Course 102 Legal and Regulatory Aspects of HIT, EHR, and HIE
Course 102 - CPHIT Certification
CPEHR/CPHIT/CPHIE CORE COURSE II: Legal and Regulatory Aspects of HIT,
EHR, and HIE
Course Objectives
The Legal and Regulatory Aspects of HIT, EHR, and HIE Course is a core course in the Health IT Certification program. The healthcare delivery system is highly regulated. It is essential for care delivery organizations (CDOs) to adhere to all laws and regulations that apply to their information technology applications, and to track changes as new laws and regulations are created and updated. Maintaining a current understanding of, and adherence to, legal and regulatory requirements is essential for operating any HIT, EHR, or HIE.
When one thinks about the legal and regulatory aspects of HIT, EHR, and HIE, one generally thinks about preserving confidentiality and the admissibility of electronic records in a court of law. This course addresses these issues, but also a number of other practical legal and ethical matters.
Upon completion of this course, participants should be able to:
- Identify sources of law and standards for HIT, EHR, and HIE in order to monitor future changes.
- Describe and plan for the basic requirements for retention, storage, accuracy, integrity, and authentication to ensure that HIT, EHR, and HIE enable a legal health record.
- Identify the important aspects of maintaining privacy and security in the use of HIT, EHR, and HIE.
- Discuss ethical aspects relating to HIT, EHR, and HIE, such as use of e-mail, hybrid records, and clinical decision support.
Topics
Topics covered in this course include sources of law, regulations, and standards, so that participants know where to turn to study new laws and changes in law; the legal and evidentiary aspects of electronic forms of information; appropriate authentication when using any form of HIT; and professional and ethical tenets relating to issues in HIT, EHR, and HIE that may not yet, or ever, be addressed in law.
- Part 1: Sources of Law, Regulations, and Standards
- Part 2: Legal and Evidentiary Aspects
- Part 3: Authentication
- Part 4: Professional and Ethical Aspects
Part 1: Sources of Law, Regulations, and Standards for HIT, EHR, and HIE
Sources of Law and Standards for HIT, EHR, and HIE
The first topic in this Course explains where laws, regulations, and standards come from and how one might obtain further and continuing information about those that apply to HIT, EHR, and HIE.
Being aware of applicable laws and standards as they pertain to HIT is of critical importance. Many healthcare professionals and information systems experts think about privacy and security requirements, but the use of HIT, EHR, and HIE requires attention to more than just these two, albeit critical, aspects of the law. Furthermore, such professionals are not students of the law and are busy people focused on their primary job, which is not the law. As a result, they may overlook matters concerning documentation or other legal and regulatory aspects of information management. Those planning for HIT, EHR, and HIE implementation should ensure that legal aspects are fully addressed. Specifically addressed in this Course are the sources and types of law that anyone involved in selecting and contracting for, using, or overseeing the information management aspects of HIT, EHR, and HIE should understand and monitor for periodic change:
- Applying Laws and Standards
- Sources and Types of Law
- Federal Regulatory Process
- Examples of Federal Laws and Regulations Impacting HIT, EHR, and HIE
- State Laws
- “Voluntary” Standards
- Case Law
Key terms used throughout this Course:
- Health information technology (HIT) is a general concept describing information systems supporting the management of health information for many purposes.
- Electronic health record (EHR) is a specific concept relating to systems affording the ability to capture data from multiple sources for clinical decision making at the point of care.
- Health information exchange (HIE) is the seamless exchange of information across disparate organizations.
- Health information organization (HIO) is an organization of hospitals, clinics, and others who come together to formally exchange health information.
Sources of Law
Laws that impact HIT can appear to be a jigsaw puzzle, as there are many sources of law, law is dynamic, and different types of laws are sometimes contradictory. There are frequently questions of which law takes precedence over others where there are conflicts. As healthcare crosses state boundaries, with each state having its own set of laws, confusion can arise frequently. Law refers to the principles and regulations established by a government or other authority and applicable to a people, whether by legislation or by custom enforced by judicial decision. Law is the means by which the legal system helps members of a society settle disputes.
The U.S. Constitution, of course, is the highest law of the land; it establishes the federal government’s organizational structure and grants power to it. It also places limits on what federal and state governments may do. Each state also has a constitution, which provides similar direction. Although the constitutions establish the overall framework, the federal and state governments and judicial systems promulgate much more specific laws and regulations.
The U.S. Constitution takes precedence over all conflicting state and local laws. However, some federal laws and regulations, HIPAA among them, set only a floor: they do not preempt state laws that are stricter, or more stringent, so a state may impose stronger requirements if it wishes.
Types of Law
Types of specific laws that impact EHRs include:
- Statutory law is established by federal and state legislatures. It may be amended, repealed, or expanded by the legislature, but may also be upheld, or found by a court to violate or conflict with, a state or federal constitution or law. A growing body of case law may contribute to the creation of statutory law. In addition, law concerning the use of information technology or EHRs may be embedded in statutes that relate primarily to other topics, such as hospital or professional licensure.
- Administrative law is created by federal and state administrative agencies when delegated this authority by a legislature. Agencies are empowered to enact regulations that have the same force as statutory law. There are an increasing number of regulations pertaining to EHRs or associated HIT.
- Common law is the primary source of many legal rules and principles. Initially based on custom, today these are derived from court decisions where no applicable statute exists. This is also called case law, and is one of the most common sources of law concerning new technology.
Three types of law impact EHRs: law generated by legislatures (statutory), law generated by governmental agencies (administrative), and law developed from court decisions (case law).
Federal Regulatory Process
Regulations are developed through a defined process that includes public comment.
The Department of Health and Human Services (HHS) and various agencies within it promulgate regulations, although other Departments also promulgate rules that may apply to healthcare. For example, the Federal Bureau of Investigation (FBI), which is part of the Department of Justice (DoJ), has jurisdiction over criminal penalties where they may be called for in HHS regulations. The Drug Enforcement Administration (DEA) is also part of the DoJ and has requirements relative to prescriptions for narcotics. The Federal Trade Commission (FTC) has been tapped to provide data breach protections for commercial personal health records (PHRs) under its authority to prevent unfair or deceptive trade practices.
When a federal government agency wants to issue a regulation (or is directed to do so by a law), it publishes a notice of proposed rulemaking (NPRM), proposed rule, or interim final rule (IFR) in the Federal Register, the daily publication of the federal government designed to communicate with the public concerning announcements, new or changed regulations, and requests for comments, information, or proposals. An NPRM includes a request for public comment within a set period of time. After comments are reviewed and the rule is finalized, an effective date is established. An interim final rule is different in that it carries an effective date from the outset, and may or may not include a request for comments. If there are substantive comments on the IFR, the rule will be modified and a new effective date established. When rules are finalized, they are also published in the Federal Register. Final rules contain not only the requirements with which the target audience must comply by the date specified in the rule, but also a summary of the comments and how the federal agency responded to them. It should be noted that comments often reflect both ends of a spectrum and every conceivable viewpoint in between. It can be very challenging to reconcile these and arrive at the best possible final rule. As such, there may also be modifications to rules after they have actually been implemented.
Federal Laws Impacting HIT, EHR, and HIE
There are many Federal laws and regulations that impact HIT, EHR, and HIE:
Privacy Act of 1974 has guided federal agencies in their health record keeping. This law is not a universal privacy act: it governs records about individuals held by federal agencies, not records held by private organizations.
Freedom of Information Act (FOIA) makes records of the executive branch of the Federal government available to the public (subject to specific exemptions), including the Veterans Administration EHR software source code.
Confidentiality of Alcohol and Drug Abuse Patient Records is a long-standing regulation establishing that any healthcare provider receiving Federal funds for treating alcohol and drug abuse patients must prohibit redisclosure of such information.
Comprehensive Drug Abuse Prevention and Control Act of 1970 (Controlled Substances Act) does not allow Schedule I substances (e.g., heroin) to be prescribed in the U.S., and allows Schedule II to V drugs (e.g., narcotics) to be dispensed only on the order/prescription of a practitioner registered with the DEA. In 2010, the DEA issued regulations, not yet implemented, permitting e-prescribing of controlled substances with two-factor authentication.
Some federal regulations apply exclusively to information held by the federal government, such as the Privacy Act of 1974 and the Freedom of Information Act. Others pertain to organizations receiving federal funding (such as through Medicare reimbursement), such as the Confidentiality of Alcohol and Drug Abuse Patient Records rule. Still others apply universally, whether federal funding is received or not, such as the Controlled Substances Act.
Clinical Laboratory Improvement Amendments of 1988 (CLIA) establish quality standards for laboratory testing, regulated by CMS. These Amendments and their state counterparts require lab results to be reported only to the ordering provider, which affects when lab results may be released to others (such as patients within an HIE organization).
Medicare Prescription Drug, Improvement, and Modernization Act (MMA) of 2003 establishes rules and standards for the transmission of electronic prescriptions relative to the Medicare Part D prescription drug program.
Genetic Information Nondiscrimination Act of 2008 (GINA) is designed to ensure that employers and others do not discriminate against individuals based on genetic information. This supports the use of such information to personalize medicine, where cancer and other treatments must be designed to target specific genetic traits.
Some federal laws also have complementary state laws, such as CLIA; others do not preempt state law where state law exists and is more stringent, such as HIPAA.
Patient Safety and Quality Improvement Act of 2005 establishes voluntary reporting to assess and resolve patient safety and health care quality issues, including confidentiality provisions so that providers are not discriminated against when they report quality measures.
Family Educational Rights and Privacy Act (FERPA) provides privacy protections for health information maintained by schools, and is somewhat inconsistent with HIPAA. HHS and the Department of Education have issued a comparison document to help clarify which law applies.
Red Flags Rule, issued by the Federal Trade Commission (FTC), requires creditors to have a program to watch for potential identity theft. Once thought to apply to all providers, it has now been clarified that it applies only to providers who use consumer reports in connection with a credit transaction or advance funds in limited ways.
Laws Restricting Referrals
Other laws that impact providers are the Stark law, federal and state anti-kickback statutes, and the False Claims Act. Their purpose is to ensure that referrals are made in the interests of the patient, not the provider. Any arrangement that provides a financial benefit can trigger the prohibition. For example, the HHS Office of Inspector General (OIG) has long been concerned about commercial laboratories providing free printers for physicians to print results, as this may be an inducement to refer tests to the lab. Absent an exception, the law would be violated if a hospital provided an EHR to a physician practice. However, when a hospital gives a physician online access to hospital information, that is not considered a benefit to the physician.
There are exceptions, however, such as where items or services are supplied at market prices. Another relates to community-wide network donations, where funds are pooled so that no one relationship can be singled out as a potential kickback; this is useful for HIEs. In order to incentivize the use of HIT, the Medicare Modernization Act (MMA) led to an exception allowing hospitals and others to provide e-prescribing systems and EHR software, information technology, and training services to physicians. Exceptions to the Stark self-referral law were published on August 8, 2006 by CMS. Simultaneously, a final rule creating equivalent safe harbors under the anti-kickback statute was published by the Office of the Inspector General (OIG) of the Department of Health and Human Services (HHS).
The Stark law, federal and state anti-kickback (A-KB) statutes, and the False Claims Act prohibit referrals among providers who have tainted financial relationships, irrespective of any legitimate business purpose.
Exceptions to Stark and Anti-Kickback Laws
To qualify for the physician self-referral exception, the items and services must be used solely for e-prescribing, or predominantly to create, maintain, transmit, or receive EHRs. In the case of EHRs, the software must be certified as interoperable by a certifying body recognized by the Secretary of HHS. Also in the case of EHRs, the physician must pay 15 percent of the donor’s cost for the items and services, the donation may not include hardware, and the donor may not finance the physician’s payment. In both the e-prescribing and EHR cases, the donor must not make receipt of the items or services a condition of doing business with the donor, a physician’s eligibility for the items or services must not be determined in a manner that takes into account the volume or value of referrals or other business generated between the parties, and the arrangement must be in writing.
Stark and anti-kickback laws remain critical to the relationships among provider organizations. Donations that can be supported through their exceptions are, however, important to the overall momentum toward HIT and EHR.
Administrative Simplification & Affordable Care
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Transactions and Code Sets (TCS) provides standards for enrollment and premium payment, eligibility verification, claims, claims status, remittance advice, and prior authorization. Updated versions (X12 Version 5010) required by January 1, 2012.
- Medical code sets: ICD-9-CM and CPT; ICD-10-CM/PCS required by October 1, 2013.
- Privacy Rule establishes standards for uses and disclosures of protected health information (PHI), including PHI held by business associates under contract; gives individuals rights in their PHI; and establishes administrative requirements.
- Unique identifiers for employers, providers, (health plans, not yet implemented), and [individuals, not created pending a federal privacy law].
- Security Rule establishes standards for administrative, physical, and technical security controls for covered entities and, via contract, business associates.
- Patient Medical Record Information initiated a process to define standards for vocabularies.
Affordable Care Act of 2010 (ACA) provides health insurance reform and enhances administrative simplification; at the time of this course it had been held unconstitutional by a federal district court, a ruling then under appeal.
In addition to ARRA/HITECH, two other rules that have been on the books for some time significantly impact HIT, EHR, and HIE. These are the requirement to adopt the latest version of the HIPAA transactions and code sets (X12 Version 5010) by January 1, 2012 and the requirement to adopt ICD-10-CM by October 1, 2013.
Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a wide-sweeping set of provisions that establishes rules on healthcare fraud and abuse and attempts to overcome exclusionary practices for pre-existing conditions (i.e., the “portability” of health insurance). Within the context of HIT, HIPAA promotes administrative simplification through the adoption of information systems by HIPAA-covered entities (health plans, healthcare clearinghouses, and providers who file claims electronically). It does this through standards for electronic financial and administrative transactions and code sets (TCS) for the medical and retail pharmacy communities; standard identifiers for employers, providers, health plans, and individuals; and standards for patient medical record information, which included recommendations for standard vocabularies. In response to the need for health reform, the Affordable Care Act was enacted in 2010; it also includes administrative simplification provisions for a healthcare standard for electronic funds transfer, a standard identifier for health plans (which had not yet been implemented under HIPAA), and standard operating rules for use of the transactions. (ACA is primarily directed at health insurance reform; see Core Course I.) The privacy advocacy community has lobbied Congress to disallow the creation of a unique health identifier for individuals until such time as a Federal privacy law is enacted, which to this time does not exist.
The privacy advocacy community was successful in seeing that Privacy and Security were addressed in HIPAA, and these regulations have been in effect since 2003 and 2005 respectively. ARRA/HITECH is bringing enhancements to the Privacy and Security regulations.
American Recovery and Reinvestment Act (ARRA) of 2009, including Health Information Technology for Economic and Clinical Health (HITECH)
- Guidance Specifying Technologies and Methodologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of Breach Notification Requirements, HHS, April 27, 2009
- Statement of Organization, Functions, and Delegations of Authority (moving authority for Security from CMS to OCR), Sept. 4, 2009
- Breach Notification for Unsecured PHI, IFR, HHS, August 24, 2009
- Health Breach Notification Final Rule (regarding personal health records), FTC, August 25, 2009
- HIPAA Administrative Simplification: Enforcement, IFR, Oct. 30, 2009
- Medicare and Medicaid EHR Incentive Program, Final Rule, CMS; and HIT: Initial Set of Standards, Implementation Specifications, and Certification Criteria for EHR Technology, Final Rule, ONC, July 28, 2010
- Process for Organizations to Conduct Certification of EHR Technology (Temporary [July 18, 2010] and Permanent [Jan. 7, 2011]), ONC, Final Rules
- Modifications to HIPAA Privacy, Security, and Enforcement under HITECH, Proposed Rule, July 14, 2010
ARRA/HITECH
The American Recovery and Reinvestment Act (ARRA) of 2009, and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which is incorporated into ARRA, are part of President Obama’s stimulus program. ARRA provides incentives for the adoption of certified EHRs used in a meaningful way (i.e., for exchange of data and quality measure reporting) and gives statutory permanence to the Office of the National Coordinator for Health Information Technology (ONC), which is playing an increasingly important role in HIT policy and standards development and deployment. HITECH also reaffirms HIPAA, enhances it, and extends protections for identifiable health information beyond covered entities and business associates (such as to PHRs).
A number of guidance documents, proposed rules, interim final rules, and final rules have been released since ARRA/HITECH became law on February 17, 2009, and more are expected, including final rules enhancing the HIPAA Privacy and Security Rules as well as final rules for those still in interim final rule status.
Food, Drug, and Cosmetic Act, including Medical Device Amendments of 1976
- Provides regulations on testing, manufacture, labeling, and distribution of drugs, cosmetics, and devices, including human blood and some telehealth equipment.
- Although EHRs have not been considered medical devices to date, the FDA has the authority to regulate them and has publicly observed that clinical decision support in an EHR could fall under the medical device category.
- In response to growing reports of unintended consequences from using EHRs, the FDA created a Working Group on Regulation of EHR Systems in April 2009. A preliminary report and recommendations were issued in August 2010, suggesting several areas for further evaluation, guidance, and clarification of existing regulation that could be the basis for additional regulation.
One industry observer (Dale Sanders, CIO, Cayman Islands Health Authority, April 20, 2010) has likened clinical decision support in EHRs to seat belts in cars: initially, seat belts were voluntary and crossed only the lap of the driver and passenger. The result was improved safety, but also a new range of injuries that had not previously existed. Shoulder straps and three-point anchors were then added, which significantly improved safety and reduced unintended consequences. Later, seat belts became required by state law, with drivers who did not observe the law subject to ticketing.
Another industry observer, Dr. Berkowitz, suggests that shoulder straps should be added to EHRs because of unintended consequences, whether from poor implementations, poor design, or other reasons.
While controversial, the FDA has the power to regulate EHRs if it considers them to be medical devices, and it has instituted a working group and studies of the matter.
State Laws
Much of the law concerning retention, storage, accuracy, integrity, and authentication in HIT, EHR, and HIE is derived from state law. Hospitals and other providers cannot operate without state licensure (of the organization or the individual practitioner). Each state’s licensure laws vary, and each state may have separate laws for licensure of hospitals, pharmacies operated within a hospital, retail pharmacies, and various types of professionals. For example, state boards of pharmacy license pharmacists and establish standards for the content and format of prescriptions, including their signature requirements (all of which now permit electronic transmission of prescriptions). In addition to healthcare licensure laws, there are also general business record rules and hearsay rules that address the circumstances in which business records, such as health records, may be admitted into evidence in a court proceeding. State laws may be accessed directly from a website maintained by the State, or through portals set up by special interest groups, such as those identified on the accompanying slide.
State laws present a “crazy quilt” of privacy and other pertinent laws. State laws vary considerably, and should be your primary source of information when writing organizational policies.
Health Information Security and Privacy Collaboration
Regulations promulgated pursuant to the Health Insurance Portability and Accountability Act (HIPAA) established baseline health care privacy requirements for protected health information (PHI). Many states have adopted statutes that are more stringent than HIPAA, in which case HIPAA does not preempt them and the more stringent state statute governs. As a result, an organization must apply the more stringent state statutes when doing business in that state, for example when requesting information about a patient who resides in a state other than the one in which the healthcare services are provided.
Variations in state laws present challenges for widespread HIE. As a result, the federal government contracted for the formation of the Health Information Security and Privacy Collaboration (HISPC) in 2006. This is a partnership consisting of a multi-disciplinary team of experts and the National Governors Association (NGA). The HISPC works with approximately 42 states or territorial governments to assess and develop plans to address the variations in state laws (and organization-level business policies) affecting privacy and security practices that may pose challenges to interoperable health information exchange. A full set of their work products is available from the HHS Health IT portal ( http://healthit.hhs.gov/ ).
HISPC is a new initiative to promote interoperability in the area of privacy laws.
State HIE Laws
There are no federal laws that mandate HIE, nor laws that pertain solely to HIEs. Many states, however, have started introducing bills and enacting statutes to help support the formation of HIEs, promote their sustainability, and assure their value, as well as to address some of the potential legal issues that newly forming HIEs may face. The State-Level HIE Consensus Project inventories state-level HIE initiatives (see http://statehieresources.org/ ).
There are a number of legal agreements that may be used to support HIE organizations. The business associate contract is the basic HIPAA agreement for covered entities to use when engaging other parties to perform work for them. In general, HIEs are business associates, as they predominantly perform a function involving the use or disclosure of individually identifiable health information. A data use agreement is another HIPAA requirement, used when a “limited data set” is exchanged with another party for research, public health, or health care operations. The limited data set is individually identifiable health information from which most, but not all, HIPAA-specified identifiers have been removed.
Many HIEs have adopted a data sharing agreement and/or a participation agreement. These agreements may be construed as broader than the HIPAA business associate contract, since they address many issues associated with the exchange of information in addition to privacy and security. Because such agreements are very new, it is not always clear whether these are two different terms meaning the same thing, or whether the data sharing agreement refers to what data may be shared under what circumstances while the participation agreement is more of a governance agreement relating to how one participates, pays fees, etc. Obviously, any agreements should be put into place by a qualified attorney advising the HIO specifically.
HIE legal agreements may include: business associate contracts, data use agreements, data sharing agreements, and participation agreements.
“Voluntary” Standards
There are some federal regulations that are considered voluntary requirements. A healthcare organization only has to comply with them if it chooses to participate in the program to which the law relates. An important example is the Conditions of Participation (CoP) for those providers choosing reimbursement under Medicare and Medicaid.
There are CoP for hospitals and for other forms of providers, such as providers of outpatient physical therapy and speech-language pathology, and home health agencies. The regulations establish standards that are used to improve quality and protect the health and safety of beneficiaries. The Centers for Medicare and Medicaid Services (CMS) may conduct surveys of healthcare organizations to ensure they are in compliance with the CoP.
Some laws are “voluntarily” applicable to those organizations choosing to participate in the programs associated with them. The Medicare and Medicaid Conditions of Participation are an important example.
Accreditation
Although not law, accreditation is extremely important to health care and in many respects is as important as law. Accreditation is the voluntary review of an organization’s compliance with standards of accreditation published by voluntary accrediting bodies. These standards address many aspects of information management, including the capturing, reporting, processing, storing, retrieving, disseminating, and display of clinical/service and non-clinical data and information.
The Joint Commission (formerly the Joint Commission on Accreditation of Healthcare Organizations) and the American Osteopathic Association (AOA) are the most widely recognized accreditation organizations for hospitals. CMS recognizes them as “deeming” organizations. This means that when a hospital meets their standards of accreditation, it may be deemed by CMS to have also met the CoP. A hospital would typically undergo an additional survey only if a special Medicare inspection finds noncompliance.
There are other accreditation organizations as well that generally focus on specific services or types of organizations, such as health maintenance organizations, physician practices, insurance companies, laboratories, rehabilitation facilities, and radiology services.
Part 2: Legal and Evidentiary Aspects of HIT, EHR, and HIE
This part of the Legal and Regulatory Aspects of HIT, EHR, and HIE Course addresses the issues
primarily governed by state law and significantly addressed in the HIPAA Security Rule with respect to
assuring that HIT and EHR enable the maintenance of a legal health record. While the specifics of state
statutes with respect to records maintained by healthcare organizations vary, in general they all address
certain fundamental issues. Each of the following areas should be considered in planning for HIT, EHR,
or HIE:
- Retention
- Destruction
- Durability
- Storage
- Transmission integrity
- Accuracy of entries
- Admissibility
- Best evidence
- Authorization/Consent
State laws concerning health records may be found in hospital licensure laws, professional licensing laws,
and many other sources.
Retention
Retention refers to how long a record must be kept in relation to its potential need in a legal action
(statute of limitations). Various federal regulations, state statutes of limitations, and some accrediting
bodies all set retention requirements, often based on the nature of the data.
State statutes vary widely, but generally require retention of health records for seven to ten years. For
minors, the statute of limitations begins to run at the age of majority (which varies by state). Some states
require long retention periods but permit destruction of paper documents sooner if they have been
microfilmed. Healthcare organizations may also establish retention policies that extend beyond their
state's statute of limitations when the organization conducts a lot of research or has a high rate of
readmissions/revisits.
Very few states have addressed retention of EHRs apart from paper records; the common understanding
is therefore that, unless otherwise specified, EHRs should be retained at least as long as paper records.
The American Health Information Management Association (AHIMA) maintains information on the record
retention requirements of accreditation organizations, federal regulations, and state statutes at
www.ahima.org.
Spoliation of Evidence Doctrine
The legal system has accumulated a body of knowledge, called doctrines, that sets forth principles that
should be followed in certain situations, much like business best practices.
The spoliation of evidence doctrine concerns withholding from destruction those records that are the
subject of pending or potential litigation or investigation. Destroying such a record could be viewed by
the courts as the equivalent of obstruction of justice in a criminal case. Courts may impose sanctions for
destroying records relevant to pending, or even potential, litigation. These may include refusing to allow
documents to be introduced at trial, special jury instructions, financial sanctions, fines, imprisonment, or
even a new lawsuit in certain states.
Healthcare organizations are advised never to destroy a record of a case involved in an investigation or
litigation, even if it is due for destruction according to the organization's retention schedule. It is further
advisable to sequester these records so they cannot be tampered with. In an electronic environment, that
may mean applying stricter access controls so that entry of any further information into the record is
prohibited (a "legal hold"), moving the record to a separate medium, or printing out an exact
representation of the record and storing it in a "legal file." The legal file is usually kept under the
jurisdiction of the health information manager, who is the hospital's official custodian of records and who
may be called upon to testify that the record was compiled and maintained in the normal course of
business. In a physician practice without an HIM professional, the practice manager or the physician in
charge of operations serves in this capacity.
Spoliation of evidence may be worse than the original problem! A complete record is the best source of
defense.
Legal Health Record
The American Health Information Management Association (AHIMA) is the professional membership
organization of health information management (HIM) professionals, who have long been designated the
custodian of the legal health record. The custodian of health records is the individual responsible for
collecting, protecting, and archiving the legal health record. This individual may be called to testify to the
admissibility of the record, and be asked to verify the timeliness and normal business practices used to
develop and maintain the health record.
As the health record has become automated, the responsibilities of the custodian of the legal health
record remain the same, but the definition of what constitutes a “legal health record” has become of
concern to HIM professionals. There are concerns associated with what portions of an EHR should be
released. For example, while evidence of the electronic signature is a critical element of the legal health
record, the audit trail of a view-only access is generally not considered part of the legal health record and
would not be produced in response to a subpoena or court order for the “legal health record;” however, as
AHIMA also notes, it is possible that such audit trail information could be found discoverable and required
to be produced either in addition to the “legal health record” or separately.
AHIMA defines the legal health record as: “Generated at or for a healthcare organization as its business
record and is the record that would be released upon request.” It also notes “[The legal health record]
does not affect the discoverability of other information held by the organization.” See
www.ahima.org for additional information.
There are also concerns about whether printouts of electronic data qualify as admissible evidence.
While this should generally not pose a problem, if the system cannot generate a printout that reflects how
the care delivery process actually occurred, the printout may be found inadequate as evidence. For
example, if the physician writes an order for multiple items and services at one time, such as
medications, a special diet, lab tests, and a radiology procedure, it is generally desirable to be able to
print that specific order as a unit. Some EHR systems have only been able to print sets of all medications
ordered, all special diets, all lab tests, all radiology procedures, and so on. The data are the same, but the
"information," that is, how the data relate to one another, may be lost in the different format.
However an organization may define its legal health record, that definition does not affect the
discoverability of other information held by the organization.
Retention of Metadata/E-Discovery
Another critical legal aspect of record retention concerns the audit logs and other metadata that
surround EHRs. In the life of a lawsuit, discovery refers to compulsory disclosure: the phase in which
legal counsel attempts to learn everything possible about a case. Federal (and state) rules now make
clear that such information is subject to a discovery motion. E-discovery refers to the amendments to the
Federal Rules of Civil Procedure and the Uniform Rules Relating to Discovery of Electronically Stored
Information.
Metadata describe the data and the underlying software in applications. Metadata are usually thought of
in the context of a data repository, as the description of the characteristics of each data element, but the
term also covers the clinical decision support embedded in software that "fires" rules when certain data
conditions are met. An attorney may want to know during discovery which rules fired and what actions
were taken in response, even if no documentation resulted. Audit logs are the records of user access,
including user IDs, date/time stamps, and the actions associated with each access. An audit log should
show which user ID was used, how that user was authenticated (password, token, biometric, etc.), and
what actions were taken; it must never record the password value itself. Audit logs also help prove record
integrity. Regular review of audit log data identifies potential breaches, including instances of potential
identity theft.
Metadata are data about data. Metadata include descriptions of the data elements in a database, the
underlying applications and programs, and audit trails.
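Regular review of audit log data, as described above, only finds anything if someone actually runs checks over the log. The following Python script is an added example written for this page, not code from the course or from any EHR product. It reviews a small set of constructed audit-log lines for three patterns a compliance reviewer commonly looks for: access to a patient with no documented treatment relationship, access outside working hours, and bulk viewing of many patients in a short window. The comma-separated log format, the sample lines, the care-team table and the thresholds are all assumptions made for this illustration.

```python
"""Review of EHR audit-log lines for access that warrants follow-up.

Added example; not code from the course or from any EHR product. The log
format, the sample lines, the care-team table and the thresholds are all
constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user_id, auth_method, patient_id, action.
# The log records *how* the user authenticated (password, token), never the
# password itself.
AUDIT_LOG = """\
2010-03-02T08:05:11,nurse_jane,password,P1001,VIEW
2010-03-02T08:06:40,nurse_jane,password,P1001,UPDATE
2010-03-02T09:15:03,dr_smith,token,P1002,VIEW
2010-03-02T09:16:21,dr_smith,token,P1002,ORDER
2010-03-02T22:41:09,clerk_bob,password,P1002,VIEW
2010-03-02T23:02:13,clerk_bob,password,P1003,VIEW
2010-03-02T23:02:45,clerk_bob,password,P1004,VIEW
2010-03-02T23:03:10,clerk_bob,password,P1005,VIEW
2010-03-02T23:03:30,clerk_bob,password,P1006,VIEW
2010-03-02T23:03:55,clerk_bob,password,P1007,VIEW
"""

# Constructed treatment relationships: patients each user may legitimately open.
CARE_TEAM = {
    "nurse_jane": {"P1001"},
    "dr_smith": {"P1002"},
    "clerk_bob": {"P1002"},
}

BULK_THRESHOLD = 5                 # distinct patients within BULK_WINDOW (assumption)
BULK_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59; assumption for this unit


def parse_log(text):
    """Turn the comma-separated lines into event dicts with real timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, user, auth, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "auth": auth, "patient": patient, "action": action})
    return events


def review(events, care_team=CARE_TEAM):
    """Return (kind, user, detail, timestamp) tuples for suspicious access."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        # 1. Access to a patient with no documented treatment relationship.
        if e["patient"] not in care_team.get(e["user"], set()):
            findings.append(("NO_RELATIONSHIP", e["user"], e["patient"], e["ts"]))
        # 2. Access outside the user's working hours.
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("AFTER_HOURS", e["user"], e["patient"], e["ts"]))
        by_user[e["user"]].append(e)
    # 3. Bulk viewing: many distinct patients opened within a short window,
    #    a common pattern when records are being harvested for identity theft.
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= BULK_WINDOW]
            patients = {x["patient"] for x in window}
            if len(patients) >= BULK_THRESHOLD:
                findings.append(("BULK_ACCESS", user, len(patients), start["ts"]))
                break
    return findings


def summarize(findings):
    """Count findings per user so reviewers can prioritise follow-up."""
    return dict(Counter(f[1] for f in findings))


if __name__ == "__main__":
    for kind, user, detail, ts in review(parse_log(AUDIT_LOG)):
        print(f"{ts.isoformat()} {kind:16} {user:12} {detail}")
```

Run it directly to print the findings; the same functions can be pointed at a real export once parse_log is adapted to the product's log format. Note what the log stores about authentication: the method used, never the password, and note that the care-team table is what turns a raw access record into a judgement about whether the access was legitimate.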
Metadata and Change Control
Because metadata and audit logs may be part of the discovery process in a lawsuit and required to be
provided in evidence of record trustworthiness, some organizations are retaining them for the same
period of time as the record’s content. This raises the issue of not only how metadata are retained, but
also versioning of the underlying software. While it should not be necessary to keep a copy of every
version of the software to enable its actual use in court, it is necessary to keep track of all changes so
that the date and nature of each change can be determined. As new versions of software are introduced,
possibly with more robust clinical decision support, those changes are also part of the metadata change
control process. Most upgrades are backward compatible, meaning that the new version can access data
originally captured and processed in the old version; however, this should be ascertained before applying
the upgrade. If the upgrade is not backward compatible, the old version should be archived in the event
its disclosure is necessary. This should not conflict with the license agreement, but again it is worth
addressing in contract negotiations up front.
Change control, version control, and backward compatibility are critical elements in enabling retention.
Destruction Policy
Most healthcare organizations have established policy that destruction of health records takes place
only after approval by the organization's administration, attorney, malpractice liability insurance carrier,
and/or board of directors. When health records are destroyed, it is advisable to keep a witnessed
manifest including, at a minimum, the patients' names and the identifying numbers of the records
destroyed. Some organizations keep additional information, such as the dates of admission, discharge,
and encounters; physician names; diagnoses and procedures; and in some cases even the history and
physical exams, operative and pathology reports, and discharge summaries.
When healthcare organizations close, health records are generally sold as part of the assets in the sale;
if not, practice varies widely with respect to their disposition. It is generally recommended that the
records be kept in some capacity, even if by the local public health department, although some
organizations have notified patients to direct their records to another provider or they will be subject to
destruction.
Because destruction of business records, such as health records, is an important legal matter, it should
be performed according to policy and with special permission.
Destruction of EHRs and Electronic Media
HIPAA addresses disposal and re-use of electronic media and devices from the perspective of preserving
confidentiality. Covered entities are required to implement policies and procedures that address the final
disposition of ePHI and/or the hardware or electronic media on which it is stored, and to remove ePHI
from electronic media before the media are made available for reuse. The rule does not elaborate further,
but most experts agree that data on electronic media, including hard disks as well as floppy disks,
magnetic tape, CDs, etc., must be fully removed, not just reformatted: reformatting typically rewrites only
the file system structures and leaves the underlying data recoverable with common forensic tools. The
methods most commonly recommended are degaussing, which exposes magnetic media to a strong
magnetic field that neutralizes the stored data bits (and usually renders the drive unusable), and
zeroizing, which overwrites every addressable location with zeros or another fixed pattern. Degaussing
does nothing for non-magnetic media such as CDs or flash memory, and overwriting cannot be relied on
for flash-based media (SSDs, USB drives) because wear leveling can leave copies of data that the
overwrite never reaches; for those, use the device's built-in secure erase or cryptographic erase, or
destroy the media. Physical destruction of the media (shredding, crushing, incineration) is always an
option and is the surest. When destroying paper records, they should be shredded, incinerated, or
pulverized. Most healthcare organizations use a professional records management company to perform
electronic and/or paper destruction. These companies use bonded agents to pick up the material to be
destroyed and provide certification of the destruction. Whatever method is used, the organization should
verify the result (for example by sampling wiped media for residual data) and keep the certificate of
destruction as part of its documentation.
Destruction of devices and media is addressed by HIPAA as a confidentiality protection.
(Question 4)
Durability
Most record retention requirements center around statutes of limitations. The purpose is to be able to
retrieve the record in the event it is needed as evidence in court. Of course, accreditation organizations,
the Medicare Conditions of Participation (CoP), licensure requirements, and other laws and standards are
also concerned with the healthcare organization's ability to retain information to meet the needs of
continued patient care, research, education, and other legitimate uses of the information. All of these
needs raise another matter: durability, or the permanence, of the media on which the record is retained.
Generally it is believed that paper can be retained for the period required by states' statutes of limitations.
There has been some concern, however, that it is not known how long data can be retained on electronic
media. This was of special concern in the early days of optical (laser) disks. Most experts now believe
that the durability of electronic media is equal to or better than that of paper. Where state law does not
provide specific requirements for electronic records, however, it is prudent to periodically test that records
on electronic media can still be restored. There are two reasons for this: the first is to prove the media's
durability; the second is to prove that the software is still capable of displaying and/or printing the data.
Although most upgrades are backward compatible, as EHRs age and new versions of software are
implemented, it is prudent to verify that data can be retrieved through the updated software. It may be
necessary to retain a copy of the older version of the software to retrieve archived data, or at least to
retain the software documentation in order to substantiate what functionality was, or was not, available at
the time the data were created and used.
Because much of the ability to enter health records into court as evidence depends on their having been
kept in the normal course of business, whatever practice is put in place to test durability needs to be
performed consistently over time and consistently with the organization's policy.
Storage
Storage is closely related to retention, destruction, and durability. The Joint Commission defines storage
requirements as safeguarding health records from loss, destruction, tampering, and unauthorized use.
The HIPAA Security Rule addresses safeguards for electronic protected health information (ePHI),
including contingency planning requirements that must address data backup, disaster recovery, and
emergency mode operation (i.e., business continuity). As healthcare organizations move from a
paper-based environment through various stages of hybrid records, where part of the content is on paper
and part in electronic form, many are implementing more sophisticated contingency planning, including
fully redundant servers, remote disaster operations capability, and backup power supplies (such as a
diesel generator). HIPAA also requires safeguarding the integrity of ePHI, that is, protecting it from
improper alteration or destruction. Note that encryption by itself protects confidentiality, not integrity;
what corroborates that ePHI has not been altered or destroyed in an unauthorized manner is an integrity
mechanism such as a checksum, cryptographic hash, or digital signature computed over the stored data
and checked on retrieval. The Security Rule lists such a mechanism as an addressable implementation
specification, meaning the organization must implement it if reasonable and appropriate or document why
an equivalent alternative was chosen. Some of these measures are functions of the software supporting
the data, but many are physical facility controls.
As more information is automated, there is also an increasing need to protect data stored on devices and
media that may be transported somewhere, such as to a backup facility, to provide home health services,
to telecommute, or to respond instantly to medical emergencies. The federal government has issued
guidance that encourages encryption (or destruction, as applicable), and ARRA/HITECH provides a
federal data breach notification requirement, requiring reporting of breaches of "unsecured PHI," i.e., PHI
where technology has not been used to "render data unusable, unreadable, or indecipherable to
unauthorized individuals." Although the breach notification requirements address any form of breach, to
date most reported breaches have involved paper or physical storage media.
Part of storage management is also the retention of the documentary evidence called for in HIPAA, such
as maintenance records to prove that HIT was adequately maintained, records of information system
activity review (ISAR), incident reports and response records, and privacy and security training records.
Transmission Integrity
States that have statutes addressing EHRs typically also require transmission integrity, although they
generally do not define it very explicitly. HIPAA also addresses transmission integrity, requiring covered
entities to "implement security measures to ensure that electronically transmitted ePHI is not improperly
modified without detection until disposed of." HIPAA also includes an addressable implementation
specification for encryption of ePHI in transit "whenever deemed appropriate." This has been upgraded
to virtually a direct requirement in subsequent HHS security guidance and in the ARRA/HITECH Act of
2009 and its data breach notification provisions.
Today, most healthcare organizations do not permit transmission of EHRs or any other protected health
information (PHI) over the open Internet unprotected. Instead, they use secure protocols, principally
Transport Layer Security (TLS, the successor to the Secure Sockets Layer [SSL] protocol, whose versions
are now deprecated and should no longer be enabled) and Internet Protocol Security (IPsec), to create
virtual private networks (VPNs) that provide an encrypted tunnel through the Internet, or they use private
leased lines. These means, however, protect only the "envelope": the data are protected while in motion
and are exposed again once they leave the tunnel. While sniffing of traffic in motion is certainly possible,
breaches are more likely once data have reached their destination (at rest, in use, and when disposed of).
Hence the expanded recommendations to encrypt the data themselves as well, and to use integrity
mechanisms that travel with the data rather than relying solely on the transport.
ARRA/HITECH data breach guidance references the following resources:
- NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices
- NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS)
Implementations
- NIST SP 800-77, Guide to IPsec VPNs
- NIST SP 800-113, Guide to SSL VPNs
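Transport protection ends at the tunnel endpoint, so the integrity requirement quoted above ("not improperly modified without detection") is most robustly met by an integrity tag that travels with the data itself. The following Python code is an added example written for this page, not code from the course or any product: it protects a constructed medication order with an HMAC-SHA256 tag under a shared key and shows that a change to the dose is detected at the receiver no matter how the message was transported. The message fields, the sample order and the demo key are assumptions.

```python
"""Integrity tag carried with an ePHI message, independent of the transport.

Added example written for this page; not code from the course or any product.
The message fields, the sample order and the shared key are assumptions made
for illustration; a real deployment would manage the key like any other secret.
"""
import hashlib
import hmac
import json


def canonical(payload: dict) -> bytes:
    # Deterministic serialisation so sender and receiver authenticate identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(payload: dict, key: bytes) -> dict:
    """Sender side: attach an HMAC-SHA256 tag computed over the canonical body."""
    body = canonical(payload)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode("utf-8"), "tag": tag}


def verify(message: dict, key: bytes) -> dict:
    """Receiver side: return the payload if the tag matches, raise if the body
    was modified (or was tagged with a different key)."""
    expected = hmac.new(key, message["body"].encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("integrity check failed: message modified or wrong key")
    return json.loads(message["body"])


# Constructed sample: a medication order leaving the EHR for a pharmacy system.
SHARED_KEY = b"constructed-demo-key-replace-with-a-managed-secret"
ORDER = {"msg_id": "ord-0001", "patient": "P1001", "drug": "warfarin", "dose_mg": 5}


def tamper_demo(key: bytes = SHARED_KEY) -> str:
    """Modify the dose in transit and report whether the receiver notices."""
    sent = protect(ORDER, key)
    altered = dict(sent)
    altered["body"] = sent["body"].replace('"dose_mg":5', '"dose_mg":50')
    assert altered["body"] != sent["body"]          # the tampering did take effect
    try:
        verify(altered, key)
    except ValueError:
        return "detected"
    return "undetected"
```

The tag does not hide the content, so confidentiality still needs encryption (TLS for the hop, or encryption of the body for end-to-end protection), and a tag alone does not stop replay of an unmodified message; the msg_id is included in the protected body so the receiver can reject duplicates it has already processed.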
Accuracy of Entries
In addition to protecting the privacy and security of PHI, state statutes generally require ongoing
verification of the accuracy of data in health records. For example, New York requires hospitals to have:
- A protocol for ensuring that incomplete entries, reports, or documents are not accepted or
implemented until reviewed, completed, and verified by the author, and
- A process, implemented as part of the hospital's quality assurance activities, that provides for
sampling of records for review to verify the accuracy and integrity of the system.
Licensing and accrediting agencies, as well as health plans, also look at the legitimacy of the entries:
that they describe the patient uniquely and comply with documentation requirements, especially in
support of reimbursement.
A primary source for determining the accuracy of entries in EHRs is the audit log, assuming, of course,
that the software has audit log capability. Unfortunately, some systems sold as EHRs do not have audit
log capability, or in some cases the capability is turned off; a log that was never enabled cannot be
produced later, so enabling it and protecting the log itself from alteration should be verified during
implementation. Another critical aspect of accuracy in EHRs is the responsibility of users to use their own
unique user ID and password or other form of authentication. Sharing credentials is the same as signing
a blank check and leaving it for anyone to use: every entry made under a shared ID is attributed to the
wrong person, and the audit log can no longer prove who did what.
Although state statutes vary, all require the need to assure accuracy of data entry in some way.
Another aspect of accuracy relates to how errors are legitimately corrected and addenda made.
Annotating these in EHRs is often more difficult than lining out an entry, initialing it, and recording a new
entry as is typically done on paper. Each vendor addresses error correction in a slightly different manner.
It is important to understand how this occurs as part of the EHR design process. An EHR should be
designed so that a corrected entry is date/time stamped accordingly and the original entry remains
viewable when necessary. When a copy of the legal medical record must be produced for court, the
ability to see where errors existed and were corrected is an essential element of being able to state that
the EHR was created in the normal course of business. Error correction also affects patient care. An
erroneous entry could have been acted upon before it was corrected, making it necessary to understand
the sequence of events surrounding its correction. A corrected entry may also be part of a sequence of
data that will later be graphed; the corrected entry needs to appear in relation to the time of the original
data collection, not the time of correction.
Checking how an EHR handles an error may be even more important than checking how easy it is to
enter data to begin with.
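The requirements just described (a correction is date/time stamped, the original stays viewable, a corrected value sorts by the time the observation was taken, and the sequence of events around the correction can be reconstructed) translate into an append-only record structure. The following Python class is an added example written for this page, not code from the course or from any EHR vendor; the field names, the split between clinical time (observed_at) and system time (recorded_at), and the three views are assumptions made for illustration.

```python
"""Append-only chart entries with error correction that preserves the original.

Added example; not code from the course or from any EHR vendor. The entry
fields, the distinction between clinical time and recorded time, and the view
names are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    entry_id: int
    patient: str
    observation: str                 # what was measured, e.g. "temperature_C"
    value: str
    observed_at: datetime            # clinical time: when the observation was taken
    recorded_at: datetime            # system time: when this entry was written
    author: str                      # unique user ID of the person who entered it
    corrects: Optional[int] = None   # entry_id this entry supersedes, if any
    reason: Optional[str] = None     # why the correction was made


class Chart:
    """Entries are only ever appended; nothing is edited or deleted in place."""

    def __init__(self) -> None:
        self._entries: List[Entry] = []

    def record(self, patient, observation, value, observed_at, recorded_at, author) -> int:
        entry = Entry(len(self._entries) + 1, patient, observation, value,
                      observed_at, recorded_at, author)
        self._entries.append(entry)
        return entry.entry_id

    def correct(self, original_id, value, recorded_at, author, reason) -> int:
        original = self._entries[original_id - 1]
        # The correction carries the original's clinical time so that it sorts
        # with the data it replaces (e.g. on a vitals graph), and gets its own
        # recorded_at so the sequence of events stays reconstructible.
        entry = Entry(len(self._entries) + 1, original.patient, original.observation,
                      value, original.observed_at, recorded_at, author,
                      corrects=original_id, reason=reason)
        self._entries.append(entry)
        return entry.entry_id

    def _live(self, patient, as_of: Optional[datetime] = None) -> List[Entry]:
        visible = [e for e in self._entries
                   if e.patient == patient and (as_of is None or e.recorded_at <= as_of)]
        superseded = {e.corrects for e in visible if e.corrects is not None}
        return [e for e in visible if e.entry_id not in superseded]

    def current_view(self, patient) -> List[Entry]:
        """What a clinician sees now: latest value per entry, in clinical order."""
        return sorted(self._live(patient), key=lambda e: e.observed_at)

    def view_as_of(self, patient, moment: datetime) -> List[Entry]:
        """What the chart showed at a past moment: answers 'what could have
        been acted on before the correction was made?'"""
        return sorted(self._live(patient, as_of=moment), key=lambda e: e.observed_at)

    def legal_view(self, patient) -> List[Entry]:
        """Complete history for production in court: every entry, original and
        correction alike, in the order written, each correction pointing at
        what it replaced and why."""
        return sorted((e for e in self._entries if e.patient == patient),
                      key=lambda e: e.recorded_at)


def demo() -> dict:
    """Constructed scenario: a mis-transcribed 08:00 temperature corrected at 13:00."""
    chart = Chart()
    t08 = datetime(2010, 3, 2, 8, 0)
    t12 = datetime(2010, 3, 2, 12, 0)
    original = chart.record("P1001", "temperature_C", "38.9", t08,
                            datetime(2010, 3, 2, 8, 5), "nurse_jane")
    chart.record("P1001", "temperature_C", "37.5", t12,
                 datetime(2010, 3, 2, 12, 3), "nurse_jane")
    chart.correct(original, "36.9", datetime(2010, 3, 2, 13, 0), "nurse_jane",
                  "transcription error; paper flowsheet reads 36.9")
    return {
        "current": [(e.observed_at.hour, e.value) for e in chart.current_view("P1001")],
        "as_seen_at_10": [(e.observed_at.hour, e.value)
                          for e in chart.view_as_of("P1001", datetime(2010, 3, 2, 10, 0))],
        "legal_ids": [e.entry_id for e in chart.legal_view("P1001")],
        "correction_points_to": chart.legal_view("P1001")[-1].corrects,
    }
```

The three views answer the three questions the text raises: current_view is what the clinician (and a graph) should see, view_as_of shows what a clinician who ordered something at 10:00 was looking at, and legal_view is what the custodian produces in court, with the erroneous 38.9 still present and the correction pointing back at it.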
Admissibility
In general, business records, such as health records, are hearsay because they contain statements made
by someone other than a witness on the stand. Most states, however, have an exception to the hearsay
rule for business records or admit health records under another exception.
A health record may therefore be submitted into evidence either directly under the state's business
records rule or, with the judge's permission, under another exception to the hearsay rule. When a health
record is submitted for use in court, the record custodian must attest that the record was made in the
normal course of business. He or she must be able to describe all aspects of the record's creation, how
accuracy is assured, what authentication methods are used, how records are stored and may be
transmitted, and the organization's record retention and destruction policies.
Health records are generally admissible in a court of law because they are the provider's business
records.
Best Evidence Rules
Although the best evidence rule states a preference for the "original" of a record, federal and many state
rules of evidence deem any printout or other readable output of an electronic record that is shown to
reflect the data accurately to be an original. Microfilm and digital images are generally admissible as
duplicates.
When a record has been microfilmed or stored on some other form of computer media and the original
destroyed, the information can still be entered into evidence under best evidence rules.
It is important to review state statutes before declaring electronic information the official legal source of
health information.
(Question 5)
Authorization/Consent
As health information organizations (HIOs) are forming, there is an increasing emphasis on obtaining
consent for uses and disclosures of health information. This stems in part from general Web-based
marketing and e-commerce practices: consumers are accustomed to opt-in or opt-out choices on the
Internet. As the federal government promotes consumer empowerment to achieve value-driven health
care, much more emphasis is placed on consumers' rights in their health information. There is also
increasing awareness of the rising rate of medical identity theft, consumer concern about the ability of
healthcare organizations to protect their health information, and a lack of trust on the part of covered
entities about how well other covered entities or their business associates adhere to HIPAA Privacy and
Security requirements. As a result, many states have legislated more stringent requirements for consent
for uses and disclosures of health information in general, and many HIOs are adding consent to their
policies in an effort to be more transparent and responsive to consumer concerns.
It is important to understand what consent means, how it may be used in different contexts, and its use in
HIPAA, especially as distinguished from authorization. Informed consent, of course, is a process that has
long existed in health care for patients consenting to specific medical interventions.
Authorization vs. Consent
Authorization in the HIPAA Privacy Rule is the granting of formal written permission (using a valid
authorization form) for uses and disclosures of protected health information (PHI) for which an
authorization is required (45 CFR §164.508). Authorization in the HIPAA Security Rule refers to policies
and procedures for authorizing access to electronic PHI that are consistent with the applicable
requirements of the Privacy Rule (45 CFR §164.308(a)(4), Information Access Management).
- Consent in the HIPAA Privacy Rule
  - A covered entity may obtain consent to use or disclose PHI to carry out treatment, payment, and
healthcare operations (TPO)
  - Consent is not effective to permit a use or disclosure when an authorization is required or
another condition must be met (45 CFR §164.506(b)(2))
- States may have more stringent requirements, especially for highly sensitive information, such as
mental health, HIV/AIDS, and genetic information
- States are increasingly considering adding consent requirements for uses and disclosures of PHI
via an HIO
- Some HIOs are requiring consent by policy:
  - Opt in: seek advance consent to be included
  - Opt out: provide the right to not be included
  - Notice only
  - Matrixed consent: blends nature of PHI, uses, and users
Authorization is an explicit permission and is required by HIPAA for specific uses and disclosures.
In general, consent is also permission, but may range from a formal process of documenting the consent
action to a less formal opt-in or opt-out selection. HIPAA treats consent very narrowly, referring only to
use or disclosure of PHI for treatment, payment, and healthcare operations (TPO).
- Informed consent is permission for
  - A provider to administer care and/or treatment or perform surgery and/or other medical
procedures, explaining benefits and risks and enabling an informed decision
  - A researcher to involve a human being as a subject in a research study covered by the Common
Rule or HIPAA's Privacy Board requirements
- The AMA Office of the General Counsel (last updated May 7, 2007) defines informed consent as a
communication that is both ethically and statutorily required by all states for specific medical
interventions.
- Informed consent within the context of research is described by the Protection of Human Subjects
regulation (a.k.a. the Common Rule) at 45 CFR §46.101, which requires informed consent (or a waiver
by an Institutional Review Board) for "all research involving human subjects conducted, supported, or
otherwise subject to regulation by any federal department or agency which takes appropriate
administrative action to make the policy applicable to such research." HIPAA also requires either an
authorization for research or a waiver by a Privacy Board where the research may not be subject to the
Common Rule (45 CFR §164.512(i)).
- Within HIPAA, consent is not required, but is permitted if a covered entity chooses to require it or if
state statutes require it. The intent of consent within HIPAA, however, is different from that of
authorization.
Informed consent is a process that has existed for a long time in health care relative to providers
obtaining permission to administer to patients.
Part 3: Authentication
Both federal and state laws address authentication, and the context in which authentication is addressed
must be fully understood in order to apply it to the EHR.
This part of the Legal and Regulatory Aspects of HIT, EHR, and HIE course addresses the special focus
of signatures and how documentation in electronic form can be authenticated:
- Signature Requirements
- Authentication
- ESIGN and UETA
- Digitized Signature
- Electronic Signature
- Digital Signature
- NIST/DEA e-Prescribing Authentication Requirements
Authentication refers to how an electronic signature represents the same qualities as a "wet signature."
That is, authentication in a computer must identify the individual making an entry and must reflect the
individual's intent to sign the information entered.
Signature Requirements
The following is an example of one state’s hospital licensure requirement with respect to signatures used
in electronic records:
“Electronic signature and other computer-generated signature codes are acceptable when used within
hospital policy.”
Other states are more specific, indicating that the signature should include: date, time, category of
practitioner, mode of transmission, and point of origin.
HIPAA identifies authentication as “person or entity authentication,” because it is possible that one
system may need to authenticate with another system to exchange data. HIPAA’s authentication standard
requires covered entities to implement procedures to verify that a person or entity seeking access to
protected health information (PHI) is the one claimed, however, HIPAA does not specify further how such
procedures must be carried out.
The most famous signature is that of John Hancock – and such a “wet signature,” where a person has
signed in ink, is still the “gold standard” with respect to assuring who wrote the signature.
Authentication
In the paper world, a "wet" signature (i.e., an individual's name written in ink) provides authentication and
is the standard against which the strength of all other signature forms is evaluated. For commercial
transactions, an electronic replication of a wet signature, called a "digitized" signature, is sufficient.
Building on the Uniform Electronic Transactions Act (UETA), the Electronic Signatures in Global and
National Commerce Act (ESIGN), signed into law on June 30, 2000, defines an electronic signature as
"an electronic sound, symbol, or process, attached to or logically associated with a contract or other
record and executed or adopted by a person with the intent to sign the record." However, as an analysis
of the various forms of signature reveals, the ESIGN definition is inherently "weak": How is "intent to
sign" demonstrated? "Sounds, symbols, or processes" are ill defined. Although such signatures are easy
to explain, can be captured by most computers, and are technology independent (any computer can
accept a scanned image of a signature or a sound file), they are only weakly bound to a document or
data and can be easily subverted.
So while neither ESIGN nor HIPAA requires "strong" authentication measures, there is a growing
movement to make electronic signatures stronger. The DEA issued an interim final rule on March 31,
2010 describing authentication requirements for e-prescribing of controlled substances. It requires identity
proofing and credentialing of practitioners allowed to write prescriptions for controlled substances,
two-factor authentication to sign each prescription (two of: a password or other knowledge factor, a hard
token, a biometric), and a digital signature over the prescription record.
The strength of a signature refers to how difficult it is to forge, and how difficult it is for the signer to
repudiate it (to deny that it is his or her signature). Any signature may be made stronger by adding
signature attributes or combining two or more attributes.
Digitized Signature
Digitized signature is one form of signature used in computer systems. It is a scanned image of a
signature, commonly used in the retail industry where a cashier is able to compare the signature written
with a stylus on a signature pad to the signature on the back of the credit card. It is the weakest form of
electronic authentication, although signature dynamics is a stronger form of the technology that includes a
forensic signature analysis much as that performed on wet signatures. Signature dynamics requires the
use of a special digitized pad and stylus as well as a signature file. When the individual uses the stylus to
sign the pad, the device measures the X and Y coordinates of the digitized signature; the pressure,
velocity, and acceleration of the writing of the signature; and verifies those characteristics against those
on file. The digitized signature can be associated with a specific signed document through a hash
function, an algorithm that creates a hash value, or fingerprint, of the document. As a result, if the
document changes, the hash values will not match, and the signature is invalidated.
Digitized signatures are considered weak. Signature dynamics is a much stronger improvement on the
digitized signature, but is not widely used today.
Electronic Signature
Although the term “electronic signature” has come to be used generically, electronic signature most
commonly refers to the use of a password, token, biometrics or some combination of such to create a
logical manifestation of a signature. It supplies additional information such as a date and time stamp and
purpose specific to the user (e.g., is the user a co-signer?). This is the most commonly used means to
authenticate information electronically today in health record applications.
A number of efforts are being made to make it easier to use strong authentication methods. One means is
training users on how to select strong passwords containing at least 7 characters, including no words and a
combination of alpha, numeric, and special characters (for example, using something like “0s@eCUC” to
represent something familiar, such as “Oh say can you see”), and increasing the interval of time between
required password changes (a truly strong password should not have to be changed more frequently than
every 6 months unless compromised). Another is to adopt “single sign on”
technology or a synchronized password capability to help users who must access multiple applications.
Two-factor authentication follows the principle of combining something you know with either something
you have (e.g., token, swipe card, proximity card) or something you are (e.g., biometric).
Electronic signatures, i.e., userID and password, token, or some combination thereof, are the most
common form of signature in EHRs today.
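The password rules in the passage above (at least 7 characters, a mix of alphabetic, numeric and special characters, no embedded dictionary word, and no forced rotation more often than about every six months unless compromised) can be turned into a checkable policy. The following is an added example written for this page, not code from the course or any EHR vendor; the word list is a constructed stand-in for a real dictionary and breached-password list, and 182 days is assumed as the six-month ceiling.

```python
import re
import string
from datetime import date

# Constructed sample word list standing in for a full dictionary; a real
# deployment would load a dictionary and a breached-password list instead.
COMMON_WORDS = {"password", "welcome", "letmein", "hospital", "doctor", "nurse", "summer"}

MIN_LENGTH = 7       # minimum length stated in the course text
MAX_AGE_DAYS = 182   # assumed value for "every 6 months", the rotation ceiling


def password_policy_violations(candidate: str, wordlist=COMMON_WORDS) -> list:
    """Return the policy rules the candidate fails; an empty list means it passes.

    Rules follow the course text: at least 7 characters, a mix of alphabetic,
    numeric and special characters, and no dictionary word embedded in it.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", candidate):
        problems.append("no numeric character")
    if not any(ch in string.punctuation for ch in candidate):
        problems.append("no special character")
    lowered = candidate.lower()
    # Only words of 4+ letters count, so short fragments do not trigger false hits.
    hits = sorted(w for w in wordlist if len(w) >= 4 and w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


def is_acceptable(candidate: str) -> bool:
    return not password_policy_violations(candidate)


def rotation_due(last_changed_iso: str, today_iso: str, compromised: bool = False) -> bool:
    """Force a change only on compromise or after the six-month ceiling, never more often."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return compromised or (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    for pw in ("0s@eCUC", "Welcome2024!", "Ab1!"):
        print(pw, password_policy_violations(pw) or "accepted")
```

The passphrase-derived example from the text, “0s@eCUC”, passes all four composition checks, while a password built around a dictionary word is rejected even when it satisfies length and character-class rules.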
Digital Signature
Digital signature is the term reserved to describe a process of encryption and non-repudiation. There are
several components associated with a digital signature:
Digital Signature Elements
In a digital signature, encryption provides the means to protect the content of a message from being
revealed (whether the message is a signature only or content and signature). Encryption is a form of
cryptography in which an algorithm is used to scramble the content so that only the corresponding algorithm
can be used to decrypt the message. Non-repudiation is substantial evidence of the identity of the signer of a
message and of message integrity, sufficient to prevent a party from successfully denying the origin,
submission, or delivery of the message and the integrity of its contents.
There are many mathematical algorithms that have been used to create various forms of digital signature.
The National Institute of Standards and Technology (NIST) has a Digital Signature Standard (DSS) that
has become a Federal Information Processing Standard (FIPS 186-1). This standard enables the use of
the RSA (Rivest-Shamir-Adleman) digital signature algorithm or the DSA (Digital Signature Algorithm) to
digitally sign messages. RSA is the most popular digital signature algorithm, used in many Web browsers
and with the Secure Sockets Layer (SSL) protocol. When integrity of the data within the message is
required, the Secure Hash Algorithm (SHA-1) can be added. A hash, also called a message digest, is a
number generated from a string of text. It is substantially smaller than the text itself, and is generated by a
formula in such a way that it is extremely unlikely that some other text will produce the same hash value.
A digital signature is the strongest form of authentication possible.
Public Key Infrastructure
PKI works in the following way for two parties, A and B, to exchange a message:
1. A requests B’s public key from a certificate authority (CA) to access the CA’s certificate directory.
2. The CA sends B’s public key to A.
3. A sends a session key encrypted with B’s public key, along with A’s own public key, to B.
4. B validates A’s public key with the CA.
5. If the CA responds that A’s public key is still valid, B decrypts the session key with B’s private key
so that A and B can communicate in a secure manner.
Public key infrastructure is a set of procedures associated with one form of digital signature that uses a
public key. It binds the identity of an individual to a public key in asymmetric encryption technology, also
called public key cryptography. This technology utilizes a “key pair” between two individuals or parties who
are trying to communicate in a secure manner. One key is made available publicly (i.e., the public key) and
the other is kept private (i.e., the private key). Digital certificates are the basis for public key infrastructure
(PKI), which is an International Standards Organization (ISO) authentication framework. The framework
utilizes public key cryptography and the X.509 standard to enable secure authentication to happen across
different networks and the Internet. Unfortunately, with the exception of the digital signature certificate
standard (X.509), there is no other single standard for PKI. The result has been that PKI products may be
difficult to interoperate with each other.
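The digital signature section above (hash as fingerprint, signing with a private key, verification with the public key) and the five PKI steps just listed can be walked through in one small simulation. This is an added example for this page, not code from the course or from any PKI product: it uses textbook RSA over fixed Mersenne primes with no padding, truncates SHA-256 digests to 64 bits so every value fits under each modulus, represents certificates as signed JSON dictionaries rather than X.509, and lets the CA answer validity queries directly (standing in for a revocation list). None of that is secure; it only shows the mechanics of why a certificate binds identity to a key and why step 4 matters.

```python
"""Toy version of the five-step exchange above (added illustration, not course material).
Textbook RSA over fixed Mersenne primes, no padding, SHA-256 truncated to 64 bits.
Deliberately small and NOT secure: real systems use FIPS 186 key sizes, PKCS#1
padding and X.509 certificates."""
import hashlib
import json
import secrets

E = 65537  # public exponent shared by every toy key pair

def make_keypair(p: int, q: int):
    """Return (public_key, private_key) as (n, e) and (n, d) for distinct primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data: bytes) -> int:
    """The 'fingerprint' a signature binds to: SHA-256 truncated to 64 bits."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(digest(data), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(data)

def encrypt(public_key, plaintext: bytes) -> int:
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(private_key, ciphertext: int, length: int) -> bytes:
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")

def encode(body: dict) -> bytes:
    """Canonical bytes of a certificate body so signer and verifier hash the same thing."""
    return json.dumps(body, sort_keys=True).encode()

class CertificateAuthority:
    """Binds a subject's identity to its public key by signing the pair (a certificate)."""

    def __init__(self):
        self.public_key, self._private_key = make_keypair(2**61 - 1, 2**89 - 1)
        self.directory = {}    # subject -> certificate (the CA's certificate directory)
        self.revoked = set()   # serial numbers the CA no longer vouches for
        self._next_serial = 1

    def issue(self, subject: str, public_key) -> dict:
        body = {"serial": self._next_serial, "subject": subject,
                "n": public_key[0], "e": public_key[1]}
        self._next_serial += 1
        cert = {"body": body, "signature": sign(self._private_key, encode(body))}
        self.directory[subject] = cert
        return cert

    def revoke(self, serial: int) -> None:
        self.revoked.add(serial)

    def is_valid(self, cert: dict) -> bool:
        """Step 4 as the text states it: the CA answers whether the certificate still stands."""
        return (cert["body"]["serial"] not in self.revoked
                and verify(self.public_key, encode(cert["body"]), cert["signature"]))

def run_exchange(revoke_a: bool = False, forge_a: bool = False) -> str:
    """Walk the five steps; return 'ok' or the reason the exchange was refused."""
    ca = CertificateAuthority()
    a_pub, _a_priv = make_keypair(2**31 - 1, 2**107 - 1)
    b_pub, b_priv = make_keypair(2**19 - 1, 2**127 - 1)
    a_cert, _ = ca.issue("A", a_pub), ca.issue("B", b_pub)
    if revoke_a:
        ca.revoke(a_cert["body"]["serial"])
    # Steps 1-2: A fetches B's certificate from the CA directory and checks the CA's signature.
    b_cert = ca.directory["B"]
    if not verify(ca.public_key, encode(b_cert["body"]), b_cert["signature"]):
        return "rejected: B's certificate is not signed by the CA"
    b_pub_from_ca = (b_cert["body"]["n"], b_cert["body"]["e"])
    # Step 3: A encrypts a fresh session key under B's public key and attaches A's certificate.
    session_key = secrets.token_bytes(16)
    sent_cert = a_cert
    if forge_a:
        # A different public key is swapped into the body, but the CA's signature cannot be redone.
        sent_cert = {"body": dict(a_cert["body"], n=b_pub[0]), "signature": a_cert["signature"]}
    message = {"encrypted_key": encrypt(b_pub_from_ca, session_key), "cert": sent_cert}
    # Step 4: B asks the CA whether A's certificate is genuine and still valid.
    if not ca.is_valid(message["cert"]):
        return "rejected: A's certificate is forged or revoked"
    # Step 5: B recovers the session key with its private key; both sides now share it.
    recovered = decrypt(b_priv, message["encrypted_key"], len(session_key))
    return "ok" if recovered == session_key else "failed: session key mismatch"
```

Calling `run_exchange()` completes all five steps; `run_exchange(revoke_a=True)` and `run_exchange(forge_a=True)` show the two ways step 4 refuses the exchange, which is the point of having a CA in the loop rather than trusting a bare public key sent over the wire.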
(Question 6)
Federal Authentication Guidance
Although not law, the National Institute of Standards and Technology (NIST) develops the Federal
Information Processing Standards (FIPS), which federal government agencies are required to use. In
addition, NIST develops Special Publications (SP) that provide guidance on information security
technology. NIST Special Publications are available at http://csrc.nist.gov/publications/PubsSPs.html and
are an excellent resource for anyone needing additional information on computer security processes.
NIST’s Electronic Authentication Guideline (SP 800-63-1) was included in the DEA Interim Final Rule for
Electronic Prescriptions for Controlled Substances, requiring Assurance Level 3 for identity proofing (i.e.,
digital certificate). FIPS 140-2 Security Level 1 was the required level of security for hard tokens, although
additional levels exist, such as where a hard token includes a biometric function as well.
The authentication levels are:
1 = little or no confidence in asserted identity (e.g., self-identified user/password)
2 = some confidence in asserted identity (e.g., PIN/password)
3 = high confidence in asserted identity (e.g., digital certificate)
4 = very high confidence in the asserted identity (e.g., hard token)
The authentication levels are used in coordination with potential impact categories (inconvenience,
financial loss, harm to public interests, unauthorized release of sensitive information, personal safety, and
civil or criminal violations) for authentication errors to provide assurance level impact profiles. Based on
the four authentication assurance levels and six potential impact categories for authentication errors, it is
possible to determine the appropriate level of authentication measure for any type of information
exchange.
The National Institute of Standards and Technology (NIST) has produced an extensive library of special
publications concerning security for use of electronic information systems in the federal government. This
library can be accessed at: http://csrc.nist.gov/
(Question 7)
Part 4: Ethical Aspects of HIT, EHR, and HIE
Ethical Aspects of HIT, EHR, and HIE
Legal and regulatory aspects of information technology use do not always provide solid answers to
questions, especially as new frontiers in technology are being explored.
This part of the Legal and Regulatory Aspects of HIT, EHR, and HIE course addresses ethical decision
making. This is an area that has become increasingly important – especially as short cuts and
workarounds are often used to overcome barriers to adoption of HIT, EHR, and HIE.
Examples of ethical issues are prevalent in health care, including and especially bio-ethics surrounding
treatment and end-of-life matters, which are not covered here as they do not relate to HIT. To be
covered here are:
• Documentation aids
• E-mail
• Hybrid records
• Clinical decision support
• Vendor selection
Law also tends to lag behind technology. As a result, organizations need to apply ethical principles in
making judgments about the use of new technology.
Ethical Decision Making
Ethics is a process of reasoned discourse (discussion) among decision makers in order to identify what is
the right or good thing to do. Ethical decision making requires everyone to consider the perspectives of
others, even when they have different values. Bioethics involves problems or issues regarding clinical
care or the health information system that are never strictly theoretical in nature but must always result in
a decision.
The principles espoused in ethics have been described in The Belmont Report, which was submitted to
the U.S. Office of Human Subjects Research of the National Institutes of Health. They include:
• Respect for persons, and their autonomy and privacy (“The Good”)
• Beneficence, meaning promoting good and doing no harm (also part of the Hippocratic Oath) (avoid
“The Bad”)
• Justice, meaning treating others fairly (avoid “The Ugly”)
One may wonder why ethics is included in a program on HIT and EHR. The fact of the matter is that law
and regulation always lag behind technology, so that when new technology is introduced, how to manage
it frequently must be determined by an organization’s ethical decision making process.
This Course looks at five examples: vendor selection, documentation accuracy, e-mail, hybrid records,
and clinical decision support; but many other examples may come to mind.
Steps in ethical decision making include: (1) determining if the situation is an ethical dilemma, (2)
identifying relevant facts and stakeholders involved, (3) proposing what courses of action could be taken
and what conflicts may arise from each, (4) evaluating a proposed course of action against ethical
principles and reaching consensus on the “right” thing to do, then (5) acting and evaluating.
Documentation Accuracy
Information technology introduces documentation tools that are both time-savers as well as potential risk
areas, especially for health care. Some of these tools include:
“Cut and paste” (which technically is copy and paste, although cut and paste is also possible and an even
bigger risk). This is most frequently found when the EHR’s documentation component is based on word
processing (rather than structured data entry templates). When used, clinicians should be taught to be
very careful, not only to avoid copying one patient’s information into a different patient’s record (in the
example, Jim’s birth date would not make him a “child”), but also to be aware that repetitive copying could
suggest that the clinician was not actually attending to the patient. Reuse of data is similar to cut and
paste, with a somewhat different process. Some organizations conduct audits of EHRs to look for
potential problems with this function.
Consider the error in the following note that derived from “copy and paste”: copying a note referencing a
child into the record of an adult (birth date: 12-02-58) to whom it does not apply is an error state in
documentation.
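The audit the passage mentions (looking for copy-and-paste problems, including the child-versus-adult birth date error) can be automated over exported notes. The following is an added example written for this page, not code from the course or any EHR: the notes, patient ids and birth dates are constructed, the visit date of 2010-09-01 is assumed, and the method (hashing runs of eight words and flagging notes on different patients that share several such runs, plus a demographic cross-check for age terms) is one reasonable approach rather than a documented organizational procedure.

```python
import hashlib
import re
from collections import defaultdict
from datetime import date

# Constructed sample records; patient ids, birth dates and note text are invented.
PATIENTS = {"P001": date(2004, 5, 20), "P002": date(1958, 12, 2), "P003": date(1980, 6, 1)}
NOTES = [
    {"note_id": "n1", "patient": "P001", "text":
     "Child presents with fever and right ear pain for two days. Tympanic membrane "
     "erythematous and bulging. Plan: amoxicillin, recheck in 10 days."},
    {"note_id": "n2", "patient": "P002", "text":
     "Child presents with fever and right ear pain for two days. Tympanic membrane "
     "erythematous and bulging. Plan: amoxicillin, recheck in 10 days. Patient DOB 12-02-58."},
    {"note_id": "n3", "patient": "P001", "text":
     "Follow-up visit. Ear pain resolved. Tympanic membrane normal. No further treatment."},
    {"note_id": "n4", "patient": "P003", "text":
     "Adult with sore throat, no fever. Rapid strep negative. Supportive care."},
]

SHINGLE = 8  # words per fingerprint; long enough that ordinary clinical phrases do not match


def shingles(text: str, k: int = SHINGLE):
    """Yield a hash for every run of k consecutive words, ignoring case and punctuation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    for i in range(len(words) - k + 1):
        yield hashlib.sha1(" ".join(words[i:i + k]).encode()).hexdigest()


def cross_patient_duplicates(notes, k: int = SHINGLE, min_shared: int = 3):
    """Return note-id pairs on different patients that share at least min_shared word runs."""
    owners = defaultdict(set)  # fingerprint -> {(note_id, patient)}
    for note in notes:
        for fp in set(shingles(note["text"], k)):
            owners[fp].add((note["note_id"], note["patient"]))
    shared = defaultdict(int)
    for members in owners.values():
        members = sorted(members)
        for i, (id_a, pat_a) in enumerate(members):
            for id_b, pat_b in members[i + 1:]:
                if pat_a != pat_b:          # same-patient reuse is a different (lesser) concern
                    shared[(id_a, id_b)] += 1
    return sorted(pair for pair, n in shared.items() if n >= min_shared)


def age_on(birth: date, visit: date) -> int:
    return visit.year - birth.year - ((visit.month, visit.day) < (birth.month, birth.day))


def age_term_conflicts(notes, patients, visit: date, adult_age: int = 18):
    """Flag notes that call the patient a child when the demographics say adult."""
    flagged = []
    for note in notes:
        age = age_on(patients[note["patient"]], visit)
        if re.search(r"\b(child|pediatric|infant)\b", note["text"], re.I) and age >= adult_age:
            flagged.append((note["note_id"], note["patient"], age))
    return flagged


def run_audit(visit_iso: str = "2010-09-01") -> dict:
    """Both checks over the constructed records, keyed by finding type."""
    visit = date.fromisoformat(visit_iso)
    return {"duplicates": cross_patient_duplicates(NOTES),
            "age_conflicts": age_term_conflicts(NOTES, PATIENTS, visit)}


if __name__ == "__main__":
    print(run_audit())
```

On the constructed data the audit pairs note n1 with n2 (the same otitis media narrative copied into a different patient’s record) and separately flags n2 because its patient, born 12-02-58, was 51 at the assumed visit date yet is described as a child. Raising `min_shared` or the shingle length trades recall for fewer false positives on templated text.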
Smart text, or macros, permits a user to enter a few keystrokes to be provided an entire narrative entry.
For example, the entry of *OM might produce a statement that indicates the typical findings for a
physician’s entry with respect to history of present illness for a patient with otitis media.
While macros can be helpful, they also are subject to the concern of producing “canned” documentation.
To reduce this possibility, some EHRs only produce text that has embedded variables that must have
unique data entered into them, such as indicated by the caret symbols (“< >”) in the example below.
Some EHRs prevent a user from proceeding to a new entry screen or logging off until all required data
elements have been entered into variable fields, such as whether the otitis media is in the left or right ear
in the example.
Compliance issues can also arise from workarounds. For instance, a physician may enter an order for a
laboratory test and be expected to also enter a diagnosis (often supplied as an ICD-9-CM code)
supporting the medical necessity of the test. Some EHRs will not permit the order to be executed without
a code. Other systems permit any code to be entered, which may not necessarily be the code that truly
explains the reason for the test. Such an entry may result in not providing the patient with an Advance
Beneficiary Notice (ABN) advising the patient that Medicare may not pay for the test given the reported
diagnosis.
In order to ensure the accuracy of documentation, it is important to audit use of automation tools.
An Ethical Dilemma that Almost Isn’t Any More: E-Mail
E-mail is an example of an ethical dilemma which health care seems to have solved relatively well by
using e-mail encryption or secure portal. Yet some privacy and security issues may remain, especially by
well-intentioned yet not careful processes. An example arose when the pharmaceutical manufacturer
Lilly decided to discontinue its “Prozac Users Group,” which it had supported as a means to help Prozac
users remember to take their medication. As soon as the e-mail was sent to all participants, Lilly
realized that the addresses were visible to all participants and reported this transgression to the FTC, which
fined Lilly for not following its privacy policy. Interestingly, none of the participants complained, as they
apparently were happy to have their fellow users’ addresses, perhaps with the intent of creating their
own users group.
More pertinent are other elements of using e-mail that continue to pose potential ethical dilemmas, such
as:
• Disparity between patients and physicians in their desire to use electronic systems for
communications
• Potential liability by patients in an urgent situation
• The volume and length of messages, especially with respect to reimbursement for e-visit
consultations
• The potential for electronic communications to widen social disparities in access to healthcare and
in healthcare outcomes
• Managing the evidentiary aspects of electronic communications: retention, destruction, storage,
transmission, and authentication
The ethical dilemma in e-mail may best be exemplified by the vast majority of patients wanting to e-mail
their providers, and the few providers interested in accepting e-mail.
Use of E-Mail
The American Medical Association (AMA) in its “Guidelines for Physician-Patient Electronic
Communication” available at http://www.ama-assn.org defines provider-patient e-mail as “computer-based
communication between providers and patients within a professional relationship, in which the
provider has taken on an explicit measure of responsibility for the patient’s care.” This establishes
boundaries for use of e-mail. The AMA in its publication of Current Procedural Terminology (CPT), used to
describe physician services for reimbursement, has added a set of codes for e-mail communications, and
some payers have begun to reimburse ($20 - $30) for e-mail in some instances, with demonstrated
improvements in cost and workflow.
Other sources of recommendations for use of e-mail in health care are available from the AMIA (see
www.amia.org); the American Health Information Management Association (www.ahima.org), which
has a practice brief on “E-mail as a Provider-Patient Electronic Communication Medium and its Impact on
the EHR”; and the American College of Physicians in its ACP Observer, which provides guidance to
physicians on using e-mail for e-visits.
E-Mail Risk Analysis
There is a growing body of literature that suggests that experts believe that provider-patient electronic
communications, including e-mail and text messaging, are healthcare organizational business records
and therefore subject to the same medico-legal, privacy, and security provisions as any other PHI. While
HIPAA does not address e-mail explicitly, it does note in the comments section of the final security rule
that “there are financial and technical burdens associated with the employment of encryption tools” and
that “switched, point-to-point connections, for example dial up lines, have a very small probability of
interception.” However comments also encourage covered entities “to consider use of encryption
technology for transmitting ePHI particularly over the Internet.” (Federal Register 68, no. 34 (Feb. 20,
2003))
Some of the security and privacy risk considerations for e-mail include: interception, alteration of
message, transposition of characters in addresses resulting in delivery errors, difficulty in confirming the
identity of the patient in an e-mail request, and other security issues associated with attachments,
unsecured transmission lines, and viruses. There are also medico-legal risks associated with e-mail.
There may be delays in response, misfiles, lost communications nullifying the benefits especially with
respect to reasonable response times, misinterpretation due to lack of verbal and nonverbal cues, links to
Web pages that have been referenced for patient education that are inactive, lack of documentation that
the intended recipient received and read the message sent by the provider, inappropriate utilization by
patients resulting in adverse outcomes, and well-intentioned yet misguided messaging.
The case of Eli Lilly’s notification to Prozac users that it was shutting down its Prozac users chat group
breached the confidentiality of each user when each addressee was listed in the address box. Although
the company was fined for violating interstate commerce laws for this breach, it is interesting that none of
the recipients of the message filed suit!
E-Mail Security Recommendations
In addition, while many states have not promulgated statutes specifically with respect to e-mail containing
PHI, several states have guidelines for managing the state government’s use of e-mail that can potentially
serve as guidance to healthcare organizations within those states.
In general, recommendations for securing e-mail include:
• Utilizing a process to control access and ensure non-repudiation, often through adopting browser-based,
Web portal technology rather than direct use of e-mail over the Internet
• Instructing users to evaluate the content of the message and the ability to reply without revealing PHI in
light of the security of the transmission, and replying to e-mail rather than retyping an address
• Maintaining a secure mail server, including configuration management and ensuring that
encryption does not interfere with virus scanning and mail content filtering
There are ways to use e-mail safely. Common sense should prevail; but the prevalence of e-mail use in
general makes it easy to forget special cases such as PHI.
E-Mail Medico-Legal Recommendations
Medico-legal recommendations for e-mail usage include:
• Creating criteria for provider-patient e-mail communication, including appropriate uses,
impermissible e-mail system use, and topics not to be addressed in e-mail
• Obtaining the patient’s authorization/agreement to use e-mail
• Developing policies (and the technical capability) for requiring e-mail documentation to become part
of the patient’s health record
• Developing policies to guide the use of group e-mail messages that protect the identities of
individual members of a group, if such messages are to be used at all
• Determining a patient’s health literacy level and ability to use an e-mail application
• Instructing the patient on appropriate types of e-mail and to follow up in person or by phone for
requests that do not meet content guidelines for e-mail
• Establishing policy for e-mail turnaround time, monitoring this, and applying sanctions
• Defining a methodology to audit e-mail to ensure customer service, quality of care, legal risk issues,
privacy and confidentiality, and tracking incorrectly addressed mail
Of critical importance is to define when e-mail is acceptable or not, under what parameters e-mail may be
used for an e-visit, and the use of a secure e-mail system or patient portal to protect the confidentiality of
the communication. Several practices that have started conducting e-visits also observe that even though
a request for a refill does not qualify for a (reimbursable) e-visit, they encourage their patients to use e-mail
as a convenience for both the patient and practice.
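The Lilly “Prozac Users Group” incident described earlier and the recommendation above to protect the identities of group e-mail members come down to one mechanical rule: members of a group notice belong in Bcc, never in To or Cc. The following is an added example for this page, not code from the course, the AMA, or any mail product; the sender and member addresses are constructed (the .invalid domain never routes), and the lint treats any message whose visible To/Cc lines carry more than one address other than the sender as a disclosure.

```python
from email.message import EmailMessage

# Constructed addresses; the .invalid top-level domain is reserved and never routes.
SENDER = "adherence-program@pharma.invalid"
MEMBERS = ["pat.one@mail.invalid", "pat.two@mail.invalid", "pat.three@mail.invalid"]


def build_group_message(sender: str, members, subject: str, body: str,
                        bcc_members: bool = True) -> EmailMessage:
    """Compose a group notice.

    With bcc_members=True every member goes in Bcc and only the sender appears in
    To, so no recipient learns who else is in the group. The False branch builds
    the message the way the Lilly notice went out, so the lint below can catch it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    if bcc_members:
        msg["To"] = sender
        msg["Bcc"] = ", ".join(members)
    else:
        msg["To"] = ", ".join(members)
    msg.set_content(body)
    return msg


def visible_recipients(msg: EmailMessage) -> list:
    """Addresses every recipient will see: everything in To and Cc (Bcc is not shown)."""
    seen = []
    for header in ("To", "Cc"):
        value = msg[header]
        if value is not None:
            seen.extend(addr.addr_spec.lower() for addr in value.addresses)
    return seen


def group_disclosure_problems(msg: EmailMessage, sender: str) -> list:
    """Return the member addresses a group message would expose; empty means safe to send.

    A single visible recipient is an ordinary one-to-one message, so only two or
    more visible addresses other than the sender count as a group disclosure.
    """
    exposed = [a for a in visible_recipients(msg) if a != sender.lower()]
    return exposed if len(exposed) > 1 else []


if __name__ == "__main__":
    for safe in (True, False):
        m = build_group_message(SENDER, MEMBERS, "Medication reminder",
                                "Please remember today's dose.", bcc_members=safe)
        print("bcc" if safe else "to ", group_disclosure_problems(m, SENDER) or "no disclosure")
```

Run the lint in the sending pipeline before any message with more than one recipient leaves the organization. Note that the Bcc header must be stripped from the transmitted copy as well; Python's `smtplib.SMTP.send_message()` does this itself, but a hand-rolled sender has to do the same or the Bcc list leaks anyway.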
(Question 8)
An Ethical Dilemma that Seems to be Getting Bigger: Hybrid Records
Because healthcare facilities may not implement all components of an EHR at one time, the result can be
a system of hybrid records that includes both paper and electronic documents and uses both manual and
electronic processes. Hybrid records are most common in hospitals. There are several issues in
maintaining hybrid records. Unfortunately, many organizations do not recognize the full scope of the
issues in the early stages of migrating to EHR and so do not plan for managing some of the issues:
• A hybrid record consisting of mutually exclusive electronic and paper components is easier to
manage, especially from cost and legal perspectives. There is only one source for each type of
document, so there does not need to be reconciliation between two sources, whereas if a dual
source system is maintained, the clinician who views the lab results on line may not be aware of an
annotation on the printed version in the chart. Mutually exclusive systems reduce the possibility for
clinical error.
Hybrid records are essentially state of the art today. They present ethical issues, but generally are difficult
to avoid.
Additional Hybrid Record Issues
• A hybrid record consisting of mutually exclusive electronic and paper components, however,
requires clinicians to use the electronic system. If this is not well managed, there is some risk that a
given clinician may assume that because results are not in the paper chart they do not exist. The
alternative is also true: a clinician normally using the electronic system to access results may
assume that is the only source when someone else printed out a copy and made an annotation that
might be pertinent.
• A hybrid record system requires more diligence in ensuring that normal record management
functions are performed equally. For example, the spoliation of evidence doctrine would have an
organization hold records from destruction. Without a clear policy on what constitutes the official
record, it is possible that one part of the record could be destroyed in the normal course of
following the retention policy even while another part has had a legal hold put on it.
• The Joint Commission (and the courts) want to be assured that record content can come together
as a unit record. Many organizations continue to print everything out and file it in the chart folder for
this reason. However, there is the risk that by default another practice is more generally followed.
Techno-savvy clinicians may prefer to use the computer system, and it may be found that the more
that becomes available online the less inclined those clinicians are to refer to the paper record.
Hybrid records present issues such as where to look for data, ensuring data is only in the expected location,
and managing the transition to EHR.
(Question 9)
Ethical Issues in Clinical Decision Support (CDS)
There are a number of potential ethical issues in use of clinical decision support (CDS). One of the more
controversial relates to documentation associated with overriding alerts.
Certainly in the past the rationale for clinical decisions was not always documented; this was considered
a thought process expected of professionals. The Federal Rules of Civil Procedure, which govern how civil
suits in US district courts are managed, however, were recently amended to address e-discovery and allow
for discoverability of metadata. Metadata includes alerts, workflow/queuing directions, and practice
protocols used in CDS as “dynamic data”. As metadata are discoverable, so is the fact that an alert fired. A
clinician would be hard-pressed to explain after the fact why the alert was not followed. From a practical
perspective, documenting the rationale for an override could also reduce hassles, such as when there is a
drug alert and the pharmacist and/or nurse can be expected to check with the physician. At this point,
many organizations are making the documentation of overriding CDS alerts a matter of medical staff
policy.
The Federal Rules of Civil Procedure were amended on April 13, 2006, and many states have subsequently
followed with similar amendments.
Additional Issues in CDS
Other ethical issues associated with CDS include:
• CDS software must be carefully developed. This is often an ethical dilemma between software
companies who want to get systems to market and then worry about whether the CDS is right, and
users who need failsafe software from the start.
• The source of knowledge used in a CDS system must be made known to and trusted by users. Some
EHRs come with or support subscription to fully developed knowledge bases; others depend on
users to develop the knowledge through internal consensus and/or use.
• Knowledge sources must be kept current, but constant updating can be time-consuming and risk
prone. DailyMed from the National Library of Medicine and FDA makes updates available daily.
• Determining the accuracy of a rule may be an ethical dilemma if the process for using the CDS
system requires additional data collection and entry that clinicians previously have not performed or
do not want to perform. If a rule fires with incomplete information, it can be inaccurate. Hence very
careful programming to ensure that the rule either identifies the missing data or requires missing
data to be entered before firing is important.
Clinical decision support (CDS) systems are no longer that new, but still are new to many users.
Considerable work flow and process changes are involved in acclimating to use of CDS. In addition,
considerable fine-tuning of rules and alerts is needed to ensure that CDS can be used most effectively.
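Two points from the CDS discussion above can be shown in a small rule engine: a rule must not fire on incomplete information (it should identify the missing data instead), and an override of a fired alert should carry a documented rationale, since the alert itself will be discoverable metadata. The following is an added example for this page, not code from the course or any EHR or CDS vendor; the two rules, the drug names and the encounter data are constructed for illustration only and are not clinical guidance.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable


@dataclass
class Rule:
    name: str
    required: tuple                     # data elements that must be present before evaluating
    condition: Callable[[dict], bool]   # evaluated only when every required element is present
    message: str


@dataclass
class AlertRecord:
    """What gets kept as metadata: whether the rule fired, what was missing, and any override."""
    rule: str
    outcome: str                        # "fired", "not-triggered", or "data-missing"
    missing: list = field(default_factory=list)
    override: dict = None               # who overrode the alert, why, and when


def evaluate(rule: Rule, data: dict) -> AlertRecord:
    """Never fire on incomplete information: report what is missing instead."""
    missing = [k for k in rule.required if data.get(k) is None]
    if missing:
        return AlertRecord(rule.name, "data-missing", missing)
    return AlertRecord(rule.name, "fired" if rule.condition(data) else "not-triggered")


def override(record: AlertRecord, clinician: str, reason: str) -> AlertRecord:
    """Attach the rationale to the alert so the metadata explains itself after the fact."""
    if record.outcome != "fired":
        raise ValueError("only a fired alert can be overridden")
    if not reason.strip():
        raise ValueError("an override must carry a documented reason")
    record.override = {"by": clinician, "reason": reason.strip(),
                       "at": datetime.now(timezone.utc).isoformat(timespec="seconds")}
    return record


# Constructed illustrative rules; thresholds and drug lists are not clinical guidance.
RULES = [
    Rule("penicillin-allergy", ("allergies", "ordered_drug"),
         lambda d: "penicillin" in d["allergies"]
         and d["ordered_drug"] in {"amoxicillin", "penicillin"},
         "Ordered drug is a penicillin and the patient has a documented penicillin allergy"),
    Rule("renal-dose-check", ("creatinine", "ordered_drug"),
         lambda d: d["ordered_drug"] == "vancomycin" and d["creatinine"] > 1.5,
         "Renal function suggests a dose adjustment"),
]


def review_order(data: dict, rules=RULES) -> list:
    """Run every rule against one order; each result is an AlertRecord worth keeping."""
    return [evaluate(r, data) for r in rules]


if __name__ == "__main__":
    records = review_order({"allergies": ["penicillin"], "ordered_drug": "amoxicillin"})
    for rec in records:
        print(rec)
    override(records[0], "drA", "Tolerated amoxicillin previously; benefit outweighs risk.")
    print(records[0].override)
```

With the constructed order (amoxicillin for a patient with a penicillin allergy and no creatinine on file) the first rule fires and the second reports that creatinine is missing rather than guessing; the override helper refuses an empty reason and refuses to record an override on an alert that never fired.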
Case Law Could Set Precedent
Whether and how clinical decision support (CDS) is used is another ethical dilemma. Berner (in “Ethical
and Legal Issues in the Use of Clinical Decision Support Systems,” Journal of Healthcare Information
Management, Vol. 16, No. 4) notes that physicians are legally obligated to practice in accordance with the
standard of care. The standard, however, may be the subject of interpretation – and case law. In fact,
Berner cites the case of the T.J. Hooper tugboat and its sister tugboat which were pulling barges in the
1930s when radios were available, though not widely used on tugboats. When their cargo sank in a storm
and the barge owners sued, the tugboat company was still found liable for not having a radio which would
have warned them of the approaching storm!
Even though this case is completely outside the domain of healthcare, it has been posited that it may
provide legal precedent for liability for failure to use available technology. Certainly the fact that the
industry now has an ANSI accredited standard for EHR that includes CDS and the meaningful use
incentive criteria includes CDS as one measure brings the industry closer to an obligation to use such
support.
Despite the age of the T.J. Hooper case, it may still establish precedent for use of new technology.
Ethical Issues in Vendor Selection
Vendor selection is the final example of ethical issues that may arise as care delivery organizations
acquire HIT, EHR, or HIE.
One ethical dilemma often faced in HIT, EHR, and HIE vendor selection relates to the fact that these
products represent a very large investment for the organization purchasing them, and a large commission
to the seller. Salespersons often attempt to cultivate “internal sales people” by plying them with gifts,
making promises unknown to others, or using other tactics that introduce bias into the organization’s
vendor selection process. In addition, many vendors are increasingly becoming more protective of their
intellectual property rights in their products – imposing what some have described as “gag orders” on
buyers – precluding them from showing the software to others and even discussing potential product
faults.
A code of conduct can be useful for an organization to adopt in preparation for vendor selection.
Ethical Issues in Vendor Selection
Another potential ethical dilemma relates to the “hold harmless” provisions typically found in a vendor’s
license agreement, examples of which follow. These hold the vendor harmless in the event a user does
not apply professional judgment in using the product. Although these clauses have been controversial, no
vendor will remove them; and to some extent this speaks to the issue previously mentioned relating to
whether EHR is a medical device subject to regulatory approval. The following is a collection of phrases
similar to what is found in many vendor contracts.
(Question 10)