. So I'm going to go through this. It has not been tested in the courts yet. So this is brand new. And we have to comply to it. Pretty much what this is saying is, as a provider, you cannot use or disclose health care information either to by your business associate. So make sure it's in your agreement with them. For the purpose from that other entity who's asking for it to conduct a criminal, civil, or administrative investigation, or impose any such liability. When the information that's being requested is from by a person or for a person, because they simply sought, obtained, or you're providing reproductive health care. And that's when such care is lawful under the circumstances. So here's an example. I live in Colorado. And in my state, reproductive health is protected. Other states, not so much. So if my hospital gets a request, say, from the AG's office or the police department from that other state that says, I need the medical records on this individual and in order to institute criminal charges based upon the health care I received in this state. In other words, let's say I wanted to go for termination of the pregnancy, which is legal in my state, but perhaps not in that state. Then they can't do it. But you cannot disclose that information because the other state is trying to prosecute me in that state where it is legal in my state. It also says that you cannot disclose the information for somebody who is, you know, trying to investigate this. It applies where your business associate has reasonably determined one or more of the following conditions exist. And I'm going to talk about these. So you have to be compliant by December of this year. Update your notice of privacy practices by February of 26. The link in here will take you right to this rule. So here are the required conditions. The care is lawful under the state where the patient was located at the time. It is protected. It may be required or authorized by federal law. It was provided by someone other than the covered entity or business associate that received the request. Under the presumption, the care that was provided was lawful. Now, again, my physician knows, let's say I got care by another doctor and my current doctor who got this request for the information because the person trying to get it is doing a workaround. It's trying to go to my current doctor and say, I need all of the records, including the records from Dr. B who provided the actual care. And they can say, nope, not going to do that. Now, there is an option that if you can prove that the care that was provided by that other entity was not lawful, then that's an exception. There has to be a substantial factual basis to know that the care I received by the other provider was not lawful. It's a very fine line of distinction. So here's some examples where you can disclose this. You're defending investigation on professional misconduct or negligence. You're trying to defend yourself in a criminal action or administrative procedure. The Board of Medicine has reached out or the Board of Nursing has reached out regarding those. Or it's going to the Inspector General because they're doing an audit for health care oversight. So again, there's very limited circumstances where you can or you must disclose it. And there must be an attestation also. And this has to be completed and signed by the person who's requesting it. So it applies when, again, there's health care oversight, administrative procedures, law enforcement, or you have to disclose to coroners and medical examiners. So here's what that attestation looks like. CMS has already prepared it for you. It's part of that website that I sent you on the couple of previous slides. So it is there that this is what they have to complete and send off to you. And again, unless you have really good solid basis to know that the care was not lawful, you have to have the attestation. I would have the attestation regardless just to cover yourselves. Okay, the interoperability and access. This is the open note rules. Most of you are probably very familiar with this. Came from the Cures Act. And really what the idea was they're trying to do is improve access to that information so patients can make better informed decisions. And of course, electronic notifications when a patient's admitted or discharged. And they also identified and finalized when you can block certain information. It is a very limited scope. Those of you who've worked in this know it is extremely limited. Not just very, but extremely. And really puts out new rules to prevent blocking practices such as anti-competitive behaviors. So as far as access, the rule is that you have to establish a cure, standards-based application, so that there's interface of all this information. So the patient can access it. And they can control that information. If you have a patient portal, you're probably doing this already. It's already there. So they can securely and get what information they need from their record. Now they can use a smartphone app if they want. That's up to them. Failure to make this information available electronically really equates to blocking. And you will be cited over it. So here's what has to be accessible. Pretty much everything for a patient. Very limited exceptions where they can get access without charge. Notes, HMPs, lab reports, progress notes, image narratives, pretty much within their entire record. Now on to blocking. So I do want to bring this up. It's in the Cures. It's under section 4004 of the Cures Act. And unless it's required by law or there is an exception to the rule, anything that is done to interfere with the patient's access or exchange of information or use of their EHI, and you know it's unreasonable, then it's going to be considered blocking. Now again, there are certain exclusions to this rule. Psychotherapy notes has not changed. That still continues to be separate. That is an exception. But they have to be recorded by that provider who is a mental health professional. Where they're talking to the patient, they're doing group or family or even private sessions. Those provider notes are not included in that part that must be made accessible. Or you put together information in anticipation of a civil, a criminal, or administrative action. And that is kept separate. There are four exceptions when it is even not considered blocking. Remember the previous two, the psychotherapy and getting ready for a lawsuit, those aren't included in this definition. Here's what's not also considered blocking. It may happen, but it's not blocking. You can block access in order to prevent harm. Maybe there's a privacy exception, a security exception, or an infeasibility. Starting with harm. You have to do both of these. A reasonable belief, it will reduce the risk of harm to the patient if they get it. And it's no broader than necessary to reduce that harm. It must be determined on an individual patient by patient basis and the exercise of the judgment by that provider. And there must be a current patient provider relationship. And this is harm that could arise from information that the provider knows or reasonably suspects is wrong. It's mismatch, misidentified, wrong patient, wrong chart. Happens a lot. Or it's just simply wrong for some other reason. Let's say they were doing their dictation and they realized, oh, I dictated the wrong chart or I put yes instead of no. Then maybe they do want to block that. Maybe. Otherwise, where the risk does occur, so it's maybe wrong information, the risk is there, then the provider has to put a practice into place that, of course, meets the patient rights according to federal law and that they have reviewed it and made a determination that this is bad. But the patient has a right to have that review reversed after the physician or the provider has gone back. You have to meet all of these in order to meet the harm blocking exception. As with anything, we have to have policy and procedures that follow this. That is based on relevant expertise. It is implemented in a consistent manner and it's non-discriminatory. And the determination is based on facts and circumstances known at the time they make that determination. So it can't be six years down the road. It has to be done at the time they made that blocking decision. That's the harm. Privacy is next. As with everything, and as we go through this, it will be the same basic information. It is implemented in a consistent, non-discriminatory manner. You have your policy and procedures you're following. And there's criteria to determine when you're going to restrict access. You also have to have training of all those involved in your policy and procedure. They have to be aware of what this thing says. And then documentation of what criteria did you use under the privacy exception. So if you get an authorization, and this is coming from an outside source, and you know it doesn't satisfy all of the elements for restricted access, then give that person a form that does meet all of those requirements. And of course, they can't, or you can't, improperly encourage the person to withhold their consent and authorization. Have a uniform policy and procedure. So again, these are when you're addressing those restrictive preconditions. If you get a request, don't turn over that information to, say, my ex or my soon-to-be ex. And you just have to make sure, and you can agree, not to share information as long as, you know, there's not improper encouragement. In other words, don't share that information with my ex's attorney and I'll pay you this amount of money. That's an improper encouragement. And then you document the request within a reasonable time frame. The only exception is if you have to do it according to law. So if mom and dad come into you and say, please don't share that information with Child Protective Services, they don't understand, and we're really doing the best we can. Well, under law, you are required to perhaps share that information, then you must share it. If you decide, you know what, I'm not going to agree with this request not to share, fine, you can terminate it. Just tell the person you're going to do this. It can also be when the person comes to you and say, yeah, go ahead, share it, that's fine. You may want to have it done in writing. If it's only verbal, document it as soon as possible so you have that contemporaneous to when it did occur. And otherwise, again, tell them you're terminating that agreement not to provide access. The third one is security. Now, this one's a little bit easier because some of us have probably gone through some of this. The practice to interview with access to protect security isn't considered blocking when really it's related to safeguard that confidentiality and integrity of that EHI. It is tailored to meet a specific risk that is being identified, again, implemented consistently, and you have a policy that they are following. The policy must be in writing. All of these actually have to be in writing in order for CMS to say, okay, you're doing what you're supposed to be doing. You do this in response to a security risk that you have identified and assessed that's been done on behalf of you and in line with one or more consensus-based standards or best practices. And there's an objective time frame so that you can identify and respond to those incidents. If you don't have a policy, which I do not encourage, if you don't have one, again, make sure that the determination is based on particular facts and circumstances. And you're really doing it to mitigate security risk of that information, and there's no other alternatives that are practicable under the circumstances. And then finally, we have our infeasibility. You can't do it. We have uncontrolled events. Maybe you had a disaster that hit, that impacted access to that record. Now, as far as segmentation, you can't unambiguously segment out the requested EHI from what's left over. In other words, it's so interweaved into there that you can't do it. That's your exception to not having it be blocking. And again, infeasible under the circumstances, there are several types. The cost in order to comply, you just can't do it. The technical resources are not available. The access type for which is needed, it's just infeasible. So there are several ones in here. In determining those circumstances, though, it won't take into account if the manner requested would have facilitated competition. If it does facilitate competition, you still have to do it. If you do not fulfill a request for access, then you have to give written notice within 10 business days of the receipt of the request. They've kind of narrowed that time frame down, again, 10 business days for you to respond to say, nope, I'm not given access, and here's the reason why. Again, it could be one of those four, harm, security, and feasibility. And I forgot the last one already. That's terrible. But those four items. All right. Now, under the conditions of participation, the reason that we're one of the main reasons we're here today, I did want to get some of those out of the way, because they will be addressed in a way as we're going through. You'll see on there, I've got tags 431 through 471 as in bold and italics. And the reason is, is that's not in the current manual. They're still out there, and we still must abide by them, but they're not in the manual. First one, you have to have a service with the administrative responsibility for the records, and you have to keep a record for every individual who either was treated or evaluated at your hospital. It is one service, and they're responsible for everything within your system, inpatient and outpatient. And again, you have to have a medical record, even if they leave AMA, they leave before being seen, request not to bill, because they're finding some of those AMAs may actually be an EMTALA violation. So if you can, the patient says, you know what, I'm not waiting around. I don't like this. I'm leaving. If you can get them to sign the form, great. Not too successful, but just document it as soon as possible that this is what happened, and the patient chose to leave after the warning signs of this is what could happen to you if you walk out the door. Of course, it includes everything that happens and everything that is documented or noted with this patient, whether it's a lab report, an x-ray film, computerized records, written records. Don't forget your fetal tracings, because that's part of the medical record. You use that data, that information to make a decision of that patient's care. The next one, you have to have an appropriate record system for the size and complexity of your service. You have to have enough personnel to make sure there's proper compilation, completion, filing, and retrieval. These folks have to have education. They have to have skills, maybe qualifications and experience, so they know what they're doing, that when they're releasing records, they're following what they have to do, state and or federal law or not releasing. Staff, we have to make sure it's properly coded and indexing, because that's huge when it comes time for QAPI. And of course, they must be employees of the hospital. This is those that are taking the medical record from the floor and doing all of that, the compilation, the coding, everything. If you have a service that comes in and copies your records, they don't need to be employees. You want a BA agreement with them for security of that information, but they don't have to be employees. And the surveyors, they look at the job description. They want to look at staffing schedules. Do you have enough staff at all times, 24-7, in order to meet the needs for that hospital? How you do it? Well, again, a record for each patient, accurately completed, promptly filed, obtained, and accessible. And you have to have a way to identify who's writing in that record. Keep a maintenance log of those signatures, your signature log, or however you're doing that, your key codes. Make sure, again, that you're protecting the security of those entries. So, if Dr. Jones is writing in it, we know it's Dr. Jones. It's not somebody else who's acting in there, acting as them. Of course, accurately written, meaning it's done on the right person and that it's promptly completed. What does your state law tell you? What does your policy say? No later than 30 days after discharge. And again, have everything that happened with that patient, treatment, their response, their evaluation, interventions, discharge planning information. It must be properly filed, retained. CMS says five years. Your state law may be longer. Your professional carrier may recommend a specific time frame, because usually by then, they're going to know if something comes up, like with kiddos or the children. When you have a birth injury, what's your state law say? When does that parent have to bring that action? And you want to be able to defend the care you gave. Of course, accessible, so those patients who were treated or evaluated at any of your locations, whether it's on-site or off-site within the past five years, because we need that available 24-7. When we're at coronary care, our cardiologists were constantly asking for the past records on the patient, and that could go back 20 years sometimes. But they definitely needed to have that immediately, and that was usually around midnight when, of course, the patient came in. Of course, we want to keep them protected from fire damage and threats. Here's something new that came out last year. You must conduct a security risk assessment. And this is under HIPAA. I'm going to talk about that later. But just be aware, this must be completed. It's no longer optional. Otherwise, have a system so that we know who's writing in the record, so we protect that security. Secure all entries. Have a way to identify the author. Make sure, preferably, their signatures are legible, especially if it's on paper. And make sure that entries aren't lost or destroyed or altered or reproduced. By the way, if you have someone who comes in and wants to look at the record, you can have someone sit with them. That's fine, because you may want to have someone with that patient who maybe didn't have the best outcome and is maybe looking to alter the record. If you have a way to prevent it, great. But you can have someone sit with them, if you so desire. As far as where you keep them, it's the same requirement. You have to make sure they're secure, that we keep them protected. And these standards apply whether, again, electronic or paper. We have to keep them in their original or legally reproducible form. So if you're going to keep it hard copy, okay, great. But if you're going to convert that to electronic, just make sure it can print out and it's readable. Five years, unless you've got something that extends it. Now, OSHA can go up to 20 years. So it may be quite a bit longer than what you normally would have under your state requirements. The surveyor, this is what they're going to do. First, they're going to ask, how do you keep records for five years? They will know your state law when they come in. Or if there's a particular city law that perhaps you have. They will look for records, and they want records from going back almost five years. They're looking for a prompt retrieval. Can you get them as quick as possible? How complete is the record? In other words, can they trace that patient's care from admission to discharge? And what's the form? Hard copy or reproducible form? Now, there are some federal laws on retention. I've got them listed out here, as far as how long you keep them and the citation reference. So rural health, if you've got a clinic out there, six years from the last date of entry. We're going to talk about critical access, yours are six years as opposed to five years. And ambulatory surgery, they don't really specify it under federal, so you might want to check your state law on that. Otherwise, we'd need a system of coding and indexing, because that's how you're going to retrieve that medical record. Maybe you'll have to do it by diagnosis and procedure, because this comes into play again with QAPI, but it's also crucial for utilization review, if they want to start reviewing those records. And then it has to be accessible for those who need them. ED, coronary intensive care, maybe they need it to find out, okay, what medications were ordered on discharge if the patient came back in through ER. And of course, we keep it confidential. How do we ensure that confidentiality? And this is information from copies or from the actual records. We only give it to those who really have a need to and have the authority to get them. So we have to make sure unauthorized people don't get access or alter them. Deactivate your former employees access badges, their codes, so they can't go in and do that. Originals, originals only released according to your laws, federal, state, or local. That could be a court order. Subpoenas, again, work with your counsel on that. Some of those subpoenas say, I want the original record, but if it's coming from out of state, it may not bear any weight. So that's why you need to work with your in-house counsel on this one in particular. The guidelines, the interpretive guidelines talk about when they can release without patient authorization, such as you're being audited, perhaps your professional carrier wants to come in and do a review. Payment, when the insurance companies need that information, but you have to have policies and procedures that limit what's going out, the minimum necessary. Now, if you do have, let's say you've got an example, you get a child and the ED provider's going, man, this doesn't look right. I'm really concerned. And then you do your mandatory reporting to Child Protective Services. Child Protective Services comes back and says, I want the entire medical record. Well, it's like, well, that doesn't make any sense when it's just, this is what we've reported. You just don't want to give them the entire record, carte blanche. There has to be a good factual basis for what they're looking for. Most of them are pretty good. At least I know those that I've had interaction with, they're good about, okay, give me the information that really raises the concern for you. Like how many times were they in the ED? How many times did you get a call maybe? Or were you aware that they were hospitalized for a similar issue? Then that could be the entire record actually. Of course, we have to prevent unauthorized access, hard copies, lock your cabinets. And this includes medical electronic records, those pass codes. So we don't have that issue of unauthorized access. And when you dispose of them, do it the right way, shred it, erase your hard drives, whatever you have to do in order to get rid of that information. We had had a physician who was released from his building, he didn't pay his rent. So they went in, the manager of the building went in and took all of the records, put them in boxes and put the boxes in the dumpster. And of course, we've been known to have high winds here in Colorado. And sure enough, it blew all those medical records around. So we had a quite a headache on our hands in order to try and get ahold of that information and secure it. So it wasn't done correctly. It mentioned the release of the original records only if you've got a court order or it's required by federal or state law. Electronic, make sure you know that removed or deleted. In other words, somebody doesn't get any access that they shouldn't have. And how you make sure it retains the original record, unless you have to get have to have it. The surveyor wants to see your policy. How does it limit access? How does it per, you know, make sure disclosure goes to those who are permitted to have access, in other words, a written release. They will also walk around, they want to see if records are secured. Can someone get in there and just look at the computer screen, or maybe get in and start flipping, you know, what's on top of the chart or top of the desk, and they're just kind of bored and want to see what's in that record. They want to see and will observe your security practices and precautions so that there is a way to prevent altering or deletion of your electronic medical record. I'm going to go through this next part fairly quickly, only because most of you know what has to go into a record. It must contain enough information to justify why is that patient there? Why are they admitted? Why do they have to stay there? What's going on with their diagnosis? How is the patient, how is their program progressing? What's their response to that medical record? How are they responding to those invasive procedures that we did? What are the labs, the test results, any consultations and assessments, radiology reports, any assessments you did for discharge planning? And, of course, it must be legible complete. That means it's dated, timed, and authenticated. Now, complete means there's enough information. First off, we know who's there. Why are they there? Support their diagnosis. They're here for this treatment. Justify their care. This is their course and how they responded, and we do it also to promote continuity of care. Again, because when they come back in in 15 days for that same problem, they're going to go back and look at that documentation so we can continue with that care, or maybe make an adjustment to that care. They really focused in, they being CMS, focused in on dating and timing entries a couple years ago. They found it very problematic. It wasn't done. All orders must be dated and signed, consults and progress notes, same thing, a date and time, and that's also for the nurse's notes because it establishes the baseline for future actions and assessments, and how did this fall out? If any of you have had the pleasure of going through a professional lawsuit, the attorneys really focus in on that time frame, that timeline of that patient's care. That's why dating and timing is so crucial to show, hey, we did what we were supposed to do. We met that standard of care. Of course, the dedication to identify who made that entry. Now, if you keep that list of written signatures, it's up to you where you keep it. Do you keep it in HR? Do you keep it in HIM? That's up to you where you keep that list, but you have to also have a method to require that author to make a specific action to authenticate every entry. The policies and procedures must spell out who can make the entries and how you prevent alterations after it is authenticated. Your physician has gone in, they've signed off and done it. They closed that entry. Now, they got to come back and make an addendum or they have to make a change to that entry because they put 0.5 instead of 5.0. How are you going to do that? It's already been authenticated. What's the process to go back in and make that addendum or that change to make the record accurate? Otherwise, they date, time, and authenticate everything. That could be the last page. If they're doing an order set, they would date and time the last page. Any changes, selections, have them sign it or initial it where they did make those changes. That's what we used to do. We would make a late entry or change. We'd mark through it, put our initials, and time it, and that was it. We were done, date and time. Then our second question, Lindsay. Okay, let's get that one up here on the screen for you. Okay, so y'all should see this one now that says, in our facility, verbal orders are discouraged, permitted, but only from physicians, permitted by any practitioner, only taken by registered nurses, taken by any nurse, or not allowed, period. Looks like we have one question, Laura, that asks, if a patient registers and then walks out of the ED, does this need to be counted in a record kept? Yeah, because they left without being seen. You just put a very brief entry into there which says, patient registered. When I went to call them, they left. It cannot be located. Close the file. That's done because, yeah, if they're registered, then CMS needs to see it. They need to see a record. Okay, and then another question about validation here. So, how would you suggest the best way is to validate that it actually is the patient requesting the records when they request via phone call? Yeah, you can do it two ways. One, you can ask a question that only the patient would know. Now, date of birth, they probably know. So find out something that really applies to them, to the best you can get to. The other one you can do is get another person on the phone, saying, who am I speaking with, blah, blah, blah, blah, blah. Then just let them know, okay, this is how we're going to document it. Sometimes they're pretty good about not getting it. The other one is, can you give me a number and I'll call you right back because I need to go look up something. That's how we found out. We had, it was the, I'm trying to, it was the mother of a staff member. And that staff member had been let go because of her, of how they were acting with their colleagues. And so what happened is the mother had called in and said, I'm so-and-so and I need records on this patient sent over to me right away. Well, it was on a patient that had complained about the staff member that was released. And so they said, eh, it doesn't sound like that person. I think I know that doctor's office. So what they did was they said, give me a minute and I'll call you right back. So they called back to the doctor's office, say, did you have somebody call us and ask for these records? And that's how they identified that it was a fraudulent call. That's one way you can do it. Find out, let me call you back at the number you have on file. What is the number you have on file? And sometimes that'll trip you that they can't give you the phone number. Because yeah, unfortunately it does occur. How can you validate who calls in? Now, if it's a written, you just, of course, compare the signatures and you're done. You just take reasonable steps. You're not the FBI, they know that. But if it raises something in the back of your neck, the hairs, you know something's going on and you can always ask for further authentication. And the last question I see is what patient protocols to be part of the medical record would be released? Or could be released? Would you repeat that for me, Lindsay? It says what? And I might need more information here and this came in anonymously. So the requester, he might give us a bit more information here, but it says, would patient protocols be a part of the medical record to be released? Patient protocols. If they're talking about protocols for care, that's what they're doing. I guess I need more information on what you mean by protocols. That would help. And again, we can take that offline if they want to ask you later, Lindsay, and send it to me. Absolutely. Okay. Absolutely. We can certainly do that. Okay, I'm gonna go ahead and end this poll and share those results for everybody. Great, and there's no real answer here because it's just that, again, what are we doing with our verbal orders? And the reason, first off with rubber stamps, say no, just say no to rubber stamps. No, unless it's an issue because of legibility. The provider has such a bad hand tremor or physical disability, they can't sign their name legibly. Okay, there is the Program Integrity Manual, and it does talk about that when perhaps you must use them because otherwise you can't read whose handwriting that is or whose signature stamp, but have a policy and procedures. Only one person, it is not delegated, and that person who has that signature stamp is responsible and must secure it because it could be a payment issue. Now, as of just a while ago, Medicare payment policy didn't allow use for rubber stamps. And a lot of the intermediaries, the insurance companies, they may also not allow it. They want that actual signature on there. But as far as signing off, don't use that system auto-authentication. Reviewed, dictated but not reviewed. That's inconsistent with those requirements. If you have to get something out in a hurry, then just say this is going out as is, it will be reviewed again, and any updates will be forwarded to that provider. But that's as a last resort. But there has to be some way that the practitioner did review and sign it. There must be, they have to be able to look at it, make sure it's accurate. If you have the time of transcription on the HMP, that's great, but still has to be dated and signed. And again, the only exception here is if your system automatically does it. So the physician's sitting there reviewing it, reviewing it, reviewing it, and it automatically enters the date and time for them, great, then you're good. Verbal orders, so let's go back to that. Any order, whether it's a verbal order, must be dated, signed, and authenticated promptly by that who ordered it. As long as your state law permits it, it's within their scope of practice to give that verbal order. And your bylaws, rules and regulations also say that they can do this. Now there's a verbal order section in the nursing chapter, couple tag numbers on it, and we discuss it then because it talks about what does the nurse have to make sure occurs with that verbal order. Now, there is another way you can authenticate a verbal order. Any practitioner who is involved in the care can do that, as long as the state law permits it. And otherwise, does a PA, can a PA in your state sign off on their physician's verbal order? If they can, and your rules and regulations say, great, then that's permitted. But it can also be restricted by specialty. Maybe some of those internal med physicians shouldn't be signing off on pediatric orders, just because body weight, size, dose, et cetera, may not be that familiar with it. Some are, then okay. Don't take a verbal order unless it's absolutely necessary. They're physicians at home, and you need the order now. Or they're in surgery, they're driving in, or they're tied up in another room. That's really the only time we should be taking verbal orders. Authentication promptly, look at your state law, or your policy and procedures. What is promptly? CMS did away with that 48-hour requirement, but have them signed off as soon as possible. So yes, indeed, that is what I ordered, because it is a patient safety issue. Never use it for convenience. That means you may need to look at your policies and your bylaws. In other words, what is the element? What are the elements of a complete verbal order? Who can give it? Who can receive it? And because you may want to have an RN be taking all of these orders. As far as who can give it, an MA from an office for IV meds, probably not a good idea. What are the limits, like chemo, or maybe some of your cardiotherapy drugs? Who can sign off, and the timeframes for authentication? Those are the essential elements of your verbal orders. Standing orders are a little different. You can use them, pre-printed, electronic, whatever you want to use. But two, a couple of things. One, they have to be reviewed and approved by your medical staff, nursing, and pharmacy before you use them in that clinical setting. You have to have policy and procedures, and how they're going to be put together. How is this going to approve them? Who's going to approve them? Who's going to keep an eye on them? How can staff initiate them? When and who's going to sign off? And how are you going to orient a new staff member? Each order must have, each of these standing orders have to have specific criteria. In other words, for the nurse or other staff member to initiate them. So it must be specific criteria. What is the patient's situation? You don't want to use standing orders in a way that requires your staff authorized to write orders and make a clinical decision that's outside their scope of practice. And as with anything, it has to have a way for authentication. Number four, policy and procedures. Then it has to be able to instruct nursing and other words and other individuals. When can they use them? What criteria? What are the conditions? And what are their responsibilities in initiating and execution of that standing order? And the processes where again, someone else can authenticate it. So for example, in critical care, we had standing orders for when a patient was admitted from the ER for a rule out in mind. And some of those standing orders included if the patient has ventricular tachycardia rhythm for this amount of time, you do this. And then if their heart rate drops below this, this is what you do. And then the last one, notify the physician. So it was always spelled out what we had to do, what we could do without having to track down the physician and get an order. And number five, you demonstrate that it's consistent with good practice, national guidelines, those who are recognized, and it's really upon you as the hospital to show there's a good sound basis for that standing order. And then finally, number six, you have to look at them periodically. Medical staff, nursing, pharmacy, is this still a good, useful standing order? Have the standards of care changed at a minimum annual? That's in the CMS interpretive guidelines. And policies, how do you correct it? How do you revise it? How do you modify it? On the review, you can have it done through your QAPI program. But again, medicine, nursing, and pharmacy must read, review, and act on that final report. So let's say this is delegated to QAPI to go back and look at all of the standing orders for pediatric patients admitted with status of medicus. Okay, great. But then medicine, nursing, and pharmacy has to go back over and read it and approve it. The review does consider, is it consistent with nationally recognized standards of care? And any preventable events with their use? Did we have a bad outcome? And did we use it and execute it consistent with the protocols? I'm sorry, we did have number seven. It must be added to the record at the time of initiation or as soon as possible. And make sure it's dated, timed, and authenticated by those who ordered it. The physician and policies on how you're going to authenticate it, get it done as soon as possible. Again, usually, and I always use coronary care because that was where I had the most experience, is that the ED doctor contacted the cardiologist. The cardiologist called in and said, use the standing orders for rule out MI. And then within a few hours, the physician was there, came up, signed off on the orders, and we were good to go. As far as these orders and these definitions, there's no standard definition. CMS uses them to say pre-printed electronic order sets protocols. They know that that could result in some confusion, but there are some that are not considered or covered as standing orders, such as a menu of options. So you can create it because in there, the staff can't start it until the physician goes in and chooses what they want. So as far as a nurse initiation, where a nurse can initiate a specific order, get policy and procedures and practice to meet the regulation, whatever you call it, and those defined clinical situations. Hybrids, they still require compliance with this section. And an order set that has a protocol for nurse initiation, such as KCL, well, that's fine, you can do that, but it has to meet all of those requirements for it to be considered. Other ones, well-defined clinical situations, appropriate for patient care. It's usually initiated as an emergency response or an evidence-based regime, where it's just not practicable to try and reach the provider, and appropriate. Rapid response team, code blue team. Triage, initiating that screening to stabilize your ED patients. Post-op recovery area, when you have PACU. Immunization, that's a standing order, but it can't be used when it's prohibited by federal or state law. And the best explanation here is there are no standing orders for the initiation of restraints or seclusion. I'm gonna repeat that, no standing orders for restraint or seclusion. You have to have that assessment done, and you have to get ahold of the physician. In an emergency, patient's thrashing, they're reaching out, yes, but then you have to get that order and get it done. And just some examples, like the subcute insulin order set on how those would play out. Just again, just an example. I have more in the appendix for you. I wanna do a history and physical update because there were some updates that came out. HNP done within the record within 24 hours of admission, no older than 30 days. And of course it's there before the patient goes to surgery, which requires anesthesia. Now you can do an updated exam to reflect any changes. You must do that. In the HNP was done, let's say by an outside provider, but in the record within 24 hours before the patient goes down. In the medical staff chapter, not the medical record, but the medical staff chapter, it's the same thing. Now the medical staff has to identify and adopt bylaws on who has a responsibility for that HNP. And it must include their requirement that it's no older than 30 days, done within 24 hours and on the chart before surgery. And is it going to allow an advanced practice provider to do it with state law blessing? The physician, if that's the case, if you have an advanced practice provider doing it, the physician is still responsible and must sign off on it. If the other provider does it. Now, as far as the options, documentation of the update, you can include in the progress note, a stamp, a checkbox, entry on the HNP form. There's some optional language. CMS actually did this, that the HNP reviewed, patient examined two key things and no change occurred. Nonetheless, there still has to be a complete HNP on the chart for each and every patient, unless it's an emergency, and then you document in the progress notes. That's where the entry goes. Now, here's the option, is an assessment. Now this is a little bit narrow focus here, but for those who only require an assessment, we still have to have it in the record after registration, but before the procedure that requires anesthesia, but you have to have bylaws and policy and procedures. These are outpatient surgeries or procedures. The medical staff develops that list of what is okay, which ones are they going to allow? They don't have to, couldn't require an HNP on all of them, but it's an option. Now this is in all five sections within the history and physical where it is noted, medical records, medical staff, and surgery. So otherwise, the record has to contain their diagnosis, any consultations, and it's available so that the providers can justify treatment, keep them there, and if there's going to be a revision. We also have to document complications, and that includes our hospital-associated infections, unfavorable reactions to drugs, anesthesia, events that do happen. Now, this is just my note. Train your practitioners on how to document those complications. Make sure it's done correctly, no jousting, but yet complete. Some of your providers are excellent at it. They're phenomenal, and you read it and go, okay, well, I can see how that could happen. Others need a little bit more hand-holding and doing that, and you probably know who they are within your facility, but make sure they're aware of how to document, and just as an aside note, that can make or break a professional action case on how it's documented. This is what we did, this is what happened, this is what we did in response to what happened, and the patient's status, plain and simple. There are three sections on informed consent. The section we're talking now, medical records, but it's also in patient rights and surgical. We have to have a properly executed consent for those that are specified by your medical staff. So you need a list of all your surgeries and procedures somewhere, so the medical staff knows which one requires it. Of course, any surgeries, unless it's an emergency, and then you document in the record, and this is inpatients and outpatients, and again, those specified by policy. Usually it's required when you have to do something invasive and those who have certain known risks. Here are the minimum elements, just the minimum elements for that consent. Then, or this is what you have to, name of your hospital, what's being done, who is doing it, the responsible practitioner. The benefits, risk, and alternatives were explained, signature of the patient, and date and time. When was that signed? Now, they did make some changes. It is in the surgery section. It is not in the medical records section. I don't know why they did it there, but they did. So here's what has to be for informed consent, and this happens to be when you have other individuals who might be in surgery, such as residents, and any other provider who might be doing, or there will be doing, examinations or basic procedures for educational and training purposes, and they list them out here, examinations or basic procedures that include breast, pelvic, prostate, rectal exams, and others that your state law may spell out, because we know this has come to light heavily recently, and in fact, a nurse experienced it, and that's what really started all of this. She went into surgery, and she knew it was her hospital. She knew it was a training hospital, but she specifically told them, you are not to do this while I'm under anesthesia, and after the procedure, she's in recovery, sure enough, the resident comes out and says, by the way, you're having your period. Now, the procedure was being done on a body part that had nowhere near the pelvic area, and that's how she found out that completely against her instructions, they did a pelvic exam while she was under anesthesia. She sued the hospital, she sued the doctor, and then that's when CMS really started to get involved and say, not okay, we have to do this, so that is now a requirement. Other elements, these are optional elements that you can consider for your consent form. Who did the informed consent discussion? The date, time, and signature, who witnessed the patient's signature? What was the indication or listing of the risk that you did discuss? Again, you have to list every one of them. There's that you had that discussion with the patient. A statement, other people will be performing important tasks per the policy, and that qualified practitioners may also perform parts of the anesthesia. So again, there's a couple items in there. Well, let's go on to what else must be in the record. I've covered this somewhat, but CMS, I guess, really wants to make sure we've got it, so it has to be orders, notes, reports of treatment, vitals, complications, x-rays, lab reports, anything else that we've done to monitor the patient's condition. And I always bring that up because sometimes, I know those fetal tracings can be very, very thick, but that's how we monitor the patient's condition, so we have to retain those as part of the record. Which brings me to my third question, Lindsay. Okay, let's get that one up here for you. Okay, this question should now be on your screen. It says, our facility requires discharge summaries, and you can check all that apply to your organization here. Be completed before the patient leaves the facility, be completed by a physician, be completed by any practitioner on the case, including the physician assistant and nurse practitioner, be completed timely, but that has been a problem, be completed within 30 days of the patient leaving the facility. We have a couple of questions here, Laura. This first one says, when another physician assumes the care of a patient, can this physician sign the verbal order that was initially given by another physician within that same group? Yes, yes, because they're part of the care, absolutely. Okay, how often should standing orders be reviewed? Again, that was annual. They did CMS, they did CMS, again, that was annual. They did CMS, that annual review. That can be, I know that can be onerous. It really can be, but I think CMS has taken into account how fast some of our healthcare is changing. Okay, and it says, just to clarify, did you say that we have to keep a physical signature logbook or electronic signatures? Oh, electronic. Some like to keep the physical in case somewhere along the line, something happens, your system goes down and there is a physical hard copy that they did the signature. And that's why they always suggest having that hard copy of that signature. It used to be where you printed your full name, you printed your professional signature, and then you signed as your professional signature. Like for me, it would have been Laura A. Dixon, that was my full name, and then Professional L. Dixon, RN, and that's what they did keep on staff. But that's, you know, they like to have that just in case there's a question of, is that really their signature? Perfect. And the last question I see here is, is it required for the surgeon to sign the consent? I'm going to say yes, because they're the ones who are responsible for that. They must, yeah. I don't see any other questions, but I'll go ahead and share those results. Okay, all right, good. So I like it that everybody's really, I appreciate everybody really participating in these, because it's, again, it's a lead-in to what I'm going to be covering. Discharge summary. Short answer, every record has to have one. What was the outcome? Where did the patient end up going? And what's going on follow-up care? And that could be just something as simple as head surgery, no complications, this is what we did, patients are going to go home, we'll follow up with their primary care provider in two weeks. Now, as far as the follow-up care, what are any hospital, post-hospital appointments? They may find it helps that if that's made ahead of time, because if you say, see your physician within one week, they call when they get home and they can't get in for a month, it's going to not help. That's why sometimes it helps to make sure that appointment's made before they leave. How are you going to meet those needs? Home killer, you're going to have PT come to your house, but if, you know, they do need that discharge planning, then who's going to do it? What list did you give them that for post-care provider list? Home health, long-term care, hospice, is it going to be nursing care? Who's going to be doing that for them? As far as who does it? Well, anyone who's qualified, a physician or other qualified practitioner. Does your state allow the PA or nurse practitioner to do it? Okay, they can delegate it, but the physician does have to sign off on it in order to complete that. And again, if it's somebody who's covering for that physician and doing that discharge summary, that's fine. They can do that too, but we have to have a final diagnosis. Records completed within 30 days, that's the same as joint commission. This includes inpatient, outpatient records. Again, the final diagnosis. Now, let's say a patient comes in, they're seen in the emergency department, and they leave. They've said, yep, I'm out of here, AMA. The final diagnosis is, you can say it's indeterminate based upon the patient's presentation and that they left against medical advice. This is what we saw at that time. It was a rule-out stroke. That could be the final diagnosis that they had. Now, here's the one I mentioned at the beginning, where these are the tag numbers and the requirements that are not in the current manual. There is the memo. I have listed, I believe it's in the appendix for you. Keep it handy, because you are still required to comply with this, even though it's not in the manual yet. If you use electronic medical records system, you have to show that it has a capacity, that it's fully operational for exchange of that patient health information, that this system can send a notification that includes their name, who treated them, and your institution. It sends notification when they registered in ED, if applicable, if they were admitted to inpatient service, if they were discharged from ED, or if they were transferred from ED to another place or inpatient, or if they were discharged home. Again, we have to send notice that this is where this patient's located. You may have more than one, because if they come in through ED and were admitted and then transferred, you've got at least three notifications at that time. There has to be a reasonable effort that you've done this to send notice to those who need to know about this patient. Those post-acute care providers, any practitioner who had responsibility for this patient, whether it's a PCP or someone else, those responsible for their care have to give notice, hey, this patient is here, or this patient has been discharged, and this is where they went. Now, there are sections that also pertain to health information management, and don't forget your documentation for what needs to go in in these areas. Medications, big one. Restraint and seclusion, 50 pages of standards, pre- and post-evaluation. These are other important sections for documentation. Notification to the OPO. You have to notify them in the event of a death or imminent death. You have to have documentation for grievances. Interpreters, you want to document when you use those during those critical parts of care. Patient rights, you have to document you gave notice of their patient rights. The plan of care has to be documented. Safe opioid use, what did you do? How did you assess the patient? Advanced directives, we have to have notice and documentation. They were given information. We have to have documentations when there's an allegation of abuse or neglect. There has to be some documentation somewhere that we disclose financial interest to the patient, or if there's no physician on duty. Sometimes, this is a quick checkbox on that notice of patient rights that we have to do for both of them. There's a lot that goes into documentation, not just patient. They direct patient care by nursing. There's a whole bunch more. I'm going to switch over to critical access hospitals. Not too many tag numbers here. They're very short, very similar to acutes. You have to maintain a system so that we can identify the author and protect the security of the record. We have to make sure they're not lost, stolen, altered. We limit access to only those who are authorized. List of signatures, signature cards, computer codes, be protected from and authorized by the governing body for these medical records, cross-reference, inpatient, outpatient. In critical access, if you transfer a patient to swing beds, you have swing beds, you can still use that same record. There just has to be some type of divider to know what portion was their inpatient and what portion was their swing bed stay. Same information as far as what goes into that record, what must be included for admission to discharge. All notes, documentation of their testing, their diagnostic testing, their graphics, and again, have a system so you can pull any record within the last six years. The surveyor will verify you have a record for every patient. How are they stored? By the way, if you have patient records and you're using a water suppression, fire suppression system, you might want to look at that for your medical records area. Some will use gas in their medical records because the water will destroy the ink on the paper. So if you're looking and you've got an older facility, make sure that that has been assessed. Make sure they're protected from theft also. Verify that it is adequately staffed and keeping confidentiality. The records, of course, must be legible, complete, readily accessible, documentation of everything when they talk accurate and complete, and a director of medical records appointed by the governing body. Like an acute, you have to have one unified service for all inpatient and outpatient records. You must have enough information about this patient, including social data, evidence of properly executed consent forms and medical history, assessment of their status, what are their needs, and then the brief summary of why they're there. What did you tell this patient? What was their instructions? Now this is the same information, and the one thing I do want to point out, Appendix W has not been updated since 2020. It does not have the same reference to consent for procedures that occur outside of the planned surgery. You might want to go ahead and add that to it, to your policy and procedures. Just because it's not in there, and again, CMS hasn't gotten around to applying this to critical access hospital surgical section, doesn't mean they won't. So you might want to be ahead of the game and consider adding that as far as your policy and procedure. Otherwise, we have to have that properly executed form as specified by those procedures from the medical staff, and that the patient or their representative has enough information to make that decision whether or not to go forward. The properly executed form has the same information and the same minimum requirements. The patient, your hospital name, what's happening, who's doing it, and the signature. The statement you explained it, then the optional ones, signature of the person witnessing the consent, who explained the procedure, and the date and the time you got the consent. The record must justify the admission, keeping them in there, the patient's progress, how they responded, not just medication, but all care and treatments. We have to keep confidentiality of records, make sure that no one who's not supposed to be in there isn't in there, and again, the six years. Now AHIMA has practice briefs. They could help you. I have them in the appendix for you. When I did this program, they had not required that you be a member of AHIMA, so there's some information in there that you can access without charge, and then just like an acute, you have to have a discharge summary, outcome of their stay, where did they go, and what care is needed. Now that could again be swing bed, so if they're in your hospital and they're going to swing bed, yes, they have to have a discharge summary. They have to have that completed in order to show this acute is done, now they're going to swing bed, and again, that's required for all stays. You can delegate that if the state law permits it, and there are discharge planning standards that you might want to refer to when it comes time to swing bed. Surveyor, they'll verify your staff has specified what procedures have to have an informed consent. That consent form has all of those mandatory elements. They will look at closed and open records. They want to see at least 10 percent of your average daily census, and they want to make sure they're complete and accurate, and the consent policies include not only what CMS says, maybe what your state law requires, or if you have an accrediting organization such as joint commission, are there additional standards that joint commission would require. History and physical, they can be delegated to other practitioners to complete if the state law permits it, but your policies and procedures have to okay that, and again, the physician still keeps full responsibility and has to sign off. Surveyor is going to look at your bylaws, when must they be done, and it's on the chart before they go to surgery, unless it's an emergency. Now, I have asked a couple questions of CMS in the past, and I was able to get some of their responses, so do they need an H&P when they're placed in swing bed when they had one done in acute? Well, they don't have to have an additional history and physical when they swing over to swing beds if they're in your hospital, but if they come from a different facility, yes, then they must have that history and physical. Is it required for observation patient? Yes. Short and sweet. So, those were the two questions that I did get a response. Otherwise, we have to have some description how the patient responded to your care, whether it's a nurse's notes, do we have complications, again, something we can monitor how that patient progressed, and then promptly filed and completed. So, what do they have to contain? Again, all orders, notes, reports of treatments, medical records, medication records, excuse me, including those allergic reactions, lab reports, radiology reports, vitals, anything else that you did to monitor the patient's condition. Entries have to be dated in time to authenticate it. Your medical staff policy says who can make entries and then how you're going to identify the author. Are you going to use written signature or computer code? Rubber stamps, again, they say it's best not to use them, but if they must, then that person has to sign off. They're the only ones who use it. Now, yes, given that they have really bad handwriting, it may be difficult, but you have to have that in writing that the practitioner said, I'm the only one who uses. Do not delegate it to someone else. We did have, some of you may have heard that there have been issues where the person who works with the physician, and I'm thinking outpatient, we had one in our pain management center where the nurse got a hold of the physician's signature and would sign off and use a stamp on the narcotic prescriptions. And the physician did it because they were going on vacation, didn't want to be disturbed. And then CMS came in and said, yeah, that's not okay. And it turns out that unfortunately the nurse had also used it for personal uses. That's another reason you don't want to, because the physician will be held responsible under those circumstances. Codes, great. Make sure that if you're using codes, that you know who's doing it, which signature is associated with that computer code. Sanctions, have those written out by your medical staff, that if you're going to be using this stamp and you're using it wrong, then this is what's going to happen. And policies to make sure that this is done before your record is considered closed and deemed acceptable. So that means all entries authenticated, that each author has been identified, timing of the entry, and auto-authentication. Again, this is when you auto-authenticate before the transcription that's not consistent with these requirements. So the physician, just go ahead and sign off. It's all okay. That's not going to be okay. Same rules for confidentiality, safeguard against loss, destruction, unauthorized use or dissemination. Limit access, release only when you have that authorization. And how are you going to maintain security of videos? How are you going to do that? How long are you going to keep those videos? And save with your computer stored information. Release, have a written policy and procedure discusses reuse and removal and what are the conditions. And of course, we always have to remember HIPAA and don't forget breach notification. If you have a breach of a certain number of patients, you have a certain level of requirements, how soon and how it's done. And of course, written consent for release of records. We retain our records six years from the last date of entry, longer when you have OSHA, maybe FDA. How you do it, hard copy, microfilm. By the way, if you need records in any pending litigation, you might want to check with your counsel on how long you want to keep those records. So the lawsuit can go on for years that we know that. And let's say that you've got a child that was injured, a birth injury, and then the lawsuit is brought six years later, statute of limitations, but then the lawsuit itself drags on for another five years. Then after that timeframe, if you've met your state mandatory retention of records and the lawsuit's done, all appeals are done, I'd follow your counsel's advice. Can I go ahead and destroy these records or should I keep them for an extended period of time? AHIMA, again, practice brief on those retention, and it ties in with the destruction policies also. They follow the electronic notifications the same. Again, they're not, it's not in Appendix W, it's not in the manual. So please keep that handy. It's the same thing for an acute, that you notify those who need to know this patient is admitted or they have been discharged. The patient name, treating physician, and the name of the institution sending it out. So I'm not going to repeat too much of this. It's the same requirements. If they're registered in ED or admitted or they're discharged, so you may have multiple ones. And again, reasonable effort to try and get this information transferred out to those post-care providers, whether it's a group or just one entity. And it really, the reason they're doing that is to really help with continuity of care so things aren't dropped. I go home, I need a hospital bed, that provider, that vendor is notified. I need this and I need it now. That's the reason they've done this. All right, now I'm going to move over to breach. The notification rule that we have, ERA, HITECH, they have strengthened our security protections and the breach notification. When you are required to notify patients if unsecured PHI has been accessed. Immediate notification to the victims of all breaches. You have to notify Health and Human Services of 500 victims or more. If not, you just send in an annual log to them. You may need to notify media of breaches of 500 or more. And that is a logistical nightmare and it doesn't help your reputation either. As far as now, they look at the harm threshold requirement. It's a four-part test with new penalties. I have a toolkit to help you comply. So as far as this harm, you need to evaluate the potential breach of that protected health information. You document good faith evaluation and a reasonable conclusion using that four-part test. What's the probability that this compromised PHI is going to cause harm? If it's low, you don't have a problem. If yes, patient has to be notified. It's a much lower standard now than what it was. It doesn't have to be a low probability that the PHI was compromised. And really, it's most likely to look at the result notifying more patients than you had before. So again, a low probability, it's an objective risk factor. And I'm going to get into the four factors here in a minute. So you have a breach that's presumed unless you can show it was a low probability, it was compromised based upon your risk assessment. So here are the four factors. One, the nature and extent of what was involved. What are the identifiers and the likelihood of re-identifying that patient information? Was it just the name? Or do we have a whole bunch more information? Social security card, social security number, credit card information? How much information? Was it actually acquired or reviewed? In other words, did they get in there? So let's say you have information sent to the wrong patient, but they returned the letter unopened by the post office, so really good chance it was never reviewed. Patient given the wrong discharge instruction, patient, the nurse notices it, grabs it back before the patient could see it. Maybe you've got a laptop that was accessed or stolen, and your forensic analysis says, no, they didn't get into anything. Our system held up. Three, the person who used it or who got the information. So you have to look at the recipient of that disclosure. Was it another physician? Was it a hospital? Someone who already has that duty to protect CHI. Impermissible disclosure for someone who's been trained or who worked in a hospital or BA. That's a lower probability than someone who just picked it up off the street. And then number four, what is the extent, the risk that you can mitigate that risk to the protected health information? Any mitigating issues that lead to believe in good faith and a reasonable conclusion that it wasn't disclosed, you're okay. You want to get assurances, something from that person who got it, that no copies were made or they destroyed it. Was it a physician? Was it another facility? Can we rely on them? That, yes, this information, I threw it away. I shredded it. I didn't use it because it can happen. So that is your four-part assessment test to determine the probability of risk. And if it's low, you're going to be okay. But one thing you must do is now a security risk assessment. This is from the Office of Civil Rights, 5 million in hacking fees because this was a health insurer. It's not just us, a health insurer, 5.1 because of their breach of health information. And we know it's just occurring more and more and more. Record-setting large security breaches. On an average, two large healthcare system breaches reported each day in 2023. So here are the requirements for your security rule. You are required to implement policy and procedures to prevent, detect, contain, and correct these security violations. Covered entities and their BAs, they still have to do this risk assessment because you wanna make sure you've got compliance. It's one of the four required implementation specifications to implement security management process standards. Now, I've got the links here for you for these requirements. The Office of Civil Rights with the Office of National Coordinator for Health Information Technology, they have a tool and guidance available for you. Some of you probably have already done this or had your IT people do it. So you have to develop policy and procedures to contain these violations. The risk analysis is one of the four required specifications. And again, they do give us instructions on how to implement it. So you must conduct an accurate and thorough assessment of your potential risk and vulnerabilities to the confidentiality of your PHI. It's a necessary tool to reach substantial compliance and the outcome of that analysis, that's a critical factor to determine if implementation specification of the equivalent is reasonable and appropriate. So the elements of a risk analysis, what's your scope? What's the potential risk of your vulnerability to that confidentiality? And it's all forms, whether it's paper or CDs or electronic. The data collecting, what are you collecting? How are you collecting it? Is it coming in from somewhere or are you transmitting it? What are the potential threats and the vulnerabilities? You know, that could be unique to your situation, but you have to identify and document those vulnerabilities and what would create a risk of inappropriate access. Assess your current security measures. What is the likelihood of a threat occurrence? For most of it's probably very likely and those you could reasonably anticipate. Your output, document your assessment of all threat and vulnerabilities with the likelihood of impact to that confidentiality and determine the potential impact of the threat occurrence. You know, what's the worst thing that could happen? What is the level of risk for all threats and vulnerability? And then make sure you're documenting it. You know, you have to have any special format, do you use electronic, paper, whatever it is, we just have to have documentation of that assessment. What did you find and how would you mitigate it? And then of course you wanna do a periodic review and update your assessment. Ongoing is best, conduct that analysis, identify when you have to do updates. Now, how often, they don't specify in the security rule, but if you've got new technology and business operations that you're looking at, okay. If you're changing ownership, definitely do an analysis, especially if you're buying a new facility and you've got turnover in your management or your staff, because you wanna make sure this stuff stays current and protected. My third question, yes, we have time for that, Lindsey, or my fourth one. We do and I'll go ahead and get that up here on your screen. Okay, this one should now be there where you can see that says our facility permits texting of, and you can check again all that apply to your organization here. Nothing, limited information, including patient status or location, orders, lab or diagnostic test results, patient status and other health information. We do have a couple of questions that come in as well, Laura. This one says, if you have an outpatient hospice unit, is a discharge summary required? Outpatient hospice, I guess the question is, are they considered admitted to hospice? That's a good question. I would have to check with CMS on that one for hospice. And we can certainly follow up with that as well. Yeah. Okay, and this next one says, does the patient need to be notified in writing for all disclosures? Disclosures of, you mean like for hospital ownership, MD not on site, I'm wondering if that's a disclosures. And again, you can put that in your notice of patient rights, that this hospital is owned by these physicians and, or there's not a physician on site 24 seven, and then you're done. But it has to be in writing. So that's usually the way I've seen it done. I've also seen it posted in the hallways. So we have to put up those. Okay, so they're clarified here, like for example, HIPAA disclosures, is a patient to be notified in writing of that? Of the HIPAA disclosures? Mm-hmm. Of the HIPAA disclosures? Mm-hmm. Okay, one more time, Lindsay, sorry. You're good at the HIPAA disclosure? Yeah. If the patient needs to be notified in writing. Oh, the HIPAA, you mean that I, because when I think HIPAA disclosures, I'm thinking this was the list of who asked for your records and who I gave it to. If you're saying disclosures, mm-hmm. Okay, so they're talking HIPAA disclosures. You have to make it available when the patient asks for it. So if I go in and say, who did you give over my information? That's when you have to give it to me in writing. If that's the question they're asking. Perfect, and this did come in anonymously. So if you would like to just maybe clarify your question, if you have additional questions, don't hesitate to type those in so we can make sure to give you the response that you need there. Okay, and then this is state-specific here. So we may have to follow up with what it says that our state indicates that six years from last date of service, if over the age of 18 are the most recent six years only required to be kept versus the last 10 years. Okay, you'll want to check with your council on that because the way it is written, it's the last date of service. So from 2024, if my math holds up right, it'd be 2018. Anything from 2017 going backwards, you probably wouldn't need to keep them. So I might as well just choose to keep it because patients come back. Yeah, and certainly as Laura mentioned, if you have very state-specific questions, I would encourage you to reach out to your state hospital association. If you are a member of a GHA, we'd be happy to help in any way that we can or definitely check with your legal counsel as well. Okay, I think that is the last question. So I'll go ahead and end this poll and share those results. Okay, and texting, nothing, great. Okay, so let's talk texting. And I'm also gonna do copy paste. In addition to that, these are just some of those little issues that pop up with documentation all the time. So the Department of Health and Human Services, they talk about preventing fraud. And that's the big thing behind copy paste and also that it's contractors, that's their racks. There are a few program integrity practices because they've noticed some vulnerabilities within the EHR. So there is additional guidance that auditors, they noted inconsistent to almost no guidance from CMS regarding copy paste. So how are we supposed to look at this? Because they found it's a huge issue with fraud and abuse. Now they did notice that copy paste, that does happen. It happens, carry forward happens too. And they're worried about the integrity of what's actually in there. So they said, we need an update for our attending physicians. So therefore, this is what they put out there that they propose an established general principle that says those who provide and bill for services to review and verify rather than re-document information that's already in the record by, whether it's by physicians, residents, medical students, anywhere else, just go in and verify it. And so there, now you can do an update for those attendings. And there's also CMS. Now, as far as what CMS is saying is that copy and cloning, that's how they put it in, copy paste recorded information into a new note, they know it's not been really talked about. And we know it does save time. And sometimes it just is a matter of changing the date without really looking at what happened. In those cases, that's not okay. And so be very careful. If you're going to even think about copy paste, maybe you can just say, no, we're not going to allow because something different could be. And again, changing the date without really reflecting what's going on is not acceptable. In short, they're saying it's treading on fraud. Joint Commission has put out also, they updated an issue, they call it quick safety. That's essentially what it's called. They talk about copy paste functions that it can improve efficiencies. It's quicker, no question about it, but that can be note bloat, can be wrong, error propagation, wrong record. I did find one, you may have heard this, where we had a young man who was admitted 16 years old. He came in for his football physical every year and he was 10 feet, five inches tall and he weighed 125 pounds. Now, some of us had an issue with that. We thought that was a little odd, but that kept getting repeated through this copy paste and carry over and carry forward and no one caught it. So that's why extremely careful because it was simply, it was wrong, just wrong. Joint Commission have a way to make copy paste materials easily identifiable. So if it is there, the person looking at it knows, hey, they just brought this over, it may not be correct. Staff, train them, what's appropriate and safe, monitor and assess its use by practitioners, have policy and procedures on its proper use and also monitor compliance. Now, this is not an all inclusive list. I just put some of these items out here for you to consider if you're going to let them do copy paste. Again, make sure they understand this is, oh, they're just putting this from the before so I didn't have to go back. Now, texting. In January of 18, they put out a memo. I have it in the appendix for you that they know texting's used and it's huge. It's so important for us to be able to text for communication. Now, at that time, CMS says no texting of orders. That's not compliant because how do you retain it? How do you get that thing into the record? How do you keep confidentiality and privacy and security and integrity of the existing system? Okay, so with those guidelines, most of us didn't have the ability for secure platforms. Well, in February of this year, in the memos in the appendix, now you can if you can show you have a HIPAA compliant, secure texting platform and it's in compliance with the conditions of participation. So what do you have to do? And I've combined criticals and acutes because we know that your records have to be accurately written, properly completed, properly filed, retained and accessible. How do you do that when the text is on a physician's phone? How do you do that? Well, you just have to have a system or whatever orders do come in, they're authenticated and we keep the integrity of those records and we secure the entries. So now they are saying we still consider computerized ordering the preferred method, but CMS knows alternatives exist and there have been improvements in our encryption and our interface capabilities. So we can transfer this data to the EHR. So orders that are entered through CPOE and that are immediately downloaded into the system, they're great, you can do that. It's dated, it's timed, it's authenticated and promptly pasted in there. So you can do that. If you're going to do this, you're going to allow texting of orders. You must be able to show that it's secure and encrypted and ensures the integrity for author identification and it minimizes risk to privacy and confidentiality. If you're going to do this, make sure you have policies, procedures and processes that routinely assess the security and integrity because you want to make sure it is maintained safe. So if your platform can allow that, great. If not, then you cannot allow for texting of orders. You can still do the usual, your patient B is ready for you when you are. You can still do that. The doctor just cannot text back, go ahead and administer the IVs and give them this medication, blah, blah, blah. That is not okay unless you can show your platform is secure. I don't know how many of you have that now, but CMS is starting to come around and recognize our technology is advancing quickly and we may be able to do this very fast. And just as an aside, check with your council on that also, what does your state law also permit it, the texting of orders. So now I'm glad we still have about 10 more minutes and here's my final, I'll just read through this real quick. We have a large multi-specialty hospital. The competition for patients. Patient B comes in following an MVA. They have requested the patient wants to be transferred to X because they know it, they prefer it over A and I want everything sent over to X electronically. Now this patient, they have to have additional surgery and inpatient care. A provides the same service as X. The ER physician who spoke with patient is asking him, please stay here at our hospital. We'll take care of you, we're good, we'll be fine. Patient said, nope, I'm out of here. Get me over to B and send all my information. Okay, that could happen. So hospital, they go ahead and transfer the patient to X, but the record didn't go at the same time. Now this includes radiology films taken at admission. So the admission physician over to X calls and says, hey, where's my records? I need this. You can send them electronically so I don't have to retake these x-rays of delayed care. So the call goes in to the HIM coordinator. So after two hours, we still have no records. Now, those of you who've treated patients for an MVA know they need surgery. We need to get them in there to prevent further either further or permanent damage to this patient. So after two hours, the clinical lead for surgery was called again and informed, hey, we still have no records and we're not gonna send them over because you are a competitor. And we asked the patient to say, you want them, you do them again. What should X do? And Lindsay, I'll leave it to you on how you want them to respond. Absolutely. So at this time, you can go ahead and be typing in your comments or thoughts in response to this final discussion question there into the chat. And then if you have any final questions for Laura regarding the material that she's presented today, go ahead and type those questions into the Q&A option found there at the bottom of your Zoom window. Or if you don't see that option, you can utilize the chat as well to type in just your general questions for Laura. And while we wait for you to type in your comments here for the final discussion question, there is one question in here at Laura that asks, does copy and paste rules and regs apply to electronic format where information is automatically pulled into a new visit? Yeah, the carry forward. Yeah, they didn't specifically address carry forward. But again, like with that situation on that one patient I described, read it, is it correct? Because that provider is responsible for what's in that carry forward information. And if it's wrong, they're responsible. Again, they haven't exactly called carry forward the same as copy paste. Copy paste, you have to do something. And you have to initiate that process. In other words, copy and then put over here and paste it. Carry forward is automatic. So make sure your system requires the physician to review it and sign off as, yep, that's correct. And I see it a lot of times with some of the current medical records where the patient when they're doing their pre-admission, they have to verify, here's all the medications I'm taking. No, I haven't been exposed to COVID. I haven't been out of the state. I haven't been out of the country. So that is automatically required and filled in. And that helps with that carry forward information. But then the physician, when I go in for my appointment, they go through and verify everything. And the system requires them to do that and then sign off on it. So essentially that's what the system has done for the carry forward. It's there, the provider just has to verify it, review and verify it. I see a comment here saying that I would ask to speak with the emergency department director of nursing. The hospital cannot hold the records. Right. Yeah, it's quite a battle between these two hospitals. So instead of really, okay, who's your focus here? Is it your patient or is your bottom line? And I don't wanna know the answer to that one, but finally they were able to get hold of physician, the ER physician, the doc called, the surgeon was in there and says, what's going on? I need to know. And he said, okay, he's got a fracture of this, this, and this, they ended up taking the x-rays again. Unfortunately he said, we can't wait on you guys. But they did, the patient filed a grievance because they had to have more x-rays taken because the previous hospital refused to send over the records when they were told, asked a couple of times to do it. He had no bad outcome, but it still delayed care a little bit because they had to redo it. And another cost to the patient. So Lindsay, we've got about four minutes, six minutes. I'm gonna show them a few of these resources, some of the websites that I have in here. I did wanna include, here's the final rule on protecting that reproductive health. Again, these have not been tested in court because it just went into place. The model attestation, you can pull that down. They have it already available. You don't have to reinvent it. Here are some of those new proposed regulations that they're still waiting on. I was very surprised. I didn't include some because it just didn't apply like armed forces. I didn't include that. And then the signature requirements that CMS does require. AHIMA, I like these guys. They're, this is their, this is what they do. This is their life, what they research, what they provide. You wanna have a destruction policy, so we know, and then that's your restriction, excuse me, and destruction information from AHIMA. So without making folks too dizzy, there's still about seven more slides, but I'll have you folks go through that at your leisure so we can go ahead and get you a few more minutes back. Lindsay, is there anything else you wanna add or any additional questions? And as Lindsay mentioned, something comes up after the fact, just tell Lindsay she's great about getting it to me and I'll follow up with her. Perfect, thank you, Laura. I did just go ahead and post some information there for you all in the chat as a reminder that you will receive that email from us tomorrow morning, but just note that it will come from educationnoreplyatzoom.us and so because it comes from that Zoom email, very often it seems to get called in your spam, quarantine, possibly your junk folders. So if you don't see that email in your inbox in the morning and you would just like to access the recording, you can actually do so by just using the same Zoom link that you use to join us for today's live presentation to also access that recording. And then again, just remember that the recording link is available for 60 days from today's date. And so you'll just need to click on that Zoom link, type in your information, it will prompt an email to come to us for approval. We approve those very quickly, but we ask that you give us one business day. And then once approved, again, you'll have full access to the recording for 60 days from today's date. Also included in that email tomorrow morning will be a link to the slides that Laura presented today, but I did go ahead and provide that link there for you in the chat to have as a resource now as well. And then if you are joining us as a member of the Georgia Hospital Association, please also pay special attention to the survey link that will be included in that email tomorrow morning. That is how you will obtain your certificate of attendance and any CE information. If you're joining us as a member of a partner state hospital association, I do encourage you to reach out to your contact within your state hospital association to obtain any information that they have to provide any continuing education credits for you as well. And as Laura just mentioned, if you have any questions that you would like to send over to us, please don't hesitate to send those to education at gha.org. I did include that email address there in the chat for you as well. We'll be happy to get those questions over to Laura. And she is wonderful about being very thorough and timely in her response. We so appreciate her for always going above and beyond and doing that for us. And I don't see any other pending questions. So thank you all so much for joining us today and thank you for submitting your questions. And as always, Laura, thank you so much for your time and the information that you shared with us. We look forward to having you all back with us for future sessions and hope you all have a wonderful afternoon and a wonderful rest of your week. Thank you, Laura. Thank you, everyone. Thank you, Lindsay. Bye-bye.
Video Summary
Summary:<br /><br />The presentation introduced Laura Dixon, an experienced professional in risk management and patient safety. Dixon provided an in-depth discussion on maintaining and managing medical records, emphasizing their dual role in communication and quality assurance. Key points included:<br /><br />1. **Medical Records Management**: Emphasized accuracy, promptness, and security in handling medical records. Noted the need for hospitals to conduct a security risk assessment as required by HIPAA and safeguard records from unauthorized access.<br /><br />2. **Record Accessibility**: Patients have rights to timely access to their medical records, and hospitals must facilitate this while ensuring HIPAA compliance. Used practical scenarios to illustrate how hospitals should handle such requests.<br /><br />3. **Texting Orders**: CMS now allows the texting of orders if the platform is secure, encrypted, and complies with HIPAA. Institutions must have policies and routinely assess these systems.<br /><br />4. **Consent and Compliance**: Discussed the requirement for informed consent documentation, including special considerations for procedures like surgery and research involvement, and how these should be updated with new regulations.<br /><br />5. **Historical and Physical (H&P) Requirements**: H&Ps must be documented within 24 hours of admission and reviewed if performed off-site. Highlighted the need for accuracy and timely updates, especially before surgeries.<br /><br />6. **Other Documentation**: Listed additional records that must be maintained, including discharge summaries, medication records, and notes on complications and patient responses to treatment.<br /><br />7. **Critical Access Hospitals**: Similar but slightly modified requirements for smaller facilities, focusing on documentation and the importance of accessibility and security of medical records.<br /><br />8. **Breach Notifications**: Outlined steps for breach assessments and notifications compliance with federal laws.<br /><br />The talk concluded with practical advice and scenarios reflecting real-world applications of these regulations, emphasizing patient care over competitive practices and the necessity of compliance to avoid legal ramifications.
Keywords
Laura Dixon
risk management
patient safety
medical records
HIPAA compliance
record accessibility
texting orders
informed consent
documentation
Historical and Physical
discharge summaries
medication records
Critical Access Hospitals
breach notifications
patient care
×
Please select your language
1
English