Lost medical records are process errors that can cause significant medical issues affecting patient privacy, care and safety. Furthermore, Federal laws mandate the secure creation, retention and use of medical records to ensure the highest quality of care, security and privacy for patients. Consequently, health care providers, often under severe budgetary limitations, struggle to comply with these legal, medical and ethical mandates. Research appears to show that medical records issues, including but not limited to lost medical records, can best be handled through exclusively electronic medical records, provided certain requirements are met. According to the Bureau of Primary Health Care, lost medical records constitute one of the common "process errors" that could cause medical issues such as incorrect diagnosis, delay in diagnosis and delay in treatment (BPHC Task Force on Patient Safety, January 2001, p. 19). Furthermore, using studies from Colorado, Utah and New York, the report estimates that 44,000 -- 98,000 hospitalized people die in the U.S. annually due to medical errors (BPHC Task Force on Patient Safety, January 2001, p. 5). Consequently, addressing those errors, here reduced to the loss of medical records, is a high priority for the U.S. Health Care System.

b. Medical Records in Summer Practice Setting

The Summer Practice Setting uses a hybrid of paper, electronic and microfiche medical records. Paper records are created and maintained "on the floor." Paper records are kept either readily available for immediate use or kept in a central location at the facility. Access to paper records is restricted and must be requested and signed out at that location. Paper records have reputedly been lost in the past. To compensate for those losses, data from the paper records is entered by medical personnel, including nurses, in coded areas on an electronic system. There is a backup system of electronic records in case the main system crashes; however, possibly due to budget constraints, the backup system appears to be an unreliable patchwork quilt and both the main electronic records system and backup system have reputedly "crashed" in the past, resulting in at least the temporary loss of medical information and, at times, entire medical records. In case the paper and electronic records are lost, microfiche backups of medical records are made and stored in double-locked storage areas in other locations. Access to microfiche records is severely restricted to the director of medical records and/or his/her representatives, and can be obtained upon request. In addition, if a medical record is lost, a new medical record must be created and it must be clearly designated as a replacement medical record. If the original medical record is found, the replacement record must be placed within the original medical record. In sum, the summer practice provider has 3 methods for dealing with lost medical records: if paper records are lost, the provider may rely on the electronic system; if the electronic system crashes, the provider may use the backup system; if all else fails, the provider may rely on microfiche records provided upon request. Full-time health care staff currently working at the facility does not recall a loss of microfiche records at any time. While great effort is obviously made to avoid the loss of medical records, the summer practice provider is obviously struggling with a hybrid system that does not seem well-coordinated and appears to create more administrative work for the health care providers.

c. Medical Records Plan

The proposed medical records plan would use an entirely electronic system brought to full compliance with HIPAA and the HITECH Act, with backups on reputable third party systems, with contractual requirements that the third party provider is bound by HIPAA and the HITECH Act, and with immediate retrieval-upon-electronic-request of lost medical records from the third party's server. Research shows that electronic medical records can provide the optimum system for handling medical records, including avoiding the loss of medical records and/or retrieving lost medical records. Axway, a provider of information technology for medical records systems, cites both HIPAA regulations and the HITECH Act as reasons for adopting electronic records (Axway, 2010, p. 1). Axway specifically cites HIPAA's enhanced mandate for confidential, secure medical information (U.S. Department of Health & Human Services, 2012). In addition, Axway explains the HITECH Act's requirement that health care providers strengthen security for Protected Health Information (PHI), and the Act's encouragement of electronic health/medical records (HER/EMR) (Practice Fusion, 2009), ideally to reduce healthcare costs and improve the quality of patient outcomes (Axway, 2010, p. 1). Consequently, the projected nurse practitioner's office would adopt an electronic medical records plan.

Even electronic medical records plans have proven problematic...

First, there are major potential security problems: Torrey points to the loss of patient records at the Veterans' Administration in 2006 to show that important patient data can be and has been lost (Torrey, Limitations of electronic patient record keeping: Privacy and security issues, 2009). Secondly, electronic medical records are often kept by third party computer servers and the third parties do not have the same HIPAA privacy restrictions that apply to health care providers; consequently, unless the third party is contractually bound to privacy, there are no laws restraining the third party from using the data as they wish (Torrey, Limitations of electronic patient record keeping: Privacy and security issues, 2009). Third, many EMR systems are "local," being tailored for a specific health care provider in a specific area of the country. This local nature of the EMR creates difficulties for patients who are injured or become ill away from their normal health care providers because their medical records cannot be accessed when they are most needed (Torrey, 2008). Fourth, there is a lack of standardization of electronic medical records across the country: EMR systems appear to be typically tailored for specific clients according to varying degrees of sophistication because there are few if any nationwide standards for EMR (Torrey, 2008). Due to all these potential problems, the health care provider must consciously take great care to ensure security, privacy, universality and standardization of its/his/her electronic medical records system.
Experts have suggested 5 steps, in no particular order of importance, which should be taken to ensure security, privacy, universality and standardization of electronic medical records systems, per HIPAA and the HITECH Act. First, the health care provider must secure all Protected Health Information (PHI) "in motion" through e-mail, file transfer, internal electronic data interchanges or external electronic data interchange (Axway, 2010). In order to fulfill this step, the health care provider must define, manage and enforce policies controlling information flow. Some EMI providers are offering "delivery-based policies" that automatically control information flow, including "who can interact with whom," and allowing the health care provider to block/quarantine an interaction; strip sensitive attachments from e-mails; return messages unanswered; notify managers; alter the information; reroute the information so it moves through secure and encrypted channels (Axway, 2010, pp. 1-2). Secondly, the health care provider must ensure the security of PHI "at rest" on the server by encryption technology that meets NIST 800-52 or FIPS 140-2 requirements to ensure the integrity of the data and its delivery. This will ensure that only authorized users may access the information, that the electronic medical record will not be lost, and that PHI is securely destroyed and/or retained (Axway, 2010, p. 2). Third, the electronic medical records system must detect and report breaches in the system, as §13402 of Title XIII HITECH/ARRA requires: "Following a breach of unsecured protected health information covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities that a breach has occurred" (Practice Fusion, 2009). Consequently, electronic medical records must be constantly monitored throughout the system, their movements must be tracked and sufficient compatibility for transfer must be made with the systems of external providers (Axway, 2010, p. 2). Fourth, the electronic medical system must ensure that business associates are in compliance with HIPAA and the HITECH Act so there are no breaches of privacy or losses of medical information. Experts suggest building a "community" of electronic exchange for effective, efficient data exchange without breaches or loss (Axway, 2010, pp. 2-3). Finally, the electronic medical records plan should create a core competence for the exchange of information. The HITECH Act offers incentives for "meaningful use" of electronic data exchange for 90 consecutive days. Meaningful use consists of integrated, automated exchange of EHR/EMR between separate, independent information systems through: Managed File Transfer (MFT) that involves incorporating lab results into EMR/HER and ensuring the exchange of large files such as x-ray films with secure MFT; Electronic Data Interchange (EDI) in secure and efficient systems that can exchange large files quickly and easily so no data is lost; secure e-mail that is "security aware" and allows facilitated messages among health care providers (Axway, 2010) (Axway, 2010, p. 3).

3. Conclusion

The security of medical records is a daily issue with significant impacts on the privacy, security and treatment of patients. Consequently, providers struggle to maintain the security, privacy…