Protecting Private Health Information
It was a busy day at Blog Central today. I was peppered with quite a few people asking my opinion. It is quite flattering really - thanks!
Anyway. One question I was asked today was what I thought the most important factors were to consider when keeping records efficiently in a medical practice. Rather than answering it in isolation I said that I'd post my response here for all to see.
I believe that the management of records in a medical practice is similar in many ways to managing any business record, but there are some key differences which must be taken into consideration.
The similarities come from the fact that a medical center has ‘formal records’ in the same way as any other business. These records include tax information, personnel records, real estate records, etc. There are legal and corporate rules that determine how long these records must be kept and whether they can be altered. Companies must also make provision for this information to be ‘discovered’ should the courts order the organization to produce specific information.
One of the key differences that medical offices have is that they store patients' medical records. Medical records are provisioned under a specific set of laws that protect the data. These records are commonly referred to as Private Health Information (PHI) and are protected in the US by a regulation called the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA as a regulation is over 10 years old and it sets out specific responsibilities to ensure that the privacy of the PHI is maintained as well as ensuring that the information is protected from destruction for a given length of time.
In order to consider the two most important factors, first consider two of the key phrases in the HIPAA regulation. (Note that a ‘covered entity’ in this context is the medical office.)
1) A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
2) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use.
The first requirement essentially says that you must store electronic copies of medical records in a secure repository. This repository must be able to control who can access the information and be able to prove who accessed it and when. Without a robust and secure system to store your content you will not be able to show that you are protecting records to the standards set by HIPAA.
The second issue was trickier until recently. It suggests that a medical institution needs to ensure that people do not see medical records ‘accidentally’ or even see parts of a medical record that they did not need access to. If someone is doing blood work for you then they do not necessarily need to see your entire medical history – just the parts that are relevant. We now have systems which can limit access to records on a page-level basis. This capability is enforced by Information Rights Management and gives the system the ability to grant access to any part of a document and also audit which parts have been accessed, by whom and when.
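As an added illustration of the two requirements above (this is example code written for this post's explanation, not code from any IRM product or from the original post), the following Python sketch stores a patient record as named sections, grants each section to a set of roles, and writes every read attempt, granted or denied, to an audit trail. The role names, section names and patient data are constructed for the example; a real IRM system would enforce this at the document level with cryptographic keys rather than an in-memory dictionary.

```python
"""Per-section access control with an audit trail for patient records.

Added example (not from the original post). Roles, section names and the
sample patient data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class AccessDenied(PermissionError):
    """Raised when a role is not authorised for a section of a record."""


@dataclass
class PatientRecord:
    patient_id: str
    # section name -> content
    sections: dict
    # section name -> roles allowed to read it; a section absent from the
    # ACL is readable by nobody (deny by default, least privilege)
    acl: dict


@dataclass
class RecordStore:
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add(self, record: PatientRecord) -> None:
        self.records[record.patient_id] = record

    def read_section(self, user: str, role: str, patient_id: str, section: str) -> str:
        """Return one section of a record if `role` may see it.

        Every attempt, allowed or not, is appended to the audit log so the
        store can later show who looked at which part, and when. Denied
        attempts are logged too: they are the ones a privacy officer wants.
        """
        record = self.records.get(patient_id)
        allowed = (record is not None
                   and section in record.sections
                   and role in record.acl.get(section, ()))
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "patient_id": patient_id,
            "section": section,
            "granted": allowed,
        })
        if not allowed:
            raise AccessDenied(f"{user} ({role}) may not read {section} of {patient_id}")
        return record.sections[section]

    def accesses_for(self, patient_id: str) -> list:
        """Audit view: every attempt against one patient's record, in order."""
        return [e for e in self.audit_log if e["patient_id"] == patient_id]


def build_demo_store() -> RecordStore:
    """Constructed sample data: one patient, three sections, role-based ACL."""
    store = RecordStore()
    store.add(PatientRecord(
        patient_id="P-0001",
        sections={
            "demographics": "Name: A. Patient, DOB: 1980-01-01",
            "lab_orders": "CBC, lipid panel",
            "psychiatric_notes": "Confidential clinical notes",
        },
        acl={
            "demographics": {"physician", "lab_technician", "front_desk"},
            "lab_orders": {"physician", "lab_technician"},
            "psychiatric_notes": {"physician"},
        },
    ))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    # The lab technician sees only what the blood work needs.
    print(store.read_section("tech01", "lab_technician", "P-0001", "lab_orders"))
    try:
        store.read_section("tech01", "lab_technician", "P-0001", "psychiatric_notes")
    except AccessDenied as err:
        print("denied:", err)
    for entry in store.accesses_for("P-0001"):
        print(entry)
```

Run as a script it prints the lab orders, the denial for the psychiatric notes, and then both audit entries. The point to take from it is the shape of the design rather than the code: authorisation decided per section, a default of no access, and a log entry written before the decision is acted on so that the record of "who, what part, when" exists whether or not the read succeeded.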