One of the biggest vulnerabilities for hospital and health system business workflow processes is the absence of digital patient initiated medical record requesting and the ability of the Health Information Management (HIM) department to electronically send, receive, and track internal and external medical records to successfully fulfill and securely complete the request in a closed loop requesting process.
This is a critical path and foundational step in attaining effective and timely transitions of care for patients, and delays in this process open the health system to associated legal liabilities. Patient appointments are not being scheduled until medical records are received by the scheduling provider. This pushes that important evaluation or assessment out further and delays the scheduling and delivery of care in the form of future procedures, treatments, therapies, medications, and durable medical equipment.
Some organizations are resting on the Health Information Exchange (HIE) sharing capabilities provided by a specific EMR vendor; however, there are still venues that are not a part of the platform, requiring additional options to be utilized by the organization. While we wait for the panacea of interoperable medical records, there is a middle step that needs to occur.
That step involves online patient requesting of medical records and electronic sending and receiving by HIM. We need to get rid of faxing the paper request form and the dangerously antiquated processes of printing medical records or making a disc and mailing it.
In working with several major health systems across the US, I can attest that following processes do not yet exist. Organizations implemented robust EMR solutions and have historically not done anything about digital patient requesting of records and improved medical record sending/receiving. Nearly every health system website currently advises the patient to download and print a request form, complete it with pen by hand, and return it by faxing and or mailing it in.
Below are seven considerations to improve digital record requesting/sending/receiving:
- If a medical record is lost in transit via mail, fax, or courier, this is considered a data breach and needs to be reported by the sending organization if it was not received by the intended receiving organization. This area is a rich market for medical malpractice attorneys to tap into; therefore, organizations should be aggressive in developing digital requesting, sending, and receiving, along with closed loop notification processes.
- Health systems need to develop an online medical request pathway that’s as simple as ordering or a pizza or an airline ticket. Complete with digital signature. Having a hand-written pen signature on the form is useless because it is never validated as an authentic signature by the sending organization. Anyone can fill out a medical request form and easily forge a signature. If you have the patient’s demographic information and you complete a medical record request form, you can get that patient’s medical information, regardless whether you are a legitimate requester or not. Making this process digital can potentially improve identity confirmation/validation processes, and at the very least would be no less effective than the current paper requesting process. Considering that one can easily request prescriptions electronically, and most major pharmacies already have a robust enrollment process, there is already a model to follow.
- Health systems need to develop workflows for the internal HIM operationalization of digital medical record requesting processes and request management. Within the HIM departments, the staff are currently handling fax machines, incoming postal mail, and more. Very few organizations are not tracking what has been sent or received, how it was sent or received, when it was sent or received, or who sent or received it. There needs to be as much process transparency for medical records as there is for your online pizza order. The HIPAA rule requires tracking of PHI as it enters, transits, and leaves the organization.
- Email size limits prevent physician offices and HIM offices from receiving them by PDFs or other attachments to emails from patients (and this isn’t secure anyway — but highlighting that is also not an effective work around) and portals do not offer upload functionality for patients.
- If a patient physically mails records to the medical records office, the patient has no idea if the records were received and incorporated into the EMR. The physician has no idea if they have been received and if they are ready for review. Patients are discouraged from physically dropping off medical records at the HIM office. Lacking a single point of health information submission leaves the organization open to multiple points of entry from various clinics into a longitudinal record, where documents can be misfiled or mislabeled within the record. Multiple entries may exist for the same information scanned in by different clinics.
- This brings us to the next point: health systems need closed loop digital email and SMS notifications for the patient and the provider that medical records have been requested, processed, sent, and/or received. Currently, no one knows where the record requesting process is at in the process of being received–> processed–> completed–> and finally available for provider review. Again, the online pizza order tracker exists, but nothing for medical records. And this is also not compliant with the Security Rule.
- There is no transparency or timeline expectation by HIM departments for when the patient and provider can expect them to be processed and sent. Saying, “we’ll send it in a couple of weeks” puts patient safety at risk by delaying care, and lacks the tracking to monitor for and prevent information breaches. A reasonable time line for start completion is 24-hour turnaround — converting this into an electronic transactional process cuts down on the man hours required to manually handle these processes, thereby increasing the productivity level of current staffing models.
Bottom line, if your organization has an EMR and it cannot process a medical record request for a patient within 24 hours of receiving it, you should be worried — and maybe a little embarrassed. The HIM department should not be able to de-prioritize a patient’s care by sending medical records whenever it is convenient in their current workflow process — but they are doing exactly that when they make patients “wait a few weeks or so” and fail to turn around records for all conditions within a necessary 24-hour timeframe. Health systems are allowing non-clinical individuals in HIM to decide what the level of urgency is clinically appropriate for each request. This is a massive problem when it comes to continuity and timeliness of transitions in patient care, and it needs to change. Now.
This piece was written by Amy Stiner, RN, Lead Cerner Advisor with the Defense Acquisition and Policy Department at MITRE. She has more than 20 years of industry experience, working as consultant, project director, and integration specialists for a number of organizations. Please note that the ideas expressed in this piece are Amy Stiner’s alone and do not represent MITRE’s or government sponsors’ positions, strategies, or opinions.
rmckee says
Are organizations willing to utilize remote positive patient ID to release records? I have heard resistance due to not being able to compare a picture ID with a “live” person making the request. Would appreciate hearing more on this aspect of the process.
Amy Stiner says
Thanks for the question! I would like to hear more here as well. I can say that I’ve never been asked for a picture ID with a fax or mail in medical record request. Just signature on the form and the records are eventually sent at some point. The picture ID has never been part of a remote mail or fax request based on my experience.
I may have been asked for ID when I picked up in person at Northwestern once. I don’t remember but if I had been, that would have been the only time. Faxed and mailed requests never ask for it.
Having said that, I’m curious to hear more here as well. I also don’t think a photo ID is required for registering for a patient portal access for most organizations.