
Page 1: Recommendations On Electronic Medical Records Standards In

1

Report of Sub-Group Task II (data connectivity) with reports of Sub-Group Task I (standards) and Sub-Group Task III (data ownership) incorporated

Recommendations On

Electronic Medical Records Standards

In India

Version 2.0 October 2012

Recommendations of EMR Standards Committee, constituted by an order of Ministry of Health & Family Welfare, Government of India


Sub-Group Task I (Standards)

Members:

1. Prof. Dr. S.V. Mani, TCS, Group Head, Sub-Group Task I
2. Dr. R.R. Sudhir, Shankar Netralaya
3. Ms. Kala Rao, TCS
4. Dr. Ashok Kumar, CBHI
5. Ms. Jyoti Vij, FICCI
6. Dr. Sameer A. Khan, Fortis Hospital

Sub-Group Task II (Data Connectivity)

Members:

1. Mr. B S Bedi, Adviser, CDAC, Group Head, Sub-Group Task II
2. Dr. Thanga Prabhu, Clinical Director, GE India, Member
3. Dr. Supten Sarbadhikari, Prof, Health Informatics, Coimbatore, Member
4. Mr. Chayan Kanti Dhar, National Informatics Center
5. Mr. Gaur Sundar, Project Manager, Medical Informatics Group, CDAC (Pune)
6. Dr. S. B. Bhattacharyya, Health Informatics Consultant, Ex-President, IAMI

Sub-Group Task III (Data Ownership)

Members:

1. Prof. Saroj K. Mishra, SGPGI, Lucknow, Group Head, Sub-Group Task III
2. Prof. Indrajit Bhattacharya, IIHMR, New Delhi
3. Prof. Sita Naik, MCI
4. Dr. Karanveer Singh, Sir Gangaram Hospital
5. Dr. Naveen Jain, CDAC
6. Dr. Arun Bal
7. Mr. Madhu Aravind, Healthhiway

N. B. This document incorporates the recommendations of the various Sub-Groups, consolidated into one document for easy reference. As there was considerable overlap between the areas of recommendation of Sub-Group Task I (responsible for standards) and Sub-Group Task II (responsible for data connectivity), most of the recommendations were made primarily by the members of Task Group II in close consultation with the chairman of Sub-Group Task I, Prof. (Dr.) S. V. Mani.


TABLE OF CONTENTS

1. EXECUTIVE SUMMARY ... 5
2. BACKGROUND ... 7
3. MAJOR STAKEHOLDERS ... 9
4. ELECTRONIC HEALTH RECORDS/ELECTRONIC MEDICAL RECORDS ... 10
   Study & Analysis of National EHR/EMR Programs Around the World ... 10
5. INTEROPERABILITY AND STANDARDS ... 14
   Goals ... 14
   Categories for Adoption of Standards ... 15
      Vocabulary Standards ... 15
      Content Exchange Standards ... 16
      Transport Standards ... 16
      Privacy and Security Standards ... 17
   Clinical Standards ... 19
   Recommended Healthcare IT Standards (for India) ... 19
   Healthcare Informatics Standards ... 21
      Issues ... 22
      Trends ... 22
6. EMR MINIMUM DATA SET (MDS) ... 23
7. OTHER STANDARDS ... 27
   Hardware ... 27
   Connectivity ... 27
   Software ... 27
8. DATA OWNERSHIP OF EMR ... 28
   Technical Security Guidelines ... 32
      (I) Electronic Data Storage ... 32
      (II) Electronic Data Transmission ... 32
      (III) Data Access ... 32
      (IV) Data Sharing ... 32
      (V) Data Audit ... 33
      (VI) General Software / Application Requirements ... 33
   Administrative Guidelines ... 33
      Certification Process ... 33
   Physical Security Guidelines ... 34
10. REFERENCES ... 35
11. ANNEXURES ... 36
   Annexure I ... 36
      GO related to Sub-Groups Formation ... 36
      Committee Discussions ... 39
   ISP: Internet Service Provider ... 53
   Variable Contribution Health Plan: In contrast to a fixed contribution plan, a variable contribution involves employers committing to a specified level of benefits funding for its employees, regardless of the actual benefit price. Employers are thus locked into variable contribution arrangements because they are committed to funding a certain benefit structure without knowing what the future costs may be if premiums are raised. See also Fixed Contribution Health Plan. ... 63
   Vital Statistics: Statistics relating to births (natality), deaths (mortality), marriages, health, and disease (morbidity). Vital statistics for the United States are published by the National Center for Health Statistics. Vital statistics can be obtained from CDC, state health departments, county health departments and other agencies. An individual patient’s vital statistics in a health care setting may also refer simply to blood pressure, temperature, height and weight, etc. ... 63
   Annexure VI ... 67
      Proposed Portable Health Record ... 67
   Annexure VII ... 68
      Privacy and Security in Meaningful Use Rule ... 68
   Annexure VIII ... 69
      HIPAA 45 CFR Part 142 Subpart C, Security and Electronic Signature Standards ... 69
      45 CFR Part 164 ... 75

LIST OF TABLES

Table 1: Worldwide HCIT Programs ... 11
Table 2: Country-wise HCIT Standards Usage ... 11
Table 3: Country-wise Data Exchange Standards Usage ... 12
Table 4: Country-wise Standards Adoption Statistics ... 13
Table 5: Privacy & Security Standards ... 18
Table 6: HCIT Standards (Relevant to India - Initial Set) ... 21
Table 7: Health Informatics Standards ... 22
Table 8: EMR MDS ... 26


1. EXECUTIVE SUMMARY

Healthcare systems are highly complex, fragmented and use multiple information technology systems. With vendors incorporating different standards for similar or the same systems, it is little wonder that all-round inefficiency, waste and errors in healthcare information and delivery management are all too commonplace an occurrence. Consequently, a patient’s medical information often gets trapped in silos of legacy systems, unable to be shared with members of the healthcare community. These are some of the several motivations driving an effort to encourage standardization, integration and electronic information exchange amongst the various healthcare providers.

In order to be meaningful, the health record of an individual needs to begin from conception (better) or birth (at the very least). As one progresses through one’s life, every record of every clinical encounter represents an event in one’s life. Each of these records may be insignificant or significant depending on the current problems that the person suffers from.

Developmental Origins of Health and Diseases (DOHAD) has successfully proven the importance of developmental records of individuals in predicting and/or explaining the diseases that a person is suffering from. In the current, largely paper-based, medical records world, invaluable data is more often than not unavailable at the right time in the hands of the clinical care providers to permit better care. This is largely due to the inefficiencies inherent in the paper-based system. In an electronic world this is very much possible, provided certain important steps are taken beforehand to ensure the availability of the right information at the right time.

Increasingly it is becoming extremely necessary to ensure that the right information, in the right quantities, is available for the right patient at the right time, to ensure that the patient receives the right care – the five R’s of information requirement.

Electronic health records are a summary of the various electronic medical records that get generated during any clinical encounter. Without standards, a life-long summary is not possible as different records from different sources spread across ~80+ years will potentially need to be brought into one summary. To achieve this, a set of pre-defined standards for information exchange that includes images, clinical codes and a minimum data set is imperative.

This report provides a structured overview of the key EMR standards with respect to Indian conditions. Since the field of ICT standards in the health sector is very wide and difficult to overview, it focuses primarily on the key standards, limited to hardware, software and connectivity. The various definitions, understanding of the term “electronic medical records”, world-wide trends, the recommended HCIT standards, high level requirements and minimum data sets are provided.

A background on EMR and EHR and their use is provided, followed by a list of the various stakeholders. A short study of the efforts world-wide, including country-wise analysis of similar efforts and their current state, is also outlined. A detailed discussion on interoperability and standards, covering the goals, categories of adoption of standards, clinical standards, EMR/EHR, preservation and security aspects, healthcare informatics standards, and the various coding systems, is carried out, followed by the detailing of the minimum data set that any Indian EMR must have.

While any vendor may choose to have any additionally relevant information captured and presented, all must conform to the MDS. There are additional notes that are essentially for industry and vendor “guidance” in designing and building an EMR. The conclusions include draft recommendations and final observations. A short reference section and a glossary are added for everyone’s benefit.

It is important to note that the users of this document are advised to peruse and amalgamate, as necessary, the various provisions detailed in the Recommendations on Guidelines, Standards & Practices for Telemedicine in India as submitted by DIT, MCIT, Govt. of India to MoH&FW, Govt. of India, in July 2007.(2)

In conclusion, it must be added that these standards cannot be considered either in isolation or as “etched in stone for all eternity”. These will need to undergo periodic (at a maximum of 12 months interval) review and update as necessary. This document must be a “living document”.


2. BACKGROUND

The health care sector in India has witnessed significant growth during the last few years, both in quality and capacity. The relatively lower cost of health care, as compared to developed countries, coupled with international quality, has positioned India as a major destination for health care services. In spite of such developments, health care facilities in the country remain inadequate to meet the needs of the citizens, particularly in rural areas, where approximately 70% of the people live. To address these problems, the government has launched major national initiatives such as the National Rural Health Mission, establishment of six new AIIMS-like institutions, upgradation of existing public hospitals and labs, etc.

Management of communicable as well as non-communicable diseases has also been a major area of concern to the government. An Integrated Disease Surveillance Program (IDSP) is already under implementation. The Non-communicable Disease Risk Factor Surveillance under IDSP will track trends of selected major risk factors in the urban and rural population aged between 15 and 64 years. Innovative systems are, however, required for quick reporting of such incidents when they occur and to implement an effective system of intervention to provide the best diagnostic and medical care to the affected patients and prevent further spread of the disease.

India also has a strong base for medical research. Extensive work is being done as a part of postgraduate work in medical institutions, ICMR labs and other institutions. There is, however, a strong need for sharing of knowledge and resources amongst the researchers and healthcare providers. In addition, the private sector has initiated massive investments in various facets of healthcare. This is expected to position health care as one of the largest service sectors and a significant contributor to the GDP.

As the health sector is poised for major growth in the next decade, the sheer size of the healthcare sector in the country will necessitate extensive use of information and communication technology (ICT) infrastructure, services and databases for policy planning and implementation. Such a framework would require services based on inter-operable and sharable technology and standards utilization, connecting various institutions and service providers. The use of international experience, best practices and open technologies may be necessary in some scenarios.

Technology is a critical tool in achieving the benefits of health information exchange (HIE). However, technology alone is not sufficient. Healthcare industry stakeholders that base their HIE solutions solely on technology do so at the expense of underlying health information management principles. An abundance of disparate HIE principles, models, definitions, products, and standards camouflages some crucial policy and process decisions an HIE initiative must make in the early stages of its development. Transmitting patient data electronically without attending to the business processes surrounding data capture, translation, and transmission has the potential to increase patient risks and healthcare costs. Data accessibility, reliability, and accuracy are critical factors in obtaining the trust of stakeholders, including consumers, and in sustaining long-term data exchange on a large scale.(3)

Electronic health records can improve care by enabling functions that paper medical records cannot deliver:

- EHRs can make a patient’s health information available when and where it is needed – too often care has to wait because the chart is in one place and needed in another. EHRs enable clinicians secure access to information needed to support high quality and efficient care.
- EHRs can bring a patient’s total health information together to support better health care decisions, and more coordinated care.
- EHRs can support better follow-up information for patients – for example, after a clinical visit or hospital stay, instructions and information for the patient can be effortlessly provided and reminders for other follow-up care can be sent easily or even automatically to the patient.
- EHRs can improve patient and provider convenience – patients can have their prescriptions ordered and ready even before they leave the provider’s office, and insurance claims can be filed immediately from the provider’s office.(5)

It would certainly not be out of place to mention here that it will be particularly useful to review 45 CFR Part 164 for Security and Privacy aspects associated with EHR/EMR design, development, implementation, maintenance and use, as well as 45 CFR 160 for administrative requirements associated with code sets, data entry formats and standard unique identifiers.


3. MAJOR STAKEHOLDERS

- Citizens
- Health care providers and payers
- Education, research institutions and investigators
- Government departments and institutions
- Public health agencies and NGOs
- Pharmaceutical industry and medical device makers
- Telemedicine institutions
- Software and hardware vendors


4. ELECTRONIC HEALTH RECORDS/ELECTRONIC MEDICAL RECORDS

According to the "Integrated Care EHR", as defined in ISO/DTR 20514, an “EMR is a repository of information regarding the health of a subject of care in computer-processable form that is able to be stored and transmitted securely, and is accessible by multiple authorized users”.

It has a commonly agreed logical information model which is independent of EHR systems and its chief purpose is the support of continuing, efficient and quality integrated health care and it contains information which is retrospective, concurrent and prospective.

Broadly speaking, an EMR is a specific recording of an episode of encounter and is case- or purpose-specific (for example, telemedicine or a particular course of care), while an EHR is an aggregation of EMRs and is usually life-long.

The benefits that an EMR is expected to bring in are:

- Paperless medical history
- Reduced healthcare costs
- Empowering the stakeholders to be able to deliver the right treatment at the right time
- Promote the practice of evidence-based medicine
- Accelerate research and building effective medical practices
- Usher in ease in maintaining health information of patients
- With proper backup policies, increase the lifespan of health records of individuals, that is from conception to cremation
- Safety with access, audit and authorization control mechanisms
- Faster search and updates

Study & Analysis of National EHR/EMR Programs Around the World (1)

Review of Healthcare IT Programs World-wide

Country          National Healthcare IT Program
Australia        HealthConnect
Austria          ELGA
Canada           EHRS Blueprint
Denmark          MedCom
England          Spine
Hong Kong        eHR Infrastructure
Netherlands      AORTA
Singapore        EMRX
Sweden           National Patient Summary (NPO)
Taiwan           Health Information Network (HIN)

Table 1: Worldwide HCIT Programs

(1) Conducted by Medical Informatics Group, C-DAC, as part of Project for Building Distributed National EHR funded by DIT, MCIT, Govt. of India

Country-wise Usage of Standards

Table 2: Country-wise HCIT Standards Usage (table body not reproduced in this transcript)

Country-wise Use of Exchange Standards

Table 3: Country-wise Data Exchange Standards Usage (table body not reproduced in this transcript)

Country-wise Statistics of Standards Adoption

Table 4: Country-wise Standards Adoption Statistics (table body not reproduced in this transcript)


5. INTEROPERABILITY AND STANDARDS

The recommendations outlined in this section are an incremental approach to adopting standards, implementation specifications, and criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its widespread adoption. It is to be kept in mind that these standards should be flexible and modifiable to adapt to the demographic and resource variance observed in a large and developing country like India.

It is important to recognize that interoperability and standardization can occur at many different levels. To achieve interoperability, information models would need to be harmonized into a consistent representation.(8)

In other cases, organizations may use the same information model, but use different vocabularies or code sets (for example, Systematized Nomenclature of Medicine Clinical Terms (SNOMED CT®) or ICD10-CM) within those information models. To achieve interoperability at this level, standardizing vocabularies, or mapping between different vocabularies (using tools like the Unified Medical Language System (UMLS)), may be necessary. For some levels (such as the network transport protocol), an industry standard that is widely used (e.g. Transmission Control Protocol (TCP) and the Internet Protocol (IP), i.e. TCP/IP) will likely be the most appropriate. Ultimately, to achieve semantic interoperability, it is anticipated that multiple layers – network transportation protocols, data and services descriptions, information models, and vocabularies and code sets – will need to be standardized and/or harmonized to produce an inclusive, consistent representation of the interoperability requirements.

It is further anticipated that using a harmonization process will integrate different representations of health care information into a consistent representation and maintain and update that consistent representation over time. For an information model, this process could include merging related concepts, adding new concepts, and mapping concepts from one representation of health care information to another. Similar processes to support standardization of data and services descriptions and vocabularies and codes sets may also be needed.

It is also recognized that a sustainable and incremental approach to the adoption of standards will require processes for harmonizing both current and future standards. This will allow the incremental updating of the initial set of standards, implementation specifications, and certification criteria and provide a framework to maintain them. The decision to adopt such updates will be informed and guided by recommendations from an appropriate authority akin to a National Health Information Authority.

Goals

- Promote interoperability and where necessary be specific about certain content exchange and vocabulary standards to establish a path forward toward semantic interoperability
- Support the evolution and timely maintenance of adopted standards
- Promote technical innovation using adopted standards
- Encourage participation and adoption by all vendors and stakeholders
- Keep implementation costs as low as reasonably possible
- Consider best practices, experiences, policies and frameworks
- To the extent possible, adopt standards that are modular and not interdependent.

Categories for adoption of standards

Vocabulary Standards (i.e., standardized nomenclatures and code sets used to describe clinical problems and procedures, medications, and allergies):

a) Logical Observation Identifiers Names and Codes (LOINC®): The purpose of LOINC® is to facilitate the exchange and pooling of clinical results for clinical care, outcomes management, and research by providing a set of universal codes and names to identify laboratory and other clinical observations. The Regenstrief Institute Inc., an internationally renowned healthcare and informatics research organization, maintains the LOINC database and supporting documentation, and the RELMA mapping program.

b) International Classification of Diseases (ICD10): The ICD is the international standard diagnostic classification for all general epidemiological, many health management purposes and clinical use.

c) Systematized Nomenclature of Medicine--Clinical Terms (SNOMED-CT): is a comprehensive clinical terminology, originally created by the College of American Pathologists (CAP) and owned, maintained, and distributed by the International Health Terminology Standards Development Organization (IHTSDO), a not-for-profit association in Denmark.

d) Current Procedural Terminology, 4th Edition (CPT 4): The CPT-4 is a uniform coding system consisting of descriptive terms and identifying codes that are used primarily to identify medical services and procedures furnished by physicians and other health care professionals.

e) RxNORM: RxNorm, produced by the National Library of Medicine (NLM) provides normalized names for clinical drugs and links its names to many of the drug vocabularies commonly used in pharmacy management and drug interaction software, including those of First Databank, Micromedex, MediSpan, Gold Standard Alchemy, and Multum. By providing links between these vocabularies, RxNorm can mediate messages between systems not using the same software and vocabulary.

f) ATC – Anatomic Therapeutic Chemical Classification of Drugs: is used for the classification of drugs. It is controlled by the WHO Collaborating Centre for Drug Statistics Methodology (WHOCC), and was first published in 1976. This pharmaceutical coding system divides drugs into different groups according to the organ or system on which they act and/or their therapeutic and chemical characteristics. Each bottom-level ATC code stands for a pharmaceutically used substance in a single indication (or use). This means that one drug can have more than one code: acetylsalicylic acid (aspirin), for example, has A01AD05 as a drug for local oral treatment, B01AC06 as a platelet inhibitor, and N02BA01 as an analgesic and antipyretic. On the other hand, several different brands share the same code if they have the same active substance and indications.


Content Exchange Standards (i.e., standards used to share clinical information such as clinical summaries, prescriptions, and structured electronic documents):

a) Health Level Seven (HL7) Clinical Document Architecture (CDA): is an XML-based markup standard intended to specify the encoding, structure and semantics of clinical documents for exchange. CDA is also being used in electronic health records projects to provide a standard format for entry, retrieval and storage of health information.

b) HL7 2.5.1: defines a series of electronic messages to support administrative, logistical, financial as well as clinical processes and mostly uses a textual, non-XML encoding syntax based on delimiters. HL7 v2.x has allowed for interoperability between electronic Patient Administration Systems (PAS), Electronic Practice Management (EPM) systems, Laboratory Information Systems (LIS), Dietary, Pharmacy and Billing systems as well as Electronic Medical Record (EMR) or Electronic Health Record (EHR) systems.

c) Continuity of Care Record (CCR) is a health record standard specification developed jointly by ASTM International, the Massachusetts Medical Society (MMS), the Healthcare Information and Management Systems Society (HIMSS), the American Academy of Family Physicians (AAFP), the American Academy of Pediatrics (AAP), and other health informatics vendors. It is a core data set of the most relevant administrative, demographic, and clinical information facts about a patient's healthcare, covering one or more healthcare encounters. It provides a means for one healthcare practitioner, system, or setting to aggregate all of the pertinent data about a patient and forward it to another practitioner, system, or setting to support the continuity of care. The primary use case for the CCR is to provide a snapshot in time containing the pertinent clinical, demographic, and administrative data for a specific patient. To ensure interchangeability of electronic CCRs, this specification defines the XML coding that is required when the CCR is created in a structured electronic format. Conditions of security and privacy for a CCR instance must be established in a way that allows only properly authenticated and authorized access to the CCR document instance or its elements. The CCR consists of three core components: the CCR Header, the CCR Body, and the CCR Footer.

d) Digital Imaging and Communications in Medicine (DICOM): The DICOM Standards Committee exists to create and maintain international standards for communication of biomedical diagnostic and therapeutic information in disciplines that use digital images and associated data. The goals of DICOM are to achieve compatibility and to improve workflow efficiency between imaging systems and other information systems in healthcare environments worldwide. DICOM currently defines an upper layer protocol (ULP) that is used over TCP/IP (independent of the physical network), messages, services, information objects and an association negotiation mechanism. These definitions ensure that any two implementations of a compatible set of services and information objects can effectively communicate.
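A small parser for the delimiter-based HL7 v2.x syntax described in item b), added here as an illustration and not part of the report: it reads the separators from MSH-1/MSH-2, splits segments into fields, repetitions, components and subcomponents, resolves the standard escape sequences and addresses values the HL7 way (e.g. PID-5.2). The ADT^A01 message, its identifiers and names are constructed sample data.

```python
"""Minimal HL7 v2.x parser: segments split on <CR>, then the field, repetition,
component and subcomponent separators announced in MSH-1 and MSH-2."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample ADT^A01 message (not taken from the report); segments end in \r.
# PID-3 repeats (UHID and a local MRN) and PID-11 contains an escaped field separator.
SAMPLE_MSG = (
    "MSH|^~\\&|EMR_APP|CLINIC_A|HIS|HOSP_B|20121001120000||ADT^A01|MSG00001|P|2.5.1\r"
    "PID|1||123456789012^^^UHID~H00042^^^MRN||KUMAR^RAVI^K||19800115|M|||"
    "12 M\\F\\G ROAD^^BENGALURU^KA^560001\r"
    "PV1|1|O|OPD^101^1\r"
)

# One field = list of repetitions; repetition = list of components; component = subcomponents.
Field = List[List[List[str]]]
Segment = List[Field]


class HL7ParseError(ValueError):
    pass


@dataclass(frozen=True)
class Delimiters:
    field: str
    component: str
    repetition: str
    escape: str
    subcomponent: str


def read_delimiters(msh: str) -> Delimiters:
    """MSH-1 (character 4) is the field separator, MSH-2 (characters 5-8) the encoding characters."""
    if not msh.startswith("MSH") or len(msh) < 8:
        raise HL7ParseError("message must begin with an MSH segment")
    enc = msh[4:8]
    if len(set(enc) | {msh[3]}) != 5:
        raise HL7ParseError("the five delimiters must be distinct characters")
    return Delimiters(msh[3], enc[0], enc[1], enc[2], enc[3])


def unescape(text: str, d: Delimiters) -> str:
    """Resolve the standard HL7 escapes \\F\\ \\S\\ \\T\\ \\R\\ \\E\\; unknown escapes are kept verbatim."""
    table = {"F": d.field, "S": d.component, "T": d.subcomponent, "R": d.repetition, "E": d.escape}
    out, i = [], 0
    while i < len(text):
        if text[i] != d.escape:
            out.append(text[i])
            i += 1
            continue
        j = text.find(d.escape, i + 1)
        if j < 0:
            raise HL7ParseError("unterminated escape sequence")
        out.append(table.get(text[i + 1:j], text[i:j + 1]))
        i = j + 1
    return "".join(out)


def parse_field(raw: str, d: Delimiters) -> Field:
    """Split one field into repetitions, components and subcomponents, unescaping the leaves."""
    return [[[unescape(sub, d) for sub in comp.split(d.subcomponent)]
             for comp in rep.split(d.component)]
            for rep in raw.split(d.repetition)]


def parse_message(raw: str) -> Dict[str, Segment]:
    """Return {segment name: fields}; only the first occurrence of each segment name is kept."""
    lines = [s for s in raw.replace("\r\n", "\r").replace("\n", "\r").split("\r") if s]
    if not lines:
        raise HL7ParseError("empty message")
    d = read_delimiters(lines[0])
    message: Dict[str, Segment] = {}
    for line in lines:
        name, *fields = line.split(d.field)
        if name == "MSH":
            # MSH-1 is the separator itself and MSH-2 the encoding characters;
            # neither may be split on delimiters or unescaped.
            fields = [[[[d.field]]], [[[fields[0]]]]] + [parse_field(f, d) for f in fields[1:]]
        else:
            fields = [parse_field(f, d) for f in fields]
        message.setdefault(name, fields)
    return message


def get(message: Dict[str, Segment], seg: str, field: int,
        component: int = 1, repetition: int = 1, subcomponent: int = 1) -> str:
    """Address a value HL7-style, e.g. get(m, 'PID', 5, 2) is PID-5.2; absent parts yield ''."""
    try:
        return message[seg][field - 1][repetition - 1][component - 1][subcomponent - 1]
    except (KeyError, IndexError):
        return ""
```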

Transport Standards (i.e., standards used to establish a common, predictable, secure communication protocol between systems)

SOAP, originally defined as ''Simple Object Access Protocol'', is a protocol specification for exchanging structured information in the implementation of Web Services in computer networks. It relies on Extensible Markup Language (XML) as its message format, and usually relies on other Application Layer protocols (most notably Remote Procedure Call (RPC) and HyperText Transfer Protocol (HTTP)) for message negotiation and transmission. SOAP can form the foundation layer of a web services protocol stack, providing a basic messaging framework upon which web services can be built. The SOAP architecture consists of several layers of specifications for message format, message exchange patterns (MEP), underlying transport protocol bindings, message processing models, and protocol extensibility.

Privacy and Security Standards

N.B.: Additional information may be referenced from the relevant sections of the document Recommendations on Guidelines, Standards & Practices for Telemedicine in India as submitted by DIT, MCIT, Govt. of India [2].

Furthermore, it is advisable to take cognizance of the provisions of HIPAA Part 142 Subpart C, Security and Electronic Signature Standards, available at http://aspe.hhs.gov/admnsimp/nprm/sec13.htm, which lists out in considerable detail the requirements under these headings (please see Annexures III & IV below). The members of Sub-Group Task II find it worthy enough to recommend that these be taken into consideration with sufficient weightage during finalization of the requirements related to these points, for example authentication, access control and transmission security, which relate to and span across all of the other types of related standards.

| Row # | Purpose | Adopted Standard |
|---|---|---|
| 1 | General Encryption and Decryption of Electronic Health Information | A symmetric 128 bit fixed-block cipher algorithm capable of using a 128, 192, or 256 bit encryption key must be used |
| 2 | Encryption and Decryption of Electronic Health Information for exchange | An encrypted and integrity protected link must be implemented (e.g., TLS, IPv6, IPv4 with IPsec). |
| 3 | Record Actions Related to Electronic Health Information (i.e., audit log) | The date, time, patient identification (name or number), and user identification (name or number) must be recorded when electronic health information is created, modified, deleted, or printed. An indication of which action(s) occurred must also be recorded (e.g., modification). |
| 4 | Record Treatment, Payment, and Health Care Operations Disclosures | The date, time, patient identification (name or number), user identification (name or number), and a description of the disclosure must be recorded. |

Table 5: Privacy & Security Standards

Provisions under EHR Meaningful Use [45 CFR]

The following are the provisions detailed in the document.

| Item | Description |
|---|---|
| Encryption and decryption of electronic health information | Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140–2 |
| Electronic health information exchange | Any encrypted and integrity protected link |
| Record actions related to electronic health information | The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which action(s) occurred and by whom must also be recorded |
| Verification that electronic health information has not been altered in transit | A hashing algorithm with a security strength equal to or greater than SHA–1 (Secure Hash Algorithm (SHA–1) as specified by the National Institute of Standards and Technology (NIST) in FIPS PUB 180–3 (October, 2008)) must be used to verify that electronic health information has not been altered |
| Record treatment, payment, and health care operations disclosures | The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations, as these terms are defined at 45 CFR 164.501 |
| Access control | Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information |
| Emergency access | Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency |
| Automatic log-off | Terminate an electronic session after a predetermined time of inactivity |
| Audit log | Record actions: Record actions related to electronic health information. Generate audit log: Enable a user to generate an audit log for a specific time period and to sort entries in the audit log. The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which action(s) occurred and by whom must also be recorded |
| Integrity | Create a message digest: Verify upon receipt of electronically exchanged health information that such information has not been altered. Detection: Detect the alteration of audit logs |
| Authentication | Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information |
| General encryption | Encrypt and decrypt electronic health information unless it is determined that the use of such algorithm would pose a significant security risk for Certified EHR Technology |
| Encryption when exchanging electronic health information | Encrypt and decrypt electronic health information when exchanged |
| Optional: Accounting of disclosures | Record disclosures made for treatment, payment, and health care operations. The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations |
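The "create a message digest / verify upon receipt" provision above, as an added Python example that is not from the report or from 45 CFR: an HMAC-SHA-256 over the Canonical XML form of a CCR-style document, so a re-serialised copy with different whitespace still verifies while a changed value, a wrong key or malformed XML does not. The document fragment, element names and key are constructed.

```python
"""Message digest for exchanged health documents (CCR/CDA-style XML).

The digest is an HMAC over the C14N-canonicalized document, so two
serialisations of the same content verify, while any change to the content
(a dose, a name, a code) is detected on receipt."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample (not taken from the report): a tiny CCR-like fragment.
SENDER_DOC = """<ContinuityOfCareRecord>
  <Patient><Name>Ravi Kumar</Name><UHID>123456789012</UHID></Patient>
  <Medications>
    <Medication><Name>Amoxicillin</Name><Dose>500 mg</Dose></Medication>
  </Medications>
</ContinuityOfCareRecord>"""

# Same content, different whitespace (as an intermediary might re-serialize it).
REFORMATTED_DOC = (
    "<ContinuityOfCareRecord><Patient><Name>Ravi Kumar</Name>"
    "<UHID>123456789012</UHID></Patient><Medications><Medication>"
    "<Name>Amoxicillin</Name><Dose>500 mg</Dose></Medication></Medications>"
    "</ContinuityOfCareRecord>"
)

# Content altered in transit: the dose changed.
TAMPERED_DOC = SENDER_DOC.replace("500 mg", "5000 mg")

# Constructed shared secret; in practice agreed out of band between the two parties.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def canonical_bytes(xml_text: str) -> bytes:
    """Canonical XML 2.0 with inter-element whitespace stripped (ET.canonicalize, Python 3.8+)."""
    return ET.canonicalize(xml_data=xml_text, strip_text=True).encode("utf-8")


def make_digest(xml_text: str, key: bytes) -> str:
    """HMAC-SHA-256 over the canonical form; SHA-256 exceeds the SHA-1 floor in the provisions."""
    return hmac.new(key, canonical_bytes(xml_text), hashlib.sha256).hexdigest()


def verify_digest(xml_text: str, key: bytes, received_digest: str) -> bool:
    """Receiver-side check; compare_digest avoids leaking the match position through timing."""
    try:
        expected = make_digest(xml_text, key)
    except ET.ParseError:
        return False  # malformed XML can never verify
    return hmac.compare_digest(expected, received_digest)


def demo() -> dict:
    """Sender computes the digest once; the receiver checks four variants of the document."""
    tag = make_digest(SENDER_DOC, SHARED_KEY)
    return {
        "reformatted_verifies": verify_digest(REFORMATTED_DOC, SHARED_KEY, tag),
        "tampered_verifies": verify_digest(TAMPERED_DOC, SHARED_KEY, tag),
        "wrong_key_verifies": verify_digest(SENDER_DOC, b"other-key", tag),
        "malformed_verifies": verify_digest("<broken>", SHARED_KEY, tag),
    }


if __name__ == "__main__":
    print(demo())
```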

Terminologies and classifications are integral to medical research, public health reporting, and healthcare payment analysis. They are essential to achieve interoperability for a successful India-wide health information system that results in increased patient safety.

Clinical Standards

Clinical standards are health information standards to capture a patient's health information in a more coherent manner. This health information can include all or part thereof, as relevant, of the following:

- The illness a patient is suffering from
- The physician's observation of the patient's illness
- The diagnostic tests that need to be carried out to ascertain the patient's illness and to give the patient better treatment
- The results of the diagnostic tests
- The kind of treatment to be given to the patient
- The way the treatment should be given to the patient

Recommended Healthcare IT Standards (for India)

| Name | Class | Comments |
|---|---|---|
| Phase 1 | | |
| UHID | Unique Health Identifier – to act as Patient Identifier | UID as a unique (primary or secondary) patient identifier. The UID should be used to identify a particular patient across all organizations (and their EMR systems); Aadhar number is recommended for use in EMR as either the primary or secondary, where the primary is an internal unique health identifier used by the healthcare provider organisation |
| XML (eXtensible Markup Language) | For data capture, integration and presentation layer | To access via SOAP – simple object access protocol |
| HL7 CDA (xml) | Clinical Document Architecture | |
| CCR (ASTM) | Clinical Data for enterprises | Likely to be used by organizations that have not yet adopted any standard (e.g., early stage companies), to support new business models, in disruptive applications that achieve cost savings and/or quality improvements by creating NEW PROCESSES, often involving parties that are not currently exchanging information. As it is expressed in the standard data interchange language known as XML, it can potentially be created, read and interpreted by any EHR or EMR software application |
| CCD (HL7) | Clinical Data for Inter Department documents (the CDA CCD) | Likely to be used by organizations that already use HL7 for processes INTERNAL TO THE ORGANIZATION (or with existing trading partners), e.g., hospitals sending test result information to doctors and where implementers have already incurred significant fixed costs to adapt HL7 as a broad enterprise standard. N.B.: CCR is stated to be a faster/cheaper alternative to CCD |
| RXNORM / ATC-AHFS Pharmacologic-Therapeutic Classification / NDC – national drug classification / FDB – first databank (USA); Indian Drugs – MIMS/CIMS from CMPmedica | Medicines | Needs to be researched as there is no universal drug reference database. The WHO Drug Dictionary may be a good choice to begin with |
| Dictionary of Medicine & Devices, UK | Medicines & Medical devices | UK standard used in NHS; includes devices & drugs |
| LOINC | Clinical Laboratory Observations | Published and maintained by the Regenstrief Institute, USA, this is a universally accepted code for laboratory observations |
| HL7 V2.x or 3.0 | Messaging | As HL7 is still not widely present in India, propose to start with version 3 |
| HL7 V3.0 RIM | Reference Information Model | |
| DICOM 3.0 | Medical Images | |
| CPT 4 or 5, US | Procedure & Therapy classification | |
| OPCS4, UK | Procedure & Therapy classification | |
| SNOMED-CT | Clinical Terminology | |
| WHO ICD 10 | Disease classification | |
| WHO – PCS | Procedure coding system | |
| WHO – ICF | International classification of functioning, disability & health | |
| Phase 2 | | |
| DSM | Psychiatric conditions | Diagnostic & statistical manual of mental disorders |
| NIC/NOC/NANDA | Nursing | |
| ADA Dental CDT 2, US | Dental Procedures | |

Table 6: HCIT Standards (relevant to India – Initial Set)

Healthcare Informatics Standards

Issues:
- Unique Identification
- Interoperability / Sharing: Integrated systems require consistent use of standards in e.g. medical terminologies and high quality data to support information sharing across wide networks
- Ethical, legal and technical issues linked to accuracy, security, confidentiality and access rights
- Common record architectures, structures
- Clinical information standards and communications protocols

Trends:
- National UID and Healthcare
- Distributed EHR Concept

| Organization | Standards |
|---|---|
| National Recommendations for Health Information Infrastructure in India | Information Technology Infrastructure for Health (ITIH) framework; Recommendations on Guidelines, Standards & Practices for Telemedicine in India; Indian health information network development (iHIND) recommendations from the National Knowledge |
| International Organization for Standardization (ISO) | Requirements for Electronic Health Record Architecture (ISO / TS 18308) |
| European Committee for Standardization (CEN) | CEN / TC 251 EN 13606 |
| Code of Federal Regulations (CFR) | Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology (Title 45, Part 170) |
| American Society for Testing & Materials (ASTM) | Continuity of Care Record (CCR) |
| Health Level 7 (HL7) | HL7 v2.x; HL7 v3; HL7 Clinical Document Architecture (CDA); EHR - System Functional Model |
| HL7 & ASTM Collaboration | Continuity of Care Document (CCD) |
| National Electrical Manufacturer's Association (NEMA) | Digital Imaging and Communications in Medicine (DICOM PS 3.0 2004 onwards) |
| Office of National Coordinator for Health Information Technology (ONCHIT) – United States | EHR Meaningful Use |

Table 7: Health Informatics Standards


6. EMR MINIMUM DATA SET (MDS)

The following MDS is recommended for an EMR to be used in India. Vendors are free and indeed encouraged to opt for additional data to satisfy unmet demands of the various stakeholders, principally the patients and the clinical care providers. This recommendation also covers various standards for data formats, storage, exchange, etc. The Minimum Data Set for a Telemedicine interaction is also defined. The recommendation covers various security provisions that are relevant to any patient-clinical care provider interaction.

| Data Item | Data Type | Data Length | Format/Values | Status |
|---|---|---|---|---|
| UHID | Numeric | 12 | As per Aadhar Specifications | Mandatory |
| Patient Name | Alphanumeric | 50 | To be split into First Name, Middle Name and Last (Family) Name | Mandatory |
| Patient Date of Birth | Date | Fixed | dd.mm.YYYY | Optional |
| Patient Age | Numeric | 9 | dd.mm.yyy | Mandatory |
| Patient Gender | Alphanumeric | 1 | To be shortened to one byte as M, F, U or T. Systems should translate and show the full form on user screens | Mandatory |
| Patient Occupation | Alphanumeric | 50 | | Mandatory |
| Patient Address Type | Alphanumeric | 9 | Current/Permanent/Previous | Mandatory |
| Patient Address Line 1 | Alphanumeric | 25 | | Mandatory |
| Patient Address Line 2 | Alphanumeric | 25 | | Optional |
| Patient City/Town/Village/Police Station | Alphanumeric | 25 | LOV – List of values | Mandatory |
| Patient District | Alphanumeric | 25 | LOV – List of values | Mandatory |
| Patient State | Alphanumeric | 25 | LOV – List of values | Mandatory |
| Patient Pin Code | Alphanumeric | 25 | LOV – List of values | Optional |
| Patient Phone Type | Alphanumeric | 9 | Landline/Mobile/PP-Landline/Neighbour Landline/Relation Landline/Neighbour Mobile/Relation Mobile | Optional |
| Patient Phone Number | Numeric | 20 | (099)9999999999 | Optional |
| Emergency Contact Person UID | Numeric | 12 | As per Aadhar Specifications | Mandatory |
| Emergency Contact Person Name | Alphanumeric | 50 | | Mandatory |
| Emergency Contact Person Relationship | Alphanumeric | | Spouse/Parent/Child/Partner/Cousin/Friend/Neighbour/Other | Mandatory |
| Emergency Contact Person Address Type | Alphanumeric | 9 | Current/Permanent/Previous | Mandatory |
| Emergency Contact Person Address Line 1 | Alphanumeric | 25 | | Mandatory |
| Emergency Contact Person Address Line 2 | Alphanumeric | 25 | | Optional |
| Emergency Contact Person City/Town/Village/Police Station | Alphanumeric | 25 | LOV – List of values | Mandatory |
| Emergency Contact Person District | Alphanumeric | 25 | LOV – List of values | Mandatory |
| Emergency Contact Person State | Alphanumeric | 25 | LOV – List of values | Mandatory |
| Emergency Contact Person Pin Code | Alphanumeric | 25 | LOV – List of values | Optional |
| Emergency Contact Person Phone Type | Alphanumeric | 9 | Landline/Mobile/PP-Landline/Neighbour Landline/Relation Landline/Neighbour Mobile/Relation Mobile | Optional |
| Emergency Contact Person Phone Number | Numeric | 20 | (099)9999999999 | Optional |
| Care Provider UID | Numeric | 12 | As per Aadhar Specifications | Mandatory |
| Care Provider Name | Alphanumeric | 50 | | Mandatory |
| Care Provider Address Type | Alphanumeric | 9 | Current/Permanent/Previous | Mandatory |
| Care Provider Address Line 1 | Alphanumeric | 25 | | Mandatory |
| Care Provider Address Line 2 | Alphanumeric | 25 | | Optional |
| Care Provider City/Town/Village/Police Station | Alphanumeric | 25 | LOV – List of values | Mandatory |
| Care Provider District | Alphanumeric | 25 | LOV – List of values | Mandatory |
| Care Provider State | Alphanumeric | 25 | LOV – List of values | Mandatory |
| Care Provider Pin Code | Alphanumeric | 25 | LOV – List of values | Optional |
| Care Provider Phone Type | Alphanumeric | 9 | Landline/Mobile/PP-Landline/Neighbour Landline/Relation Landline/Neighbour Mobile/Relation Mobile | Optional |
| Care Provider Phone Number | Numeric | 20 | (099)9999999999 | Optional |
| Episode Type | Alphanumeric | 7 | New/Ongoing | Optional |
| Episode Number | Numeric | 4 | 9999 – no prefixed 0 | Optional – mandatory if Episode Type is enabled |
| Encounter Number | Numeric | 4 | 9999 – no prefixed 0 | |
| Reason for Visit | Alphanumeric | 255+ | | Mandatory |
| Present History | Alphanumeric | 255+ | | Optional |
| Past History | Alphanumeric | 255+ | | Optional |
| Family History | Alphanumeric | 255+ | | Optional |
| Menstrual & Obstetric History | Alphanumeric | 255+ | LMP, Cycle Duration, Gravida, Parity to be captured as structured data. LMP: date type; Cycle Duration, Gravida, Parity: numeric type | Optional |
| Socio-economic History | Alphanumeric | 255+ | | Optional |
| Immunization History | Alphanumeric | | | |
| Clinical Exam Vitals Systolic BP | Numeric | 3 | 999 – no preceding 0 | Optional |
| Clinical Exam Vitals Diastolic BP | Numeric | 3 | 999 – no preceding 0 | Optional |
| Clinical Exam Pulse Rate | Numeric | 3 | 999 – no preceding 0 | Optional |
| Clinical Exam Temperature | Floating | 6,2 | 999.99 | Optional |
| Clinical Exam Temperature Source | Alphanumeric | 6 | Oral/Armpit/Groin/Rectal | Mandatory if Temperature is captured |
| Clinical Exam Respiration Rate | Numeric | 3 | 999 – no preceding 0 | Optional |
| Clinical Exam Height | Floating | 6,2 | 999.99 | Optional |
| Clinical Exam Weight | Floating | 6,2 | 999.99 | Optional |
| Clinical Exam Observation | Alphanumeric | 255+ | | Optional |
| Investigation Results | Alphanumeric | 255+ | | Optional |
| Clinical Summary | Alphanumeric | 255+ | | Mandatory |
| Diagnosis Type | Alphanumeric | 11 | Provisional/Final | Mandatory |
| Diagnosis Code | Alphanumeric | 10 | Coding system dependent | Mandatory |
| Diagnosis | Alphanumeric | 255+ | | Mandatory |
| Treatment Plan Investigations | Alphanumeric | 255+ | | Optional |
| Treatment Plan Medication | Alphanumeric | 255+ | | Optional |
| Treatment Plan Procedure | Alphanumeric | 255+ | | Optional |
| Treatment Plan Referral | Alphanumeric | 255+ | | Optional |
| Other Treatment Plan Type | Alphanumeric | 10 | Diet/Life-style/Others | Optional |
| Other Treatment Plan Details | Alphanumeric | 255+ | | Mandatory if Other Treatment Type is selected |
| Outcome | Alphanumeric | 9 | New Visit/Better/Worse/Same/Fatal | Mandatory |

Table 8: EMR MDS
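An added Python example, not part of the report, that validates a record against a subset of Table 8: per-field type, length and list-of-values checks plus the table's three "Mandatory if ..." cross-field rules. The sample record and its values are constructed, and only the fields listed in the code are covered.

```python
"""Validator for a subset of the EMR Minimum Data Set (MDS) in Table 8.

Each field carries the type, length, list of values and status transcribed
from the table. The "Mandatory if ..." rows are cross-field rules, so they
are checked separately from the per-field checks."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FieldSpec:
    kind: str                       # Numeric / Alphanumeric / Date / Floating
    length: Optional[int] = None    # max digits or characters; None for "255+"
    values: Tuple[str, ...] = ()    # list of values where the table fixes one
    mandatory: bool = False
    scale: int = 0                  # decimal digits for Floating "6,2"
    exact: bool = False             # length must match exactly (UHID: 12 digits)
    no_leading_zero: bool = False   # "9999 - no prefixed 0"


# Transcribed from Table 8. UHID is checked for length only; any further
# Aadhar-specific rules are outside what the table states.
MDS: Dict[str, FieldSpec] = {
    "UHID": FieldSpec("Numeric", 12, mandatory=True, exact=True),
    "Patient Name": FieldSpec("Alphanumeric", 50, mandatory=True),
    "Patient Date of Birth": FieldSpec("Date"),
    "Patient Gender": FieldSpec("Alphanumeric", 1, ("M", "F", "U", "T"), mandatory=True),
    "Patient Address Type": FieldSpec("Alphanumeric", 9, ("Current", "Permanent", "Previous"), mandatory=True),
    "Episode Type": FieldSpec("Alphanumeric", 7, ("New", "Ongoing")),
    "Episode Number": FieldSpec("Numeric", 4, no_leading_zero=True),
    "Clinical Exam Temperature": FieldSpec("Floating", 6, scale=2),
    "Clinical Exam Temperature Source": FieldSpec("Alphanumeric", 6, ("Oral", "Armpit", "Groin", "Rectal")),
    "Clinical Summary": FieldSpec("Alphanumeric", None, mandatory=True),
    "Diagnosis Type": FieldSpec("Alphanumeric", 11, ("Provisional", "Final"), mandatory=True),
    "Diagnosis Code": FieldSpec("Alphanumeric", 10, mandatory=True),
    "Other Treatment Plan Type": FieldSpec("Alphanumeric", 10, ("Diet", "Life-style", "Others")),
    "Other Treatment Plan Details": FieldSpec("Alphanumeric", None),
    "Outcome": FieldSpec("Alphanumeric", 9, ("New Visit", "Better", "Worse", "Same", "Fatal"), mandatory=True),
}

# (dependent field, field whose presence makes it mandatory), from the "Mandatory if" rows.
CONDITIONAL = [
    ("Clinical Exam Temperature Source", "Clinical Exam Temperature"),
    ("Episode Number", "Episode Type"),
    ("Other Treatment Plan Details", "Other Treatment Plan Type"),
]

DATE_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4}$")  # dd.mm.YYYY

# Constructed sample record (not from the report) that satisfies the subset above.
VALID_RECORD: Dict[str, str] = {
    "UHID": "123456789012", "Patient Name": "Ravi Kumar", "Patient Date of Birth": "15.01.1980",
    "Patient Gender": "M", "Patient Address Type": "Current",
    "Episode Type": "New", "Episode Number": "17",
    "Clinical Exam Temperature": "98.60", "Clinical Exam Temperature Source": "Oral",
    "Clinical Summary": "Fever for two days", "Diagnosis Type": "Provisional",
    "Diagnosis Code": "A01.0", "Outcome": "Better",
}


def check_field(name: str, value: str, spec: FieldSpec) -> Optional[str]:
    """Return a violation message for one present value, or None if it conforms."""
    if spec.kind == "Numeric":
        if not value.isdigit():
            return f"{name}: must be numeric"
        if spec.length and (len(value) > spec.length or (spec.exact and len(value) != spec.length)):
            return f"{name}: expected {'exactly' if spec.exact else 'at most'} {spec.length} digits"
        if spec.no_leading_zero and len(value) > 1 and value[0] == "0":
            return f"{name}: no prefixed 0 allowed"
    elif spec.kind == "Floating":
        m = re.fullmatch(r"(\d+)\.(\d{%d})" % spec.scale, value)
        if not m or len(m.group(1)) + len(m.group(2)) > spec.length:
            return f"{name}: expected a number with {spec.scale} decimals and at most {spec.length} digits"
    elif spec.kind == "Date":
        if not DATE_RE.match(value):
            return f"{name}: expected dd.mm.YYYY"
    else:  # Alphanumeric: list of values first, then length
        if spec.values and value not in spec.values:
            return f"{name}: must be one of {'/'.join(spec.values)}"
        if spec.length and len(value) > spec.length:
            return f"{name}: longer than {spec.length} characters"
    return None


def validate(record: Dict[str, str]) -> List[str]:
    """Validate a flat record; the result is the list of violations (empty when valid)."""
    errors: List[str] = []
    for name, spec in MDS.items():
        value = record.get(name, "").strip()
        if not value:
            if spec.mandatory:
                errors.append(f"{name}: mandatory field missing")
            continue
        problem = check_field(name, value, spec)
        if problem:
            errors.append(problem)
    for dependent, trigger in CONDITIONAL:
        if record.get(trigger, "").strip() and not record.get(dependent, "").strip():
            errors.append(f"{dependent}: mandatory when {trigger} is captured")
    errors.extend(f"{name}: not a field of this MDS subset" for name in record if name not in MDS)
    return errors
```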


7. Other Standards

Hardware
- Very difficult to propose as technology changes very quickly
- Should be able to support conception-to-death medical records
- Should be able to present a summary of life-long medical records
- Should be able to support privacy, secrecy and audit trail

Connectivity
- The EMR should be able to harness any telecommunications-related connectivity like the Internet, LAN, WAN, WAP, CDMA, GSM or even Cloud Computing that will permit the various EMRs of an individual to be integrated into a single life-long electronic health record
- The connectivity must be dependable, have better than 99.9% uptime and be able to allow data exchange at sufficient speeds for one single EMR to be exchanged and displayed on the requesting system within 1 second of the request, irrespective of the distance between the system making the request and the one executing it
- The data exchange must be done in a secure manner to ensure data validity and non-repudiability
- The data exchange must further ensure that data integrity is maintained at all times

Software
It was concluded that the software should:
- Conform to the specified standards
- Satisfy specified requirements
- Be interoperable


8. DATA OWNERSHIP OF EMR

The Ethical, Legal, Social Issues (ELSI) guidelines for Electronic Medical Records (EMR) are recommended as follows.

(i) The regulations mentioned in this document will apply to the following:

Healthcare provider: A health care provider is an individual or an institution that provides preventive, curative, promotional or rehabilitative health care services in a systematic way to individuals, families or communities. An individual health care provider may be a health care professional, an allied health professional, a community health worker, or another person trained and knowledgeable in medicine, nursing or other allied health professions, or public/community health.

Institutions: These include hospitals, clinics, primary care centres and other service delivery points of healthcare.

Insurance corporations: Organisations offering a health insurance policy. A health insurance policy is a contract between an insurance provider (e.g. an insurance company or a government) and an individual or his sponsor (e.g. an employer or a community organization).

Data Stewards: persons or legal entities responsible for confidentiality and management of the data contained in the Electronic Health Record (EHR).

Healthcare data consolidator: persons or legal entities who collect healthcare related data from various healthcare providers.

Model Legislative Language [1]

- Restrictions on Health Care Information Collection – Healthcare information must be collected only to the extent necessary to carry out the purpose for which it is intended.

- Collection and Use only for Lawful Purpose – Health care information must only be collected and used for necessary and lawful purposes.

- Notification to Patient – Each person maintaining healthcare information must prepare a formal, written statement of fair information practices observed by such person and this must be provided to each patient.

- Restriction on Use for Other Purposes – Health care information may not be used for any other purpose beyond that for which it is collected, except as otherwise provided.

- Right to Access – The patient (or patient's representative) may have access to healthcare information concerning the patient, has the right to healthcare information, and has the right to have a notation made of any amendment or correction of such healthcare information requested by the patient (or patient's representative).

- Required Safeguards – Any person maintaining, using or disseminating healthcare information shall implement reasonable security practices and procedures for the security of health care information and its storage, processing and transmission.

- Additional Protections – Methods to ensure the accuracy, reliability, relevance, completeness and timeliness of healthcare information should be instituted.

Retention of relevant EHR has to be in sync with the requirements of existing Indian laws including the IT Act 2000.

(ii) Protected health data is defined as:

Any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health insurance organization or third party agent (TPA), public health authority, employer, life insurer, school or university, or most other health information held by those who must follow the law; and that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

(iii) Data ownership

A distinction is made between:

a. The physical or electronic records, which are owned by the healthcare provider. These are held in trust on behalf of the patient, and

b. The contained data, which is the sensitive personal data of the patient and is owned by the patient.

(iv) Data access and confidentiality

a. Regulations are to be enforced to ensure confidentiality of this data and the patient should have a control over this.

b. Patients should have the right to inspect and amend any inaccuracies in their medical records. Rights to amend recorded data should be limited to correction of errors in the recorded patient / medical details.

c. Patients should have the right to restrict access to and disclosure of individually identifiable health information.

d. Data should be available to care providers on an 'as required' basis.

(v) Disclosure of information:

a. For use for treatment, payments and other healthcare operations: In all such cases, a general consent must be taken from patient or next of kin, etc. as defined by law.

b. For use for non-routine and most non-health care purposes: a specific consent must be taken from the patient

c. Certain national priority activities should be specified for which health information may be disclosed without patient's authorization.

(vi) Healthcare provider's responsibilities:

a. Protect and secure the stored health information

b. While providing patient information, remove patient-identifying information if it is not necessary to provide it

c. Ensure that there are appropriate means of informing the patient of policies relating to his/her rights to health record privacy

d. Document all its privacy policies and ensure that they are implemented and followed. This will include:

i. Develop internal privacy policies

ii. Designate a privacy officer who will be responsible for implementing privacy policies, audit and quality assurance

iii. Provide privacy training to all its staff

(vii) Other rights of patients

Patients should have the right to appoint a personal representative to carry out the activities detailed below.

a. Patients should have the right to ask for a copy of their medical records held by a healthcare organization. The healthcare organization can charge a reasonable fee to meet the administrative costs involved in providing the information to the patient.

b. Patients should have the right to request a healthcare organization which holds their medical records to withhold specific information that they do not want disclosed to other organizations or individuals.

c. Patients can demand information from a healthcare provider on the details of disclosures performed of the patient's medical records.

(viii) Denial of information

Healthcare provider should be able to deny information to a patient or representative or third party, in contravention of normal regulations, if in the opinion of a licensed healthcare professional the release of information would endanger the life or safety of others. This could include:

a. Information obtained from an anonymous source under a promise of confidentiality.

b. Psychotherapy notes.

c. Information compiled for civil, criminal or administrative action.

(ix) Use and disclosure without individual authorization

Disclosures can be performed without individual authorization in the following situations. However, as far as possible, and where appropriate, the data so provided should be anonymised to remove information that will allow identification of the patient.

With identifiers: on production of a court order

(x) Digital signatures may be used to ensure non-repudiation, based on the specifics of the use case.

Reference Guidelines for Digital Signatures, available at http://egovstandards.gov.in/guidelines/Guidelines%20for%20Digital-signature/view

Additional Reference: Guidelines for Information Security, available at http://egovstandards.gov.in/guidelines/guidelines-for-information-security/view

Sub Committee of Task group III is placed at Annexure III.


9. DATA SECURITY

Technical Security Guidelines:

(i) Electronic Data Storage:

a. All information marked as PHI (Personal Health Indicators) should be encrypted. Encryption level should be at least 128 bit. This model has to be followed for any PHI data stored in mobile devices like cell phones, tablets, etc.

b. Passwords should be stored as a one-way hash to prevent any chance of theft.

c. Storage of data should be in a manner that it will withstand deterioration, corruption and unauthorized destruction.

(ii) Electronic Data Transmission:

a. All data should be transmitted using SSL [2] (minimum 128 bit).

b. Digital signatures may be used to ensure non-repudiation, based on the specifics of the use case. If the EMR documents need to be upheld in a court of law, use of digital signatures is a must.

(iii) Data Access:

a. In any application that uses EMR, there has to be a "role based" access control system. In order to do so, the following guidelines need to be followed:

i. Categorize and break down health data into logical and reasonable elements or entities.

ii. Identify individual roles or job functions.

iii. Establish context and conditions of data use at a specific point in time, and within a specific setting.

b. There is no restriction on the roles that the organization requires to perform its activities, but it is recommended to closely mirror the roles documented in SNOMED-CT.

c. Audit and control procedures to ensure appropriate use of data by users as well as detection of unauthorized individuals.

(iv) Data Sharing:

a. Identifiable health information should not be disclosed without the informed consent of the identified individual(s) except as required by law or for communication between the patient's current health care provider team.

b. When information is released pursuant to the individual's authorization, the party receiving the health information shall not further redisclose the information without the individual's authorization to disclose the health information, except in an emergency treatment situation.

[2] SSL = Secure Socket Layer


c. Aggregate data sharing for research, etc., should ensure that patient identity information is de-identified so that no link can be made back to the patient. Mechanisms like k-anonymity may be used to ensure patient privacy in this case.
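An added Python example (not from the report) of the k-anonymity check that item c mentions: it drops the direct identifier, measures the smallest equivalence class over the quasi-identifiers, and generalizes age and pin code step by step until a requested k is met, refusing to release otherwise. The rows, column names and generalization ladder are constructed.

```python
"""k-anonymity check and generalization for aggregate (research) data sharing.

Direct identifiers are dropped; the quasi-identifiers that remain (age, pin
code, gender) are generalized until every combination occurs at least k times,
so no released row can be linked back to one patient through those attributes."""
from collections import Counter
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]
Generalizer = Callable[[str], str]

# Constructed sample extract (not from the report); diagnosis is the sensitive value.
RAW_ROWS: List[Record] = [
    {"UHID": "123456789012", "age": "34", "pincode": "560001", "gender": "M", "diagnosis": "E11"},
    {"UHID": "123456789013", "age": "37", "pincode": "560002", "gender": "M", "diagnosis": "I10"},
    {"UHID": "123456789014", "age": "52", "pincode": "560034", "gender": "F", "diagnosis": "J45"},
    {"UHID": "123456789015", "age": "58", "pincode": "560038", "gender": "F", "diagnosis": "E11"},
    {"UHID": "123456789016", "age": "31", "pincode": "560001", "gender": "M", "diagnosis": "K29"},
    {"UHID": "123456789017", "age": "55", "pincode": "560037", "gender": "F", "diagnosis": "I10"},
]
QUASI_IDENTIFIERS = ("age", "pincode", "gender")
DIRECT_IDENTIFIERS = ("UHID",)


def anonymity_k(rows: List[Record], qids: Tuple[str, ...] = QUASI_IDENTIFIERS) -> int:
    """Smallest equivalence-class size over the quasi-identifiers (0 for an empty table)."""
    if not rows:
        return 0
    classes = Counter(tuple(r[q] for q in qids) for r in rows)
    return min(classes.values())


def age_band(width: int) -> Generalizer:
    """Replace an exact age by a band of the given width, e.g. 34 -> '30-39' for width 10."""
    def band(age: str) -> str:
        lo = (int(age) // width) * width
        return f"{lo}-{lo + width - 1}"
    return band


def pincode_prefix(keep: int) -> Generalizer:
    """Keep the leading digits of a pin code and mask the rest, e.g. 560001 -> '560***'."""
    return lambda pin: pin[:keep] + "*" * (len(pin) - keep)


# Generalization ladder: each step is coarser than the previous one.
LADDER: List[Dict[str, Generalizer]] = [
    {},
    {"age": age_band(5), "pincode": pincode_prefix(4)},
    {"age": age_band(10), "pincode": pincode_prefix(3)},
    {"age": age_band(20), "pincode": pincode_prefix(2)},
]


def generalize(rows: List[Record], mapping: Dict[str, Generalizer]) -> List[Record]:
    """Drop direct identifiers and apply the generalization functions column by column."""
    out = []
    for r in rows:
        g = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        for col, fn in mapping.items():
            g[col] = fn(g[col])
        out.append(g)
    return out


def release(rows: List[Record], k: int) -> Tuple[List[Record], int]:
    """Return the least-generalized table that meets k and the ladder step used.

    Raises ValueError when even the coarsest step cannot reach k; the caller
    should then suppress rows or withhold the extract rather than publish it."""
    for step, mapping in enumerate(LADDER):
        candidate = generalize(rows, mapping)
        if anonymity_k(candidate) >= k:
            return candidate, step
    raise ValueError(f"cannot reach k={k} with the available generalizations; do not release")
```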

(v) Data Audit:

a. The electronic health record system and other health information systems should be designed to verify the identity:

i. of the user, and record each access to the record/database, and

ii. the action taken (read, copy, update, etc.).

b. In addition to documenting the access by time, date, and individual, it is also recommended that the purpose of the access be documented. Many authorizations contain a purpose statement that could be related to access. Internal organizational users should provide a purpose by category (for example, patient treatment, patient billing, utilization management, etc.).

c. There has to be a mechanism to identify the source of each datum in the database.

(vi) General Software / Application Requirements: a. Software should have a design safeguards to prevent allocation of data to the wrong

patient. b. Software should ensure that Patient record is changed only via an amendment process.

Also, the amended current version should be maintained along with the previous versions  ensuring  that  data  is  not  “deleted”.
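The access-control, audit and amendment requirements in (iii), (v) and (vi) above, as an added Python example that is not the report's or any vendor's code: a minimal EMR store that checks a role-by-category permission matrix before every action, writes an audit entry (user, time, patient, element, action, purpose category, allowed or denied) for every attempt, and applies changes only as new versions that keep the earlier ones. The roles, categories, user names and patient id are constructed for illustration.

```python
"""Added example (not the report's code): role-based access, an audit trail and
amendment-only updates for EMR data, following guidelines (iii), (v) and (vi).
Roles, data categories, users and patient ids are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# (iii)a.i  health data broken into logical elements (the categories below);
# (iii)a.ii individual roles; (iii)a.iii the actions each role may take per category.
# Constructed permission matrix, not one the report prescribes.
PERMISSIONS = {
    "physician":     {"demographics": {"read", "update"}, "clinical": {"read", "update"},
                      "billing": {"read"}},
    "nurse":         {"demographics": {"read"}, "clinical": {"read", "update"}},
    "billing_clerk": {"demographics": {"read"}, "billing": {"read", "update"}},
}
# (v)b: internal users state a purpose by category for every access.
PURPOSE_CATEGORIES = {"patient treatment", "patient billing", "utilization management"}

@dataclass
class Version:
    value: str
    author: str
    timestamp: str
    source: str          # (v)c: origin of this datum

@dataclass
class AuditEntry:        # (v)a-b: who, when, what, on whom, why, and whether allowed
    timestamp: str
    user: str
    role: str
    patient_id: str
    category: str
    element: str
    action: str
    purpose: str
    allowed: bool

class EMRStore:
    def __init__(self) -> None:
        # patient -> category -> element -> versions, oldest first
        self._data: Dict[str, Dict[str, Dict[str, List[Version]]]] = {}
        self.audit_log: List[AuditEntry] = []

    def _check(self, user, role, patient_id, category, element, action, purpose):
        if purpose not in PURPOSE_CATEGORIES:
            raise ValueError(f"purpose must be one of {sorted(PURPOSE_CATEGORIES)}")
        allowed = action in PERMISSIONS.get(role, {}).get(category, set())
        # Every attempt is logged, denied ones included, so misuse is detectable.
        self.audit_log.append(AuditEntry(datetime.now(timezone.utc).isoformat(), user,
                                         role, patient_id, category, element, action,
                                         purpose, allowed))
        if not allowed:
            raise PermissionError(f"role '{role}' may not {action} {category} data")

    def _versions(self, patient_id, category, element) -> List[Version]:
        return self._data.get(patient_id, {}).get(category, {}).get(element, [])

    def read(self, user, role, patient_id, category, element, purpose) -> Optional[str]:
        """Current value of one element, or None if it was never recorded."""
        self._check(user, role, patient_id, category, element, "read", purpose)
        versions = self._versions(patient_id, category, element)
        return versions[-1].value if versions else None

    def amend(self, user, role, patient_id, category, element, value, source, purpose) -> int:
        """(vi)b: a change is appended as a new version; earlier versions are kept.
        Returns the new version number (1-based)."""
        self._check(user, role, patient_id, category, element, "update", purpose)
        versions = (self._data.setdefault(patient_id, {}).setdefault(category, {})
                    .setdefault(element, []))
        versions.append(Version(value, user, datetime.now(timezone.utc).isoformat(), source))
        return len(versions)

    def history(self, user, role, patient_id, category, element, purpose) -> List[Tuple[str, str, str]]:
        """All versions as (value, author, source), oldest first; counts as a read."""
        self._check(user, role, patient_id, category, element, "read", purpose)
        return [(v.value, v.author, v.source) for v in self._versions(patient_id, category, element)]

def demo() -> dict:
    """Constructed walk-through: two permitted amendments, one denied one, then reads."""
    store = EMRStore()
    store.amend("dr_rao", "physician", "P-0001", "clinical", "allergies",
                "penicillin", "intake form", "patient treatment")
    store.amend("nurse_k", "nurse", "P-0001", "clinical", "allergies",
                "penicillin; latex", "patient interview", "patient treatment")
    denied = False
    try:   # a billing clerk must not touch clinical data
        store.amend("clerk_m", "billing_clerk", "P-0001", "clinical", "allergies",
                    "none", "guess", "patient billing")
    except PermissionError:
        denied = True
    current = store.read("dr_rao", "physician", "P-0001", "clinical", "allergies",
                         "patient treatment")
    versions = store.history("dr_rao", "physician", "P-0001", "clinical", "allergies",
                             "patient treatment")
    return {"current": current, "versions": len(versions), "denied": denied,
            "audit_entries": len(store.audit_log),
            "denied_entries": sum(1 for e in store.audit_log if not e.allowed)}
```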

Administrative Guidelines:

Certification Process:
a. A periodic certification / audit process (maybe yearly) is necessary to ensure compliance.
b. The certification process has to cover artifacts that help audit the following areas:
i. Access by authorized users
ii. Appropriate use of health information
iii. Disclosure of health information
iv. Protection of data integrity
v. Amending health information
vi. Authentication of users
vii. Encryption of health information
viii. Use of digital signatures
ix. Use of audit findings
x. Software change management process
xi. Computer network vulnerabilities
xii. Physical security measures
c. There has to be at least one person in the organization who would be trained as a "Chief Compliance Officer".


d. There has to be an "Incident Reporting" process that would be used to report incidences of non-compliance.
e. Agreements with vendors and other business partners reinforce the commitment to protect the confidentiality of health information. Organizations may also use confidentiality agreements with staff to reinforce commitment to maintaining the confidentiality of health information.

Physical Security Guidelines:
a. There has to be a process to control access to servers containing EMR data. The process has to ensure that only the absolutely necessary staff have access to them.
b. Paper / non-electronic data has to be secured using reasonable means. Such information has to be in the control of the people who are authorized to access it.
c. Copies, faxes, printouts, or any medium containing health information should be destroyed after use or retained in a secure location. Transmitted material should be accompanied by a statement of confidentiality and responsibility. The receiving party is then responsible for the security and confidentiality of the transmitted/copied health information.




11. Annexures

Annexure I GO related to Sub-Groups Formation

Ministry of Health and Family Welfare

Department of Health and Family Welfare Nirman Bhawan, New Delhi-110108

No. Z.28015/79/2010-Hosp. Dated: 19 /10/2010

OFFICE MEMORANDUM

Subject: Standardization of Electronic Medical Records.

The undersigned is directed to refer to the decisions taken in the 1st meeting of EMR Standards Committee dated 30th Sept., 2010 regarding constitution of Sub-Groups for taking up various tasks for development of EMR standards. It has been decided to constitute the following Sub-Groups with the composition given herein as under:

Sub-Groups for Development of EMR Standards

Task 1: Standards (terminology, coding standards et al.)
Members of Sub-Group: 7. Prof. Dr. S.V. Mani 8. Dr. R.R. Sudhir 9. Ms. Kala Rao 10. Dr. Ashok Kumar 11. Ms. Jyoti Vij/FICCI 12. Dr. Sameer A. Khan
Group Head: Prof. Dr. S.V. Mani, TCS

Task 2: Data connectivity (including hardware, software and interoperability)
Members of Sub-Group: 1) Dr. B.S. Bedi 2) Dr. Supten Sarbadhikari 3) Dr. S.B. Bhattacharya 4) Dr. Thanga Prabhu 5) Mr. Sunder Gaur 6) Mr. S.K. Dhar, NIC
Group Head: Dr. B.S. Bedi, CDAC

Task 3: Data ownership (data protection and security including legal aspects/complaints, guidelines and reports already available)
Members of Sub-Group: 7. Prof. Saroj K. Mishra 8. Prof. Indrajit Bhattacharya 9. Prof. Sita Naik, MCI 10. Dr. Karanveer Singh 11. Dr. Naveen Jain, CDAC 12. Dr. Arun Bal 13. Mr. Madhu Aravind
Group Head: Prof. S.K. Mishra, SGPGI


The Group Heads and the members of the sub groups are requested to complete the tasks assigned to them within the stipulated time frame as per the TOR.

Payment: All non-official members of the Sub-Groups, who are outstation, will be eligible for reimbursement of air travel by the economy class / shortest direct route and per diem @ Rs. 1000/- and other non-official members per diem @ Rs. 1000/- for the Sub-Group's meetings. Out station non-official members will also be entitled for reimbursement of hotel accommodation expenses as per actual subject to a ceiling of Rs. 5000/-. TA /DA of official members of the Sub-Groups for attending the meetings shall be met from the same source from which their salary is drawn.

This issues with the approval of Secretary (Health & Family Welfare).

(V. P. Singh)
Deputy Secretary to the Govt. of India
Ph. No. 2306 2791

To
All the members of the EMR Standard Committee / Sub-Groups (As per list)

Copy to: -

PPS to HFM/ PPS to MOS(DT)/ PPS to Secretary (H&FW)/ PPS to DGHS/ PPS to AS & DG, CGHS /PS to JS (H)


Annexure II

Sub- Committee of Task Group III

Sl. No. Names
1. Prof. Saroj K. Mishra, Sanjay Gandhi PG Inst. of Medical Sciences
2. Prof. Indrajit Bhattacharya, IIHMR, New Delhi
3. Mr. Madhu Aravind, HealthHiway
4. Dr. Karanvir Singh, Head - Medical Informatics, Gangaram Hospital
5. Pawan Duggal, Supreme Court Advocate
6. Dr. Sunil Jain, Medico-Legal Expert, Gangaram Hospital
7. Dr. Nalin Mehta, Bio-ethics Expert, AIIMS
8. Dr. Kusum Verma, Cytopathologist, Gangaram Hospital
9. Dr. Vijay Kumar Aruldas, Public Health Specialist, Foundation for Research in Health Systems


ANNEXURE III

Preparatory Process for Draft Recommendations
Committee Discussions
Post formation initiation
Communication via email, teleconferences
Physical meetings wherever possible
  o TSI Congress at Bhubaneshwar, Odisha
  o Indo-Swedish Workshop at Pune, Maharashtra
  o Informal discussion amongst sub-group members
  o Informal meetings between important/nominated members and Chairman, sub-groups


ANNEXURE IV

Glossary of Medical Terms

[ A ]

Access: The patient's ability to obtain medical care. The ease of access is determined by such components as the availability of medical services and their acceptability to the patient, the location of health care facilities, transportation, hours of operation and cost of care. Access describes an individual's ability to obtain appropriate health care services. Barriers to access can be financial (insufficient monetary resources), geographic (distance to providers), organizational (lack of available providers) and sociological (e.g., discrimination, language barriers). Efforts to improve access often focus on providing/improving health coverage.

Actively-at-Work: Describes an insurer's policy requirement indicating that coverage will not go into effect until the employee's first day of work on or after the effective date of coverage. May also apply to dependents disabled on the effective date.

Activities of Daily Living (ADLs, ADL): An individual's daily habits such as bathing, dressing and eating. ADLs are often used as an assessment tool to determine an individual's ability to function at home, or in a less restricted environment of care.

Addendum: Text that is added to a document after it has been finalized.

Adjudication: Processing claims according to contract.

ADSL (Asymmetric Digital Subscriber Line): A type of DSL that uses copper telephone lines to transmit data faster than a traditional modem. ADSL only works within short distances because it uses high frequencies with short signals.

Alerts: Pop-ups or reminders. An automated warning system such as clinical alerts, preventive health maintenance, medication interactions etc.

Allergy List: This is a list of all the patient's allergies.

Allowed Charge: The amount that Medicare approves for payment to a physician, but this amount may not match the amount the physician gets paid by Medicare (due to co-pay or deductibles) and usually does not match what the physician charges patients. Medicare normally pays 80 percent of the approved charge and the beneficiary pays the remaining 20 percent. The allowed charge for a nonparticipating physician is 95 percent of that for a participating physician. Non-participating physicians may bill beneficiaries for an additional amount above the allowed charge. The CMS intermediary in each state publishes these rates.

Allowable Costs: Covered expenses within a given health plan reflecting items or elements of an institution's costs which are reimbursable under a payment formula. Both Medicare and Medicaid reimburse hospitals on the basis of only certain costs. Allowable costs may exclude, for example, luxury travel or marketing. CMS publishes an extensive list of rules governing these costs and provides software for determining costs. Normally, costs which are not reasonable expenditures, or which are not necessary for the efficient delivery of health services to persons covered under the program in question, are not reimbursed. The most common form of cost reimbursement is the "cost report" methodology used for DRG-exempt services, such as many out-patient hospital based programs, long-term care and skilled nursing units, physical rehab, psychiatric and substance abuse inpatient programs. Some specialty hospitals receive all of their CMS reimbursement as cost based reimbursement.

Ambulatory care: Any medical care delivered on an outpatient basis.

Annotator: A system function that allows an explanatory note or diagram to be added to an image.

Appointment Scheduler: The function which takes charge of appointment tracking, fixing and blocking.

ASP: Application Service Provider (a.k.a. web based)

ASP (Application Service Provider): An application service provider is a business that provides computer based services to customers over a network. Usually web based; within the EHR/EMR solution paradigm it is a remotely hosted program and database. Advantages are reduced initial investment in hardware and reduced responsibility for maintenance of server and data. The disadvantages are complete dependence on internet connectivity and on the server host speed to access images, scanned documents, etc. Long term cost is frequently greater.

ASP (Active Server Page): A dynamically generated web page built with ActiveX scripting, which executes on the server instead of in the Web browser (HTML). The server executes the file and generates an HTML formatted page for search engine spiders or Web browsers so it can be displayed properly.

Authentication: The verification of the identity of a person or process.

Authorization: Any document designating any permission. The HIPAA Privacy Rule requires authorization or waiver of authorization for the use or disclosure of identifiable health information for research (among other activities). The authorization must indicate if the health information used or disclosed is existing information and/or new information that will be created. The authorization form may be combined with the informed consent form, so that a patient need sign only one form. An authorization must include the following specific elements: a description of what information will be used and disclosed and for what purposes; a description of any information that will not be disclosed, if applicable; a list of who will disclose the information and to whom it will be disclosed; an expiration date for the disclosure; a statement that the authorization can be revoked; a statement that disclosed information may be re-disclosed and no longer protected; a statement that if the individual does not provide an authorization, she/he may not be able to receive the intended treatment; the subject's signature and date.

[ B ]

Balance Billing: The practice of billing a patient for the fee amount remaining after insurer payment and co-payment have been made. Under Medicare, the excess amount cannot be more than 15 percent above the approved charge.


Balance Forward: An accounting reference for the amount outstanding on an account transferred from another billing system. Primarily used during data migration from your legacy system to your new Medinformatix system

Bed Days: Number of inpatient hospital days per 1,000 health plan members for a specified period, usually annual.

Behavioral Health, Behavioral Healthcare: An umbrella term that includes mental health, psychiatric, marriage and family counseling, addictions treatment and substance abuse. Services are provided by a myriad of providers, including social workers, counselors, psychiatrists, psychologists, neurologists and even family practice physicians. Many states have "parity" laws that attempt to require that behavioral health insurance coverage be provided "on par" to physical health coverage.

Beneficiary (Also eligible; enrollee; member): Individual who is either using or eligible to use insurance benefits, including health insurance benefits, under an insurance contract. It describes any person eligible as either a subscriber or a dependent for a managed care service in accordance with a contract. An individual who receives benefits from or is covered by an insurance policy or other health care financing program.

Billed Claims: Fees submitted by a health care provider for services rendered to a covered person. Fees billed and fees paid are rarely synonymous.

BMI (Body Mass Index): Calculation based on height and weight. This is similar to percent body fat and demonstrates how much effect a person's weight has on their health.

BMI charts: BMI charts within EMR systems can manipulate data, perform calculations, and adapt to user preferences and patient characteristics; users may expect greater functionality from electronic BMI charts.

BSA (Body Surface Area): In physiology and medicine, the body surface area (BSA) is the measured or calculated surface of a human body. For many clinical purposes BSA is a better indicator of metabolic mass than body weight because it is less affected by abnormal adipose mass. Estimation of BSA is simpler than many measures of volume.

[ C ]

Continuity of Care Document (CCD):

Continuity of Care Record (CCR): The continuity of care record is a standardized electronic snapshot of a patient's medical, insurance, and demographic information at any given point in time. Standardization was established by the Healthcare Information and Management Systems Society (HIMSS), the American Academy of Family Physicians (AAFP), other medical societies, and vendors and others in the healthcare informatics industry. Data are transmitted in XML, a standard transmission language, enabling a patient's CCR to be shared among any number of providers. Each provider may make additions or changes to the information in a patient's CCR, which is kept up-to-date in real time. While not all of the patient's information is in the CCR, distinguishing it from most full-function electronic PHRs, critical information is available that may be useful in referrals, travel situations, and emergencies.


Capitated payments: Payment for healthcare services based on the number of patients who are covered for specific services over a specified period of time rather than the cost or number of services that are actually provided.

Case Manager: A nurse, doctor, or social worker who works with patients, providers and insurers to coordinate all services deemed necessary to provide the patient with a plan of medically necessary and appropriate health care.

Case Management: Method designed to accommodate the specific health services needed by an individual through a coordinated effort to achieve the desired health outcome in a cost effective manner. The monitoring and coordination of treatment rendered to patients with specific diagnosis or requiring high-cost or extensive services. Case management is the process by which all health-related matters of a case are managed by a physician or nurse or designated health professional. Physician case managers coordinate designated components of health care, such as appropriate referral to consultants, specialists, hospitals, ancillary providers and services. Case management is intended to ensure continuity of services and accessibility to overcome rigidity, fragmented services, and the misutilization of facilities and resources. It also attempts to match the appropriate intensity of services with the patient's needs over time.

Case Severity: A measure of intensity or gravity of a given condition or diagnosis for a patient. May have direct correlation with the amount of service provided and the associated costs or payments allowed.

CCHIT: Acronym for Certification Commission for Healthcare Information Technology is the recognized certification authority for electronic health records and their networks, and an independent, voluntary, private-sector initiative.

Chain of Trust Agreement: Referred to in HIPAA rules, this is a contract needed to extend the responsibility to protect health care data across a series of sub-contractual relationships.

CHAMPUS: Civilian Health and Medical Program of the Uniformed Services.

Charges: These are the published prices of services provided by a facility. CMS requires hospitals to apply the same schedule of charges to all patients, regardless of the expected sources or amount of payment. Controversy exists today because of the often wide disparity between published prices and contract prices. The majority of payers, including Medicare and Medicaid, are becoming managed by health plans that negotiate rates lower than published prices. Often these negotiated rates average 40% to 60% of the published rates and may be all-inclusive bundled rates.

Chart Note: A document, written by the clinician or provider, which describes the details of a patient's encounter. It is sometimes referred to as a progress note.

Chief Complaint (CC)/Reason for Consultation (RFC)/Reason for Visit (ROV): For recording a patient's disease symptoms.

Citrix Server: A server solution, similar to Microsoft Terminal Services that provides remote access to clients via the web or to dummy terminals in a network.

Clearinghouse: A company that provides clearing and settlement services for medical financial transactions. Some of the more popular clearinghouses include Emdeon/WebMD, McKesson and THIN.


Client-Server: A network architecture which separates the client (often an application that uses a graphical user interface) from the server.

Computerized Patient Record (CPR): Also known as an EMR or EHR. A patient's past, present, and future clinical data stored in a server.

Computerized Physician Order Entry (CPOE): A system for physicians to electronically order labs, imaging and prescriptions

CPT Code: A nationally recognizable five-digit number used to represent a service provided by a healthcare provider.

Client/Server architecture: An information-transmission arrangement, in which a client program sends a request to a server. When the server receives the request, it disconnects from the client and processes the request. When the request is processed, the server reconnects to the client program and the information is transferred to the client. This usually implies that the server is located on site as opposed to the ASP (Application Service Provider) architecture.

Clinical Data Repository (CDR): A real-time database that consolidates data from a variety of clinical sources to present a unified view of a single patient. It is optimized to allow clinicians to retrieve data for a single patient rather than to identify a population of patients with common characteristics or to facilitate the management of a specific clinical department.

Clinical Decision support system (CDSS): A clinical decision support system (CDSS) is software designed to aid clinicians in decision making by matching individual patient characteristics to computerized knowledge bases for the purpose of generating patient-specific assessments or recommendations.

Clinical Guidelines (Protocols): Clinical guidelines are recommendations based on the latest available evidence for the appropriate treatment and care of a patient's condition.

Clinical messaging: Communication of clinical information within the electronic medical record to other healthcare personnel.

Claim: A request by an individual (or his or her provider) to that individual's insurance company to pay for services obtained from a health care professional.

Claims Review: The method by which an enrollee's health care service claims are reviewed prior to reimbursement. The purpose is to validate the medical necessity of the provided services and to be sure the cost of the service is not excessive.

CMS (formerly HCFA): The Centers for Medicare & Medicaid Services (CMS), previously known as the Health Care Financing Administration (HCFA), is a federal agency within the United States Department of Health and Human Services (DHHS) that administers the Medicare program and works in partnership with State governments to administer Medicaid, the State Children's Health Insurance Program (SCHIP), and health insurance portability standards.

CMS-1450: The uniform institutional claim form.

CMS-1500: The uniform professional claim form.


COBRA: See Consolidated Omnibus Budget Reconciliation Act.

Coded Data: Data are separated from personal identifiers through use of a code. As long as a link exists, data are considered indirectly identifiable and not anonymous or anonymized. Coded data are not covered by the HIPAA Privacy Rule, but are protected under the Common Rule.

Code Set: Under HIPAA, this is any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. This includes both the codes and their descriptions.

Coding: A mechanism for identifying and defining physicians' and hospitals' services. Coding provides universal definition and recognition of diagnoses, procedures and level of care. Coders usually work in medical records departments and coding is a function of billing. Medicare fraud investigators look closely at the medical record documentation, which supports codes, and look for consistency. Lack of consistency of documentation can earmark a record as "up-coded", which is considered fraud. A national certification exists for coding professionals and many compliance programs are raising standards of quality for their coding procedures.

Co-Insurance (coinsurance): A cost-sharing requirement under a health insurance policy that provides that the insured will assume a portion or percentage of the costs of covered services. Health care cost which the covered person is responsible for paying, according to a fixed percentage or amount. A policy provision frequently found in major medical insurance policies under which the insured individual and the insurer share hospital and medical expenses according to a specified ratio. A type of cost sharing where the insured party and insurer share payment of the approved charge for covered services in a specified ratio after payment of the deductible. Under Medicare Part B, the beneficiary pays coinsurance of 20 percent of allowed charges. Many HMOs provide 100% insurance (no coinsurance) for preventive care or routine care provided "in network".

Common Rule: Under HIPAA, it outlines the necessity of obtaining informed consent from patients.

Computer-Based Patient Record (CPR): A term for the process of replacing the traditional paper-based chart through automated electronic means; generally includes the collection of patient-specific information from various supplemental treatment systems, i.e., a day program and a personal care provider; its display in graphical format; and its storage for individual and aggregate purposes. CPR is also called "digital medical record" or "electronic medical record".

Consolidated Omnibus Budget Reconciliation Act (COBRA): Federal law that continues health care benefits for employees whose employment has been terminated. Employers are required to notify employees of these benefit continuation options, and, failure to do so can result in penalties and fines for the employer. It is an act that allows workers and their families to continue their employer-sponsored health insurance for a certain amount of time after terminating employment. COBRA imposes different restrictions on individuals who leave their jobs voluntarily versus involuntarily (Department of Labor, 2002).

Co-Payment, Co-payment, Co-pay: A cost-sharing arrangement in which the HMO enrollee pays a specified flat amount for a specific service (such as $10 for an office visit or $5 for each prescription drug). The amount paid must be nominal to avoid becoming a barrier to care. It does not vary with the cost of the service and is usually a flat sum amount such as $10 for every prescription or doctor visit, unlike co-insurance that is based on a percentage of the cost.


Cost Sharing: Payment method where a person is required to pay some health costs in order to receive medical care. The general set of financing arrangements whereby the consumer must pay out-of-pocket to receive care, either at the time of initiating care, or during the provision of health care services, or both. This includes deductibles, coinsurance and co-payments, but not the share of the premium paid by the person enrolled.

Current Procedural Terminology (CPT): A standardized mechanism of reporting services using numeric codes as established and updated annually by the AMA. It is a manual that assigns five digit codes to medical services and procedures to standardize claims processing and data analysis. The coding system for physicians' services developed by the CPT Editorial Panel of the American Medical Association; basis of the Medicare coding system for physicians' services. A medical code set of physician and other services, maintained and copyrighted by the American Medical Association (AMA), and adopted by the Secretary of HHS as the standard for reporting physician and other services on standard transactions. See Coding.

Customary, prevailing, and reasonable (CPR): Current method of paying physicians under Medicare. Payment for a service is limited to the lowest of (1) the physician's billed charge for the service, (2) the physician's customary charge for the service, or (3) the prevailing charge for that service in the community. Similar to the Usual, Customary, and Reasonable system used by private insurers.

[ D ]

Database Management System (DBMS): The separation of data from the computer application that allows entry or editing of data.

Data Content: Under HIPAA, this is all the data elements and code sets inherent to a transaction, and not related to the format of the transaction.

Decision Support System: Computer technologies used in healthcare that allow providers to collect and analyze data in more sophisticated and complex ways. Activities supported include case mix, budgeting, cost accounting, clinical protocols and pathways, outcomes, and actuarial analysis.

Deductibles: Amounts required to be paid by the insured under a health insurance contract, before benefits become payable. This is usually expressed in terms of an "annual" amount.

DICOM (Digital Imaging and Communications in Medicine): Digital Imaging and Communications in Medicine (DICOM) is a standard to aid the distribution and viewing of medical images, such as CT scans, MRIs, and ultrasound.

Digital Imaging and Communications in Medicine (DICOM): A standard to define the connectivity and communication between medical imaging devices.

Disease Management: A type of product or service now being offered by many large pharmaceutical companies to get them into broader healthcare services. Bundles use of prescription drugs with physician and allied professionals, linked to large databases created by the pharmaceutical companies, to treat people with specific diseases. The claim is that this type of service provides higher quality of care at more reasonable price than alternative, presumably more fragmented, care. The development of such products by hugely capitalized companies should be the entire indicator necessary to convince a provider of how the healthcare market is changing. Competition is coming from every direction—other providers of all types, payers, employers who are developing their own in-house service systems, the drug companies.

Document Imaging: Is a process of converting paper documents into an electronic format usually through a scanning process.

Documentation: The process of recording information.

Document Management: The Document Manager allows the medical institution to store vital patient documents such as X-Ray’s,  Paper  Reports,  and  Lab  Reports  etc.

Drug Formulary: Varying lists of prescription drugs approved by a given health plan for distribution to a covered person through specific pharmacies. Health plans often restrict or limit the type and number of medicines allowed for reimbursement by limiting the drug formulary list. The list of prescription drugs for which a particular employer or State Medicaid program will pay. Formularies are either  “closed,”  including  only  certain  drugs  or  “open,”  including  all  drugs.  Both  types  of  formularies  typically  impose  a  cost scale requiring consumers to pay more for certain brands or types of drugs. See also Formulary.

Drug Formulary Database: This EMR feature is used in electronic prescribing, electronic medical record (EMR), and computerized physician order entry (CPOE) systems to present formulary status to the provider during the prescribing decision.

[ E ]

E/M level coding: Evaluation and Management level coding – documentation of each visit which identifies each service provided during an office visit.

EDI: Acronym for Electronic Data Interchange. Electronic communication between two parties, generally for the filing of electronic claims to payers.

EDI Translator: Used in electronic claims and medical record transmissions, this is a software tool for accepting an EDI transmission and converting the data into another format, or for converting a non-EDI data file into an EDI format for transmission. See also Electronic Data Interchange.

Effective Date: The date on which a policy's coverage of a risk goes into effect.

Electronic health records (EHR): A distributed personal health record in digital format. The EHR provides secure, real-time, patient-centric information to aid clinical decision-making by providing access to a patient's health information at the point of care.

Electronic Claim: A digital representation of a medical bill generated by a provider or by the provider's billing agent for submission using telecommunications to a health insurance payer. Most claims are electronically submitted.

Electronic Data Interchange (EDI): The automated exchange of data and documents in a standardized format. In health care, some common uses of this technology include claims submission and payment, eligibility, and referral authorization. This refers to the exchange of routine business transactions from one computer to another in a standard format, using standard communications protocols.


Electronic Medical Records (EMR): A computer-based record containing health care information. When fully developed, this technology meets provider needs for real-time data access and evaluation in medical care. Together with clinical workstations and clinical data repository technologies, it provides the mechanism for longitudinal data storage and access. A motivation for healthcare entities to implement this technology derives from the need for medical outcome studies, more efficient care, speedier communication among providers and management of health plans. This record may contain some, but not necessarily all, of the information that is in an individual's paper-based medical record. One goal of HIPAA is to protect identifiable health information as the system moves from a paper-based to an electronic medical record system. See also Computerized Medical Record.

EMR: Acronym for Electronic Medical Records. A computerized record of a patient's clinical, demographic and administrative data. Also known as a computer-based patient record (CPR) or electronic health record (EHR).

Electronic Eligibility: This EMR feature accesses a payer to deliver up-to-date insurance benefits eligibility information on patients.

Electronic Health Records (EHR): Patient health records, including treatment history, medical test reports, and images, stored in an electronic format that can be accessed by healthcare providers on a computer network.

EPR: Broadly defined, a personal health record is the documentation of any form of patient information, including medical history, medicines, allergies, visit history, or vaccinations, that patients themselves may view, carry, amend, annotate, or maintain. Today, when we refer to PHRs, we typically mean an online personal health record, which may variously be referred to as an ePHR, an Internet PHR, an Internet medical record, or a consumer Internet Medical Record (CIMR). Generally, such records are maintained in a secure and confidential environment, allowing only the individual, or people authorized by the individual, to access the medical information. Not all electronic PHRs are Internet PHRs. PC-based PHRs may be set up to capture medical information offline.

Electronic Super bill: An electronic encounter form used for coding and billing.

EPR (Electronic Patient Record): Electronically maintained information about an individual's lifetime health status and healthcare from all specialties.

Evidence based medicine: Evidence-based medicine (EBM) is the integration of best research evidence with clinical expertise to aid in the diagnosis and management of patients.

Explanation of Benefits (EOB): A statement from the patient's insurance company that breaks down services rendered at the time of a doctor or hospital visit and the amounts covered by the insurance provider.

[ F ]

Face Sheet: Also called a Summary Screen or Patient Dashboard. This screen includes a summary of patient relevant information on one screen.

Family History: A list of the patient's family medical history, including the chronic medical problems of parents, siblings, grandparents, etc.


Fee Schedules: The set maximum fees that an insurance company will pay a healthcare provider: a list of all CPT and HCPCS codes and their corresponding charges. This can vary by insurance. Fee schedules are usually associated with a particular payer and reflect the reimbursement rates negotiated under the contract.

Fee-for-service: A health insurance plan that allows policyholders to pay for any provider service, submit a claim to the insurance company, and get reimbursed if the service is covered by the insurance provider.

First DataBank: The leading provider of drug information. Provides context and integration information for healthcare of every type at every level.

Formatting and Protocol Standards: Data exchange standards which are needed between CPR systems, as well as CPT and other provider systems, to ensure uniformity in methods for data collection, data storage and data presentation. Proactive providers are current in their knowledge of these standards and work to ensure their information systems conform to the standards.

Formulary: An approved list of prescription drugs; a list of selected pharmaceuticals and their appropriate dosages felt to be the most useful and cost effective for patient care. Organizations often develop a formulary under the aegis of a pharmacy and therapeutics committee. In HMOs, physicians are often required to prescribe from the formulary. See also Drug Formulary.

[ G ]

Growth Chart: A feature of primary care or EMR software that can be used for paediatric patients. Age, height, weight, and head measurements can be entered over the patient's lifetime, and the feature creates a line graph.

Group Insurance: Any insurance policy or health services contract by which groups of employees (and often their dependents) are covered under a single policy or contract, issued by their employer or other group entity.

Group Model HMO, Group Network HMO: An HMO that contracts with one or more independent group practices to provide services to its members in one or more locations. A health care plan involving contracts with physicians organized as a partnership, professional corporation, or other legal association. It can also refer to an HMO model in which the HMO contracts with one or more medical groups to provide services to members. In either case, the payer or health plan pays the medical group, which, in turn, is responsible for compensating physicians. The medical group may also be responsible for paying or contracting with hospitals and other providers.

Group Practice: A group of persons licensed to practice medicine in the State, who, as their principal professional activity, and as a group responsibility, engage or undertake to engage in the coordinated practice of their profession primarily in one or more group practice facilities, and who in their connection share common overhead expenses if and to the extent such expenses are paid by members of the group, medical and other records, and substantial portions of the equipment and the professional, technical, and administrative staffs. Group practices use the acronyms PA, IPA, MSO and others. Group practices are far more common now than a decade ago because physicians seek to lower costs, increase contracting power and share payer contracts.


[ H ]

Health and Human Services (HHS): The Department of Health and Human Services that is responsible for health-related programs and issues. Formerly it was known as HEW, the Department of Health, Education, and Welfare. The Office of Health Maintenance Organizations (OHMO) is part of HHS and detailed information on most companies is available here through the Freedom of Information Act.

HCFA (CMS-1500 Form): The insurance claim form that a healthcare provider turns in to an insurance company.

HCFA 1500: The Health Care Finance Administration's standard form for submitting provider service claims to third party companies or insurance carriers. HCFA is now called CMS; see CMS.

HCFA-1450: More commonly known as the UB-92 (Universal Bill). This is also an insurance claim form, but is used for hospital visits and rural health claims. It is characterized by including more procedure level reporting lines, as well as place for information such as hospital days.

Health: The state of complete physical, mental, and social well-being and not merely the absence of disease or infirmity. It is recognized, however, that health has many dimensions (anatomical, physiological, and mental) and is largely culturally defined. The relative importance of various disabilities will differ depending upon the cultural milieu and the role of the affected individual in that culture. Most attempts at measurement have been assessed in terms of morbidity and mortality.

Health Care, Healthcare: Care, services, and supplies related to the health of an individual. Health care includes preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, among other services. Healthcare also includes the sale and dispensing of prescription drugs or devices.

Health Care Clearinghouse: A public or private entity that does either of the following (entities including, but not limited to, billing services, repricing companies, community health management information systems or community health information systems, and "value-added" networks and switches are health care clearinghouses if they perform these functions): 1) Processes or facilitates the processing of information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; 2) Receives a standard transaction from another entity and processes or facilitates the processing of information into nonstandard format or nonstandard data content for a receiving entity. This term is used in the HIPAA rules.

Health Care Financing Administration (HCFA): The federal government agency within the Department of Health and Human Services which directs and oversees the Medicare and Medicaid programs (Titles XVIII and XIX of the Social Security Act) and conducts research to support those programs. It is now called CMS and generally it oversees the states' administration of Medicaid, while directly administering Medicare. See CMS, or Center for Medicare and Medicaid Services.

Health Care Operations: Institutional activities that are necessary to maintain and monitor the operations of the institution. Examples include but are not limited to: conducting quality assessment and improvement activities; developing clinical guidelines; case management; reviewing the competence or qualifications of health care professionals; education and training of students, trainees and practitioners; fraud and abuse programs; business planning and management; and customer service. Under the HIPAA Privacy Rule, these are allowable uses and disclosures of identifiable information "without specific authorization." Research is not considered part of health care operations.

Health Care Provider: Providers of medical or health care or researchers who provide health care are health care providers. Normally health care providers are clinics, hospitals, doctors, dentists, psychologists and similar professionals.

Healthcare Provider Taxonomy Codes: An administrative code set that classifies health care providers by type and area of specialization. The code set will be used in certain adopted transactions. (Note: A given provider may have more than one Healthcare Provider Taxonomy Code.)

Health Employer Data and Information Set (HEDIS): A set of HMO performance measures that are maintained by the National Committee for Quality Assurance. HEDIS data is collected annually and provides an informational resource for the public on issues of health plan quality.

Health Information: Information in any form (oral, written or otherwise) that relates to the past, present or future physical or mental health of an individual. That information could be created or received by a health care provider, a health plan, a public health authority, an employer, a life insurer, a school, a university or a health care clearinghouse. All health information is protected by state and federal confidentiality laws and by HIPAA privacy rules.

Health Insurance: Financial protection against the health care costs of the insured person. It may be obtained in a group or individual policy.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): A Federal law that allows persons to qualify immediately for comparable health insurance coverage when they change their employment relationships. This legislation sets a precedent for Federal involvement in insurance regulation. It sets minimum standards for regulation of the small group insurance market and for a set group in the individual insurance market in the area of portability and availability of health insurance. As a result of this law, hospitals, doctors and insurance companies are now required to share patient medical records and personal information on a wider basis. This wide-based sharing of medical records has led to privacy rules, greater computerization of records and consumer concerns about confidentiality. In addition, HIPAA required the creation of a federal law to protect personally identifiable health information; if that did not occur by a specific date (which it did not), HIPAA directed the Department of Health and Human Services (DHHS) to issue federal regulations with the same purpose. DHHS has issued HIPAA privacy regulations (the HIPAA Privacy Rule) as well as other regulations under HIPAA. HIPAA gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information. This is also known as the Kennedy-Kassebaum Bill, the Kassebaum-Kennedy Bill, K2, or Public Law 104-191.

Health Level Seven (HL7): A data interchange protocol for health care computer applications that simplifies the ability of different vendor-supplied IS systems to interconnect. Although not a software program in itself, HL7 requires that each healthcare software vendor program HL7 interfaces for its products.


Health Maintenance Organization (HMO): HMOs offer prepaid, comprehensive health coverage for both hospital and physician services. The HMO is paid monthly premiums or capitated rates by the payers, which include employers, insurance companies, government agencies, and other groups representing covered lives. The HMO must meet the specifications of the federal HMO act as well as meeting many rules and regulations required at the state level. There are 4 basic models: group model, individual practice association, network model and staff model. An HMO contracts with health care providers, e.g., physicians, hospitals, and other health professionals. The members of an HMO are required to use participating or approved providers for all health services and generally all services will need to meet further approval by the HMO through its utilization program. Members are enrolled for a specified period of time. HMOs may turn around and sub-capitate to other groups. For example, it may carve-out certain benefit categories, such as mental health, and sub-capitate these to a mental health HMO. Or the HMO may sub-capitate to a provider, provider group or provider network. HMOs are the most restrictive form of managed care benefit plans because they restrict the procedures, providers and benefits.

Help Desk: Service and support desk.

HIPAA: The Health Insurance Portability and Accountability Act of 1996 is a set of federal regulations which establishes national standards for health care information.

History of Present Illness (HPI): The HPI is the history of the patient's chief complaint.

HL7 (Health Level 7): One of the American National Standards Institute (ANSI) accredited Standards Developing Organizations (SDOs). The Health Level 7 domain covers the standards for electronic interchange of clinical, financial and administrative information among healthcare-oriented computer systems. It is a not-for-profit volunteer organization. It develops specifications, the most widely used of which is the messaging standard that enables disparate health care applications to exchange key sets of clinical and administrative data. It promotes the use of standards within and among healthcare organizations to increase the effectiveness and efficiency of healthcare delivery. It is an international community of healthcare subject matter experts and information scientists collaborating to create standards for the exchange, management and integration of electronic healthcare information.

Human Subject: Under HIPAA rules, this term refers to a living subject participating in research about whom directly or indirectly identifiable health information or data are obtained or created.

Hybrid Record: Term used for when a provider uses a combination of paper and electronic medical records during the transition phase to EMR.

[ I ]

International Classification of Diseases, Ninth Revision, Clinical Modification (ICD-9-CM, ICD-10-CM): This is the universal coding method used to document the incidence of disease, injury, mortality and illness. A diagnosis and procedure classification system designed to facilitate collection of uniform and comparable health information. The ICD-9-CM was issued in 1979. This system is used to group patients into DRGs, prepare hospital and physician billings and prepare cost reports. Classification of disease by diagnosis codified into six-digit numbers. See also coding.


ICD-9: Internationally recognizable 3 to 5-digit code representing a medical diagnosis. Currently being replaced by the ICD-10 code.

IPA: Independent Physician Association or Independent Practice Association. A group of independent physicians that have joined together to negotiate contracts with payers and receive quantity discounts on products.

International Health Transaction Standards Development Organization (IHTSDO):

Informatics: The application of computer technology to the management of information.

Integration: Integration allows for secure communication between enterprise applications.

Interoperability: The capability to provide successful communication between end-users across a mixed environment of different domains, networks, facilities and equipment.

Insurance Eligibility Check: The vital process of checking a patient's insurance eligibility; when it is not carried out properly, billing errors, insurance coverage concerns and delays often result.

Immunization: A complete list of all immunizations that the patient has had.

ISP: Internet Service Provider

IT (Information Technology): The development, installation, and implementation of computer systems and applications.

Independent Practice Association (IPA): or Organization (IPO) - A delivery model in which the HMO contracts with a physician organization, which in turn contracts with individual physicians. The IPA physicians practice in their own offices and continue to also see their FFS patients. The HMO reimburses the IPA on a capitated basis; however, the IPA may reimburse the physicians on an FFS or capitated basis.

Interface: A means of communication between two computer systems, two software applications or two modules. Real time interface is a key element in healthcare information systems due to the need to access patient care information and financial information instantaneously and comprehensively. Such real time communication is the key to managing health care in a cost effective manner because it provides the necessary decision-making information for clinicians, providers and payers.

Internal Medicine: Generally, that branch of medicine that is concerned with diseases that do not require surgery, specifically, the study and treatment of internal organs and body systems; it encompasses many subspecialties; internists, the doctors who practice Internal medicine, often serve as family physicians to supervise general medical care.

[ J ]

J-Codes: A subset of the HCPCS Level II code set with a high-order value of "J" that has been used to identify certain drugs and other items.


Joint Commission on the Accreditation of Healthcare Organizations (JCAHO): Formerly called JCAH, or Joint Commission on Accreditation of Hospitals, this is the peer review organization which provides the primary review of hospitals and healthcare providers. Many insurance companies require providers to have this accreditation in order to seek 3rd party payment, although many small hospitals cannot afford the cost of accreditation. JCAHO usually surveys organizations once every 3 years, sending in a medical and administrative team to review policies, patient records, professional credentialing procedures, governance and quality improvement programs. JCAHO revises its "standards" annually.

[ K ]

Key Contributor Plan: This refers to a little known performance-based program with incentives for the purpose of attracting, motivating and retaining key individuals or small groups.

[ L ]

LAN (Local Area Network): A LAN supplies networking capability to a group of computers in close proximity to each other such as in an office building, a school, or a home.

Legacy Systems: Computer applications, both hardware and software, which have been inherited through previous acquisition and installation. Most often, these systems run business applications that are not integrated with each other. Newer systems which stress open design and distributed processing capacity are gradually replacing such systems.

Legacy System: Term used to describe an old system (usually hardware and software), e.g. an old medical billing software system.

Legacy System Integration: The integration of data between a legacy system and some other software program, most commonly using HL-7 standards.

LEPR (Longitudinal Patient Record): A Longitudinal Patient Record is an EHR that includes all healthcare information from all sources.

Legend Drug: Drug that the law says can only be obtained by prescription.

Length of Stay (LOS): The duration of an episode of care for a covered person. The number of days an individual stays in a hospital or inpatient facility. May also be reviewed as Average Length of Stay (ALOS).

Licensing: A process most States employ, which involves the review and approval of applications from HMOs prior to beginning operation in certain areas of the State. Areas examined by the licensing authority include: fiscal soundness, network capacity, MIS, and quality assurance. The applicant must demonstrate it can meet all existing statutory and regulatory requirements prior to beginning operations.

Lifetime Limit: A cap on the benefits paid under a policy. Many policies have a lifetime limit of $1 million, which means that the insurer agrees to cover up to $1 million in covered services over the life of the policy.

[ M ]


M.A. (Medical Assistant): If certified, referred to as a CMA. Some clinics have similar positions known as Clinical Assistants. Used in most offices as part of the nursing staff, with responsibilities including working up patients, triaging and returning patient calls, and assisting the provider in general.

MD: Medical Doctor.

Management Information System (MIS): The common term for the computer hardware and software that provides the support of managing the plan.

Master Patient / Member Index: An index or file with a unique identifier for each patient or member that serves as a key to a patient's or member's health record.

Maximum Allowable Actual Charge (MAAC): A limitation on billed charges for Medicare services provided by nonparticipating physicians. For physicians with charges exceeding 115 percent of the prevailing charge for nonparticipating physicians, MAACs limit increases in actual charges to 1 percent a year. For physicians whose charges are less than 115 percent of the prevailing, MAACs limit actual charge increases so they may not exceed 115 percent.

Maximum Defined Data Set: Under HIPAA, this is all of the required data elements for a particular standard based on a specific implementation specification. An entity creating a transaction is free to include whatever data any receiver might want or need. The recipient is free to ignore any portion of the data that is not needed to conduct their part of the associated business transaction, unless the inessential data is needed for coordination of benefits.

MEDCIN: Clinical documentation nomenclature designed to provide E&M level coding assistance to providers through the use of an extensive database for documenting patient encounters.

Medical Code Sets: Codes that characterize a medical condition or treatment. These code sets are usually maintained by professional societies and public health organizations. Compare to administrative code sets.

Medical Transcription: A PDA-compliant medical transcription system that manages the transcription cycle from beginning to end by integrating voice recording, digital scripting, delivery of voice files to the medical transcriptionist and final transcript receipt.

Medical Calculators: A diverse range of medical calculators that allows the medical practitioner to make rapid, accurate calculations within seconds, with the focus on "evidence based medicine".

Medication Reviewer: A complete list of all medications that the patient is on or has been taking at some point.

Medical Group Practice: The American Group Practice Association, the American Medical Association, and the Medical Group Management Association define medical group practice as: provision of health care services by a group of at least three licensed physicians engaged in a formally organized and legally recognized entity sharing equipment, facilities, common records and personnel involved in both patient care and business management.

Medical Informatics: Medical informatics is the systematic study, or science, of the identification, collection, storage, communication, retrieval, and analysis of data about medical care services to improve decisions made by physicians and managers of health care organizations. Medical informatics will be as important to physicians and medical managers as the rules of financial accounting are to auditors.

Medical Management Information System (MMIS): A data system that allows payers and purchasers to track health care expenditure and utilization patterns. It may also be referred to as Health Information System (HIS), Health Information Management (HIM) or Information System (IS). See also Electronic Medical Record (EMR).

Mid-level Practitioner: Refers to the group of providers considered to be one level below M.D.s and D.O.s. Physician assistants (P.A.s) and Nurse Practitioners (N.P.s) are examples.

Modifier: A two-character code added to a CPT or HCPCS code that is used to help in the reimbursement process. For example, a modifier can be used to explain that a procedure not normally covered when billed on the same day as another is actually a separate and significant process, or that it is a rural health procedure that gets higher reimbursement. Up to 4 modifiers can be attached to each CPT, although in most cases only 1 or 2 are used.

Multi-Specialty Group: A group of doctors who represent various medical specialties and who work together in a group practice.

[ N ]

National Council for Prescription Drug Programs: An ANSI-accredited group that maintains a number of standard formats for use by the retail pharmacy industry, some of which have been adopted as HIPAA standards.

National Drug Code (NDC): A medical code set maintained by the Food and Drug Administration that contains codes for drugs that are FDA-approved. The Secretary of HHS adopted this code set as the standard for reporting drugs and biologics on standard transactions. The classification system for drug identification is similar to UPC code.

Neonatal Intensive Care Unit (Neo ICU): A hospital unit with special equipment for the care of premature and seriously ill newborn infants.

Non-Participating Physician (or Provider): A provider, doctor or hospital that does not sign a contract to participate in a health plan, usually which requires reduced rates from the provider. In the Medicare Program, this refers to providers who are therefore not obligated to accept assignment on all Medicare claims. In commercial plans, non-participating providers are also called out of network providers or out of plan providers. If a beneficiary receives service from an out of network provider, the health plan (other than Medicare) will pay for the service at a reduced rate or will not pay at all.

Non-Plan Provider: A health care provider without a contract with an insurer. A non-plan provider is also known as a nonparticipating provider.

Nurse Practitioner (NP): A registered nurse qualified and specially trained to provide primary care, including primary health care in homes and in ambulatory care facilities, long-term care facilities, and other health care institutions. Normally, NPs are licensed and possess master's degrees. Nurse practitioners generally function under the supervision of a physician but not necessarily in his or her presence. In some states, NPs are able to provide basic medical services without requiring MD or DO supervision. They are either salaried or reimbursed on a fee-for-service basis. Nurse Practitioners are sometimes considered "midlevel practitioners".

NPI (National Provider Identifier): Fairly new 8 digit alphanumeric identifier given to all medical facilities. Most M.D.s and D.O.s do not have NPIs at this time (they still use UPIN numbers). However, mid-level practitioners usually do.

NSF (National Standard Format): Standard format for electronic filing.

[ O ]

Occupancy Rate: A measure of inpatient health facility use, determined by dividing patient days by available bed days. It measures the average percentage of a hospital's beds occupied and may be institution-wide or specific to one department or service.

Ombudsperson or Ombudsman: A person within a managed care organization, or a person outside the health care system (such as an appointee of the state), who is designated to receive and investigate complaints from beneficiaries about quality of care, inability to access care, discrimination, and other problems that beneficiaries may experience with their managed care organization. This individual often functions as the beneficiary's advocate in pursuing grievances or complaints about denials of care or inappropriate care. Organizations are usually able to designate a member of their own staff as ombudsman.

Open Access: A term describing a member's ability, right or invitation to self-refer for specialty care. Open access arrangements allow a member to see a participating provider without a referral from another doctor. Also called Open Panel.

Open Panel: See Open Access.

Outcome: A clinical outcome is the result of medical or surgical intervention or nonintervention, or the results of a specific health care service or benefit package. The valued results of care as experienced primarily by the patient but also by physicians and all other participants in the processes contributing to the outcomes.

Outcomes Management: Providers and payers alike wish to find a method of managing care in a way that would produce the best outcomes. Managed care organizations are increasingly interested in learning to manage the outcome of care rather than just managing the cost of care. It is thought that through a database of outcomes experience, caregivers will know better which treatment modalities result in consistently better outcomes for patients. Outcomes management may lead to the development of clinical protocols. A clinical outcome is the result of medical or surgical intervention or nonintervention. Managed services organizations are now attempting to better manage clinical outcomes for their enrollees to increase the satisfaction of patients and payers while holding down costs.

Outcomes Measurement: A system used to systematically track clinical treatment and responses to that treatment; a tool to assess the impact of health services in terms of improved quality and/or longevity of life and functioning. The methods for measuring outcomes vary widely among providers. Much disagreement exists regarding the best practice or tools to use to measure outcomes; in fact, much disagreement exists in the medical field about the definition of outcome itself.

Outcomes Research: Research on measures of changes in patient outcomes, that is, patient health status and satisfaction, resulting from specific medical and health interventions. Attributing changes in outcomes to medical care requires distinguishing the effects of care from the effects of the many other factors that influence patients' health and satisfaction. With the elimination of the physician's fiduciary responsibility to the patient, outcomes data are gaining increasing importance for patient advocacy and consumer protection. Outcomes research will also be used in the future by payers to identify potential partners on the basis of good outcomes.

Outpatient Care: Care given to a person who is not bedridden; also called ambulatory care. Many surgeries and treatments are now provided on an outpatient basis that were previously considered reasons for inpatient hospitalization. Some say this is the fastest growing segment of healthcare.

Office Visit Levels: Otherwise known as E&M (Evaluation and Management) codes; the code varies from Level I to Level V depending on complexity, with V being the most complex.

[ P ]

Past Medical History, Past Surgical History, Screening (PMSS): This is a list of all the past surgery and medical issues that the patient has been treated for.

Patient Liability: The dollar amount that an insured is legally obligated to pay for services rendered by a provider. These may include co-payments, deductibles and payments for uncovered services.

P.A. (Physician Assistant): A mid-level provider. They are required to have a Bachelor's degree and then attend a rigorous 3-year training program mainly instructed by physicians. They are not physicians, but in most states have similar rights and privileges. However, they must be supervised by a physician.

Past Medical History: A list of a patient's past health problems, surgeries and specialists.

Patient Demographics: All the patient's pertinent information, such as first and last name, SSN, DOB, insurance, etc.

Patient Origin Study: A study, generally undertaken by an individual health program or health planning agency, to determine the geographic distribution of the residences of the patients served by one or more health programs. Such studies help define catchment and medical trade areas and are useful in locating and planning the development of new services.

Patient Portal: A secure, authenticated web-based system that allows a patient to register for an appointment, schedule an appointment, request prescription refills, send and receive secure patient-physician messages, view lab results, pay bills electronically and access physician directories.

Participating Physician: A  primary  care  physician  in  practice  in  the  payer’s  managed  care  service  area  who has entered into a contract.

Part A Medicare: Refers to the inpatient portion of benefits under the Medicare Program, covering beneficiaries for inpatient hospital, home health, hospice and limited skilled nursing facility services. Beneficiaries are responsible for deductibles and copayments. Part A services are financed by the Medicare HI Trust Fund, which consists of Medicare tax payments. Part B, on the other hand, refers to outpatient coverage.

Part B Medicare: Refers to the outpatient benefits of Medicare. Medicare Supplementary Medical Insurance (SMI) under Part B of Title XVIII of the Social Security Act covers Medicare beneficiaries for physician services, medical supplies and other outpatient treatment. Beneficiaries are responsible for monthly premiums, copayments, deductibles and balance billing. Part B services are financed by a combination of enrollee premiums and general tax revenues.

Participating Provider: Any provider licensed in the state of provision and contracted with an insurer. Usually this refers to providers who are a part of a network. That network would be a panel of participating providers. Payers assemble their own provider panels.

Payer (usually Third Party Payer): The public or private organization that is responsible for payment for health care expenses. Payers may be insurance companies or self-insured employers.

PC Based: A program designed to run on an individual PC. This typically means data is not shared in real time among other PCs (users).

PCP: Primary care physician, who often acts as the primary gatekeeper in health plans; that is, often the PCP must approve referrals to specialists. Particularly in HMOs and some PPOs, all members must choose or are assigned a PCP.

PHR: A personal health record or PHR is typically a health record that is initiated and maintained by an individual. An ideal PHR would provide a complete and accurate summary of the health and medical history of an individual by gathering data from many sources and making this information accessible online.

Physician Attestation: The requirement that the attending physician certify, in writing, the accuracy and completion of the clinical information used for DRG assignment.

Physician Current Procedural Terminology (CPT): List of services and procedures performed by providers, with each service/procedure having a unique 5-digit identifying code. CPT is the health care industry's standard for reporting of physician services and procedures. Used in billing and records.

Picture Archive Communication System (PACS): Used by radiology and diagnostic imaging organizations to electronically manage information and images.

Preferred Provider Organization (PPO): An arrangement between insurers and healthcare providers in which providers agree to a discounted fee-for-service rate in exchange for more patients.

Progress Note: The documentation of a patient visit or encounter including all or part of the SOAP format.

Practical Nurses: Practical nurses, also known as vocational nurses, provide nursing care and treatment of patients under the supervision of a licensed physician or registered nurse. Licensure as a licensed practical nurse (L.P.N.) or in California and Texas as a licensed vocational nurse (L.V.N.) is required.


Practice Parameters, Practice Guidelines: Systematically developed statements to standardize care and to assist in practitioner and patient decisions about the appropriate health care for specific circumstances. Practice guidelines are usually developed through a process that combines scientific evidence of effectiveness with expert opinion. Practice guidelines are also referred to as clinical criteria, protocols, algorithms, review criteria, and guidelines. The American Medical Association defines practice parameters as strategies for patient management, developed to assist physicians in clinical decision-making. Practice parameters may also be referred to as practice options, practice guidelines, practice policies, or practice standards.

Pre-Authorization: A cost containment feature of many group medical policies whereby the insured must contact the insurer prior to a hospitalization or surgery and receive authorization for

Primary Care: Basic or general health care usually rendered by general practitioners, family practitioners, internists, obstetricians and pediatricians who are often referred to as primary care practitioners or PCPs. Professional and related services administered by an internist, family practitioner, obstetrician-gynecologist or pediatrician in an ambulatory setting, with referral to secondary care specialists, as necessary.

Primary Care Network (PCN): A group of primary care physicians who share the risk of providing care to members of a given health plan.

Primary Care Physician (PCP): A "generalist" such as a family practitioner, pediatrician, internist or obstetrician. In a managed care organization, a primary care physician is accountable for the total health services of enrollees, including referrals, procedures and hospitalization. Also see Primary Care Provider.

Primary Care Provider (PCP): The provider that serves as the initial interface between the member and the medical care system. The PCP is usually a physician, selected by the member upon enrollment, who is trained in one of the primary care specialties who treats and is responsible for coordinating the treatment of members assigned to his/her plan. See also Gatekeeper.

Principal Diagnosis: The medical condition that is ultimately determined to have caused a patient's admission to the hospital. The principal diagnosis is used to assign every patient to a diagnosis related group. This diagnosis may differ from the admitting and major diagnoses.

Prior Authorization: A formal process requiring that a provider obtain approval to provide particular services or procedures before they are done. This is usually required for nonemergency services that are expensive or likely to be abused or overused. A managed care organization will identify those services and procedures that require prior authorization, without which the provider may not be compensated.

Privacy: For purposes of the HIPAA Privacy Rule, privacy means an individual's interest in limiting who has access to personal health care information. See also HIPAA Privacy Rule.

Psychotherapy Notes: Notes recorded by a health care provider who is a mental health professional during a counseling session, either in a private session or in a group. These notes are kept separate from documentation placed in the medical chart and do not include prescriptions. Specific patient authorization is required for use and disclosure of psychotherapy notes.

[ R ]


RAID (Redundant Array of Independent Disks): A way of storing the same data in different places on multiple hard disks, often used on servers so that service continues in the event of a hard drive failure. RAID provides redundancy, not backup: accidental deletion, corruption or malware is written to every disk in the array, so a separate backup is still required.

Real Time: The instantaneous sharing of data among a user group. It is common to a client/server database configuration.

Referral: Some insurance companies require that on specific plans a referral must be obtained for certain procedures or visits to specialists. The referral is acquired by the primary care physician (PCP) by contacting the insurance company by phone or mail. This is a request for the service. The referral consists of an authorization code, a number of visits allowed (if applicable) and an expiration date.

Referring Provider: The provider that referred the patient to a specialist or for a specific procedure.

Relational Database: A database that stores data in tables of rows and columns, similar to a spreadsheet, with the difference that the tables and their data elements are related (linked) to each other through keys.

Remote Access: Access to the EMR from outside the practice network through a private, protected channel over the Internet (normally an encrypted VPN tunnel), allowing healthcare providers to work from home or another practice location and allowing the EMR vendor to perform system maintenance off-site. Vendor maintenance access should use individually named accounts, be limited to what maintenance requires, and be logged like any other user's access.

Rendering/Performing Provider: The provider actually treating the patient.

Registered Nurses (R.N.s): Registered nurses are responsible for carrying out the physician's instructions. They supervise practical nurses and other auxiliary personnel who perform routine care and treatment of patients. Registered nurses provide nursing care to patients or perform specialized duties in a variety of settings, from hospitals and clinics to schools and public health departments. A license to practice nursing is required in all states. For licensure as a registered nurse (R.N.), an applicant must have graduated from a school of nursing approved by the state board for nursing and have passed a state board examination.

ROS (Review of Systems): A series of questions related to the system(s) that the patient is having complaints about (e.g. respiratory for cold symptoms).

[ S ]

Secondary Care: Services provided by medical specialists who generally do not have first contact with patients (e.g., cardiologist, urologists, dermatologists). In the U.S., however, there has been a trend toward self-referral by patients for these services, rather than referral by primary care providers. This is quite different from the practice in England, for example, where all patients must first seek care from primary care providers and are then referred to secondary and/or tertiary providers, as needed.

SNOMED (SNOMED CT, Systematized Nomenclature of Medicine Clinical Terms): A comprehensive, multilingual clinical terminology covering procedures, diseases and clinical data. SNOMED CT helps to structure and computerize the medical record. It allows for a consistent way of indexing, storing, retrieving and aggregating clinical data across sites of care (e.g. hospitals, doctors' offices) and specialties. By standardizing the terminology, the variability in the way data is captured, encoded and used for clinical care of patients and research is reduced, allowing more accurate reporting of data. It is currently available in English, Spanish and German.


SureScripts: Electronic exchange that links pharmacies and healthcare providers, founded in 2001 by NACDS to make the prescribing process safer and more efficient.

SOAP Note: A widely used progress note format (used, for example, by MedInformatix) that consists of Subjective, Objective, Assessment and Plan sections.

Social History: A description of a patient's social habits and history, including marital status, alcohol and drug use and exercise habits.

Subjective: Section in a progress note where a patient's account of their current problem is documented. Consists of chief complaint, HPI and ROS.

Superbill: Also known as an encounter form, route slip or fee slip. This is a paper charge capture tool used to document coding for a specific patient visit. It is a printed form with patient information at the top and a subset of the provider's/practice's most commonly used ICD and/or CPT codes. The form travels with the patient through the clinic. Providers check off items when they see the patient, and the form then travels to the checkout desk or billing office where the codes are entered into the billing system.

Supervising Provider: The physician that is supervising patient care for a mid-level provider. In some practices, the supervising provider signs off on every chart after a mid-level sees a patient, while in others they are simply available to assist if necessary. Physicians in some rural areas do not have to be on-site and can supervise remotely.

SQL: Structured Query Language – is a computer language aimed to store, manipulate and retrieve data stored in relational databases.

Sx: Abbreviation for symptoms

Skilled Nursing Facility (SNF): A licensed institution, as defined by Medicare, which is primarily engaged in the provision of skilled nursing care. SNFs are usually DRG or PPS exempt and are located within hospitals, but sometimes are located in rehab facilities or nursing homes.

Solo Practice, Solo Practitioner: A physician who practices alone or with others but does not pool income or expenses. This form of practice is becoming increasingly less common as physicians band together for contracting, overhead costs and risk sharing.

Subscriber: Person responsible for payment of premiums, or person whose employment is the basis for membership in a health plan.

[ T ]

T1, T3 line: A high-speed Internet connection provided over dedicated telephone-company lines, often used by businesses needing connection speeds greater than DSL/cable.

Terminal Services: Microsoft's mechanism for delivering the Windows desktop and Windows-based applications, and for remote administration, to nearly any personal computing device, including devices that cannot run Windows themselves.

Therapeutic Alternatives: Drug products that provide the same pharmacological or chemical effect in equivalent doses. Also see Drug Formulary.


Thin Client: Also known as a "dumb terminal", a network computer without a hard drive which requires a constant connection to a server to operate.

Trial Balance: A detailed report of invoices for a patient.

Treatment: The provision of health care by one or more health care providers. Treatment includes any consultation, referral or other exchange of information to manage a patient's care. Under the HIPAA Privacy Rule, a covered entity may use and disclose protected health information for treatment purposes without the patient's specific authorization.

Treatment Episode: The period of treatment between admission and discharge from a modality (e.g. inpatient, residential, partial hospitalization, outpatient), or the period of time between the first procedure and the last procedure on an outpatient basis for a given diagnosis. Many healthcare statistics and profiles use this unit as a base for comparisons.

[ U ]

UB-92 (Uniform Billing Code of 1992): The bill form used by hospitals to submit insurance claims to the patient's insurance carrier and other third parties. Similar to the HCFA-1500, but reserved for the institutional (inpatient) component of health services. The paper form is also designated CMS-1450 (formerly HCFA-1450); it was in general use from 1993 and was replaced by the UB-04 in 2007.

UNIX: A network-capable, multi-user operating system used for workstations and servers. Much older practice management, medical billing and EMR software was originally designed for the UNIX operating system.

UPIN (Unique Physician Identification Number): A 6-character alphanumeric identifier formerly assigned by Medicare to each healthcare provider (a single provider or a group/facility) and frequently used in insurance billing. It has been replaced by the NPI.

URI: Abbreviation for Upper Respiratory Infection (Cold)

UTI: Abbreviation for Urinary Tract Infection (Bladder infection)

[ V ]

VPN (Virtual Private Network): An encrypted "tunnel" across an untrusted network such as the Internet, set up either site-to-site (typically firewall to firewall) or from a remote user's device to the practice network, that provides remote access to the data server. The tunnel protects data in transit; it does not by itself limit what a connected user may do, so access through it should still be authenticated per user and logged.

Variable Contribution Health Plan: In contrast to a fixed contribution plan, a variable contribution plan involves employers committing to a specified level of benefits for their employees regardless of the actual benefit price. Employers are thus locked into variable contribution arrangements because they are committed to funding a certain benefit structure without knowing what the future costs may be if premiums are raised. See also Fixed Contribution Health Plan.

Vital Statistics: Statistics relating to births (natality), deaths (mortality), marriages, health and disease (morbidity). Vital statistics for the United States are published by the National Center for Health Statistics. Vital statistics can be obtained from the CDC, state health departments, county health departments and other agencies. An individual patient's vital statistics in a health care setting may also refer simply to blood pressure, temperature, height and weight, etc.

[ W ]

Wave Scheduling: Scheduling patients in "waves", i.e. scheduling several patients at the top of the hour (in the same time slot) and several at the bottom of the hour. Patients rarely arrive on time, and offices often run behind; having blocks of busy and catch-up time can even this out. Modified wave scheduling is a more recent trend where the schedule is based around the actual time spent with patients. Most patient visits do not require the provider to be in the room with the patient for 100% of the time, and modified wave scheduling allows more efficient scheduling by allowing for this. For example, a patient visiting an ophthalmologist may spend 15 minutes of a half-hour visit waiting for their eyes to dilate; the doctor is only present for the last 15 minutes, so another patient could be scheduled for the first 15 minutes. Modified wave scheduling thus refers to creating a schedule that accounts only for the providers' time spent with patients. This is only efficient if there is enough nursing staff to prepare several patients simultaneously.

Waiting Periods: The length of time an individual must wait to become eligible for benefits for a specific condition after overall coverage has begun.

Waiver : Approval that the Centers for Medicare and Medicaid Services (CMS, formerly called HCFA), the federal agency that administers the Medicaid program, may grant to state Medicaid programs to exempt them from specific aspects of Title XIX, the federal Medicaid law. Most federal waivers involve loss of freedom of choice regarding which providers beneficiaries may use, exemption from requirements that all Medicaid programs be operated throughout an entire state, or exemption from requirements that any benefit must be available to all classes of beneficiaries (which enables states to experiment with programs only available to special populations).

Waiver of Authorization: Under HIPAA, in limited circumstances, a researcher may obtain from the IRB a waiver of the requirement for patient authorization for the use or disclosure of protected health information. A waiver of authorization can be approved only if specific criteria have been met. See also Authorization.

Workers' Compensation: A state-mandated program providing insurance coverage for work-related injuries and disabilities. Several states have either enacted or are considering changes to the Workers' Compensation laws to allow employers to cover occupational injuries and illnesses within their own existing group medical plans. Some employers pay premiums to the state or to insurance companies for this coverage. Others are self-funded and use third-party case management or administrative services to manage the processes. See also Occupational Health.

[ X ]

XML (Extensible Markup Language): Used for defining data elements on a Web page and for communication between two business systems. Example: a standard messaging format for an EMR to integrate with other software such as a practice management system or a drug formulary database.


ANNEXURE V

1. The Aadhaar (UID) number is to be used as the Universal Patient Identifier. Since it is expected that this will take time to implement across the country, other ID proofs (PAN card, driving licence, voter ID card, etc.) will need to be accommodated until then.

2. Age is to be calculated automatically if the date of birth is entered/available; once a patient's age is available, all client systems must automatically "age" the patient. Where the date of birth is not available, the age is approximated on the assumption that the patient was born on 1 January of the year that the entered age points to. The record display must clearly show that this age is an approximation and that the patient may actually be up to one year older.

3. More than one reason for visit may be entered.

4. Menstrual history is available only if the chosen gender is female.

5. Both structured and unstructured data can be used wherever the data type is alphanumeric and the data length is 255+.

6. If necessary, the data type can be made longer wherever it is stated to be 255+.

7. The unit of measurement (UOM) of blood pressure (BP) is mmHg.

8. UOM of pulse rate is per minute.

9. UOM of temperature is degrees Celsius.

10. UOM of respiration rate is per minute.

11. UOM of weight is kilograms.

12. UOM of height is centimetres.

13. More than one diagnosis may be entered.

14. Wherever a list of values has been mentioned, the first is the default.

15-16. It must be ensured that no encounter number is arbitrarily assigned. The networking system will need to take care of this. Episode and encounter reconciliation through appropriate merging and demerging will need to take place. However, this is a design and development issue and out of scope for the Minimum Data Set (MDS) proposal.

17. In Family History, the fields should be (i) relative and (ii) disease. This is actually implicit, since the user can enter any of the three types and there is no bar to entering all types; this can appropriately be taken care of by system designers.

18. Immunisation history should be a child table with multiple entries allowed, with a list of values for each vaccine type and the dates administered, with current status (administered/not administered).

19. Allergies will be a list of values (drug generics, etc.) that would, in future, allow allergy alerts to be activated.

20. Clinical exam height: data storage should always be in centimetres in the database. However, the user module should allow entry in feet and inches, if desired, and should convert and store it in cm.

21. Diagnosis code should allow multiple entries per encounter record.

22. Sufficient redundancy must be built into the system to ensure no complete downtime in case of system failure due to any reason, including hardware, networking and power outages. Local records must be available 100% of the time.

23. Display all encounters from the first record till date, showing the following:

24. Reason for visit/diagnosis

25. Encounter date, time and location

26. Ability to view the encounter record details

27. Use SNOMED CT for all clinical terms/observations.

28. Use ICD-10 for all diagnoses (for statistical and epidemiological studies).

29. Use LOINC for all investigation observations.

30. Use secured XML as the file format for information exchange. (The report does not define "secured"; in practice the file must be protected in transit by encryption and its integrity assured, for example by a signature or hash, as Annexure VII also expects.)

31. The file will contain a header section that contains patient and observer ID/details and encounter date, time and location (ID/details).

32. The file will contain a body section that contains all other encounter-specific details.

33. Use the HCIT standards as relevant to India (please refer to the table below).

34. Conform to the Minimum Data Sets.

35. Must capture and display the following items:

a. Patient name, gender, age/DOB
b. Observer name
c. Date and time of visit
d. Problems/diagnosis list
e. Current medications
f. Active allergies
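The following is an added example and not code from the EMR Standards Committee report. It applies several of the Annexure V rules to a single encounter record: the age derived from the date of birth, including the 1 January approximation and the "approximate" flag when only an age is known (rule 2); height stored in centimetres however it was entered (rule 20); several ICD-10-coded diagnoses per encounter (rules 13, 21, 28); the XML file split into a header and a body (rules 30 to 32); and a check for the mandatory items of rule 35. The element and attribute names (<Encounter>, <Header>, <Body>, codeSystem, approximate) and the sample data are my own assumptions; the report only prescribes the header/body split, not a schema.

```python
"""Added example, not code from the EMR Standards Committee report. Applies
Annexure V rules 2, 13, 20, 21, 28, 30-32 and 35 to one encounter record.
Element and attribute names are illustrative assumptions, not a schema the
report defines."""
import datetime as dt
import xml.etree.ElementTree as ET


def approximate_dob(entered_age, entered_on):
    """Rule 2: only an age was entered, so assume birth on 1 January of the
    year the age points to. The true DOB lies somewhere in that year, so the
    patient may be up to one year older than the derived age suggests."""
    return dt.date(entered_on.year - entered_age, 1, 1)


def age_on(dob, today):
    """Rule 2: compute age from DOB at display time; never store a fixed age."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def height_cm(feet=0, inches=0.0, cm=None):
    """Rule 20: the UI may take feet and inches, the database keeps cm."""
    return round(cm if cm is not None else (feet * 12 + inches) * 2.54, 1)


# Rule 35: items every encounter record must capture and display.
REQUIRED = ("Header/Patient/PatientName", "Header/Patient/Gender",
            "Header/Patient/Age", "Header/Observer/ObserverName",
            "Header/Visit/DateTime", "Body/Diagnoses", "Body/Medications",
            "Body/Allergies")


def build_encounter(patient, observer, visit, diagnoses, medications, allergies, today):
    """Rules 31-32: the header carries patient/observer IDs and the encounter
    date, time and location; the body carries everything else."""
    root = ET.Element("Encounter")
    hdr = ET.SubElement(root, "Header")
    pt = ET.SubElement(hdr, "Patient", id=patient["id"], idType=patient["id_type"])
    ET.SubElement(pt, "PatientName").text = patient["name"]
    ET.SubElement(pt, "Gender").text = patient["gender"]
    dob = patient.get("dob")
    approximate = dob is None
    if approximate:
        dob = approximate_dob(patient["age"], visit["date"])
    flag = "true" if approximate else "false"     # the display must show this
    ET.SubElement(pt, "DOB", approximate=flag).text = dob.isoformat()
    ET.SubElement(pt, "Age", approximate=flag).text = str(age_on(dob, today))
    ob = ET.SubElement(hdr, "Observer", id=observer["id"])
    ET.SubElement(ob, "ObserverName").text = observer["name"]
    vs = ET.SubElement(hdr, "Visit", location=visit["location"])
    ET.SubElement(vs, "DateTime").text = visit["datetime"].isoformat(timespec="minutes")

    body = ET.SubElement(root, "Body")
    ET.SubElement(body, "Height", uom="cm").text = str(height_cm(**visit["height"]))
    dx = ET.SubElement(body, "Diagnoses")              # rules 13/21: many per encounter
    for code, text in diagnoses:
        ET.SubElement(dx, "Diagnosis", code=code, codeSystem="ICD-10").text = text  # rule 28
    meds = ET.SubElement(body, "Medications")
    for name in medications:
        ET.SubElement(meds, "Medication").text = name
    al = ET.SubElement(body, "Allergies")              # rule 19: generics, for future alerts
    for name in allergies:
        ET.SubElement(al, "Allergy").text = name
    return root


def validate_encounter(root):
    """Return the rule-35 items missing from a record (empty list means OK)."""
    return [path for path in REQUIRED if root.find(path) is None]


def to_xml(root):
    return ET.tostring(root, encoding="unicode")


def sample_encounter():
    """Constructed sample input (placeholder IDs, not real data). The patient
    gave only an age, so the header's DOB and Age are flagged approximate."""
    visit = {"date": dt.date(2012, 10, 15), "datetime": dt.datetime(2012, 10, 15, 9, 30),
             "location": "OPD-3", "height": {"feet": 5, "inches": 7}}
    patient = {"id": "0000 0000 0000", "id_type": "Aadhaar",   # placeholder, not a real UID
               "name": "Test Patient", "gender": "F", "age": 40}
    observer = {"id": "DOC-001", "name": "Dr Example"}
    return build_encounter(patient, observer, visit,
                           diagnoses=[("E11", "Type 2 diabetes mellitus"),
                                      ("I10", "Essential hypertension")],
                           medications=["metformin"], allergies=["penicillin"],
                           today=dt.date(2013, 10, 15))
```

Note that the age is recomputed from the stored DOB on every build, so a record built a year later for the same patient shows an age one year higher without any stored age field being edited; the `approximate="true"` flag stays with the record so the display can warn that the patient may be up to a year older.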


Annexure VI

Proposed Portable Health Record

As patients move around the healthcare system there is a need to carry essential information, to ensure quality healthcare, that gives their treating clinician basic information, viz. medical condition, drug/allergy information, etc. The proposal is a CCR (Continuity of Care Record) standard XML file, the format used by Google Health, containing demographics, insurance information, problem list/diagnoses, medications, allergies and alerts, vital signs, lab results, consultation reports, hospital discharge and operative reports, and test results (i.e. stress test, cardiac catheterization, relevant biochemistry and histopathology), kept current and accurate by the person's healthcare team (nurses, doctors and pharmacists), which includes the patient.


Annexure VII

Privacy and Security in the Meaningful Use Rule (as retrieved from http://www.hitechanswers.net/security-meaningful-use/)

Role of Security & Privacy in Meaningful Use: In general, HHS has specifically included encryption as a requirement for a Certified EHR system (...). The inclusion of encryption in meaningful use is indicative of the Federal government's recognition that encryption is a critical technology in securing protected health information (PHI). Certified EHRs must be able to provide the patient an electronic copy of their health information upon request. This information must be provided within 96 hours from the time the provider obtains the information, such as lab results. This patient information must be secured with at least a symmetric 128-bit fixed-block cipher capable of using 128-, 192- or 256-bit encryption keys, i.e. AES (FIPS 197). Certified EHRs must protect electronic health information by implementing controls and encryption such as:

- assigning a unique user name to each user;
- encrypting and decrypting health information for backups, removable media, etc.;
- event recording, such as deletion of records;
- an audit review log;
- a mechanism, based on a hash algorithm, to verify that health information has not been altered;
- recording disclosures made for treatment;
- ensuring identity management is in place.
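The following is an added example; it is not code from the report or from the hitechanswers page it quotes. It shows two of the listed controls in working form: an append-only audit log (record deletions, disclosures for treatment, record views) whose entries are chained with SHA-256 so that altering, deleting or reordering any entry is detectable at review time, and a keyed hash (HMAC-SHA256) over a stored record so that alteration of the health information itself is detectable. The class and function names, the event names and the sample events are my own assumptions.

```python
"""Added example, not from the report or the page it quotes. A hash-chained
audit log plus a keyed record fingerprint, covering the 'event recording',
'audit review log', 'hash algorithm' and 'record disclosures' items above.
Names and sample events are illustrative assumptions."""
import hashlib
import hmac
import json

GENESIS = "0" * 64          # the "previous hash" before the first entry


def _canonical(obj):
    """Stable byte encoding so the same entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Each entry's hash covers the previous entry's hash plus its own
    content, so deleting, altering or reordering an entry breaks the chain
    from that point on. The object only appends; review calls verify()."""

    def __init__(self):
        self.entries = []

    def record(self, when, user, action, record_id, detail=""):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "when": when, "user": user,
                 "action": action, "record_id": record_id, "detail": detail}
        entry["hash"] = hashlib.sha256(prev.encode() + _canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """(True, None) if the chain is intact, else (False, seq) for the
        first entry whose position or stored hash does not match."""
        prev = GENESIS
        for expected_seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            recomputed = hashlib.sha256(prev.encode() + _canonical(body)).hexdigest()
            if entry["seq"] != expected_seq or not hmac.compare_digest(recomputed, entry["hash"]):
                return False, expected_seq
            prev = entry["hash"]
        return True, None

    def disclosures(self, record_id):
        """Accounting of disclosures made for treatment for one record."""
        return [e for e in self.entries
                if e["record_id"] == record_id and e["action"] == "disclose_for_treatment"]


def record_fingerprint(record, key):
    """Keyed hash over a record's canonical form. The key must live outside
    the database: someone who can edit rows must not be able to recompute it."""
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


def unchanged(record, fingerprint, key):
    """True if the stored record still matches the fingerprint taken earlier."""
    return hmac.compare_digest(record_fingerprint(record, key), fingerprint)


def demo():
    """Constructed sample events (not real users or patients)."""
    log = AuditLog()
    log.record("2012-10-15T09:31", "dr.sen", "disclose_for_treatment", "P-42",
               "referral to cardiology")
    log.record("2012-10-15T10:02", "admin", "delete_record", "P-17",
               "duplicate registration")
    log.record("2012-10-15T10:05", "dr.sen", "view", "P-42")
    return log
```

A plain SHA-256 chain detects tampering but not a complete rewrite of the log by someone who holds the whole file; in production the tail hash is periodically copied somewhere the EHR's own administrators cannot alter (a write-once store or a separate log server), which is what turns detection into evidence.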


Annexure VIII HIPAA 45 CFR Part 142 Subpart C, Security and Electronic Signature Standards. See http://aspe.hhs.gov/admnsimp/nprm/sec13.htm

Note: "Part 142" is the numbering of the August 1998 proposed rule (NPRM) at that URL. The security standards were adopted in February 2003 at 45 CFR Part 164 Subpart C, whose matrix is reproduced after this table; the electronic signature standard (§ 142.310 below) was never adopted, so its items remain proposed requirements only.

Technical Security Services and Mechanisms, and Electronic Signature Requirements and Implementation Features

Columns of the original matrix: Category / Section; Req/Opt; Item (Definition); Rule Reference. Each entry below is given as Item (definition), followed by its rule reference.

Technical Security Services (for information in place)

Access Control
  requires:
    Procedure for Emergency Access (documented instructions for obtaining necessary information during a crisis)  § 142.308(c)(1)(i)(A)
  and one of:
    Context-based access control (an access control procedure based on the context of a transaction, as opposed to being based on attributes of the initiator or target)  § 142.308(c)(1)(i)(B)(1)
    Role-based access (an alternative to traditional access control models, e.g. discretionary or non-discretionary access control policies, that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization's structure and business activities. With RBAC, rather than attempting to map an organization's security policy to a relatively low-level set of technical controls, typically access control lists, each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role)  § 142.308(c)(1)(i)(B)(2)
    User-based access (a security mechanism used to grant users of a system access based upon the identity of the user)  § 142.308(c)(1)(i)(B)(3)
  and optionally:
    Encryption (transforming confidential plaintext into ciphertext to protect it. An encryption algorithm combines plaintext with other values called keys, or ciphers, so the data becomes unintelligible. Once encrypted, data can be stored or transmitted over unsecured lines. Decrypting data reverses the encryption algorithm process and makes the plaintext available for further processing)  § 142.308(c)(1)(i)(C)

Audit Controls
  which are:
    mechanisms employed to record and examine system activity  § 142.308(c)(1)(ii)(C)

Authorization Control
  requires one of:
    Role-based access (see above)  § 142.308(c)(1)(iii)(A)
    User-based access (see above)  § 142.308(c)(1)(iii)(B)

Data Authentication
  which is:
    the corroboration that data has not been altered or destroyed in an unauthorized manner. Examples of how data corroboration may be assured include the use of a checksum, double keying, a message authentication code, or a digital signature.  § 142.308(c)(1)(iv)(B)
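Of the mechanisms the definition lists, a checksum only catches accidental corruption: whoever can alter the record can recompute it. A message authentication code needs a secret key, so an alteration by anyone without the key is detected. The Go program below is an added illustration of that difference, not code from the NPRM or from this report; it also covers the "hash algorithm to ensure health information has not been altered" item of Annexure VII, since a plain hash stored next to the data has the same weakness as the checksum. The JSON record, the dosage edit and the key value are constructed for the example; in practice the key lives in a key store separate from the data it protects.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"hash/crc32"
)

// Constructed sample record, and the edit an intruder with write access to
// the data store might make (a tenfold change in dose).
const (
	originalRecord = `{"patient":"P-001","drug":"warfarin","dose_mg":5}`
	alteredRecord  = `{"patient":"P-001","drug":"warfarin","dose_mg":50}`
)

// Checksum is the CRC32 that file systems and transfer protocols use to
// catch accidental corruption. It needs no secret, so anyone can recompute
// it for any content.
func Checksum(data []byte) uint32 {
	return crc32.ChecksumIEEE(data)
}

// Tag computes an HMAC-SHA256 over the record under a secret key. Producing
// a valid tag for new content requires the key.
func Tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// VerifyTag compares in constant time so that the comparison itself does
// not leak how many leading bytes of a guessed tag were correct.
func VerifyTag(key, data, tag []byte) bool {
	return hmac.Equal(Tag(key, data), tag)
}

// Protect returns the integrity values stored alongside a record.
func Protect(key, record []byte) (uint32, []byte) {
	return Checksum(record), Tag(key, record)
}

// Verify reports, for a record read back from storage, whether the stored
// checksum and the stored HMAC each still match it.
func Verify(key, record []byte, storedCRC uint32, storedTag []byte) (crcOK, tagOK bool) {
	return Checksum(record) == storedCRC, VerifyTag(key, record, storedTag)
}

// Attack models the unauthorized modification. The intruder overwrites the
// record and recomputes the checksum, which is public knowledge; they cannot
// recompute the HMAC without the key, so they have to leave the old tag in
// place. The verifier then accepts the checksum and rejects the tag.
func Attack(key []byte) (crcOK, tagOK bool) {
	_, storedTag := Protect(key, []byte(originalRecord))
	storedRecord := []byte(alteredRecord) // intruder's replacement
	storedCRC := Checksum(storedRecord)   // recomputed by the intruder
	return Verify(key, storedRecord, storedCRC, storedTag)
}

func main() {
	key := []byte("constructed-32-byte-demo-key!!!!") // from a key store in practice
	crc, tag := Protect(key, []byte(originalRecord))
	crcOK, tagOK := Verify(key, []byte(originalRecord), crc, tag)
	fmt.Printf("genuine record: checksum ok=%v, hmac ok=%v\n", crcOK, tagOK)
	crcOK, tagOK = Attack(key)
	fmt.Printf("altered record: checksum ok=%v, hmac ok=%v\n", crcOK, tagOK)
}
```

A digital signature (the fourth mechanism in the definition) gives the same tamper detection without the verifier needing the secret key, which is what makes it suitable for records that leave the organisation.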

Entity Authentication
  requires (both):
    Automatic logoff (a security procedure that causes an electronic session to terminate after a predetermined time of inactivity, such as 15 minutes)  § 142.308(c)(1)(v)(A)
    Unique user identifier (a combination name/number assigned and maintained in security procedures for identifying and tracking individual user identity)  § 142.308(c)(1)(v)(B)
  and one of:
    Biometric identifier (an identification system that identifies a human from a measurement of a physical feature or repeatable action of the individual, for example hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characteristics, voice prints, and handwritten signature)  § 142.308(c)(1)(v)(C)(1)
    Password (confidential authentication information composed of a string of characters)  § 142.308(c)(1)(v)(C)(2)
    PIN (a number or code assigned to an individual and used to provide verification of identity)  § 142.308(c)(1)(v)(C)(3)
    Telephone Callback (a method of authenticating the identity of the receiver and sender of information through a series of "questions" and "answers" sent back and forth establishing the identity of each. For example, when the communicating systems exchange a series of identification codes as part of the initiation of a session to exchange information, or when a host computer disconnects the initial session before the authentication is complete and the host calls the user back to establish a session at a predetermined telephone number)  § 142.308(c)(1)(v)(C)(4)
    Token (a physical item necessary for user identification when used in the context of authentication. For example, an electronic device that can be inserted in a door or a computer system to obtain access)  § 142.308(c)(1)(v)(C)(5)

Technical Security Mechanisms (for information in transit)

Communications/Network Controls
  requires (both):
    Integrity Controls (a security mechanism employed to ensure the validity of the information being electronically transmitted or stored)  § 142.308(d)(1)(i)(A)
    Message Authentication (ensuring, typically with a message authentication code, that a message received, usually via a network, matches the message sent)  § 142.308(d)(1)(i)(B)
  and one of:
    Access Controls (protection of sensitive communications transmissions over open or private networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient)  § 142.308(d)(1)(i)(A)
    Encryption (see above)  § 142.308(d)(1)(i)(B)

  plus, if over an open network, requires (all of):
    Alarm (in communication systems, any device that can sense an abnormal condition within the system and provide, either locally or remotely, a signal indicating the presence of the abnormality. The signal may be in any desired form, ranging from a simple contact closure or opening to a time-phased automatic shutdown and restart cycle)  § 142.308(d)(2)(i)
    Audit Trail (the data collected and potentially used to facilitate a security audit)  § 142.308(d)(2)(ii)
    Entity Authentication (a communications or network mechanism to irrefutably identify authorized users, programs, and processes and to deny access to unauthorized users, programs, and processes)  § 142.308(d)(2)(iii)
    Event Reporting (a network message indicating operational irregularities in physical elements of a network, or a response to the occurrence of a significant task, typically the completion of a request for information)  § 142.308(d)(2)(iv)

Electronic Signature Standard
  requires (all of):
    Message Integrity (the assurance of unaltered transmission and receipt of a message from the sender to the intended recipient)  § 142.310(c)(1)
    Nonrepudiation (strong and substantial evidence of the identity of the signer of a message, and of message integrity, sufficient to prevent a party from successfully denying the origin, submission, or delivery of the message and the integrity of its contents)  § 142.310(c)(2)
    User Authentication (the provision of assurance of the claimed identity of an entity)  § 142.310(c)(3)
  and optionally includes (all, some, or none of):
    Ability to Add Attributes (one possible capability of a digital signature technology; for example, the ability to add a time stamp as part of a digital signature)  § 142.310(d)(1)
    Continuity of Signature Capability (the concept that the public verification of a signature must not compromise the ability of the signer to apply additional secure signatures at a later date)  § 142.310(d)(2)
    Countersignatures (the capability to prove the order of application of signatures. This is analogous to the normal business practice of countersignatures, where a party signs a document that has already been signed by another party)  § 142.310(d)(3)
    Independent Verifiability (the capability to verify the signature without the cooperation of the signer)  § 142.310(d)(4)
    Interoperability (the applications used on either side of a communication, between trading partners and/or between internal components of an entity, are able to read and correctly interpret the information communicated from one to the other)  § 142.310(d)(5)
    Multiple Signatures (with this feature, multiple parties are able to sign a document. Conceptually, multiple signatures are simply appended to the document)  § 142.310(d)(6)
    Transportability (the ability of a signed document to be transported over an insecure network to another system, while maintaining the integrity of the document, including content, signatures, signature attributes, and, if present, document attributes)  § 142.310(d)(7)
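The optional features of § 142.310(d) are easier to see in code. The Go program below is an added example, not code from the NPRM or from this report, using Ed25519 signatures. Each signature carries a timestamp attribute; each signature commits to every signature already on the document, so a later signature is a countersignature and the order of application is provable; several parties sign by appending; a verifier needs only the document and the public keys it carries (independent verifiability); verification never touches a private key, so it does not impair the signer's ability to sign again (continuity); and the signed document survives a JSON round trip unchanged (transportability). The discharge-summary text, the signer names, the timestamps and the practice of embedding the raw public key are assumptions made for the example; a deployment would bind the key to the signer through a certificate, and the format shown is not any standard's interchange format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"time"
)

// Signature is one entry in a document's signature list. The public key is
// carried inline so that a verifier needs nothing from the signer (an
// assumption for this example; a deployment would use a certificate).
type Signature struct {
	Signer    string `json:"signer"`
	PublicKey []byte `json:"public_key"`
	Timestamp string `json:"timestamp"` // signature attribute, RFC 3339
	Sig       []byte `json:"sig"`
}

// SignedDocument is the transportable unit: content plus all signatures.
type SignedDocument struct {
	Content    []byte      `json:"content"`
	Signatures []Signature `json:"signatures"`
}

// signingInput is what signature number i commits to: the content, the
// signer, the timestamp attribute and the raw bytes of signatures 0..i-1.
// Length prefixes keep the fields from running into each other.
func signingInput(doc *SignedDocument, i int, signer, ts string) []byte {
	var buf []byte
	add := func(b []byte) {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(b)))
		buf = append(append(buf, n[:]...), b...)
	}
	add(doc.Content)
	add([]byte(signer))
	add([]byte(ts))
	for _, s := range doc.Signatures[:i] {
		add(s.Sig)
	}
	return buf
}

// Sign appends a signature. Because the input covers every signature already
// present, the new one countersigns them: reordering or removing an earlier
// signature invalidates this one, so the order of application is provable.
// Several parties sign by calling Sign in turn.
func Sign(doc *SignedDocument, signer string, priv ed25519.PrivateKey, at time.Time) {
	ts := at.UTC().Format(time.RFC3339)
	i := len(doc.Signatures)
	doc.Signatures = append(doc.Signatures, Signature{
		Signer:    signer,
		PublicKey: []byte(priv.Public().(ed25519.PublicKey)),
		Timestamp: ts,
		Sig:       ed25519.Sign(priv, signingInput(doc, i, signer, ts)),
	})
}

// Verify checks every signature in order using only what the document
// carries (independent verifiability), so it works after transport.
func Verify(doc *SignedDocument) error {
	for i, s := range doc.Signatures {
		if len(s.PublicKey) != ed25519.PublicKeySize {
			return fmt.Errorf("signature %d: malformed public key", i)
		}
		input := signingInput(doc, i, s.Signer, s.Timestamp)
		if !ed25519.Verify(ed25519.PublicKey(s.PublicKey), input, s.Sig) {
			return fmt.Errorf("signature %d by %s does not verify", i, s.Signer)
		}
	}
	return nil
}

// Transport serialises the document to JSON and parses it back, as happens
// when it crosses an insecure network, and returns the reconstructed copy.
func Transport(doc *SignedDocument) (*SignedDocument, error) {
	raw, err := json.Marshal(doc)
	if err != nil {
		return nil, err
	}
	out := &SignedDocument{}
	return out, json.Unmarshal(raw, out)
}

// Scenario: a constructed discharge summary signed by the attending doctor,
// countersigned by the department head, then transported.
func Scenario() (*SignedDocument, error) {
	_, attending, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, head, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	doc := &SignedDocument{Content: []byte("Discharge summary for patient P-001: ...")}
	Sign(doc, "dr.attending", attending, time.Date(2012, 10, 1, 9, 0, 0, 0, time.UTC))
	Sign(doc, "dept.head", head, time.Date(2012, 10, 1, 11, 30, 0, 0, time.UTC))
	return Transport(doc)
}
```

Because the timestamp is part of the signed input, it is an attribute in the sense of § 142.310(d)(1): changing it after the fact breaks the signature. Nonrepudiation in the legal sense still depends on how the public key was bound to the signer, which this example leaves as an assumption.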


45 CFR Part 164, Appendix A to Subpart C: Security Standards: Matrix
(Title 45, Public Welfare; Subtitle A, Department of Health and Human Services; Subchapter C, Administrative Data Standards and Related Requirements; Part 164, Security and Privacy; Subpart C, Security Standards for the Protection of Electronic Protected Health Information. CFR edition of 2010-10-01, Volume 1.)

Layout: Standard, Section, Implementation Specifications. (R) = Required, (A) = Addressable.

Administrative Safeguards

  Security Management Process  164.308(a)(1)
    Risk Analysis (R)
    Risk Management (R)
    Sanction Policy (R)
    Information System Activity Review (R)
  Assigned Security Responsibility  164.308(a)(2)  (R)
  Workforce Security  164.308(a)(3)
    Authorization and/or Supervision (A)
    Workforce Clearance Procedure (A)
    Termination Procedures (A)
  Information Access Management  164.308(a)(4)
    Isolating Health Care Clearinghouse Function (R)
    Access Authorization (A)
    Access Establishment and Modification (A)
  Security Awareness and Training  164.308(a)(5)
    Security Reminders (A)
    Protection from Malicious Software (A)
    Log-in Monitoring (A)
    Password Management (A)
  Security Incident Procedures  164.308(a)(6)
    Response and Reporting (R)
  Contingency Plan  164.308(a)(7)
    Data Backup Plan (R)
    Disaster Recovery Plan (R)
    Emergency Mode Operation Plan (R)
    Testing and Revision Procedure (A)
    Applications and Data Criticality Analysis (A)
  Evaluation  164.308(a)(8)  (R)
  Business Associate Contracts and Other Arrangements  164.308(b)(1)
    Written Contract or Other Arrangement (R)

Physical Safeguards

  Facility Access Controls  164.310(a)(1)
    Contingency Operations (A)
    Facility Security Plan (A)
    Access Control and Validation Procedures (A)
    Maintenance Records (A)
  Workstation Use  164.310(b)  (R)
  Workstation Security  164.310(c)  (R)
  Device and Media Controls  164.310(d)(1)
    Disposal (R)
    Media Re-use (R)
    Accountability (A)
    Data Backup and Storage (A)

Technical Safeguards (see § 164.312)

  Access Control  164.312(a)(1)
    Unique User Identification (R)
    Emergency Access Procedure (R)
    Automatic Logoff (A)
    Encryption and Decryption (A)
  Audit Controls  164.312(b)  (R)
  Integrity  164.312(c)(1)
    Mechanism to Authenticate Electronic Protected Health Information (A)
  Person or Entity Authentication  164.312(d)  (R)
  Transmission Security  164.312(e)(1)
    Integrity Controls (A)
    Encryption (A)

Source: http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/xml/CFR-2010-title45-vol1-part164-subpartC-appA.xml