Corrections Be Date- and Time-Stamped?

¶ … corrections be date- and time-Stamped?

Because medical records are becoming more and more digitized, corrections can be entered and altered at any time. According to AMA guidelines any changes to a patient's medical record should follow strict protocol. Authorized personnel may be the only persons allowed to make changes and these changes are to be date and time stamped, as well as marked with the identification of the individual making the changes. As to whether this should be done, I believe the answer is yes. Because patient files are no longer thick file folders filled with handwritten notes that can concretely show changes to a record by a physician, there needs to be some equivalent in digitized files. Putting in authorization fail safes as well as requiring a date and time stamp can help to keep a patient's history from being maliciously tampered with.

When should the patient be advised of the existence of computerized databases containing medical information about the patient?

The time spent with a physician can be an incredibly vulnerable time for a patient and as such it requires immense trust and confidentiality. In fact, the doctor-patient confidentiality concept is what allows patients to feel as though they can share anything with their doctor. When it comes to records, many patients have a belief that their histories will only be viewed by their physicians and any relevant third parties, but this view is an assumption on the patient's part. Looking into a concrete file can be easily done by someone in a medical office or hospital. With the advent of computerization, histories can be easily lumped together to create databases and according to the AMA, patients should absolutely be advised of these databases containing their medical information.

The time that the patient should be advised is prior to any release of the information by their attending physician and they should also be advised of any parties, no matter how remote, that could be privy to their information. Full disclosure is needed to acquire the consent of the patient to a particular treatment and depending on the degree of sensitivity in regards to the data - an appropriate level of security is assigned to the file in question. These safeguards and communication between physician and patient create a more open and trusting dialog.

3. When should the patient be notified of purging of archaic or inaccurate information?

Adding information to a patient's digitized file can sometimes result in mistakes. In regards to the purging of archaic and/or inaccurate information within a computerized database, the patient should be informed before and after the purging has taken place. Measures in place to stop the occurrence of misinformation include the stipulation that physician maintained computerized records should never be mixed with other clients within a computer service bureau and that procedures must be in place to prevent the inadvertent mixing of reports in the first place. Creating these policies is imperative to establishing the legitimacy of having digitized patient files.

4. When should the computerized medical database be online to the computer terminal?

With patient records being computerized and maintained in large electronic databases, the question exists as to when any records should be available at a particular terminal. In other words, should the database be available and online at any time? According to the AMA, the answer is no. Medical databases should only be available when an authorized program requires data. Restricting the time that the database is available will contribute to the restriction of access, and contribute to the retention of patient privacy.

5. When the computer service bureau destroys or erases records, should the erasure be verified by the bureau to the physician?

Digital data can seem ephemeral with the ways in which it can be altered and destroyed. Because of this ease of manipulation there are many security safeguards in place in conjunction with specific policies. When a computer service bureau either erases or destroys records, there are procedures in place to notify a physician. If the service's relationship with the physician is terminated, all computer files must be physically given back to the physician who supplied them. The destruction/erasure of records can only be done if a physician has their own copy of the information. Any routine or needed file erasure must be verified in writing to the physician. Constant communication and checking-in between a physician and computer service bureau is essential to maintaining transparency.

6. Should individuals and organizations with access to the databases be identified to the patient?

Computerized databases can have a myriad of people with access to them, and as such should be included in any disclosures to the patient in regards to inclusion within a database. In fact the AMA specifically states that, "All individuals and organizations with some form of access to the computerized data bases, and the level of access permitted, should be specifically identified in advance" (AMA 5.07). Without these notifications there is no full disclosure and the patient cannot consent to a given treatment. If any data will be distributed that retains patient identifiable characteristics, both the physician and patient most be notified in advance. Only after notification is given and a patient has consented to the distribution, can the computer service bureau release reports to any organizations that are outside of the care environment. Everyone that could have access to a patient's information must be made clear to a patient so that they have the express say in the dissemination of any information that is in regards to themselves. This gives an unprecedented control to the patient in reference to information that refers to them specifically.

7. Does the AMA mention encryption as a technique for security? Define encryption and explain any methods mentioned.