Most HIM departments file by terminal digits, which is the only way to keep files expanding at an even rate. In a terminal digit filing system the last two, three, or four digits of the file number are treated as a single number. Since all numbers in the file are sorted by their ending digits, each section contains approximately the same number of folders, so the file shelves are divided for easy expansion.

A new, free toolkit from AHIMA offers best practices in terminal digit filing. Managers can use the kit to train new or existing staff by having employees review the kit and complete the exercises.

Freezing both the current ICD-9-CM and the new ICD-10-CM/PCS code sets will save organizations further cost and complexity by enabling them to focus on the system change without simultaneously managing code updates. The Centers for Medicare and Medicaid Services has been receiving recommendations on whether to freeze the code sets and, if so, for how long.

In a recently released statement, AHIMA recommends that:

• The final ICD-9-CM update should be FY 2012 (beginning October 2011, in conjunction with the federal government’s fiscal year).
• No updates should be made to ICD-10-CM/PCS for FY 2013 or FY 2014 (i.e., beginning October 2012).
• Updates to ICD-10-CM/PCS should resume in FY 2015 (October 2014).

Freezing code sets presents its own challenges, given that the practice of medicine will keep evolving. AHIMA recommends that exceptions should be allowed for urgently needed codes. Organizations requesting updates would be required to make a “clear and convincing” case to the Coordination and Maintenance Committee as to why the codes can’t wait for the next regularly scheduled update (such as the emergence of a new disease).

AHIMA recommends that the Coordination and Maintenance Committee, which maintains the code sets in the US, should continue to meet during the freeze in order to consider code proposals and avoid a backlog in 2014. “Working draft addenda” could keep the industry appraised of code changes slated to go into effect for FY 2015.

In addition, AHIMA recommends that flexibility be retained during the freeze to correct errors identified in the ICD-10-CM/PCS code sets, such as incorrect index entries or incorrect code references in instructional notes.

AHIMA offers ICD-10 information and resources at www.ahima.org/icd10.

The online version includes five separate appendixes, linked at the end of the brief:

• Appendix A excerpts portions of the HL7 EHR-System Records Management and Evidentiary Support Functional Profile Standard, which can be used to develop proposals for selecting an EHR system or as a checklist to evaluate current applications for basic record management functionality.
• Appendix B lists the various e-signature laws, regulations, and acts that organizations can refer to in developing and implementing e-signature functionality and policy.
• Appendix C outlines a sample e-signature model policy template, including important legal and compliance recommendations.
• Appendix D provides a glossary of terms that organizations can use in their e-signature policies.
• Appendix E provides practice guidance on making amendments, corrections, and deletions in transcribed reports.

Managing e-signatures is complex, but doing it correctly is critical  in supporting an organization’s legal health record. Successfully implementing and using e-signatures requires proper attention to individual system functionality, regulatory requirements, and organizational policy.

The delay, announced October 30, comes at the request of Congressional members, the FTC said. The rule was scheduled to go into effect November 1.

The announcement comes a week after the House of Representatives passed an amendment to the rule that would exclude certain businesses, including small healthcare, accounting, and legal practices. The House bill is currently in the Senate.

On the day FTC announced the delay, the US District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys.

This is the fourth delay for the rule, which was originally scheduled to take effect November 1, 2008. Industry groups, including healthcare providers and lawyers, have pushed for an exclusion, while others have complained that the rule lacked sufficient detail and guidance. The FTC has since been adding information and guidance online.

Long-term trouble can start during a brief check-in. A rushed or incomplete search of the organization’s MPI can cause clinical registrars to create duplicate patient records or even select the wrong record.

Faulty information entered at check-in streams straight through the system, risking treatment errors and leading to eventual billing problems. Entities that participate in health information exchange will export bad information into their networks.

Error-ridden MPIs also hamper an organization’s ability to understand its patient population and its own performance, both for internal and external reporting. Patient information spread across multiple records can distort measures of patient severity and overall risk of mortality. And correcting errors consumes time.

HIM departments often are the hub of identifying and mitigating registration errors. HIM staff sift through the MPI, merging duplicate records and  separating out information that has been overlaid into the wrong patient account.

But what HIM learns about the types of MPI errors occurring in patient registration may never be shared with that department. Because HIM and registration are typically managed through different departments, there can be an information exchange disconnect between the two areas. If registration staff do not know what they are doing wrong, how can they correct it?

Some facilities have instituted registration improvement programs, which can feature cross-department committees whose purpose is to reduce registration errors and clean up the MPI.

Providing Feedback to Registration

Not only do these registration improvement processes eventually reduce work for HIM, they also give vital feedback to registration staff about how their actions directly impact the medical record and patient care, according to Gwyndle Kravec, MBA, RHIA, CCS, director of HIM and privacy officer at Peninsula Regional Medical Center, based in Salisbury, MD. Peninsula instituted a registration improvement program that has greatly reduced MPI errors.

“I think this program heightens the awareness that this is an issue of data quality and that these [duplicate MPIs] do impact patient safety,” Kravec says. “When you heighten awareness of what the downstream effects are of having a duplicate medical record, then I think [registrars] are more conscientious of what they are doing. They want to get it right.”

Registration improvement programs can be simple or elaborate, depending on what investment a facility feels is appropriate to clean up its MPI and registration processes.

The HIM department at Christiana Care Health System, based in Newark, DE, has worked with the facility’s registration areas for several years to improve registration processes and reduce MPI duplicates and overlays. The initiative is an important part of ensuring health records are complete and accurate, says Kathy Westhafer, RHIA, CHPS, program manager for clinical information.

“We are looking for that MPI to really be the focus of how we identify the patient, that we have one record for the patient within the health system,” Westhafer says.

Each day a team of Christiana Care HIM professionals uses a clinical system tool that identifies possible MPI duplicates and overlays. A notification tool is also available for all staff to report possible duplicate MPI accounts. HIM staff investigates these suggested cases, merging duplicate MPIs or separating out information in overlay cases.

“That team is doing the research and determining if it is a situation where two people were merged inappropriately, in an overlay situation, or if it is really one person that has multiple records,” Westhafer says.

Because each ancillary area at Christiana Care conducts patient registration, duplicate and overlay MPI cases are compiled by HIM and separated by the specific ancillary area where the error occurred. Reports describing the circumstances of the error are circulated monthly to the various registration area managers. The information is used to create better registration processes as well as develop specific education for registration staff, Westhafer says.

Providing feedback to the registration departments is key to the facility’s MPI cleanup efforts. Instead of HIM doing cleanup work solely on the back end, registration now can use the information to improve accuracy on the front end, Westhafer says.

Since Christiana Care started its improvement processes, registration errors have been significantly reduced. A recent audit showed the organization’s MPI duplication rate accounts for fewer than 2 percent of all MPI records, a typical industry benchmark for MPI best practices, Westhafer says.

“We felt really good that the processes that we have put in place over the years seem to have worked,” she says.

Direct Training for Dramatic Results

In other organizations, HIM may have a more hands-on role in registration improvement efforts. At Peninsula, MPI duplication rates were so high that in 2007 the HIM department staff formed a committee and began direct education with registrars.

At that time, Peninsula’s registration staff was not taking enough time to accurately select or create MPI numbers. HIM staff struggled to fix the resulting duplicate accounts being entered into the system each day.

“We were processing 60 duplicates a week,” Kravec recalls. “Some of those were expected as part of our [trauma] registration process, but a majority of them were errors. So we had to get together because [the registration department] were not taking accountability. They were creating the error, and HIM was cleaning it up.”

The resulting committee, made up of representatives from HIM, patient registration, finance, IT, and labs, meets monthly to review duplication creation rates, discuss trends in registration data errors, and create new processes to correct the mistakes. A registrar is also invited to each meeting to discuss how a registration error occurred and how it could be prevented in the future.

Through the program, HIM collects all MPI account duplicates and sends them to the registration department manager. The registration manager uses the information for educational training in the department and monitoring which registrars are habitually creating errors. Under a disciplinary action program, a registrar who creates three duplicate MPI accounts within a rolling one-year time period is terminated from the organization. The policy holds registrars accountable for their mistakes and has helped reduce the number of errors committed, Kravec says.
 
Also, once a month the HIM operational manager will visit the registration department and conduct quality training with the registrars. The manager provides registrars the recent duplicate MPI rates and shares specific examples of recent registration errors that HIM has found. The HIM manager also observes the registrars at work, watching for any shortcuts that could lead to registration errors, Kravec says.

“There were so many errors and missing information in different records that we knew we needed to get something done,” Kravec says. “So we built in this ad-hoc way to do it where the HIM manager goes up [to registration] and does training on a monthly basis and brings true live examples where they registered a patient incorrectly.”

The registration improvement program has drastically reduced the number of MPI account duplicates at Peninsula.

In the first year of the program, MPI duplication rates dropped 23 percent from the previous year. By the end of the second year, rates had dropped 57 percent compared to rates before the improvement program was implemented.

“It is less resources I’m using, and my identity coordinator can certainly use their time doing better things than merging duplicate records,” Kravec says. “It is not just with one system—we have 17 downstream systems that it impacts. We have to coordinate and synchronize these merges so that patient safety is not impacted in a negative way.”

The registration improvement program at Peninsula is vital in keeping the duplication rates under control. It holds people accountable for their actions, Kravec says. “You do betterwhen you think somebody is watching,” she says. “Now if we stopped the program or stopped the [training] on these, I can see these numbers reversing.”

How Registration Errors Occur

The cause of registration errors varies from simple accidents to negligence.

The turnover rate for registration department employees is especially high in many facilities. With new employees regularly starting work, education on proper MPI creation is constantly needed, Westhafer says.

The rush to register patients can also affect error rates. At Peninsula, the emergency department has a policy that patients should be registered within two minutes so treatment is not delayed. Nearly 65 percent of Peninsula’s patients are admitted through the ED.

Registering a patient within two minutes is a lot of pressure, Kravec says, and with both patients and registrars in such a hurry, mistakes can easily be made. 

The most common registration error at Peninsula is misspelling a patient’s name when searching the MPI. Because of this, the MPI duplication committee has asked registrars to confirm at least three unique identifiers in a patient’s record—such as name, Social Security number, and date of birth—before assuming they have found the correct file.

Many registration mistakes can be avoided by requiring registrars to ask patients if they have ever been to the hospital before. “That is very simple, but there were some registrars that never asked that,” Kravec says.

Technological problems are partly to blame for some registration errors at Christiana Care. The facility’s registration system is nearly 20 years old and in dire need of upgrade, Westhafer says. “There are inherent problems with a 20-year-old system in that you are very limited in how you can search [for MPI records],” she says.

The organization has decided to replace the registration system, and Westhafer says staff is looking for a system that makes it easier for registrars to look up MPI records.

One guideline at Christiana Care contributes to duplicate records, intentionally. Registrars are instructed to create a new record if they cannot confirm they have correctly matched a patient to an existing record. “We have told registers, ‘when in doubt—unless you are positive—it is better for you to create a duplicate than it would be to choose somebody incorrectly,’” Westhafer says. HIM staff would rather merge a duplicate record than sort out patient information from an incorrect account, Westhafer explains.

Getting Started

Improvement programs do not need to be elaborate. Merely sharing duplicate creation rates with registration staff can help reduce errors. Registration management can use the rates to help develop new registration procedures, train registrars, and track improvement progress.

Facilities looking to create programs should first track their duplication rates. Identifying specific MPI issues will help organize a response to the problem. Next, they can create a project assessment and determine which facility departments would be affected by a registration improvement program. Contact those parties and invite them to help develop the project, Kravec recommends.

Regardless of how the errors occur, an important part of a registration improvement program is educating registrars about the impact their work has on the rest of the facility. Registration’s impact on patient care is a focal point of the education sessions HIM conducts at Peninsula, Kravec says.

Just educating registrars on the importance of finding the correct patient MPI during registration can have a positive impact on their work.

“Registrars didn’t have the full picture before this program,” Kravec says. “Now they have the full picture.”

Members may read all stories online in the AHIMA Body of Knowledge. Select features and practice briefs are also available publicly.

November-December 2009

Features

• Dispute Resolution: Planning for Disputed Information in EHRs and PHRs, by Lydia Washington, MS, RHIA, CPHIMS; Ethan Katsh, JD; and Norman Sondheimer, PhD
• Plan B: A Practical Approach to Downtime Planning in Medical Practices, by Cheryl Gregg Fahrenholz, RHIA, CCS-P; Lance J. Smith, RHIT, CCS-P; Kyle Tucker, RHIA, CCS; and Diana Warner, MS, RHIA, CHPS
• Converting MS-DRGs to ICD-10-CM/PCS: Methods Used, Lessons Learned, by Rhonda Butler, CCS, CCS-P, and Janice Bonazelli, RN

In Addition

• 75 Years of HIM Education, by Shirley Eichenwald Maki, MBA, RHIA, FAHIMA

Practice Brief

• Electronic Signature, Attestation, and Authorship (Updated)

Working Smart

• Fear Factor: Ambiguities in State Law Leave Some Providers Hesitant to Adopt EHRs, by Chris Dimick
• Genomics and HIM: Three Areas of Increasing Intersection, by W. Gregory Feero, MD, PhD; Selma Holden, MD; and Barbara Fuller, JD, RHIA, FAHIMA
• Medical Device Deliberations: Data Issues to Consider When Purchasing and Implementing New Devices, by Beth Acker, RHIA
• Communicating Security Efforts: Informing Consumers of Data Protection Programs Helps Build Trust, by John Parmigiani

Coding Notes

• FY 2010 Changes to the Hospital IPPS, by Kathy DeVault, RHIA, CCS
• Coding in Critical Access Hospitals, by Karen M. Kostick, RHIT, CCS, CCS-P

The amendment is intended to relieve the administrative burden on small businesses.

The Red Flags Rule, part of the Fair and Accurate Credit Transaction Act of 2003, requires “creditors” and financial institutions to develop and implement written identity theft prevention programs. As described in the rule, creditors are organizations that maintain consumer accounts that receive multiple payments or payments made in installments.

In full, HR 3763 amends the Fair Credit Reporting Act to exclude “any health care practice, accounting practice, or legal practice with 20 or fewer employees.” It also excludes any other business that the Federal Trade Commission, which oversees the rule, determines:

• knows all its customers or clients individually;
• only performs services in or around the residences of its customers; or 
• has not experienced incidents of identity theft, and identity theft is rare for businesses of that type.

The proposed amendment moved easily through the House. It was introduced October 8 and was voted on without debate on October 20. There were 400 votes to approve and no votes in opposition.

The House bill was received and read in the Senate and referred to the Committee on Banking, Housing, and Urban Affairs.

The Red Flags Rule was first scheduled to take effect November 2008. The Federal Trade Commission offered several delays to provide more guidance and give businesses more time to prepare.

Provider Burden or Consumer Protection?

Rep. John Adler (D-NJ) sponsored the bill. “The Federal Trade Commission went too far and went beyond the intent of Congress by considering non-financial, service-related industries to be ‘creditors’…,” he said in a floor speech before the vote.

“Its ruling would force thousands of small businesses to comply with burdensome, expensive regulations by forcing them to develop and implement an identity theft program.”

The American Medical Association also is opposed to inclusion of medical practices and has lobbied against it.

However, in a letter to the Senate committee chair, AHIMA argues that medical practices are already a target of identity thieves and that exempting them from the rule would motivate thieves to focus on them more.

AHIMA also noted that the bill has a much farther reach than might appear. Nearly half of physicians work in practices of six physicians or fewer, according to a 2008 report from the Centers for Medicare and Medicaid Services. At a time when medical identity theft and healthcare fraud are on the rise, the bill would exempt a large share of providers from having identity theft prevention programs.

In addition, the exemption would undermine efforts to raise awareness of identity theft and subsequent fraud within the healthcare industry, AHIMA wrote.

The Senate Committee on Banking, Housing, and Urban Affairs has yet to schedule discussion of the bill. With a full plate and the winter recess approaching, it is unclear if the committee will consider the House bill this year.

Updated Oct. 28

California law requires businesses and state agencies that have unencrypted personal information lost, stolen, or improperly accessed from their databases to notify affected consumers. However, the law does not specify what information the notification letters must contain.

Senate bill 20 would have ensured businesses include key information in their notices, such as the type of personal information breached, a description of the incident, the date it took place, and who to contact for more information.

The bill was vetoed, Schwarzenegger wrote in his explanation, because there is no evidence of a problem with the information businesses are currently providing consumers.

The veto does not dramatically affect state healthcare organizations, which beginning September 23 must meet similar requirements under federal breach notification laws. The federal laws require companies that handle personal health information to include specific information in breach notification letters, including date of the incident and the personal information breached.

However, the federal provisions—part of the American Recovery and Reinvestment Act’s HITECH section—only cover healthcare businesses, leaving California organizations such as banks and educational institutions open to include as much or as little information in their breach notifications as they deem appropriate.

Veto “Surprising”

Senate bill 20 was proposed by state senator Joe Simitian, who said it was necessary to ensure that victims receive the information they need to understand the problem and protect themselves from harm.

“This is one of the most surprising vetoes I’ve gotten while I’ve been here, over nine years,” Simitian said.

The bill had moved through the state legislature with strong support.

Simitian acknowledged that the majority of the notices that go out to consumers do contain adequate, helpful information. However, he said there have been instances of vague and meaningless breach notifications.

A survey of data breach victims included in a 2007 University of California-Berkeley School of Law paper found that 28 percent of those receiving a breach notification did not understand the “potential consequences of the breach after reading the letter.” Simitian cited this study as well as personal conversations with confused breach notification recipients to explain why legislation is needed.

The proposed additions to California’s privacy law would not break new ground. Several states have added similar breach notice requirements to their privacy laws, Simitian said. Setting notification requirements could also benefit businesses by spelling out their responsibilities. Having clear-cut requirements saves businesses from guessing at what they should do to be compliant.

While he feels the breach notification content requirements were not necessarily a bad idea, California-based healthcare attorney Reece Hirsch said he can understand why the bill was vetoed. Hirsch, a partner with Morgan Lewis’s FDA/Healthcare regulation practice, has helped clients draft many breach notifications. The breach notification requirements proposed in the bill are considered best practices in the field and already followed, he noted.

“Most companies responding to a security breach under the existing law would typically include the elements that are stated in senate bill 20,” Hirsch said. “Certainly there are consumer groups who have felt that these notices are maybe confusing, not as forthcoming as they should be.

“But by and large I am not sure that the elements that were specified in senate bill 20 would really affect a real change in the sorts of notices that consumers are seeing under the current California law.”

No Copy for the Attorney General

Senate bill 20 also called on businesses to send a copy of their breach notifications to the California attorney general if the breach affected more than 500 people. The provision was included to give law enforcement and the legislature a way to track privacy breaches across industries and identify trends, Simitian said.

In his veto message, Schwarzenegger wrote there was “no additional consumer benefit” to the provision because the bill does not require the attorney general to do anything with the notices.

“I thought there was a little irony in the veto message suggesting that we didn’t have evidence of the nature of the problem, and then going on to say ‘and by the way, why on earth would you want to have a place where there is a repository of this information,’” Simitian said.

Under state law that took effect January 1 of this year, healthcare organizations are already required to report breaches of any size to the California Department of Public Health, Center for Health Care Quality, which has power to investigate and fine organizations.

However, sending a breach notice directly to the attorney general could have increased an organization’s chance of being prosecuted, Hirsch noted. The federal breach notification provisions give attorneys general the power to enforce privacy protections and take enforcement action against healthcare organizations that have experienced a breach of protected health information.

Though the bill was vetoed, Simitian said he will have conversations with the California governor’s office on how to get the bill passed. He plans to reintroduce the legislation next year.

The Federal Content Requirements

Two federal laws govern breach notification. A rule promulgated by the Department of Health and Human Services governs HIPAA covered entities; a rule published by the Federal Trade Commission applies to noncovered entities such as personal health record vendors.

The rule governing covered entities spells out that breach notifications must:

• Be written in plain language
• Describe what happened, including the date of breach and discovery (if known)
• Describe the types of unsecured personal information involved in the breach
• Provide steps individuals should take to protect themselves
• Give a brief description of what the healthcare organization is doing to investigate, mitigate harm, and protect against further breaches
• Describe contact procedures for patient questions, including a toll-free telephone number

The rule currently exists as an interim final rule, meaning that it could be modified based on public comments. The comment period ends this Friday, October 23. The FTC law governing noncovered entities has similar content requirements, though it provides less detail.

The California bill would have required businesses to include two items in addition to what the federal laws specify:

• Contact information for credit reporting agencies
• A statement describing whether there was a delay in notification because of law enforcement investigations

• Sample project communication plan
• Sample project plan
• Sample project progress report
• Sample issues log

The online version also includes a list of communication aids that organizations may use in the transition to ICD-10-CM/PCS and a contact form for the major stakeholders leading the ICD-10-CM/PCS implementation.

As the practice brief notes, planning for the transition to ICD-10-CM/PCS is a multifaceted effort. Defining the organization’s data management plan will facilitate a smooth transition to ICD-10-CM/PCS and optimize its greater specificity.

The conversion project offered an early test of the General Equivalence Mappings and provides organizations with a process for converting their own applications to ICD-10-CM/PCS.

Rhonda Butler and Janice Bonazelli, senior clinical analysts at 3M Health Information Systems, offer an overview of the conversion in this early look into the upcoming November/December issue of the Journal.