The Health Law Resource


AMERICAN HEALTH INFORMATION MANAGEMENT ASSOCIATION LANGUAGE FOR MODEL HEALTH INFORMATION LEGISLATION ON CREATION, AUTHENTICATION AND RETENTION OF COMPUTER-BASED PATIENT RECORDS


SEC. 101. PREAMBLE.

The Congress finds that:--

A. A computer-based patient record is a compilation of information about an individual patient's health status and health care that resides in a system specifically designed to support users by providing access to complete and accurate clinical and related information concerning a patient. A fully computerized patient record is one that is created or recorded by computer, authenticated by computer, stored on media readable by computer and retrievable by computer;

B. Computer-based patient records are important tools for supporting the clinical decision-making process and improving the quality of patient care;


C. Achieving widespread use of computer-based patient records is a necessary step in building a national health care information infrastructure that can make possible the provision of integrated health care services across multiple settings and providers of care, and can support efforts to simplify the administration of health care and reduce health care costs;

D. Certain State laws and regulations are barriers to development and implementation of computer-based patient records because of State-to-State variances in requirements for creation, authentication, maintenance, retention, and retrieval of patient records and because the laws and regulations of some States require maintenance or retention of patient records on paper or other media that are incompatible with full computerization of patient records;

E. To protect the health and privacy of individuals who receive health care in the United States and to support the accountability of health plans and providers for the health care they deliver, it is important that creation, authentication, maintenance, retention, and retrieval of computer-based patient records meet minimum standards for security, accuracy, integrity, accessibility and durability;

F. The interstate movement of individuals and patient records and the emergence of multi-state health care providers and payors create a compelling need for Federal law, rules and procedures governing the creation, authentication and retention of patient records utilizing computer technology.

SEC. 102. GENERAL DEFINITIONS.

In this [Act] (except as otherwise provided):

A. HEALTHCARE -- The term "health care" means: --


1. any preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure provided by a health care provider:--


a. with respect to a patient's physical or mental condition; or

b. affecting the structure or function of the human body or any part thereof, including, but not limited to, banking of blood, sperm, organs, or any other tissue; and

2. any sale or dispensing of any drug, substance, device, equipment, or other item to a patient or for a patient's use, pursuant to a prescription.

B. HEALTHCARE PROVIDER -- The term "health care provider" means a person who is licensed, certified, registered or otherwise authorized by law to provide health care in the ordinary course of business or practice of a profession.

C. PATIENT -- The term "patient" means an individual who receives or has received health care.

D. PRIMARY AUTHOR -- The term "primary author" means the individual who is primarily legally responsible for the content of a primary patient record or primary patient record entry. The primary author may or may not be the same individual as the recorder.

E. PRIMARY PATIENT RECORD -- The term "primary patient record" means a record created by or on behalf of a health care provider of health care provided to a patient.

F. PRIMARY PATIENT RECORD ENTRY -- The term "primary patient record entry" means any discrete entry into a primary patient record that constitutes less than the total record of a patient's health care by the health care provider maintaining such record. (Examples of primary patient record entries include progress notes entered into the primary patient record of hospitalized patients, notes of care provided to clinic patients, orders, home health nursing care plans, and laboratory results.)

G. RECORDER -- The term "recorder" means the individual who, or machine which, inputs the record or entry into a computer. The recorder may or may not be the same individual as the primary author.



SEC. 102. REQUIREMENTS FOR PRIMARY PATIENT RECORDS


Effective as of the effective date of the [Act], all primary patient records and primary patient record entries created, entered, or retrieved by computer or stored, maintained or retained on any magnetic, digital, optical, or other medium used to store data for computers shall meet all of the requirements set forth in this Section.

A. SECURITY


1. At a minimum, reasonable security shall be maintained for any computer on which any primary patient record or primary patient record entry is created, entered, or retrieved. At a minimum, reasonable security shall be maintained in the connection of such computer to any computer or communications system or network. The reasonableness of the security of a computer or a connection shall be determined taking into consideration at least the following:--


a. the state of commercially available computer technology;

b. the affordability of security technology, procedures and techniques;

c. the likelihood of failure of security and the risk that such a failure could be caused intentionally;

d. the magnitude of harm that could result if security fails, is inadequate or is breached;

e. known and reasonably anticipated threats to security;

f. standards promulgated by nationally recognized standard-setting organizations and professional associations in the fields of health information, healthcare informatics, and computer security; and

g. the requirements set forth in Subsection (c)(2) concerning accessibility.


2. The security system of any computer on which a primary patient record or primary patient record entry is created, entered, or retrieved, including any connections to such computer, shall be designed, utilized, maintained and administered to prevent unauthorized access to primary patient records and to data contained in such records and to prevent unauthorized input to, or modification or deletion of, such records and data.

B. AUTHENTICATION

1. Each primary patient record or primary patient record entry created or entered by computer shall be authenticated.

2. The term "authenticated" means association with each primary patient record or primary patient record entry of: --


a. a unique identifier of the recorder of such record or entry; and

b. the date and time when the recorder input such record or entry; and

c. a unique identifier of the primary author of such record or entry, if the primary author is other than the recorder; and

d. the date and time when the primary author accepted such record or entry, if the primary author is other than the recorder; and

e. a unique identifier of any other author of such record or entry, if such other author is other than the recorder or the primary author.

The association with such record or entry of the unique identifier of the primary author and of the time when the primary author accepted such record or entry must occur after the primary author has had an opportunity to review such record or entry and to correct or otherwise modify such record or entry.

3. After a primary patient record or primary patient record entry created or entered by computer has been authenticated, such authenticated record or entry may not be altered, modified, or corrected, unless the authenticated version of such record or entry is preserved, together with its authentication, and the altered, modified, or corrected version of such record or entry is authenticated, and contains a notation that such entry is altered, modified, or corrected. Nothing in this Subsection shall be construed to require that any digital voice recording be retained after it has been transcribed or otherwise converted to text, and such transcription or text has been authenticated.

C. MEDIA AND FORMATTING.

1. A primary patient record or primary patient record entry may be stored by computer on any type of medium, so long as the medium is reasonably durable and reliable, and the requirements of Subsections (2), (3), and (4) are met. The reasonableness of a storage medium's durability and reliability shall be determined taking into consideration at least the following:--


a. the minimum time period that primary patient records must be retained to comply with all applicable Federal and State laws;

b. the likelihood that the storage medium will fail, in view of the expected level of use of such medium;

c. the likelihood that the storage medium will fail to record or retain data accurately;

d. the magnitude of harm that could result if the storage medium fails;

e. known and reasonably anticipated problems with the storage medium; and

f. standards promulgated by nationally recognized standard-setting organizations and professional associations in the fields of health information, healthcare informatics, and computer security.

2. Primary patient records and primary patient record entries stored, maintained, or retained on any medium used to store data for computers or retrieved by computer shall be reasonably accessible by authorized individuals at all times during the time period that primary patient records must be maintained to comply with all applicable Federal and State laws. A primary patient record or primary patient record entry is accessible if it can be retrieved and displayed in a form usable by health care providers, and if it meets any display or output format requirements imposed by Federal or State law.

3. No particular data format shall be required for such records or entries, so long as such records or entries are accessible in accordance with the requirements of this Subsection.

4. There shall be no requirement to store primary patient records or primary patient record entries in a particular location, so long as the security and accessibility requirements of this [Act] are met, and so long as the entity legally responsible for each primary patient record maintains appropriate legal and/or physical control over the record and all of its components.

5. Reformatting, copying, and conversion of primary patient records and primary patient record entries to new storage media or data formats shall be permitted and shall not require reauthentication of reformatted, copied, or converted records or entries, if the following requirements are met:--


a. The process of reformatting, copying, or conversion has been demonstrated to be reasonably accurate, at a minimum, and records of such demonstration are preserved for at least the time period during which reformatted or converted primary patient records or primary patient record entries must be retained to comply with all applicable Federal and State laws;

b. The requirements of Subsection (2) are met by any new medium to which such a record or entry is converted or copied;

c. The requirements of Subsections (2), (3), and (4) are met by the converted, copied, or reformatted primary patient record or primary patient record entry.

D. ACCURACY. Any computer, and any computer or communications system or network, by or through which any primary patient record or primary patient record entry is created, entered, retrieved, stored, maintained, retained, converted, copied, or reformatted, including both hardware and software, shall be accurate in creating, entering, retrieving, storing, maintaining, retaining, converting, copying, or reformatting such record or entry.





Last updated by Bill Manning on 11/10/96
