Medical Records continue to be a primary source of information containing patient-specific information to provide effective care, develop treatment guidelines, determine ability to pay for care, bill third-party payers, and anonymously conduct research studies. Any hospital must maintain a medical record for each inpatient and outpatient. It needs to be available during inpatient care, for outpatient visits, and at other times as needed and it must be up to date to ensure communication of the latest information. Thus, the medical record containing medical, nursing and other patient care notes is an essential communication tool that is useful to support the continuity of the patient’s care and must always be available so that it can be shared among all of the patient’s health care practitioners at all times.
Since the Medical Record is always available to all the patient’s health care practitioners, a hospital must create written privacy policies and procedures, which clarify who has the right to access protected information, how protected information will be used within the covered entity, when protected information may be disclosed, and employees must be trained on such privacy policies and procedures to ensure confidentiality of patient information.
An example when written privacy policies and procedures must be created is epitomized in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States of America.
Electronic Medical Records (EMR) like paper based medical records, must also be available to all the patient’s health care practitioners. In order to maintain patient confidentiality, the patient’s health care practitioners must be granted need-to-know status to gain access to the EMR. However there are exceptions, like when attending and resident doctors who are involved in current treatment episodes or on an emergency basis can also gain access through a security override feature incorporated into the EMR system.
It is very important that when all of the patient’s health care practitioners and/or other employee or medical staff member are granted access to the EMR, he or she receives training on system security, appropriate access to and utilisation of patient information, password protection features, existence of audit trails and access monitoring, and consequences of inappropriate access and/or most importantly, breach of patient confidentiality.
Many hospitals also require that their employees and medical staff members sign a statement indicating that they understand the confidential nature of patient information and the need to keep the information and their password secure.
Thus, every hospital must, regardless of its level of computerisation, need to have a comprehensive information security policy which defines the hospital’s commitment to confidentiality for patients, members of the community and its employees. It provides a blueprint for defining standards and procedures and it establishes a standard of care with respect to the handling of its confidential informational resources. A confidentiality committee with the task of developing a comprehensive information security policy should be appointed by the hospital’s leaders.
The issue of confidentiality is so important so much so that a preprinted confidentiality statement on the outside of the medical records file folder usually alerts users that patient information in the medical record is confidential and cannot be removed from the facility without proper authority.
If you are a Health Information Management (HIM) / Medical Records (MR) practitioner practising at a hospital which is already Joint Commission International (JCI) accredited or seeking JCI accreditation status or undergoing re-survey for JCI accreditation status, then he or she must be aware that the JCI Standard MCI.7 requires that “The patient’s record(s) is available to the health care practitioners to facilitate the communication of essential information.”
In all instances, the HIM / MR department at any type of hospital is responsible for allowing appropriate access to patient information in support of clinical practice, health services, and medical research, while at the same time maintaining confidentiality of patient and provider data.
This is also true when the HIM / MR department at a hospital which is already JCI accredited or seeking JCI accreditation status or undergoing re-survey for JCI accreditation status, is responsible to collect medical records selected and for allowing appropriate access to patient information in support of a Medical Records Review session.
To end, HIM / MR practitioners please take note that the JCI Standard MCI.7 is among the five (5) JCI MCI standards within the Communication Between Practitioners Within and Outside of the Organisation block of the JCI MCI Chapter.
- Caroline, BR & Mary, TK 2012, Textbook of basic nursing, 10th edn, Wolters Kluwer Health, Lippincott Williams & Wilkins, Philadelphia, USA
- Joint Commission International, 2010, Joint Commission International Accreditation Standards For Hospitals, 4th edn, JCI, USA
- Michelle, AG & Mary, JB 2011, Essentials of Health Information Management: Principles and Practices, 2nd edn, Delmar, Cengage Learning, NY, USA
- Neil, SS (ed.) 2011, Electronic Medical Records A Practical Guide for Primary Care, Humana Press, New York, USA