I INFORMATION MANAGEMENT ^xv ^10 ^126 ^198

Because modern medical practice frequently involves several clinicians and other professionals, every health care facility needs information man­agement systems in place to provide effective means of communication among all members of the health care team.

Medical Records

An accurate medical record must be maintained for each patient in a secure, confidential, and accessible way. A policy should be developed to verify the identity of all patients before treatment. Where feasible, a gov­ernment-issued picture identification should be used. A copy of this iden­tification can be included in the patient’s record for future identification. The patient’s name should appear on each page of the record, pertinent information should be firmly attached, and a problem list should be main­tained. Pertinent information, including allergies, should be readily acces­sible. The record should be legible, concise, cogent, and complete. Every entry should have identifying data and be dated, completed promptly, and signed by the qualified health care provider. Some symbols and abbre­viations can be confusing and should be avoided (see also the “Patient Safety” section in Part 1).

When surgery has been performed, the inpatient medical record should contain sufficient information and documentation to justify the preop­erative diagnosis, the operative procedure, and the postoperative course. Where feasible, medical records used in an ambulatory surgical facility should be standardized and conform to the record used in the facility or backup hospital. In addition, an ambulatory surgical facility should keep registers of admissions and discharges, operations, results of follow-up contacts, and controlled substances dispensed.

The medical record should allow an easy assessment of the care pro­vided to determine whether the patient’s health care needs have been identified, diagnosed, and managed effectively. Because modern medical practice frequently involves several physicians and professionals, the medi­cal record should serve as a vehicle for communication among all mem­bers of the health care team. Entries by all health care workers should be signed or initialed, dated, and timed. Any abbreviations should be clear to all health care workers who use the patient’s medical record. A medical record should not be altered except to correct an error. Erroneous entries in a medical record should not be erased, deleted, blacked out, or written over so that they are no longer visible; rather, a single line should be drawn through the incorrect entry and the correct information, if any, should be entered and signed. Corrections to previous entries must be dated and signed and should include reasons for the corrections. Late entries should be clearly stated as such and should include the current date and time, as well as the date, time, and circumstance for which the late entry is written.

A patient may have access to copies of her written or electronic medi­cal record. Although a written request is not required based on Health Insurance Portability and Accountability Act (HIPAA) regulations, it is nevertheless wise to obtain a written request so that all releases of records are documented. A patient also may ask for a correction of inaccurate information. The request must be made in writing, and a written answer should be provided within 60 days. If the correction request is denied, the patient’s disagreement must be noted in her file. Copies or scans of the written request and the answer should be included in the patient’s file, regardless of the outcome.

Medical records should be organized in a consistent manner. A sys­tem should be in place to avoid misplacing or misfiling medical records.

The medical staff should be made aware of the need for strict confidenti­ality of a patient’s medical records (see also the “Human Resources” section in Part 1). Electronic storage and transfer of patient information requires safeguards to limit access and protect confidentiality (see also “Electronic Health Records” later in this section).

There should be an established protocol for handling requests for records by the patient, her family, an attorney, an insurance company, or another third party. A signed authorization compliant with HIPAA must be obtained from the patient before the release of any medical informa­tion contained in her medical record other than for treatment, payment, operations, or as otherwise declared in the Notice of Privacy Practices (eg, subpoenas, neglect or domestic violence reporting). Only copies should be transmitted; the original record should be retained in the office.

When feasible, patient financial records should be kept in a separate confidential file, apart from the patient’s medical record. All correspon­dence or notation of conversations between physicians and professional liability insurance carriers or defense counsel pertaining to a patient should be kept in a confidential file separate from the patient’s medical record.

Medical and legal considerations determine the length of time records are retained. When records are no longer needed for medical purposes, federal and state laws determine how long they are to be kept. Some states have specific legal requirements for retaining medical records, specific requirements for retaining business records, or both; a medical record often is considered a business record.

The HIPAA Privacy Rule does not include medical record retention requirements but does include requirements for record-related disclosure and information protection activities. According to the privacy regulation, documents that relate to the following must be maintained for 6 years: uses and disclosures, authorization forms, business partner contracts, notices of privacy practices, responses to patients who want to amend or correct their information, patients’ statements of disagreement, and complaint records. There is also a 6-year federal statute of limitations for civil pen­alties imposed for fraud and abuse violations related to participation in federal health care programs.

Electronic Health Records ^169

The electronic health record (EHR) represents a fundamental change in the way health professionals approach the management of clinical informa­tion, and has the potential to improve the quality, safety, and efficiency of patient care when fully implemented.

The best system for a medical practice is one that allows for efficient collection and storage of medical information. The EHR should have the capability to perform proper tracking and follow-up. The goal is improved medical care: reduction of medical errors, improved communication, and reduction of drug errors. Acceptance of EHR implementation within an institution is facilitated when a single, specific program is installed across a network of computers, along with the establishment of an information technology support department provided by the organization.

Interoperability, the transfer of data among EHR systems and various health care providers, is slowly becoming a reality but is still a work in progress. Interoperability will enhance patient safety and reduce costs by ensuring patient information is available when and where needed and by reducing the need for duplicative testing.

Protecting patients’ health information is of paramount importance. Health information technology systems should be compatible with HIPAA requirements and flexible enough to accommodate state privacy laws, a particular concern for adolescent care, assisted reproductive technology, and genetic testing.

Specific administrative, physical, and technical safeguards to protect electronic information from unauthorized disclosure also are mandated under HIPAA. Although no computer system with online access is com­pletely safe, the following interventions can be taken to help protect com­puter systems from unauthorized users:

• Install security patches and fixes to update the safety of the com­puter’s operating system regularly. Make sure that antivirus secu­rity programs and operating systems are up to date and are able to respond to the continuously emerging computer and Internet threats that could threaten the system.

• Install a firewall if it is not already a feature of the operating system.

• Protect passwords. Passwords should never be words that can be found in the dictionary. Good passwords are at least eight characters long, consist of both numbers and letters, and are case sensitive.

• Change passwords at regular intervals.

• Encrypt laptops and mobile devices that access patient information in case of loss or theft.

• Use only encrypted e-mail and data storage tools for sharing of patient-sensitive information. Double-check the recipients and information included in the message before sending it.

• Keep file sharing to a minimum, and only share a single folder.

• Never open attachments from unknown people, and be wary of attachments from those who are known; viruses can be spread in an attachment without the sender realizing it.

• Use antivirus software, and run e-mail attachments through it.

• The EHR program should have an automatic logout time that closes the record after a period of inactivity to protect the contents from unauthorized viewing.

• Instruct all users not to leave e-mails open on unattended computer screens.

As with paper medical records, a copy of the patient’s picture identifica­tion (preferably, government issued) or a photographic image produced onsite can be included in the patient’s record for future identification. Many vendors of EHRs are including these capabilities in their products. Despite obstacles to widespread adoption and implementation, use of the EHR as a real-time, evidence-based support tool can help busy obstetri­cian-gynecologists improve the quality of the care they provide through improved care coordination, communication, and documentation.

Patient Communication and Follow-up

All telephone contact regarding clinical matters should be documented in the patient’s medical record. A method should be established to document or log such contacts during and after office hours. An answering service for telephone calls or specific equipment to receive and transmit patient mes­sages after normal office hours should be in place. The practitioner should be notified when a telephone message from a patient specifically requests that care be provided by that practitioner. Ideally, staff members should inform the patient of an approximate time when the call would be returned by the practitioner. All telephone prescription renewals should be verified by the practitioner.

A protocol should exist for processing pertinent clinical information that may arrive by telephone, facsimile, mail, or electronic means (see also “Electronic Communication and Patient Confidentiality” later in this sec­tion). A clear procedure should be in place to ensure that clinical informa­tion—such as laboratory, radiology, and pathology reports—and pertinent patient telephone messages are reviewed by the health care team. All such information should be initialed or signed and dated by the physician or qualified health care worker and then filed in the medical record.

Tracking and Reminder Systems

As more health care providers adopt an EHR system, choosing a system that can enhance the tracking and reminder process is an important con­sideration. Office tracking systems should be created for results of labora­tory studies, imaging studies, or consultation. The process for good patient follow-up begins with the practitioner’s explaining to the patient at the initial visit any needed test, referral, or follow-up and documenting this discussion in the medical record. The next step is logging these open items into a tracking or reminder system promptly and reviewing them frequent­ly and regularly according to the office’s established procedures.

Tracking systems may be in the form of a paper medical record log or computerized. Once information is entered into the system, it should be retrieved and reviewed regularly with accompanying documentation of any actions taken or discussions with the patient.

Each office should establish priorities for tracking important informa­tion, test results, and follow-up ordered by the health care provider. Referrals to consultants should be tracked, noting whether the patient has visited with the consultant and whether the consultant’s report has been filed in the medical record. Referrals of patients from other clinicians also should be tracked, with notification to the referring physician once the patient has been seen. The following are important elements to be tracked:

• Date ordered

• Patient name

• Identifying number

• Test, procedure, consultation, or referral

• Date of results

• Follow-up required

• Evaluation completed and patient notified

All printed results, including cervical cytology reports, mammography reports, consultations, and pathology reports, should be reviewed, ini­tialed, and dated by a clinician who has been designated to perform this function. Electronic results should be signed off electronically and time stamped. Test results then should be filed permanently in the medical record, whether paper or electronic, including a notation of what follow-up testing or procedures are recommended.

The following characteristics are important for any tracking and reminder system, whether electronic or paper based:

• Policies and procedures. An office policy and procedure on tracking should be developed with input from the staff. All office members should agree to follow the same protocols. The office policy should address how to contact the patient and how to document the fol­low-up in the patient’s medical record. Usual time frames for when to expect various types of results should be defined, and a protocol should be established for dealing with delayed or missing reports.

• HIPAA compliance. When contacting patients—whether by mail, by phone, or electronically—physicians and their staff must follow HIPAA regulations. Care also must be taken to limit the amount of information disclosed by way of voice mail or to other indi­viduals who may answer the call without prior consent. Instead,

it may be preferable to leave a name and telephone number, ask­ing the patient to call the office. The HIPAA Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reason­able safeguards when doing so (see Bibliography). If the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated (see also “Electronic Communication and Patient Confidentiality" later in this section).

• Specificity. The reminder system should contain specific data and dates, including the dates for receipt of information and time lines for notifying the patient.

• Central location. The reminder system should be located centrally in the office and should not be kept in individual patient medical records. Reminders should be accessible to the entire staff.

• Reliability. The tracking system should not be the responsibility of a single individual. Office staff should be cross-trained so that the system is reliable and efficient. It should be updated and monitored regularly.

A protocol should be established to ensure that patients are informed of all significant abnormal test results. This notification should be documented in the patient’s medical record. Computerized tracking and reminder systems, although not required, are available with custom alerts, telephone reminders, and telephone numbers to call for automated test results using individual identifying numbers. Some practices are now using secure patient portals where patients can receive their test results electroni­cally as well as electronic reminders about when their next test should be scheduled. A method should exist for monitoring patients’ adherence to recommendations that are made based on abnormal test results. The patient or her family should be given individualized instructions for con­tinuing care after office operative procedures, and this instruction should be documented in the patient’s medical record.

An established protocol also should exist for follow-up with patients who do not appear for an appointment after several appointments have been made. Missed appointments can lead to delays in diagnosis and treatment; therefore, a system of scheduling appointments and review­ing missed ones is important. The following principles can be applied to scheduling and rescheduling appointments to protect the patient and practitioner:

• Schedule appointments based on medical need.

• Indicate the follow-up interval in the medical record, and ask staff to schedule the follow-up appointment before the patient leaves the office.

• Identify and review missed appointments, because a prolonged follow-up interval may interfere with the patient receiving timely treatment.

• Instruct staff to call patients to find out their reason for missing an appointment and to reschedule. Send a letter if there is no answer, only an answering machine is reached, or the patient refuses to be seen during the recommended interval. Consider using certified mail for nonresponsive patients with potentially serious conditions. Document in the record, and include a photocopy or scanned copy of the letter in the chart, if possible.

• When patients are referred from another physician but miss or do not make an appointment, notify the referring physician (by phone and in writing) that the patient did not show up for, or cancelled, the appointment. Also, clarify with the referring physician who will follow up with the patient. This information should be documented in the medical record.

• The number of attempts to contact a patient who consistently misses appointments should be tailored to the risk involved. A clearly defined policy consistent with any state regulations must be estab­lished for the type and number of attempts that will be made to contact the patient.

The AMA states that it is ethical for physicians to charge for missed appointments or for appointments not canceled at least 24 hours in advance if patients are fully advised of the possibility of such charges. However, procedures and policies regarding missed appointments differ from state to state.

Missed appointments, nonadherence to medical advice, and refusal of a recommended test or procedure should be documented in the patient’s medical record. Clinicians have the right to terminate patient-practitioner relationships. The clinician should be aware of any legal and managed care contractual requirements that apply to termination of the patient­practitioner relationship. All steps undertaken to terminate the relationship should be documented in the patient’s medical record. Recommendations regarding the closing of a practice are found in the “Risk Management” sec­tion in Part 1.

Electronic Communication and Patient Confidentiality ^173

The use of technology for exchanging medical information among patients and health care providers is increasing. Electronic communication media, including cellular telephones, telephone answering machines, facsimile machines, electronic mail, and wireless devices all improve access among clinicians and patients but increase the possibility that a breach of patient confidentiality may occur (see also the “Human Resources” section in Part 1) and that third parties may have authorized or unauthorized access to the health care provider’s or the patient’s communication system. The HIPAA Privacy Rule allows covered health care providers to communicate electroni­cally, provided they apply reasonable safeguards when doing so. Further, although the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communication between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through unen­crypted e-mail. Office computer stations should be placed to minimize unau­thorized access. Unauthorized electronic access can be minimized by using procedures such as password-protected screen savers and automatic logout.

It can be useful to provide patients with written information on the privacy risks of electronic communication, guidelines for how and when the patient and practitioner may use this form of communication, and the expected turnaround time for processing each communication. Patients should understand that no clinician or institution can guarantee complete security of electronically transmitted data and that communications about highly sensitive subjects should not be e-mailed or faxed. In addition, elec­tronic communications may not be received in a timely manner or be read at all; therefore, time-sensitive and urgent issues should not be communi­cated electronically. Recommendations for e-mail use have been published (see Box 2-3).

Box 2-3. Suggestions for Electronic Communications ^

• Obtain informed consent for use of e-mail with patients.

• Include guidelines for when e-mail may and may not be used.

• Request that patients write their full name and an identifier (eg, medical record number, birth date, address) in the text of the message.

• Establish turnaround times for messages and who will view messages.

• Establish types of appropriate communications (eg, prescription refill request, appointment reminder, results of home monitoring of blood pressure or glucose).

• Never use e-mail for highly sensitive or urgent matters.

• When replying to patient queries, include the full text of the query in the reply.

• Describe security measures that are in place.

• Indemnify against information lost because of technical failure.

• Do not forward patient-identifying information.

• Keep professional and personal e-mail accounts separate.

• Double-check all addressee fields before sending messages to ascertain that the e-mail is not going to multiple and unintended addressees.

• Back up e-mail regularly, and store a copy of each query and reply with the patient's medical record.

• Ideally, health care providers and patients will acknowledge to each other that messages have been received, read, and acted on. Use an automatic out-of-office reply feature if e-mails will not be serviced according to turnaround times previously agreed upon.

• If an e-mail is sent to a group of patients, use the blind copy feature so that the recipients' addresses are not visible.

• Health care providers should add an automatic footer to their e-mails telling patients to call or make an appointment if the e-mail reply has not been sufficient to meet their needs.

• Health care providers should not leave e-mails open on computer screens. E-mail accounts should be password protected and have auto­matic logout.

Data from Kane B, Sands DZ. Guidelines for the clinical use of electronic mail with patients. The AMIA Internet Working Group, Task Force on Guidelines for the Use of Clinic-Patient Electronic Mail. J Am Med Inform Assoc 1998;5:104-11.

Social media can be an effective tool to disseminate important health messages, reach out to patients, and advocate for women’s health issues. But with this new territory comes new rules and risks. Protected health information should never be shared or discussed on a social media plat­form. Clinicians can have a successful and rewarding social media presence by educating themselves about potential liability pitfalls and being alert to possible privacy violations. Box 2-4 includes some helpful “do’s and don’ts” to consider when using social media.

Remote Consultations

Physicians should become familiar with their own state’s regulations concerning remote consultations. Most states require that all physicians, wherever located, who provide medical advice to patients in that state have a medical license for that state. Practice web sites should carry clear disclaimers stating that the site is for informational purposes only, that the site is not intended to give medical advice, and that use of the site does not establish a patient-physician relationship.

Informed Consent

The clinician is responsible for securing the patient’s informed consent. It is imperative that the patient understand all aspects of her treatment, and so informed consent is an ongoing process. The risks and benefits of each procedure as well as alternatives should be discussed (see also the “Ethical Issues” section in Part 1). Patient education information, when available, should be provided to assist in the informed consent process and in discus­sions that relate to specific treatments, tests, operations, and procedures. The patient should be informed of the common adverse effects of prescribed drugs and the importance of reading the patient package inserts for drugs or devices. All informed consent discussions and informational material pro­vided should be documented appropriately in the patient’s medical record.

If a patient refuses a recommended test, treatment, or procedure, this refusal also should be documented. Documentation should include the following:

• That the clinician recommended a particular test, treatment, or pro­cedure to the patient

• That the clinician explained the need for the test, treatment, or pro­cedure, and the benefits and risks involved

• That the clinician explained the consequences of refusing the recom­mendation

• That the patient refused the treatment or procedure and her reasons for the refusal

Box 2-4. Social Media DOs and DON'Ts ^

Some of the most important rules for physicians using social media include the following:

Modified from Social media guide: how to connect with patients and spread women's health messages. ACOG Today. November 2012. American Congress of Obstetricians and Gynecologists: Washington, DC; p. 6.

When presenting medical information to a patient, whether as part of obtaining an informed consent or simply presenting educational informa­tion, the clinician must be sensitive to the patient’s ability to understand and process the information presented. The health literacy of the patient may present an impediment to the informed consent process. All medical information and instructions should be presented in a manner and at a level that allows the patient to comprehend and participate in the decision­making process. The use of medical jargon should be avoided (see also the “Patient Safety” section in Part 1 for a discussion of patient-provider communication).

Practitioners also should comply with specific state and federal informed consent laws and regulations that apply to specific treatments or pro­cedures. Doing so may include informing patients of risks and benefits specified in the laws and having patients sign an approved consent form. Specific additional requirements may apply to minors (see also the “Ethical Issues” section in Part 1 and the “Adolescents” section in Part 3).

Bibliography

American College of Obstetricians and Gynecologists. Professional liability and risk management: an essential guide for obstetrician-gynecologists. 2nd ed. Washington, DC: ACOG; 2008.

American College of Obstetricians and Gynecologists. Quality and safety in wom­en’s health care. 2nd ed. Washington, DC: American College of Obstetricians and Gynecologists; 2010.

Americans with Disabilities Act, 42 U.S.C. §12101 (2011). Available at: http://www. gpo.gov/fdsys/pkg/USCODE-2011-title42/pdf/USCODE-2011-title42-chap126. pdf. Retrieved September 20, 2013.

Centers for Medicare and Medicaid Services. EHR incentive programs. Available at: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentive Programs/index.html. Retrieved September 26, 2013.

Cultural sensitivity and awareness in the delivery of health care. Committee Opinion No. 493. American College of Obstetricians and Gynecologists. Obstet Gynecol 2011;117:1258-61. [PubMed] [Obstetrics & Gynecology]

Department of Health and Human Services, Office for Civil Rights. Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients? Washington, DC: OCR; 2008. Available at: http:// www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html. Retrieved October 22, 2013.

Department of Health and Human Services, Office of Minority Health. Think cul­tural health. Available at: https://www.thinkculturalhealth.hhs.gov. Retrieved July 19, 2013.

Effective patient-physician communication. Committee Opinion No. 587. American College of Obstetricians and Gynecologists. Obstet Gynecol 2014;123:389-93. [PubMed] [Obstetrics & Gynecology]

General administrative requirements, 45 C.F.R. part 160 (2012). Available at: http://www.gpo.gov/fdsys/pkg/CFR-2012-title45-vol1/pdf/CFR-2012-title45-vol1- part160.pdf. Retrieved September 20, 2013.

Health literacy. Committee Opinion No. 585. American College of Obstetricians and Gynecologists. Obstet Gynecol 2014;123:380-3. [PubMed] [Obstetrics & Gynecology]

Informed consent. ACOG Committee Opinion No. 439. American College of Obstetricians and Gynecologists. Obstet Gynecol 2009;114:401-8. [PubMed] [Obstetrics & Gynecology]

Modifications to the HIPAA privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; other modifications to the HIPAA rules. Fed Regist 2013;78:5565-702. [PubMed] [Full Text]

Partnering with patients to improve safety. Committee Opinion No. 490. American College of Obstetricians and Gynecologists. Obstet Gynecol 2011;117:1247-9. [PubMed] [Obstetrics & Gynecology]

Patient safety and the electronic health record. Committee Opinion No. 472. American College of Obstetricians and Gynecologists. Obstet Gynecol 2010; 116:1245-7. [PubMed] [Obstetrics & Gynecology]

Security and privacy, 45 C.F.R. part 164 (2012). Available at: http://www.gpo.gov/ fdsys/pkg/CFR-2012-title45-vol1/pdf/CFR-2012-title45-vol1-part164.pdf. Retrieved September 20, 2013.

The limits of conscientious refusal in reproductive medicine. ACOG Committee Opinion No. 385. American College of Obstetricians and Gynecologists. Obstet Gynecol 2007;110:1203-8. [PubMed] [Obstetrics & Gynecology]

Tracking and reminder systems. Committee Opinion No. 546. American College of Obstetricians and Gynecologists. Obstet Gynecol 2012;120:1535-7. [PubMed] [Obstetrics & Gynecology]

Resources

Adolescent confidentiality and electronic health records. Committee Opinion No. 599. American College of Obstetricians and Gynecologists. Obstet Gynecol 2014;123:1148-50. [PubMed] [Obstetrics & Gynecology]

American Congress of Obstetricians and Gynecologists. Health information tech­nology. Washington, DC: American Congress of Obstetricians and Gynecologists; 2013. Available at: http://www.acog.org/About_ACOG/ACOG_Departments/ HealthJnformationJechnology. Retrieved September 30, 2013.

American Congress of Obstetricians and Gynecologists. Social media and profes­sionalism in the medical community (DVD). Washington, DC: American Congress of Obstetricians and Gynecologists; 2013.

American Medical Association. Implementing health IT. Available at: http:// www.ama-assn.org//ama/pub/physician-resources/health-information-technology/ implementing-health-it.page. Retrieved July 19, 2013.

Civil money penalties, assessments and exclusions. 42 C.F.R. part 1003 (2012). Available at: http://www.gpo.gov/fdsys/pkg/CFR-2012-title42-vol5/pdf/CFR-2012- title42-vol5-part1003.pdf. Retrieved September 20, 2013.

Department of Health and Human Services. Health information privacy: the pri­vacy rule. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/priva cyrule/index.html. Retrieved July 19, 2013.

Integrating the Healthcare Enterprise. Available at: http://www.ihe.net. Retrieved July 22, 2013.

Kane B, Sands DZ. Guidelines for the clinical use of electronic mail with patients. The AMIA Internet Working Group, Task Force on Guidelines for the Use of Clinic­Patient Electronic Mail. J Am Med Inform Assoc 1998;5:104-11. [PubMed] [Full Text]

Sands DZ. Help for physicians contemplating use of e-mail with patients [editorial]. J Am Med Inform Assoc 2004;11:268-9. [PubMed] [Full Text]