JCI Standard MCI.16 – Leadership and Planning, records and information are protected

A hospital ensures to maintain the security and confidentiality of data and should be especially careful about preserving the confidentiality of sensitive data. The hospital is also usually expected to determine the level of security and confidentiality maintained for different types of information.

When the Joint Commission International (JCI) examines how a hospital practices in the area of information management at an overall level during a hospital accreditation survey, its surveyors would normally check how the hospital addresses the Standard MCI.16 which requires that “Records and information are protected from loss, destruction, tampering, and unauthorized access or use”.

Natural or man-made disasters could destroy paper-based or electronic patient records when heat, water, fire, or other damage is likely to occur. Medical records, other data and information should  be stored in locations that are secure and protected at all times.

Image credit: sandor.com.my

It is common for the record room to contain fire walls or at minimum fire doors that prevent a fire from spreading from one area to another. The file area should also have a sprinkler system in place in case of fire. What is often overlooked here in Malaysia is an enclosed top shelf to help protect them from water damage in the event of sprinkler system malfunction.

Health Information Management (HIM) / Medical Records (MR) practitioners here in Malaysia or elsewhere should check with their local fire departments on fire codes that dictate clearance needed between the ceiling and the shelves as well the space required between file rows. The file area should also contain a fire extinguisher and a fire pull switch, and staff must be trained in the use of each.

The official portal for the Fire and Rescue Department Malaysia (FRDM) classifies fires caused by paper as Class A Fire and fire caused by electrical sources as Class E Fire. The portal recommends fire and safety tips but I am listing among other tips those of which that will be applicable to HIM/MR departments here in Malaysia, namely to install smoke detectors on the ceiling, no smoking on premise (obviously prohibited in a hospital), and avoiding power supply extensions that burden the electric circuitry. An HIM/MR practitioner and his or her staff should familiarise with the easy steps to use a Fire Extinguisher (there is a poster for quick facts) as given in this portal.

Records must also be protected from water damage due to malfunctioning sprinkler systems or flooding. Records should not be stored on the floor, as this presents a safety hazard to staff members and records could be damaged in the event of flooding. Records that are maintained in closed files are more protected from water damage than records located on open shelf units.

Medical information when documented and collected, is important for understanding the patient and his or her needs and for providing care and services over time. This information may be in paper or electronic form or a combination of the two.

A hospital must respect such information as important for patient care and establishes policies and procedures to address issues related to the security, and as such has implemented policies and procedures that protect such information from loss or misuse. A hospital must also respect the confidentiality of patient information, and thus also establishes policies and procedures to address issues related to confidentiality, and implements processes to prevent unauthorised access to confidential information.

A policy implemented by a hospital is a Medical Records Policy, that includes policy statements on matters like the security of medical records information, access to medical records and medical information and the process to gain access when permitted, either paper-based and electronically stored information or a combination of the two.

Standard Operating Procedures should be constructed to provide (i) procedures on security from loss due to natural and man-made disasters, and (ii) procedures on access to medical records and the process to gain access when permitted that protect such information from misuse (tampering) but also theft.

An effective process on confidentiality defines the following:

• Who has access to information
• The information to which an individual has access
• The user’s obligation to keep information confidential
• When release of health information or removal of the medical record is permitted
• How information is protected against unauthorised intrusion, corruption, or damage
• The process followed when confidentiality and security are violated

Patient information is protected from theft when only authorised personnel have access to the file area. For example, procedures that protect patient information areas would include processes such as :

• if a HIM/MR staff member is not available in the file area to retrieve a record, the area must be secured
• if the file area is locked, only those authorised to access the area should have a key or use authorised swipe cards (similar to those used for hotel rooms)
• when the file area is not staffed (e.g., evenings, nights, weekends), procedures must be established to allow limited access to records
• a nursing supervisor will be provided with a key to the file area and assigned responsibility for retrieving patient records if needed

One must not forget that patient information located in patient areas (e.g., nursing units) must be evaluated for protection against loss from fire, water, and theft.

Image credit : http://www.butdoctorihatepink.com/

Computerised health information also needs to be protected from loss due to fire, water, or theft. It is common to create a backup file of all computerised patient information and to store the backup file off site (at a location other than the facility). In the event of loss, the backup can be used to re-create patient information.

Patient medical records and other data and information should always be secure and protected at all times portable computer security (e.g., laptops, mobile devices, and so on). The risk of theft increases when someone can simply “walk off” with a laptop, resulting in stolen patient information. I have posted enough material on Bring Your Own Devices (BYOD) and Bring Your Own Cloud (BYOC) hazards in past posts of this blog on how hospitals and HIM/MR departments need to establish appropriate controls to address this issue.

I would think that a Contingency Plan by the HIM/MR department is necessary to respond to an emergency or other occurrence (e.g., fire, vandalism, system failure, and natural disaster) that damages paper-based and electronically stored information or a combination of the two.

For an HIM/MR working with Electronic Medical Records (EMRs), the Contingency Plan would address (Michelle AG & Mary JB 2011) a data backup plan and disaster recovery plan to create and maintain retrievable exact copies and to restore any loss of data to enable continuation of critical business processes in an emergency mode, ensure testing and revision procedures for periodic testing and revision of contingency plans, and include applications and data criticality analysis to determine the potential losses which may be incurred if components of applications and data were not available for a period of time.

I believe all said and done, that better protection of medical information will require efforts in improving public policy at a centralised command level if your hospital is part of a group of hospitals. The lack of uniform policies and procedures for the privacy and security of medical information creates particular problems for a group of hospitals’ organisation that serves its hospitals in multiple states and creates additional confusion for patients regarding their rights.

Overall, if security policies and procedures are not established and enforced, concerns might be raised about the security of patient information during legal proceedings. This could result in questioning the integrity of the medical record.

It is imperative that HIM/MR practitioners working in any hospital setting understand the importance of security and confidentiality of Protected Health Information (PHI) and medical records, and work towards understanding the uniform policies and procedures if any – or just his or her hospital policies and procedures, and ensures that medical records and other information are protected from loss or destruction, tampering and unauthorised access or use.

The implementation of the above measures would enable a hospital that had acquired JCI accreditation status or one that is seeking JCI accreditation status, to have met or fully meet the Standard MCI.16 and its two (2) MEs.

References:
Joint Commission International 2010, Joint Commission International Accreditation Standards For Hospitals, 4th edn, JCI, USA

Michelle AG & Mary JB 2011, Essentials of Health Information Management: Principles and Practices, 2nd edn, Delmar, Cengage Learning, NY, USA

Official Portal Fire and Rescue Department Malaysia(FRDM), viewed 27 July 2012 <http://www.bomba.gov.my/main.php>