10 Ways ICD-10 Changed Everything In Malaysian Healthcare

I stumbled upon the chart below from AAPC, which provides education and professional certification to physician-based medical coders and works to elevate the standards of medical coding.

[Chart: ICD-10 will change everything]

Chart credit: aapc.com/

As Malaysia had already implemented ICD-10 by 1 January 1999, I felt like doing this post based on the chart above, showing the things that changed from the transition period in 1998 from ICD-9 until we switched to using ICD-10, as you can view from the presentation below.

[Presentation: 10 Ways ICD-10 Changed Everything In Malaysian Healthcare]

8 ways for identifying opportunities for improvement and documenting a hospital’s performance level

[Image: 8 ways for identifying opportunities for improvement and documenting a hospital’s performance level]

References:
Joint Commission International 2010, Joint Commission International Accreditation Standards For Hospitals, 4th edn, JCI, USA

13 security tips as part of a data breach response plan to combat mobile device threats in the BYOD era @ your HIM/MR office

I took you on a rendezvous about the Bring-Your-Own-Device (BYOD) phenomenon, especially talking about mobile devices that can wreak havoc on a hospital, in my two previous posts, “The perils BYOD bring to healthcare – but before that, what is a mobile device exactly?” and “Patient data breaches in the BYOD and BYOC era”.

Here are some pointers I picked up while fact-finding on BYOD, along with 13 security tips as part of a data breach response plan to combat mobile device threats in a healthcare setting such as a hospital and, as is the focus of this website-blog, in your Health Information Management (HIM)/Medical Records (MR) Department backyard, especially if you work with Electronic Medical Records (EMR).

  1. Get help from the IT department of your hospital to install and advise on USB locks, a low-cost solution that easily plugs ports and offers an additional layer of security when encryption or other software is installed on computers, laptops or other devices that may contain protected health information (PHI) or sensitive information, to prevent unauthorised data transfer (uploads or downloads) through USB ports and thumb drives
  2. Lost or stolen computing or data devices are the number one reason for healthcare data breach incidents. Consider geolocation tracking software or services for mobile devices that can immediately track, locate, or wipe the device of all data
  3. Brick the mobile device when it is lost or stolen
  4. All mobile devices including USB drives, should be encrypted if they will be used remotely and if there is a possibility sensitive data will be stored on those devices. Require the use of company owned and encrypted portable media
  5. Laptops put in “sleep” mode, as opposed to shutting them down completely, can render encryption products ineffective.
  6. Once a password is entered, a laptop is unencrypted (and unprotected) until the laptop is shut down. Simply putting the laptop into “sleep” mode does not cause the encryption protection to kick back in. A laptop that is lost or stolen while in “sleep” mode is therefore completely unprotected. Employees should be clearly advised to completely shut down their laptops before removing them from the workplace (e.g. when taking them home for the evening) and to use only the full shut down function, rather than “sleep” mode, when traveling or leaving their laptop unattended in an insecure environment. This policy should be strictly enforced and audited.
  7. Limit the inappropriate use of personal devices (for example, through strong policies, training, and sanctions for noncompliance). To further reduce the risk, consider the root cause of the problem: what benefits are personal devices offering to employees that the organization’s systems are lacking? For example, if clinicians are texting PHI from personal devices because a hospital does not offer a similarly convenient means of communicating, then the hospital may want to consider whether it can offer a secure alternative to texting.
  8. Don’t permit access to PHI by mobile devices without strong technical safeguards: encryption, data segmentation, remote data erasure and access controls, VPN software, etc.
  9. Educate employees about the importance of safeguarding their mobile devices and about the risky behaviours to avoid: downloading applications and free software from unsanctioned online stores that may contain malware, turning off security settings, not encrypting data in transit or at rest, and not promptly reporting lost or stolen devices that may contain confidential and sensitive information
  10. As Electronic Protected Health Information (EPHI) can be accessed from a multitude of mobile devices, the risk of contamination of systems by a virus introduced from a mobile device used to transmit EPHI increases significantly. Thus, implement EPHI security by purchasing cyber liability insurance
  11. Ensure that BYOD mobile devices (the user owns and is primarily in control of the device, not IT) coming offline are adequately secured and checked before disposal or donation. Once a user upgrades to a new smartphone or mobile device, the device coming offline is almost always overlooked. Such smartphones and other devices are typically given to children to play with, donated to various charity organizations or handed down to other family members, in many cases without confirmation that they’ve been sufficiently wiped, potentially leaving sensitive, confidential and other data intact. The result is a constant stream of devices going offline and posing significant data breach risks
  12. Have a proactive data management strategy to protect critical patient data and to allow access to patient data on an as-needed basis, a strategy adopted from the data protection concepts of the financial industry where, for example, credit cards are now increasingly sent using tokenization technology. This technology can be adopted for the healthcare industry
  13. Transparency and End User Consent Opt-In when smartphone companies collect, share and/or store personal information; conduct a thorough technical review/risk audit of new technologies before implementation for use by patients and/or employees

I have visual!

There are many infographics on BYOD but I like this one because it relates quite closely to all the above I have posted about.

The infographic below is a summary of findings from a study commissioned by ESET, an IT security company founded and headquartered in Bratislava, Slovakia in 1992, which develops leading-edge security solutions against cyber threats. The study was meant to help companies gain a better understanding of the scale and scope of the risks identified with BYOD. Companies that adopt a BYOD mindset should make sure to implement a BYOD policy, as it is no laughing matter.


Source: vbridges.com/

References:
Largely from ID Experts, idexpertscorp.com/, with cross-references from:

Elizabeth B., International Perspectives in Health Informatics, 2011, IOS Press BV, Netherlands

Karen A. W, Frances W.L and John P.G, Managing health care information systems : a practical approach for health care executives, 1st ed, 2005, Jossey-Bass, A Wiley Imprint, San Francisco, USA

Kenneth C.L and Jane P.L, Management Information Systems Managing The Digital Firm, 12 ed, Prentice Hall, 2012, New Jersey, USA

Keri E.P and Carol S.S, Managing and Using Information Systems A Strategic Approach, 2010, John Wiley & Sons, New Jersey, USA

The Five Rights of Data Administration!

If you read the post Documentation of medication administration in medical records, I am sure you did not miss reading about how clinicians and nurses use the “Five Rights of Medication Administration” to ensure proper patient care.

If you work in an EMR environment, then the following infographic, entitled “The Five Rights of Data Administration,” was created by Symantec to help Health IT staff and users like you, Health Information Management (HIM)/Medical Records (MR) practitioners, answer important questions about the use, access, and availability of critical patient data. This infographic outlines specific best practices to ensure that patient information is kept secure regardless of where it is. The infographic also helps you and Health IT staff in organizations like the hospital you work in better understand the administration of patient data.

I believe HIM/MR practitioners working in an EMR setting need to adopt similar but modified best practices for ensuring proper security and privacy for patient data based on the specific best practices outlined in this infographic.

From this infographic, you need to cultivate the following specific best practices with coordination, guidance and help from the IT staff of your hospital.

  1. Right Time – data in EMRs should be available to authorised personnel in your department whenever they need it and must be backed up and secure
  2. Right Route – users like clinicians who need access to EMR data, regardless of where they are and the device they’re using, must have ready access to the updated data you are responsible for at your end
  3. Right Person – ensure only the right people have access to certain information through access verification in your department
  4. Right Data – prevent unauthorised tampering or accidental corruption of data by allowing only users entitled or authorised to have access to data in your department and by minimising or banning Bring Your Own Device (BYOD) mobile devices
  5. Right Use – ensure only the “minimum necessary” information is provided to external sources who request data that can be extracted from your end of the EMR system, thus assuring confidentiality

Just as medication administration is taken very seriously, with the utmost accuracy and attention to detail, because it can mean the difference between life and death, the proper administration of patient data should also be taken very seriously, as accuracy and attention to detail there too can prevent misdiagnoses or mistreatment.

Informed Consents – 5 required documentation in the medical record providing information to patient and family

“Every human being of adult years and sound mind has a right to determine what shall be done with his own body….”, is an often quoted (in bioethics and legal literature) statement by Justice Cardozo from the well-known case Schloendorff v. Society of New York Hospital, 105 N.E. 92, 1914.

Informed consent, as Wikipedia informs us, “is a phrase often used in law to indicate that the consent a person gives meets certain minimum standards”. It is interesting to note that this term was first used by Paul G. Gebhard, an attorney well educated at Yale and Harvard Law School and the senior partner in the government, health care and association group of the Chicago law firm of Jenner & Block, in a 1957 medical malpractice case in which a patient contended that a physician at a Stanford University hospital had not fully disclosed the risk in a recommended treatment.

As an informed consent grants a patient the right to be involved in their care decision, the informed consent informs a patient of those factors related to the planned care that are required for an informed decision.

Informed consent can be obtained at several points in the care process. Informed consent can thus be obtained when a patient is admitted for inpatient care before certain procedures or treatments for which the risk is high.

It is important to know the following:

  • the consent process is clearly defined in the hospital’s policies and procedures incorporating relevant laws and regulations
  • the role of patients and families in the informed consent process – (i) they are informed as to what tests, procedures, and treatments require consent and how they can give consent (for example, given verbally, by signing a consent form, or through some other means), (ii) they understand who may, in addition to the patient, give consent
  • trained designated staff members inform patients, obtain and document patient consent. Here I would like to quote the Malaysian Medical Council (MMC), which “upholds that the responsibility for obtaining consent lies with the  practitioner performing the procedure. He is the best person who can ensure that the necessary information is communicated and discussed”, as stated in its “A Guidebook for House Officers”, paragraph 4.12, pages 37-38, dated 23 April 2008. A statement from a booklet by the MMC, “Good Medical Practice”, paragraph 3.7, page 13, also defines and states the role of doctors in providing an informed consent.

Now that you, as a HIM/MR practitioner, have finished reading the brief overview above of the basic human right of a patient to informed consent, you need to know the kind of documentation that goes into a medical record related to informed consent, which is obtained before surgery, anesthesia, use of blood and blood products, and other high-risk treatments and procedures.

A medical record will contain an informed consent for:

  1. surgical or invasive procedures
  2. anesthesia other than local including moderate (“conscious”) and deep sedation
  3. blood and blood products used
  4. high-risk procedures and treatments

When informed consent is taken, the following will also be recorded in a medical record:

  1. identity of the individual providing information to patient and family
  2. patient’s signature or a record of verbal consent

Thus, the 5 required documentation in the medical record providing information to patient and family includes numbers 1 to 4 as given above and number 5, “identity of the individual providing information to patient and family and the patient’s signature or a record of verbal consent”.

Whether or not your hospital has been accredited by the Joint Commission International (JCI), you need to play your role to ensure that an informed consent is documented in the medical record when a patient has had surgery, anesthesia, use of blood and blood products, and other high-risk treatments and procedures.

If your hospital has been accredited by JCI, then you must be informed that JCI Standard *PFR.6.4 applies to informed consent documentation in a medical record. JCI Standard PFR.6.4 states that “Informed consent is obtained before surgery, anesthesia, use of blood and blood products, and other high-risk treatments and procedures”.

Still on the subject of JCI accreditation, it’s good to be aware not only of JCI Standard PFR.6.4; I think that, as an informed HIM/MR practitioner, you should also know the following:

  1. that a hospital has a clearly defined informed consent process described in policies and procedures
  2. who are trained to implement these policies and procedures
  3. what is clearly explained regarding any proposed treatment(s) or procedures to the patient and, when appropriate, the family

In addition, be informed that:

  1. designated staff members are trained not only to carry out the process of giving out the informed consent but also to obtain and document patient consent in accordance with JCI Standard PFR.6, which states that “Patient informed consent is obtained through a process defined by the organization and carried out by trained staff in a language the patient can understand”.
  2. these trained designated staff members provide information as stated in elements (a) to (h) of JCI Standard PFR.6.1, which states that “Patients and families receive adequate information about the illness, proposed treatment(s), and health care practitioners so that they can make care decisions”

So much more to be informed on informed consent, and I think I covered pretty much already on JCI Standards PFR.6, PFR.6.1 and PFR.6.4

*PFR stands for Patient Family Rights