Physical Security of Manual or Paper Records


AHIMA's Long-Term Care Health Information Practice & Documentation Guidelines

 

 

Printable version of this page (click <ctrl>+P, or use your browser's print function)

 

Physical Security of Manual/Paper Records

 

Contents



 

HIM STANDARD:

 

Security Measures for Record Check Out-Manual

 

One of the most important physical security measures that must be in place in every long term care facility is a record sign-out system (log-out and/or outguides) for all types of medical records. Not only do the systems have to be in place, but they must also be enforced to be effective. Health information staff should monitor the sign-out practices and assure that records are returned promptly.

 

 

Maintaining Security of Electronic Record Access

 

HIM STANDARD: 

 

 

Facilities with electronic records or hybrid (partially electronic) records must establish policies and procedures for verifying access authorizations before granting physical access, which include documented instructions for validating the access privileges of an individual before granting those privileges. Need-to-know (Minimum Necessary) procedures for personnel access should be defined so that a user shall have access only to the data needed to perform a particular function.  Need-to-know is also a criterion for removal of user accounts included in the requirements for termination procedures. Staff members should not be allowed access to information beyond the scope of their current job functions.

 

A computer role based access grid should be established that delineates both the access privileges and limitations based on the employee’s position. Access privileges must be able to be changed as changes in the system, applications or forms are implemented or changes in access needs for individuals or classes of employees change.

 

Information must also be classified to indicate what level of access control is indicated

 

For example:

 

 

The Workstation is another integral part of electronic record physical security. HIPAA Security requires that the facility have a policy and guidelines on workstation use (documented instructions and procedures delineating the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific computer terminal site or type of site, dependent upon the sensitivity of the information accessed from that site).”    Users should be guided as to unauthorized viewing. The policy might show that users need to log off when they leave the workstation unattended during their shift and before they end their shift for the day. As an alternative to logging off, password-protected screensavers could also be used to secure an unattended workstation.

 

The physical attributes of the workstation site must also be addressed. Some examples of this may be:

 

 

Workstation sites that have access to sensitive data and/or workstation sites that are in a public area may need extra physical attribute policies to maximize the security of the site.  Special consideration must also be given to protection of information stored in portable devices such as laptop computers and PDAs that guard against theft, loss or unauthorized use.

 

Other considerations for control of physical access to electronic records include but are not limited to:

 

 

What to do if a Record is Lost, Destroyed or Stolen

 

Even with the best preventative systems in place medical records, in full or in part, can be inadvertently lost, destroyed, or stolen. To limit or minimize the harm, systems must to be in place and enforced which protect the records. 

 

When records are lost or missing, an exhaustive search should be conducted to locate the documents or records. Once records are found, evaluate the system failure that resulted in the loss of records and implement corrective measures to prevent it from occurring again.

 

After an exhaustive search for lost records or in situations where the records are known to be destroyed or stolen, the next step is to reconstruct the record if possible.

 

Reconstruct the information by:

 

If unable to reconstruct part or all of a resident's health information, document the date, the information lost, and the event precipitating the loss in the resident's record. When appropriate, document what and how information was reconstructed. Authenticate the entry as per facility policy. When information is disclosed that would have normally included the missing portion, include a copy of the entry documenting the loss of that information.

Disaster Plans

 

HIM STANDARD:

 

 

Every long term care facility should have a disaster plan in place to deal with unexpected events and outline how health information/medical records will be protected from damage.  A well thought out disaster plan will minimize disruption, ensure stability, and provide for orderly recovery when faced with an unforeseen event.

 

A plan should be in place to deal with water damage (flood, sewage back-up, sprinkler damage, etc), fire, power failures (electronic medical records and clinical information systems), resident evacuation, and other natural disasters common to your area such as a hurricane or tornado. 

 

AHIMA has the following practice brief on disaster planning which details the steps to take in preparing for potential adverse events.

 

Research

 

 

Drafting the Plan

 

 

For each plausible disaster and core process, generate a contingency plan. The document might include:

 

 

Implementing the Plan

 

 

Restoring Damaged Records

 

In the event records are damaged in an actual disaster, contact a fire/water/storm damage restoration company. If services are contracted, the contract must provide that the business partner will:

 

 

To the extent records cannot be reconstructed by the damage restoration company, reconstruct the information by:

 

 

If unable to reconstruct part or all of a resident's health information, document the date, the information lost, and the event precipitating the loss in the resident's record. When appropriate, document what and how information was reconstructed. Authenticate the entry as per facility policy. When information is disclosed that would have normally included the missing portion, include a copy of the entry documenting the loss of that information.

Create and retain a record of the disaster event and a list of resident records affected, with recovery efforts, successes, and failures. This will allow for easy retrieval of general information regarding the past event should any legal or accreditation issues arise.

 

Post Disaster

 

Following the disaster, meet with staff and allow them the opportunity to:


Copyright ©2011 American Health Information Management Association. All rights reserved. All contents, including images and graphics, on this Web site are copyrighted by AHIMA unless otherwise noted. You must obtain permission to reproduce any information, graphics, or images from this site. You do not need to obtain permission to cite, reference, or briefly quote this material as long as proper citation of the source of the information is made. Please contact Publications to obtain permission. Please include the title and URL of the content you wish to reprint in your request.