My HIM career began like many others?in frank conversation with a high school guidance counselor regarding career direction. I wanted to pursue a career in healthcare, but wasn't interested in direct patient care. Focused exploration led me to discover a degree in health information technology at my local college. Now, 30 years later, I'm celebrating a long and successful HIM career.
This column is devoted to restraint and seclusion documentation; it provides support for, and a tool for, 100% review of patients in restraints and/or seclusion.
The Joint Commission and CMS have a common goal of reducing the use of restraints and seclusion in hospitals. Hospitals have come a long way in meeting this goal, and requirements for improvement (RFI) usually are received because of poor documentation in the medical record. Generally, recommendations result from lack of physician orders, physicians not seeing patients on-site, incomplete orders as to the reason for restraints and/or seclusion, and care plans not including the goal to remove patients from restraints and/or seclusion.
Often during surveys, there will be no patients in restraints or seclusion and the surveyors will ask for closed records to review. Once the medical record is closed, little can be done to correct documentation. Therefore, a solid open record review is essential to avoid recommendations.
A process for reviews
Review of open records of patients in restraints and/or seclusion can be performed in several ways. Of utmost importance is the development of a method to identify patients in restraints and seclusion on a daily basis, and to review new and recurring patients until they are discharged. For example:
1.Nurses, clinical documentation specialists, and tracer teams (plus others?) can review medical records each day to ensure documentation compliance
2.If the hospital has an EMR, HIM staff can review open records online to identify discrepancies in documentation and report back to each unit
3.HIM and IT staff can collaborate to develop a method of importing information directly from the EMR to identify documentation errors
Any of these methods should eliminate errors as long as they are corrected as soon as possible before patients are discharged.
Q: I am a certified case manager working in an acute care hospital. As part of our job requirements, when working in the emergency room (ER), we are asked to problem solve throughout the day. We often get requests for information on patients seen in the ER who have since been discharged.
Discharge planning has long been a challenge for organizations, but proposed revisions to Medicare'sConditions of Participation announced in November 2015 may make the process even more difficult.
Creating and conducting an organizationwide risk analysis: Part 2
Editor's note: This is part two of a series about implementing an organizationwide risk analysis. See the May 2016 issue of BOH for part one.
Performing a regular organizationwide risk analysis is a basic HIPAA requirement and also simply good business practice. Beyond checking off an item on the HIPAA compliance list, a risk analysis will help an organization identify and rank security weaknesses, efficiently use resources to address them, and ultimately protect the security and integrity of an organization's data, including PHI, financial, and business operations information. Yet in a world of competing demands and limited resources, a risk analysis may be put off until it's too late. Even if one is completed, security officers may encounter obstacles when trying to act on the results of the risk analysis.
The purpose of a risk analysis is to develop a strategic plan of action that addresses and corrects vulnerabilities, and shouldn't be used to simply create a report on the current state of security, says Kate Borten, CISSP, CISM, HCISPP, founder of The Marblehead Group in Marblehead, Massachusetts. "Only when an organization performs periodic and as-needed risk assessments, and then mitigates significant risks, can the ISO [information security officer] and leadership have the confidence that their security program is functioning and adequate," she says.
A risk analysis is one of several activities that is part of a risk management program, says Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP, manager of risk advisory and forensic services at Wipfli, LLP, in Eau Claire, Wisconsin. The risk management program is about managing risks to the organization (i.e., business mission, image, reputation, and patient safety and privacy), organizational assets, and workforce. An organization can't mitigate risks it isn't aware of and doesn't understand.
Risks are first identified, then analyzed and evaluated based on what action is needed, Ensenbach says. They also must be monitored on an ongoing basis, a vital step that if missed can undermine an otherwise solid risk management program.
Information systems activity review is a fancy way of saying you need to monitor your network and your applications including who is looking at and manipulating your patient information. That can be an expensive, or even almost impossible, proposition when it comes to regular monitoring of access to patient information stored in electronic health records (EHR). Two of the well-known automated audit logging tools on the market, FairWarning and Iatric, are well outside the budget for small- to medium-sized covered entities (CE). The manual option, checking audit logs by hand, is slow and ineffective.
