Not so long ago, defining the “medical record” was simple. It was the paper chart—volume upon volume that captured the serial, dutifully recorded events of a person’s health care at a hospital or physician’s office. Entries were typically handwritten, dated and timed, and signed in ink with title (i.e., authenticated). Errors were easily identified by an authenticated strike-through. Similarly, the paper chart was synonymous with the legal medical record (LMR). In other words, a patient’s paper chart was that patient’s LMR by definition, even if critical data was omitted or irrelevant data was included.
Fast-forward to 2021 and the use of technology for capturing the record of a patient’s care. Technology has brought new challenges as well as successes. For example, pervasive and persistent mythologies include that 1) a patient’s electronic health record (EHR) is the LMR, and 2) patient-specific EHR printouts to paper or disc—or displays on monitors—are necessarily equivalents to the paper chart of the 1980s. Neither are true. We now must define at the outset what is included in the LMR/designated record set to ensure the accuracy of what is retained and released.
For leaders in health information management (HIM), the mission of protecting the integrity of the information within the medical record, as well as ensuring accessibility and availability, is frequently challenged by competing priorities. In fact, the electronic system technologies that are embraced to solve many of the historic HIM issues have other layers of complexity. These include 1) quality-of-care alerts and explanations; 2) layers of data and other information that are needed for regulatory or reimbursement purposes; and 3) information not specifically related to care, intrinsic to the technology itself, and records of system settings and changes. How can an organization address potentially competing priorities within a framework that accurately conveys the patient’s story? How can an organization ensure that the preserved record of care meets current and future legal requirements? The 2011 AHIMA brief titled “Fundamentals of the Legal Health Record and Designated Records Set” has served as the guide for health information professionals as well as those in legal and compliance.1 The current challenge is to continue to build on this framework to meet the ever-expanding complexities in HIM.
“To be or not to be” became the catchphrase at our academic medical center (AMC) when the journey to redefine the legal medical record (LMR) and designated record set (DRS) began. This phrase was used on an almost daily basis as part of the “deep dives” into the complexities of business relationships in healthcare and the subsequent accumulation of data in the Electronic Patient DataStore (EPDS). According to the Health Insurance Portability and Accountability Act of 1996 (HIPAA),2 personal health information must be secured to protect patient privacy while preserving the integrity of the information as a record of the patient’s care. In South Carolina, state law does not provide definitive guidance, giving only a broad definition of the “medical record” or DRS in the context of preservation.3 Is the goal to preserve for legal and compliance use? Or as a business record? Beyond the basic guidelines, the specifics of how each organization defines the components of the record is institutionally determined, reflecting critical details in institutional policy and procedures.
For many people, all information contained in the electronic health record (EHR) is synonymous with “medical record” or even “legal medical record.” This is an erroneous concept in today’s electronic world of bits and bytes. Rather, the EHR is a “datastore” for each patient—a set of patient-specific data elements. Most are collected through the course of care, but some are data from other organizations—only some of which is relevant to the patient’s current care. Other elements are software system data, and while patient-specific, are utilized only to ensure proper system function. During the struggle at our AMC to more clearly understand the complexities of the EHR, the initial focus was to address what data “fit” the LMR and DRS definitions.
Given the complexities introduced by the competition between the free flow of information in an electronic record and the need to segregate certain elements of this record from the legal medical record, a stakeholder task force was created. This group consisted of representation from 1) health information services (medical records); 2) the information medical director group; 3) the chief medical information officer; 4) the chief research information officer; 5) the university, practice plan, and hospital compliance offices; 6) the office of general counsel; 7) the Institutional Review Board; 8) the clinical and translational research award regulatory knowledge and support core; 9) the provost’s office; 10) radiology; and 11) pathology. Use cases were contributed by members based on actual cases encountered during the transition to an integrated electronic record or hypothetical cases. Each record type was designated to (a) records set(s) based on discussions and input from stakeholders. The task force made consensus recommendations, with final approval coming from the compliance offices and general counsel. Use cases were also presented at national health record and health informatics meetings to receive input from stakeholders at other institutions.
Types of Patient Information Within the Electronic Patient DataStore (EPDS)
The Designated Record Set and Legal Medical Record
The DRS is defined by HIPAA in 45 CFR 164.5014 as “a group of records maintained by or for a covered entity …” The LMR is further described by AHIMA as “generated at or for a healthcare organization as its business record and is the record that would be released upon request … and is a subset of the entire patient database.”5 The state of South Carolina specifies the minimal elements to be included in the DRS; these are listed in Table 1.6
Our AMC policy defines the LMR as the primary documentation of direct patient care provided by the organization in its own health care facilities. “Facilities” includes modalities such as telehealth and provider and patient web portals, as well data collected using mobile applications. Meanwhile, the DRS includes all elements of the LMR in addition to supporting documentation. For example, a patient’s legal medical record may include the summary of findings from a recent endoscopy. The DRS may also include an expanded version of the documentation—the summary of findings and also images from the procedure. In this example, the endoscopy equipment is considered a “source system”; its PHI is secured and accessible as required by HIPAA and is maintained in alignment with the record retention policies of the organization.
The other major type of patient information contained within the EPDS is termed “Other Patient-Specific Information” (OPSI).
Other Patient Specific Information (OPSI)
OPSI is a large and diverse set of information found within the EHR that does not meet the definition of the LMR nor the DRS. We termed this OPSI, which is a subset of the EPDS and is defined as information potentially related to the patient’s current health. Our AMC OPSI includes but is not limited to:
- Never finalized or temporary patient information (e.g., original/ unsigned transcription, pended orders, or notes never utilized for care)
- Best practice alerts for medication dosing and other guidelines or references stored within the electronic health system
- Aggregated patient information such as quality improvement and population management reports
- Nursing worklists and provider handoff communications (e.g., Kardex®, which is discarded after patient discharge)
- Psychotherapy notes, which, in accordance with HIPAA, are not a part of the LMR/DRS. While certainly OPSI, psychotherapy notes may be within the EPDS (or not) and have entirely separate security and access protocols.
As the complexities surrounding the EHR continued to evolve, our AMC developed a visual to aid in the understanding—a framework—which is shown in Figure 1. In the beginning, the framework portrayed a simple concept, the larger circle of the DRS with the smaller LMR circle contained within. This clarification of the relationship between the DRS and LMR and OPSI also informed HIM policy, especially about the release of information (ROI) and retention of PHI.
Results: Derivative Foundations for Institutional Policies and Procedures Using This Framework
- All care provided directly to patients at the institution’s care locations, including via electronic portal and remote devices, must be appropriately documented within specific time frames established in policy within the electronic health record, if available.
- Every piece of patient data is classifiable as one of the patient data type (i.e., LMR (within the DRS), DRS or OPSI).
- Our AMC recognizes that some elements of a patient’s DRS (including LMR) might not originate within the AMC EPDS. Nevertheless, by policy, such information must be transferred to the EPDS as soon as practicable, so that the information is accessible to patients, providers, and other authorized persons. Meanwhile, there is no requirement that OPSI be included in the EPDS.
- Patient healthcare data that is received from external, unaffiliated sources are automatically considered OPSI. This includes, for example, unsolicited patient data that may be available electronically via “interoperability” mechanisms. A member of the medical staff may designate any external data element for inclusion in the AMC DRS, as indirectly supportive of care.
- Clinical research data that is or impacts current clinical care is a part of the LMR/DRS. The research principal investigator, with advice from clinical partners and with oversight from the Institutional Review Board (IRB), determines what research data within a given study meets this criterion. All clinical research data is governed by applicable federal and state law, including potential “certificates of confidentiality.”
- All patient data within the EPDS, in all classes, may be discoverable except: 1) LMR/DRS information protected by a clinical research certificate of confidentiality; and 2) any psychotherapy notes. Note, however, that law, regulation, and institutional policy allow data in specific classes of specific “age” to be removed from the EPDS.
- All LMR/DRS data must be authenticated and maintained in congruence with applicable state and federal laws and organizational policies.
- Documentation that is never finalized in the EHR, such as pended orders and notes, is OPSI. Organizational policy will dictate whether this is retained or expunged after the care encounter is closed.
- Quality of care initiatives and reports is OPSI, are protected by law, in South Carolina. See S.C. Code Ann. 40-71-10-20 (the Peer Review Statues) and S.C. Code 44-7-392 (2012), the Patient Safety Quality and Improvement Act of 2005, 42 U.S.C. 299, and the Patient Safety and Quality Improvement Final Rule, 42 CFR Part 3.
Results: Use Cases for the EPDS Framework
The use cases below are identified in Figure 2.
HIPAA makes clear that psychotherapy notes, defined as below, are not a part of the LMR or DRS.
Psychotherapy notes are defined as those notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.7
In our AMC model, psychotherapy notes are classified as other patient-specific information. These notes are almost always contained within the EPDS but managed with strict privacy and security controls in accordance with HIPAA and, by policy, are accessible only to the authoring therapist and to hospital counsel in emergencies unless there is specific patient consent.
External, “Unauthorized” Patient Information
Like most large academic medical centers, our AMC has struggled with the volume of outside patient information that comes into the organization, including that which appears “automatically” from unaffiliated organizations using EHRs. Some organizations readily accept these outside records as part of their organizational DRS. Our AMC regards this practice as dangerous because 1) the accuracy and relevance of the external information to our care is often questionable; 2) the external information may not be complete and up to date; 3) the time and effort required to review all information is often overwhelming; and 4) an automatic inclusion into our DRS could be viewed as an assumption of liability for all content.
Therefore, using our AMC model, this outside information falls into the OPSI category. The best example in this category is patient records that are unsolicited and come from an external source. Easily recognized as an example of OPSI are the large amounts of patient data that may include years of history, notes, and test results, most of which are not pertinent to the current care of the patient. Our AMC policy requires the receiving provider to “designate” which pieces of external documentation, if any, are to be included in the DRS, as supportive of the clinical care our AMC provides.
Although CMS has no jurisdiction in defining the LMR/DRS, many AMCs have prohibited student documentation in the EHR due to complex CMS billing language and concerns regarding documentation in the record by non-licensed trainees. This negatively impacted student interaction with preceptors and was detrimental to student learning since students were not learning how to document care in the electronic health record.
In 2012, the Alliance for Clinical Education (ACE)8 published a statement recommending that students have the opportunity to document in the EHR. AMCs took different approaches in addressing this educational need. For example, some schools created a mirror version of the EHR for students to practice documentation and decision-making.
At our AMC, a multidisciplinary committee was convened in 2017 to discuss how to improve the student learning experience while maintaining quality of care. The key factors were the framework presented here, and the realization that the EHR is not equivalent to the LMR/DRS. A student note could, in fact, exist within the EHR but by definition not officially be part of the DRS/LMR. As a result, students gained full access to their patients’ records, could pend orders for licensed provider review and approval, and create OPSI notes distinguished by an automatic header of “for training purposes only.” Student notes were filed to a separate tab within the EHR.
In January of 2018, CMS amended its regulations,9 which became effective March 2018 and allowed medical student documents as support for professional billing. The caveat is the presence of the resident or attending physician, with the latter personally performing key elements of the service. The final element is authentication of the student note by the resident or attending.
Subsequently, EHR functionality at our AMC was modified to allow the teaching physician to addend a student note. Again, congruent with our AMC’s medical record framework, the original student note remains in the EPDS as OPSI, while the addended (potentially greatly edited) note authenticated by the attending physician is LMR. This change allowed medical students to take a more active role in the visit. Meanwhile, teaching physicians are focused on a review of the student documentation for training purposes and also can incorporate portions of the student note into their own notes. This improves student education, makes note authentication more timely and less burdensome, and reduces documentation time for the attending.10
Starting in 2019, CMS further loosened regulations in a continuing effort to reduce physician burnout. The new regulations allow the physician to use the notes of a nurse, resident, or medical student as long as the physician was present and observed the care or provided the care that is documented. In addition, if one of the care team attests to the teaching physician’s presence, then the workflow required by the physician is simplified to require only a review and approval of the documentation noted by a signature. Starting in 2020, Medicare allowed billing physicians, advanced practice nurses (ARPNs), physician’s assistants (PAs), and therapists to use the documentation of other physicians, APRNs, PAs, therapists, as well as nurses and students in medical, PA, or APRN programs. The billing clinicians must review and verify that the documentation is an accurate reflection of the service the billing clinician personally provided or observed.11
Clinical Research Data
Research is another domain of documentation that can potentially impact an organization’s EHR. The important distinction defined by our institution is that research documentation becomes part of the LMR if it is pertinent to clinical care. At a minimum, pertinent records include problems, medications, and allergies. Laboratory results obtained as part of clinical research but pertinent to medical care would be included in the LMR unless otherwise prohibited. Our AMC model for defining the medical record (Figure 1) illustrates the complexity of information in a research study. Some aspects of the documentation may be LMR, some DRS, and some OPSI, depending on the organizational policies. Conceptually, if the patient is part of a confidential study, the same patient could have two distinct MRNs, with the non-research medical record containing no link or identifying information related to the confidential study. If a certificate of confidentiality and an IRB-approved consent dictate that certain LMR information not be included in the medical record, then our AHC decided to document information pertinent to care with such an alias record. The confidential study LMR/DRS could have study-specific information such as medications or problems that are related to direct patient care but without identifiers. The patient alone has the option to reveal the alias from the de-identified record to care givers if they wish.
Occupational Health Records (OHR)
Healthcare organizations are often contracted to provide occupational health services to local employers. Such services may either by documented within an OHR that is owned by the employer or in the context of occupational health visits within the LMR of a contracting healthcare organization.12 This distinction is critical. The latter follows usual direct patient care documentation and HIPAA regulations, with the twist that certain data elements are automatically available to the employer, who also pays for work-related care and health evaluations. However, an employer owned OHR is governed by OSHA; if this occupational data is maintained within the EPDS of a contracting health care entity such as our AMC, it must be kept separate from the same individual’s LMR/DRS by that provider, with different rules for information access.13
The use cases described in the results section illustrate the utility of the EPDS framework. Its utility is discussed below as legal/compliance guidance as well as clinical value.
The clinical goal of the EPDS framework is to underpin the accessibility of all care-relevant information to the care team (including the patient) as decisions are made about the patient’s ongoing healthcare. The converse is also critical: to avoid “flooding” providers with patient data that is inaccurate and/or irrelevant to current care. That is the challenge of interoperability, whether for sharing data with our colleague down the hall about today’s outpatient visit, or with an unaffiliated provider, distant in space and time.
However, today, interoperability of healthcare data is mandated by federal law (e.g., the 21st Century Cures Act), and both EHR vendors and healthcare organizations and providers are prohibited from interference. Interoperability means sharing patient data between data systems, often via a portal or link. In more developed systems, external data may be viewable within the EHR of a partnering facility, ideally notated so that the originating facility and other metadata might be available. Sharing certain data types (e.g., problems, medications, allergies) is required and supported by the use of mandated vocabularies within EHRs, including SNOMED and RxNORM.
The vast and increasing amount of patient healthcare data in the electronic age has produced new questions about cost, meaningful access, long-term storage, and liability of patient information. Legal teams are struggling with the very real challenge of e-discovery. What PHI must be maintained for the purpose of patient care and legal requirements, and what data in the system is not needed? The challenge for each organization is to define clearly in policy and procedures the organizational goals regarding the maintenance, storage, and destruction of OPSI.
Defining the components of the legal medical record and the designated record set on an organizational level are clearly only the tip of the iceberg. Introduction of EHRs, thought to be the panacea for health information management, has brought additional layers of complexity. The introduction of electronic technology has allowed the capture of copious amounts of data for a patient’s record, but what continues to be a challenge is the ability to segregate data elements based on policy definitions. As work progresses in the standardization of important policy, hopefully technology can prove once again to be critically adjunctive in this complex equation.
We suggest that our AMC framework presented here outlining the relationships between the LMR, DRS, and EHR can inform similar work in policy and operations by other organizations.
We are particularly grateful for the many discussions on these topics with our AMC informatics medical directors and Chris Kindt, nurse informaticist; the HIM managers; the entire Health Information Management Committee, chaired by Dr. Baron Short; our AMC Clinical Information Systems Interoperability Subcommittee, co-chaired by Dr. Jimmy McElligott and facilitated by Tasia Walsh; former CNIO Kay Burke; our AMC legal and compliance teams including Kelly Shaw and Nancy Pope; Carol Courvoisie; and leaders of our AMC EPIC program team, including Melissa Forinash, Kelly Garrison, Peggy Jenny, and Rose Rodriguez.
1. AHIMA. “Fundamentals of the Legal Health Record and Designated Record Set.” Journal of AHIMA 82, no.2 (February 2011).
2. Health Human Services. Health Insurance Portability Act of 1996 (HIPAA). Public Law 104-191, HHS.gov.
3. South Carolina Code of Laws. 44-115-15, 44-7-110 through 44-7-394, 44-37-40, 44-37-50, and 637-40.
4. Health Human Services.
6. South Carolina Code of Laws
7. Centers for Medicare and Medicaid Services, Department of Health and Human Services. Title 42-Public Health. Chapter IV, Subchapter G-Standards and Certification. Part 482-Conditions of Participation for Hospitals, Subpart C-Basic Hospital Functions. Section 482.24-Condition of Participation: Medical Record Services. http://cfr.vlex.com/vid/482-condition-participation-record-19811382#ixzz13345288z.
8. Medicare Student Documentation Regulations: CMS Claims Processing Manual Pub. 100-04, Chapter 12, Section 100.1.1, B.
10. Kathleen Wittels, MD, Joshua Wallenstein, MD, Rahul Patwari, MD, and Sundip Patel, MD.”Medical Student Documentation in the Electronic Record: Patterns of Use and Barriers,” West J Emerg Med 2017, 18(1), 133-136.6.
11. Medicare Student Documentation Regulations.
12. Health Human Services.
13. Occupational Safety and Health Administration. www.osha.gov.
Phyllis T. Floyd, RN, BSN, MBA, NE-BC, (firstname.lastname@example.org) is a retired HIM director at the Medical University of South Carolina.
Jim C. Oates, MD, (email@example.com) is a professor of medicine, the director of the Division of Rheumatology and Immunology, and the vice chair for research at the Medical University of South Carolina.
Julie W. Acker (firstname.lastname@example.org) is a retired senior director of compliance at the Medical University of South Carolina.
Robert W. Warren, MD, PhD, MPH, (email@example.com) is a professor emeritus and retired CMIO at the Medical University of South Carolina.