The Honorable Michael O. Leavitt
Chairman
American Health Information Community
200 Independence Avenue, S.W.
Washington, D.C. 20201
Dear Mr. Chairman:
On September 18, 2007, three members of the Model Requirements Executive Team (MRET) brought together under a contract awarded to Research Triangle Institute International by the Office of the National Coordinator for Health Information Technology (ONC) presented recommendations to the American Health Information Community (AHIC) on initial requirements for electronic health records (EHRs) that seek to increase documentation accuracy and fraud management within the health care system. At the aforementioned AHIC meeting, the Confidentiality, Privacy and Security (CPS) and the Electronic Health Record (EHR) AHIC Workgroups were asked to evaluate the MRET recommendations in their area of expertise, hear additional public comment, and offer additional insight from their Workgroup’s perspective.
The CPS Workgroup was specifically asked to evaluate Requirement 8. This is as follows:
Requirement 8: Auditor Access to Patient Record
8.0 The system shall have the capacity to allow authorized entities read-only access to the EHR according to agreed upon uses and only as a part of an identified audit subject to appropriate authentication, authorization, and access control functionality. Such access controls shall also support the applicable release of information protocols, local audit policies, minimum necessary criteria, and other contractual arrangements and, laws, and:
8.1 Require “auditor” be a supported class of user
8.2 Limit access to pertinent functions and views only for patient records covered by
the audit.
8.3 Access remains controlled by the facility and the same authentication and audit supports would apply.
8.4 Remote access may be offered if agreed to by the organization subject to the aforementioned protocols and suitable authentication
8.5 Demonstrate the ability to provide a paper copy of such information in the event access to the EHR is not possible.
The EHR Workgroup was specifically asked to evaluate MRET Requirements 5 and 6. These requirements are as follows:
Requirement 5: Evaluation and Management (E&M) Coding
5.1 The system shall be capable of prompting for omitted necessary administrative data or codes. This could include the capability to prompt a physician if the selected E&M code is not consistent with the documentation in the encounter note.
5.2 Prompts that are driven by E&M administrative processes shall not explicitly or implicitly direct a user to add documentation. This does not apply to prompts for additional documentation for E&M levels already achieved, for medical necessity or for quality guidelines/clinical decision support.
Requirement 6: Proxy Authorship
6.1 Retain date/time/user stamp of original data entry person when data entered “on behalf” of another author.
6.2 If an assistant is used to enter date that will subsequently be signed by a provider,
retain the date/time/use stamp of the data entry person as well as the provider.
Mr. Chairman, the CPS Workgroup has reviewed Requirement 8 and offers the following response. After Workgroup discussion, we have determined that Requirement 8 is consistent with Health Insurance Portability and Accountability Act (HIPAA) requirements and does not provide auditors with any new access rights to EHRs. Dr. Reed Gelzer, a Workgroup chairman of the MRET effort and Rebecca Busch, a member of the MRET, participated in our discussion of Requirement 8 and explained the MRET made this recommendation to encourage further discussion in the area of auditor access to EHRs and to promote EHRs capable of implementing clear policies to limit auditor access to EHRs. The CPS Workgroup believes that Requirement #8 would benefit from further specificity. In doing so, we would expect that this refinement would take into account different types of auditors (8.1), their levels of access depending upon their role (8.2), and the related access controls specified by the facility (8.3).
Mr. Chairman, the EHR Workgroup was pleased to have Dr. Reed Gelzer, a MRET Workgroup chairman, lead a detailed discussion on December 4th with the EHR workgroup members regarding Requirements 5 & 6. The Workgroup deliberated and determined that Requirements 5 & 6 were beneficial and offer no suggested modifications. We are hopeful work will continue in this area and will be utilized to inform the efforts of the Certification Commission for Health Information Technology. Regarding Requirement 5.1, the Workgroup had considerable discussion on whether such a capability should be mandated or just strongly suggested using the terminology “should” rather that “shall”. The EHR Workgroup finally concluded that it is appropriate to ensure systems “shall” have this prompting capability noting that enabling/ disenabling such functionality will be at the discretion of the institution and their governing policies/ practices.
Thank you for giving us the opportunity to submit our views on this report. We look forward to discussing this recommendation with you and the members of the American Health Information Community.
Sincerely yours,
| Kirk Nahra | Deven McGraw |
| Co-Chair | Co-Chair |
| Confidentiality, Privacy, and Security Workgroup | Confidentiality, Privacy, and Security Workgroup |
| Jonathan Perlin | Lillee Smith Gelinas |
| Co-Chair | Co-Chair |
| Electronic Health Records Workgroup | Electronic Health Records Workgroup |