Electronic File Management – Protecting PHI
The final HITECH-related HIPAA rule has been published. There is so much more work to be done to protect your practice data. Before you can set policies around how to keep your electronic data safe, you have to fully understand what electronic data you have and what levels of security are necessary for each category.
As I investigate new technologies to help us track and protect electronic PHI, I realize I’m a huge failure at keeping my past New Year’s resolutions. In particular, file maintenance. Back in the days of all paper files, we had an annual ritual of making bankers boxes, cleaning out files, archiving the old, moving forward the new, labeling the boxes, and putting them in storage. You knew exactly what files you were archiving and where they were going to be stored. It was a satisfying exercise, a visual accomplishment. A truck from the secure storage site came and picked up the boxes and we let them manage the security of the PHI in those boxes. Task completed.
We are focused on helping our clients understand the final rule as it relates to managing their electronic data and keeping PHI secure. Most small practices are unaware of where all their data is stored (consider all the desktop and My Documents folders of each user). There are two issues we are focusing on — data storage size and security.
Our first steps are to help the practices decide what to keep and what to discard. Right now for most offices, if it’s scanned, it’s kept. Nobody is going back to look at what is in patient EHR charts or computer/network directory flat files. They are not aware of the growing issues they are creating. We are seeing huge leaps in database sizes as everyone is scanning documents into their EHR and forgetting about them. Nobody is doing document maintenance as far as I can tell.
In the paper days, you thinned your charts. You didn’t keep old copies of registration forms. You didn’t file preliminary lab results when you got finals. The same edict needs to be applied to your electronic charts.
This may not be an easy or desirable task, but here are some thoughts:
- Review your patients by visit history and clean up charts on all those not seen in the last three years, just like when you pulled charts off the wall by their end tab year stickers. You can also do these tasks on current patients, as you touch their charts.
- Remove all but the latest registration forms (verify whether your EHR tracks changes made in the system so you have historical data if needed).
- Remove all preliminary lab result attachments (if your labs are attached as documents and not discrete data elements), leaving only the final results attached.
- Remove historical patient photos. For instance, if you are a pediatric practice and take photos at different stages in the child’s life, consider getting rid of all but the latest image. Photos are usually the biggest attachment files.
- If you routinely take photos for clinical purposes (e.g., dermatology), check your image size default on your camera(s) and see if you can use smaller images with satisfactory viewing results.
- Although it should go without saying, remove anything that doesn’t belong in the chart to begin with.
- Review your clinic protocols for scanning in charts from other offices. I routinely see clinic staff getting 50-plus page charts from other offices and scanning the entire thing into their EHR. Set a practice-wide protocol of what documents you need from other providers or your previous practice if you have moved. Be concise! You can always call the other office if there is something you need.
- Be aware of chart custody laws: who is responsible for PHI from external sources that are now a part of your chart records.
- If you are preparing to go live on EHR, now is the time to think long and hard about what you will scan and attach. I highly recommend using a professional scanning company to handle back scanning of your current paper charts into your new system. They have better scanners than you have in your office, which compress images much smaller than your office scanner. Also, they should be able to help you make critical decisions about what to scan and what to discard in your paper charts. Thin your charts first!
- Resist the urge to hire a bunch of students to come in and scan charts. They don’t have an understanding of your data, don’t know what to keep, and won’t identify when something is amiss in the chart. The file sizes will be much larger than a professional scanning solution.
- Look at billing documents you’ve scanned. Apply the same IRS record retention rules you do for paper charts and start removing all those images of EOBs, etc., that you no longer need to maintain.
- For the sake of space, continue to be ruthless in deciding what you keep and what you don’t. If the documentation can be retrieved from another source (insurance company, referring doctor, lab or hospital) let them be the file managers for you when you can.
- For security, have your staff clean up their Desktop and My Documents directories and get that data off the local machines, especially laptops that leave the office, and onto a secure drive on your network. Have your IT support turn off group policies that redirect My Documents directories to the server and teach the end users how to use the shared network drives instead. It’s much easier to secure data when it’s all contained in one place.
Julie McGovern is CEO of Practice Wise, LLC.