Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes

Historically, the definition of the legal health record was fairly straightforward: the contents of the paper chart (together with radiology films or the results of other imaging studies) formed the healthcare provider’s legal business record. Patients had limited interest in or access to the information contained in their records.

However, with the advent of various electronic media, the Internet, and the consumer’s enhanced role in compiling their health information, the definition of the legal health record has become more complex. The need to ensure information is accessible for its ultimate purposes, regardless of the technologies employed or users involved, remains. Therefore, the definition of the legal health record must be reassessed in light of new technologies, users, and uses.

Each organization must define the content of the legal health record to best fit its system capabilities and legal environment. Considerations for the content of the legal health record should include ease of access to different components of patient care information, guidance from the medical staff and the organization’s legal counsel, community standards of care, federal regulations, state law and regulations, standards of accrediting agencies, and the requirements of third-party payers.

A patient’s health record plays many roles in addition to those involved in caring for a patient where documentation of the patient’s health history, health status (sickness and wellness), observations, measurements, and prognosis are recorded. This documentation allows the record to serve as the legal record substantiating healthcare services provided to the patient. It also serves as a method of communication among healthcare providers caring for a patient and provides supporting documentation for reimbursement of services provided to a patient.

The legal health record is a subset of the entire patient database, which serves as the legal business record for the organization. The roles of the legal health record are to:

  • Support the decisions made in a patient’s care
  • Support the revenue sought from third-party payers
  • Document the services provided as legal testimony regarding the patient’s illness or injury, response to treatment, and caregiver decisions

Recognizing the challenges associated with the impact of technology on the legal health record, AHIMA formed a work group of members from provider settings, law practices, information technology vendors, and information systems consultants to develop guidelines to assist organizations in defining their health records for legal applications.

This practice brief discusses the issues involved in ensuring that a health record serves the legal needs of the provider or facility whether in a paper-based, hybrid (a combination of paper and electronic), or fully electronic state. The rules that permit the patient’s health record to constitute the legal business record must be taken into account, and the organization must be able to fulfill its obligations with the legal health record regardless of the physical state of the health record.

It is imperative that healthcare organizations define their legal health records. There is no one-size-fits-all definition of the legal health record. Laws and regulations governing the content vary by practice setting and state. However, there are common principles to be followed in creating a definition.

Definition of the Legal Health Record

The legal health record is generated at or for a healthcare organization as its business record and is the record that will be disclosed upon request. It does not affect the discoverability of other information held by the organization. The custodian of the legal health record is the health information manager in collaboration with information technology personnel. HIM professionals oversee the operational functions related to collecting, protecting, and archiving the legal health record, while information technology staff manage the technical infrastructure of the electronic health record.

The legal health record is the documentation of healthcare services provided to an individual during any aspect of healthcare delivery in any type of healthcare organization. It is consumer- or patient-centric. The legal health record contains individually identifiable data, stored on any medium, and collected and directly used in documenting healthcare or health status.

Legal health records must meet accepted standards as defined by applicable Centers for Medicare and Medicaid Services Conditions of Participation, federal regulations, state laws, and standards of accrediting agencies such as the Joint Commission on Accreditation of Healthcare Organizations, as well as the policies of the healthcare provider.1

Legal health records are records of care in any health-related setting used by healthcare professionals while providing patient care service or for administrative, business, or payment purposes. Some types of documentation that comprise the legal health record may physically exist in separate and multiple paper-based or electronic or computer-based databases.

The Legal Paper-based Health Record

The 2001 practice brief “Definition of the Health Record for Legal Purposes” defines the legal paper-based health record as “the legal business record generated at or for a healthcare organization. This record would be released upon request.”2

The Legal Hybrid Health Record

When the legal health record consists of information created as paper documents and information created in electronic media, it is considered to be in a hybrid environment. Organizational policies should document the information that is considered the legal health record and identify the source (paper or electronic) of that information. A matrix can be used for this purpose.3 Policies should also indicate when the record is considered complete. The hybrid record transition plan and policy should define the “legal source of truth,” reflecting whether the legal record is paper, hybrid, or fully electronic. This policy provides for a specific schedule that provides both retrospective and prospective dates wherein the user can identify the source legal record.

The paper portion of the legal health record is collected and archived in paper or plastic folders. Electronic portions of the record are collected and archived in source systems or in electronic folders in the EHR system. There must be a clear indication of the locations where portions of a patient record are located.

Electronic versus Legal Health Records

An electronic health record (EHR) system is generally thought of as the portal through which clinicians access a patient’s health record, order treatments or therapy, and document care delivered to patients. Many healthcare providers have eliminated the paper record and use EHR systems as their organizations’ legal records (although a paper record may be “published” for release of information purposes). Many other organizations are planning a similar transition. EHR systems allow providers to gather multiple types of data about a patient (e.g., clinical, financial, administrative, and research).

Healthcare informaticists agree that an EHR system is not one or even two or more products. Rather, an EHR system consists of a plethora of integrated component information systems and technologies. The electronic files that make up the EHR system’s component information systems and technologies consist of different data types, and the data in the files consist of different data formats. (See “Data Formats of the EHR,” below, for a description of format types.)

Data Formats of the EHR

Some data formats are structured and some are unstructured. For example, the data elements in a patient's automated laboratory order, result, or demographic and financial information system are coded and alphanumeric. Their fields are predefined and limited. In other words, the type of data is discrete, and the format of these data is structured. Consequently, when a healthcare professional searches a database for one or more coded, discrete data elements based on the search parameters, the engine can easily find, retrieve, and manipulate the element.

However, the format of the data contained in a patient's transcribed radiology or pathology result, history and physical, or clinical note system using word-processing technology is unstructured. Free-text data, as opposed to discrete, structured data, are generated by word processors, and their fields are not predefined and limited. Consequently, when a healthcare professional searches unstructured text, the search engine cannot easily find, retrieve, and manipulate one or more data elements embedded in the text.

Likewise, the format of the data contained in a patient's dictated radiology or pathology result, history and physical, or clinical note system using speech recognition technology (real-time speech in, text out) is unstructured. However, the speech recognition technology's engine takes the unstructured, free-text speech data and codifies the data, often with the help of templates. Hence, the format of the outputted text data becomes structured, with predefined and limited fields. Search engines then easily can find, retrieve, and manipulate one or more data elements embedded in the text.

Diagnostic image data stored in a diagnostic image management system, such as a picture archiving and communications system, represent a different type of data: bit-mapped data. However, the format of bit-mapped data is also unstructured. Saving each bit of the original image creates the image file. In other words, the image is a raster image, the smallest unit of which is a picture element or pixel. Together, hundreds of pixels simulate the image. Examples of digital modalities that generate digital diagnostic image data are digitized x-rays or computed radiography and computed tomography, magnetic resonance, and nuclear medicine scans. Most diagnostic image data remain based on analog, photographic films, such as analog x-rays. To digitize these data, these analog films must be digitally scanned, using film digitizers.

Document image data are yet another type of data; document image data are bit mapped, and the format is unstructured. These data are stored in an electronic document management system. These data are based on analog paper documents or on analog photographic film documents. Most often, analog paper-based documents contain handwritten notes, marks, or signatures. However, such documents can include preprinted documents (such as forms), photocopies of original documents, or computer-generated documents available only in hard copy. Analog photographic film-based documents are processed using an analog camera and film, similar to analog x-rays. Therefore, both the analog paper-based and the photographic film-based documents must be digitally scanned, using scanning devices that are similar to fax machines.

The EHR system's component information systems and technologies consist of additional data types, the formats of which also are unstructured.

Real audio data consist of sound bytes, such as digital heart sounds.

Motion or streaming video or frame data, such as cardiac catheterizations (cine), consist of digitized film attributes, such as fast forwarding.

The files that consist of vector graphic (or signal-tracing) data are created by saving lines plotted between a series of points, accounting for the familiar ECGs, EEGs, and fetal traces.

As such, portions of the legal EHR may be located in various electronic systems. These input systems may include laboratory information systems, pharmacy information systems, picture archiving and communications systems (PACS), cardiology information systems, results reporting systems, computerized provider order entry systems, nurse care planning systems, word-processing systems, and fetal trace monitoring systems.

Depending on their size and structure, healthcare providers may store structured clinical and administrative data in a database or clinical data repository. In addition, healthcare providers may store unstructured patient clinical data in separate databases or repositories (e.g., PACS archive, fetal trace archive) and provide pointers from the clinical portal to these various repositories. In this manner, architecturally, these databases are logically but not physically linked.

Defining the Subset of Data that Constitutes the Legal EHR

The challenge for HIM professionals in defining a legal health record in an EHR system is to determine which data elements, electronic-structured documents, images, audio files, and video files become part of the legal electronic health record. The first step is to determine what legal entities enforce regulations, guidelines, standards, or laws to the healthcare organization defining its legal health record. Although these various entities may have defined a legal record in paper terms (e.g., requiring a medication sheet rather than an electronic medication administration record), these entities’ definitions must become the basis for the legal health record definition at the organization.

The second step is to determine whether the records are created in the ordinary course of business of the healthcare provider or entity.

The third step is creating a matrix (or other document) that defines each element in the legal health record. Such a matrix could include a column indicating whether that particular element would be released on first request or subpoena.

HIPAA and the Legal Health Record

The HIPAA privacy rule requires that organizations identify their “designated record set,” which is defined as “a group of records maintained by or for a covered entity that is: (i) the medical records and billing records about individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication or case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or part, by or for the covered entity to make decisions about individuals.”4 Healthcare providers are required to define the data or documents that meet this definition. The legal health record will be a subset of this designated record set that meets the requirements for a business record used for legal purposes. Organizations must list those specific data elements and documents within the designated record set that comprise its legal health record. Source media (paper versus electronic) should be defined. If electronic, the source system should also be defined. The owners of these differential source data should be reflected in the designated record set policy and should also be documented. This matrix or document can include the column suggested above as to whether it is released on first request or subpoena.

Information from the legal health record is disclosed in response to authorized requests for copies of a patient health record. Electronic records should be transmitted in a method that minimizes the risk of a breach of security and protects the patient’s privacy as defined in the HIPAA privacy and security standards and by the privacy and security policies of the healthcare provider. HIPAA does not define a preferred method of electronic transmission. However, some states require that copies of medical records provided to patients be in “human-perceptible form,” which might limit the ability of the provider to transmit the electronic portions of the legal health record directly to third parties (such as a personal health record vendor, for example).

Facility policies should also address copying paper records, printing copies of electronic documents, and transmitting of protected health information to authorized requestors via courier, mail, fax, e-mail, and other processes. In addition, facility policies must address, in accordance with HIPAA privacy standards, the method for documenting errors, corrections, or addendums in both paper and electronic documents and ensure that original and amended versions of a document are available and produced for official (or certified) copies of health records.

Considerations for Defining the Legal Health Record for Legal Purposes

As stated previously, there is no one-size-fits-all definition of the legal record because laws and regulations governing the content vary by practice setting and by state. However, there are common principles to be followed in creating a definition. This section addresses health record issues to assist healthcare organizations in defining the content of their legal records. Final definition of the legal health record rests with individual healthcare organizations and their legal counsels.

Alerts, Reminders, and Pop-Ups

Alerts, reminders, pop-ups, and similar tools are used as aides in the clinical decision-making process. The tools themselves are not considered part of the legal health record; however, associated documentation is considered a component. For example, a provider is alerted to perform a diabetic foot exam on a diabetic patient. The initial alert that prompts the provider is not part of the legal health record, but the subsequent action taken by the provider, including the condition acted upon and the associated note detailing the exam, is considered part of the record.

Similarly, any annotations, notes, and results created by the provider as a result of an alert, reminder, or pop-up are also considered part of the legal health record. Once the documentation, results, and graphs have been entered in an electronic manner, those alerts acted upon and results become a permanent part of the record and are maintained in a manner similar to any other information contained within the legal health record.

Continuing Care Records

Continuing care records are records received from another healthcare provider. Historically, these records were generally not considered part of the legal health record unless they were used in the provision of patient care. In the electronic health record it may be difficult to determine if information was viewed or used in delivering healthcare. It may be necessary to define such information as part of the legal health record. Policies should reflect the proper disposition of health records from external sources (e.g., other healthcare providers) if they are not integrated into the electronic and legal health record.

Data and Documents to Be Considered Part of the Record

  • Advance directives
  • Allergy records
  • Alerts and reminders (see “Alerts, Reminders, and Pop-Ups,” above)
  • Analog and digital patient photographs for identification purposes only
  • Anesthesia records
  • Care plans
  • Consent forms for care, treatment, and research
  • Consultation reports
  • Diagnostic images
  • Discharge instructions
  • Discharge summaries
  • E-mail messages containing patient-provider or provider-provider communications regarding care or treatment of specific patients5
  • Emergency department records
  • Fetal monitoring strips from which interpretations are derived
  • Functional status assessments
  • Graphic records
  • History and physical examination records
  • Immunization records
  • Instant messages containing patient-provider or provider-provider communications regarding care or treatment of specific patients6
  • Intake and output records
  • Medication administration records
  • Medication orders
  • Medication profiles
  • Minimum data sets (MDS, OASIS, IRF PAI)
  • Nursing assessments
  • Operative and procedure reports
  • Orders for treatment including diagnostic tests for laboratory and radiology
  • Pathology reports
  • Patient-submitted documentation
  • Patient education or teaching documents
  • Patient identifiers (medical record number)
  • Photographs (digital and analog)
  • Post-it notes and annotations containing patient-provider or provider-provider communications regarding care or treatment of specific patients
  • Practice guidelines or protocols and clinical pathways that imbed patient data
  • Problem lists
  • Progress notes and documentation (multidisciplinary, excluding psychotherapy notes)
  • Psychology and psychiatric assessments and summaries (excluding psychotherapy notes)
  • Records received from another healthcare provider if they were relied on to provide healthcare to the patient (see “Continuing Care Records,” above)
  • Research records of tests and treatments7
  • Respiratory therapy, physical therapy, speech therapy, and occupational therapy records
  • Results of tests and studies from laboratory and radiology
  • Standing orders
  • Telephone messages containing patient-provider or provider-provider communications regarding care or treatment of specific patients
  • Telephone orders
  • Trauma tapes
  • Verbal orders
  • Wave forms such as ECGs and EMGs from which interpretations are derived
  • Any other information required by the Medicare Conditions of Participation, state provider licensure statutes or rules, or by any third-party payer as a condition of reimbursement

Data from Source Systems

Source-system data are the data from which interpretations, summaries, and notes are derived. They may be designated part of the legal health record, whether or not they are integrated into a single system or maintained as part of the source system.

Records from source systems may be considered part of the legal health record, based on the content of the source system’s record. Historically, reports or findings upon which clinical decision making is based are parts of the legal health record. For example, the written result of a test such as an x-ray, an ECG, or other similar procedures are always part of the record, whether these reports are integrated into a single system or part of a source system.

Working notes used by a provider in completing a final report are not considered part of the legal health record unless they are made available to others providing care to a patient. However, documents that are kept in a separate system of record (such as notes from a particular area of specialty that are kept separately but are final products) are always considered part of the record.

The determining factor in whether something is to be considered part of the legal health record is not where the information resides or the format of the information, but rather how the information is used and whether it is reasonable to expect the information to be routinely released when a request for a complete medical record is received.

The legal health record excludes health records that are not official business records of a healthcare organization.

Downtime Procedure Documents

In the event that the EHR system is unavailable, a process must be implemented to continue with documentation of patient care and responses to that care. For most facilities, this process will be paper-based.

Once the EHR system is restored, the information from the downtime documents must be made part of the EHR, which may incorporate data entry, scanning, or recreating documents in various subsystems.

Emerging Issues

As EHR technology evolves, a number of challenges to the definition of the legal health record are emerging. Organizations must resolve these challenges with their legal counsel and information technology departments. Many of these items have not historically been included in the legal health record and will entail new storage and retrieval costs if they are defined as part of the record. Some examples of documents and data that should be evaluated for inclusion or exclusion include:

  • Audio files of dictation
  • Audio files of patient telephone calls
  • Nursing shift-to-shift reports (handwritten or audio)
  • Telephone consultation audio files
  • Videos of office visits
  • Videos of procedures
  • Videos of telemedicine consultations

Personal Health Records

Orgnizational policy should address how personal health information will or will not be incorporated into the patient’s health record. Copies of personal health records that are created, owned, and managed by the patient and are provided to a healthcare organization should be considered part of the legal health record, if so defined by the organization and if the information is used to provide patient care services, review patient data, or document observations, actions, or instructions. This includes patient-owned, -managed, and -populated tracking records, such as medication tracking records and glucose and insulin tracking records. (See “Personal Health Record Formats”, below, for an outline of formats.)

Personal Health Record Formats

PHRs electronically may include subsets of personal health information from provider organization databases into the electronic records of authorized patients, their families, other providers, and sometimes health payers and employers. A range of people and groups maintain the records, including the patients, their families, and other providers.

PHRs come in a variety of forms and formats, with no single sign or sponsorship model yet to emerge. Currently, the most common PHR variations and models include:

Shared data record: The shared data record model consumes the largest number of PHRs and is the most effective. Here, both provider (or employer or health plan) and patient maintain the record. In addition, the provider (or employer or health plan) supports the record. As such, the patient receives and adds information over time. The focus of this model is to keep track of health events, medications, or specific physiological indicators, such as exercise and nutrition.

EHR extensions: The EHR extension model extends the EHR into cyberspace so that an authorized patient can access the provider's record and check on the record's content. Often this model also allows an authorized patient to extract data from the healthcare provider's record. The record is still maintained by the provider but is available to the patient in an online format.

Provider-sponsored information management: The provider-sponsored information management model represents provider-sponsored information management by creating communication vehicles between patient and provider. Such vehicles can include reminders for immunizations or flu shots, appointment scheduling, prescription refill capabilities, and monitoring tools for disease management in which regular collection of data from the patient is required.

Documents Not Included in the Legal Health Record

Administrative Data and Documents

Administrative data and documents should be provided the same level of confidentiality as the legal health record. However, administrative data should not be considered part of the legal health record and would not be produced in response to a subpoena for the medical record. Healthcare organizations might more appropriately consider some administrative data and documents as working documents.

Administrative data are patient-identifiable data used for administrative, regulatory, healthcare operation, and payment (financial) purposes. Examples of administrative data include:

  • Abbreviation and do-not-use abbreviation lists
  • Audit trails related to the EHR
  • Authorization forms for release of information
  • Birth and death certificate worksheets
  • Correspondence concerning requests for records
  • Databases containing patient information
  • Event history and audit trails
  • Financial and insurance forms
  • Incident or patient safety reports
  • Indices (disease, operation, death)
  • Institutional review board lists
  • Logs
  • Notice of privacy practices acknowledgments (unless the organization chooses to classify them as part of the health record)
  • Patient-identifiable claims
  • Patient-identifiable data reviewed for quality assurance or utilization management
  • Protocols and clinical pathways, practice guidelines, and other knowledge sources that do not imbed patient data
  • Psychotherapy notes
  • Registries
  • Staff roles and access rights
  • Work lists and works-in-progress

Derived Data and Documents

Derived or administrative data are derived from the primary healthcare record and contain selected data elements to aid in the provision, support, evaluation, or advancement of patient care. Derived data and documents should be provided the same level of confidentiality as the legal health record. However, derived data should not be considered part of the record and would not be produced in response to a subpoena for the medical record.

Derived data consist of information aggregated or summarized from patient records so that there are no means to identify patients. Examples of derived data are:

  • Accreditation reports
  • Anonymous patient data for research purposes
  • Best-practice guidelines created from aggregate patient data
  • OASIS reports
  • ORYX, Quality Indicator, Quality Measure, or other reports
  • Public health reports that do not contain patient-identifiable data
  • Statistical reports
  • Transmission reports for MDS, OASIS, and IRF PAI

Notes

  1. For example, as defined by the Centers for Medicare and Medicaid Services for hospitals found in Condition of Participation 482.24, the medical record includes “at least written documents, computerized electronic information, radiology film and scans, laboratory reports and pathology slides, videos, audio recordings, and other forms of information regarding the condition of a patient.”
  2. Amatayakul, Margret, et al. “Definition of the Health Record for Legal Purposes.” Journal of AHIMA 72, no. 9 (2001): 88A–H.
  3. AHIMA e-HIMTM Work Group on Health Information Management in a Hybrid Environment. “The Complete Medical Record in a Hybrid EHR Environment,” parts I–III. October 2003. Available online in the FORE Library: HIM Body of Knowledge at www.ahima.org.
  4. “Standards for Privacy of Individually Identifiable Health Information; Final Rule.” 45 CFR Parts 160 and 164. Federal Register 65, no. 250 (2000). Available online at http://aspe.hhs.gov/admnsimp.
  5. In the paper world, conversations between a provider and patient or between providers (e.g., hallway consultations) are not always recorded and made part of the medical record. With many EHR systems, such conversations can occur electronically via e-mail and instant messaging. In other systems, records or portions of records can be forwarded to another provider’s work queue for review and comment. HIM professionals need to work with counsel and leaders of the medical staff to determine if such e-mails and notations are to be included as part of the legal health record.
  6. Ibid.
  7. Organizational policies should differentiate whether research records are part of the legal health record or if the research center maintains its own records. This should be verified with the institutional review board, since this may influence whether they are part of the legal health record.

References

Ceners for Medicare and Medicaid Services. “Conditions of Participation for Hospitals.” Available online at www.cms.hhs.gov/manuals/107_som/som107ap_a_hospitals.pdf.

HIMSS. “HIMSS Electronic Health Record Definitional Model, Version 1.1.” Available online at www.himss.org/content/files/ehrattributes070703.pdf.

Health Level Seven. “The Legal Aspects of the Electronic Health Record.” Unpublished work product of the HL7 work group on legal aspects of the EHR. May 2005.

“Standards for Privacy of Individually Identifiable Health Information; Final Rule.” 45 CFR Part 164.501. Federal Register 65, no. 250 (2003). Available online at www.hhs.gov/ocr/hipaa.

Prepared by

Kathleen Addison, CCHRA(C)
James H. Braden, MBA
Jacqueline E. Cupp, RHIA
Darla Emmert, RHIT
Lois A. Hall, RHIT
Terri Hall, MHA, RHIT, CPC
Barbara Hess, MBA, CHP, PAHM
Deborah Kohn, RHIA, CHE, CPHIMS
Michele T. Kruse, MBA, RHIA
Kelly McLendon, RHIA
Julie McQueary, RHIA
Debra Musa, RHIT
Keith L. Olenik, MA, RHIA, CHP
Carol Ann Quinsey, RHIA, CHPS
Rebecca Reynolds, MHA, RHIA
Cheryl Servais, MPH, RHIA
Amy Watters, RHIA
Lou Ann Wiedemann, MS, RHIA
Melinda Wilkins, MEd, RHIA
Michele Wills, RHIA
Nancy E. Vogt, RHIT, CHP

Acknowledgments

Mary D. Brandt, MBA, RHIA, CHE, CHPS
Jill Callahan Dennis, JD, RHIA
Michelle Dougherty, RHIA, CHP
Kathy Giannangelo, RHIA, CCS
Karen G. Grant, RHIA, CHP
Matthew J. Greene, RHIA, CCS
Kathleen A. Frawley, JD, MS, RHIA
Barry S. Herrin, CHE, Esq.
Godwin O. Odia, MBA, RHIA
Donald Simborg
Andrea B. Thomas, MBA, RHIA, CPHS
Lydia M. Washington, MS, RHIA, CPHIMS
Carolann M. Weishar, RHIA

This work group was supported by a grant to FORE from Precyse Solutions, Inc.

Article citation:
AHIMA e-HIM Work Group on the Legal Health Record. "Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes." Journal of AHIMA 76, no.8 (September 2005): 64A-G.