HL7 EHR System Functional Model – Record Infrastructure (RI

advertisement
HL7 EHR System Functional Model – Record Infrastructure (RI) Chapter DRAFT
Revised: 27 September 2011, 2nd pass in progress
Section/ID#:
Type:
Conformance Criteria
Name:
RI.1 – Record Lifecycle
Header
Manage Record Lifecycle
Actions are taken to support patient health. Actions are taken in provision of healthcare to individuals. Actions are taken as the result of rules-based EHR System algorithms. Actors
(i.e., patients, providers, users, systems) take Actions. (Actions broadly encompass tasks, acts, procedures or services performed or provided.)
Actions have corresponding Entries in the EHR Record, i.e., Action instances correspond to Record Entry instances. These Record Entries provide persistent evidence of Action
occurrence, context, disposition, facts, findings and observations. The EHRS Functional Model does not specify a particular relationship of Actions and corresponding Record
Entries. It may be one to one, many to one or even one to many.
Actions have associated metadata (e.g., who, what, when, where, why, how, under what conditions, in what context). The corresponding Record Entry captures this metadata along
with other Action and Record Entry related information. Record Entries may be encapsulated to bind author/system/time signatures to data and metadata content.
Each Record Entry also includes its own provenance metadata such as who (author) and when (documented). The EHR System captures Actions taken and creates corresponding
Record Entries. The EHR System subsequently manages those Entries, according to scope of practice, organizational policy and jurisdictional law.
Record Entries may be created during the course of the Action or Record Entries may be created sometime thereafter. The Actor/Source of the Record Entry may be the same as an
Actor performing the Action or not.
Actions and related Record Entries capture a chronology of patient health and healthcare and also a chronology of operations and services provided in a healthcare enterprise.
Record Entries reflect changes in health information from the time it was created, to the time it was amended, sent, received, etc. In this manner, each Record Entry serves as
persistent evidence of an Action taken, enabling providers to maintain comprehensive information that may be needed for legal, business, and disclosure purposes. To satisfy these
purposes, Record Entries must also be retained and persisted without alteration.
Record Entries have both a lifecycle and a lifespan. Lifecycle Events include originate/retain, amend, verify, attest, access/view, transmit/receive, and more. Lifecycle Events occur
at various points in a Record Entry lifespan, always starting with a point of origination and retention (i.e., when the Entry is first created and stored).
A Record Entry may have a pre and post Event state if content is modified. In this case, the original Record Entry is preserved (with signature binding) and a new Entry is created
(with new signature binding).
A Record Entry contains data and metadata, in multiple formats, following various conventions and standards. Included are tagged and delimited data, structured (concise, encoded),
unstructured (free form), data formatted as text, documents, images, audio, waveforms, in ASCII, binary or other encoding.
Record Lifecycle Events also Initiate a corresponding Audit Trigger and Audit Log Entry (see TI.2.1.1). The EHR System manages Record Lifecycle Events for each Record Entry,
including pre and post Event record states, continuity, persistence and related Record Audit Logs.
Action examples include: (1) In the direct care of a patient, a healthcare professional creates or amends health information to be contained in a history and physical; (2) A medical
device can supply the EHR system with a test result; (3) The EHR system can alert the healthcare professional of a potential drug-drug interaction.
Section/ID#:
Type:
Conformance Criteria
Name:
As described here, Record Lifecycle Events (as per Section RI.1.1) are those required to manage Record Entries in persistent storage over the full course of Record Lifespan (as per
Section RI.1.2).
RI.1.1
Header
Record Lifecycle
Statement:
1. The system SHALL conform to Section RI.1.1.2.1, Manage/Persist Record Entry, as the final step to
Manage Record Lifecycle
conclude each Record Lifecycle Event in Section RI.1.1.
Description:
As above
References:
ISO 21089 – Health Informatics – Trusted End-to-End Information
Flows
HL7 Electronic Health Record Lifecycle Model DSTU
RI.1.1.1
Header
Originate and Retain Record Entry
Statement:
Originate and Retain a Record Entry (1 instance)
Description:
Occurs when Record Entry is originated – typically during the course of
an Action itself, to document the Action and context.
• An identified Author or Source is responsible for Record Entry content.
• Record Entry contains Metadata about the Action and its
circumstances, e.g., who, what, when, where, facts, findings,
observations, etc.
• An Audit Trigger is initiated to track Record Entry origination and
retention.
Reference: ISO 21089, Section 12.2.2.
DC.1, DC.1.1.1, DC.1.1.3.2, DC.1.3.3, DC.1.8.4, DC.1.8.5, DC.2, DC.2.3.2, DC.2.4.5.1-2, DC.3, DC.3.1.1,
DC.3.1.3, DC.3.2.2.4, S.1, S.2, S.3, IN.1.1, IN.1.2, IN.1.3, IN.1.5, IN.1.8,
IN.1.9, RI.1.1.1, RI.1.1.2, RI.1.1.5.1-2
1. The system SHALL provide the ability to capture (originate) a Record Entry instance corresponding to
an Action instance and context.
2. The system SHALL capture a unique instance identifier for each Record Entry.
3. The system SHALL conform to Section TI.2.1.1.1, Originate/Retain Record Entry Audit Trigger.
4. The system SHALL capture the full set of identity, event and provenance Audit Metadata, conforming
to Section TI.2.1.1.1.
5. The system SHALL capture the signature event (e.g., digital signature) of the origination entry Author,
binding signature to Record Entry content.
6. The system SHALL provide the ability to capture both structured and unstructured content in Record
Entries.
7. The system SHALL provide the ability to capture Record Entries from information recorded during
system downtime.
8. The system SHOULD provide the ability to integrate Record Entries from Information recorded during
system downtime.
9. The system SHALL provide the ability to capture date/time of an Action was taken or data was
collected if different than date/time of the Record Entry.
10. The system SHOULD capture metadata that identifies the source of non-originated Record Entry
(e.g., templated, copied, duplicated, or boilerplate information).
11. The system MAY provide the ability to tag unstructured Record Entry content to organize it according
to need, for example, in a time-related fashion or by application-specific groups (such as photographs,
handwritten notes, or auditory sounds), or by order of relative importance.
12. The system MAY capture and maintain a Record Entry encoded as a standards-based data object
(e.g., HL7 Continuity of Care or other HL7 CDA R2 Document).
13. The system MAY capture and maintain a standards-based data object to mirror (be duplicate and
Section/ID#:
Type:
Name:
RI.1.1.2
Header
Amend Record Entry Content
Statement:
Amend content of an Record Entry (1 instance)
Description:
Occurs when Record Entry content is modified (from its original or
previously retained state) – typically upon conclusion of an Action, to
correct, update or complete content.
• Amended Record Entry content is the responsibility of authorized
amendment Author(s).
• The amendment becomes part of the Act Record revision history,
where the original content and any
previous amendments are retained without alteration.
• After amendment, the System is responsible for retention of the Record
Entry and its revision history.
• An Audit Trigger is initiated to track Record Entry amendment.
Reference: ISO 21089, Section 12.3.2
RI.1.1.3
Header
Translate Record Entry Content
Statement:
Translate content of Record Entries (1 or more instances)
Description:
Occurs when Record Entries are amended to include translation of
content – typically to transform coded data
from one coding/classification scheme to another, also from one human
language to another.
• Translated (amended) Record Entry content is the responsibility of
translating System – which invokes
mapping/translation rules for each relevant record attribute.
• The translation amendment becomes part of the Record Entry revision
history, where original content and
any previous amendments are retained without alteration.
• After translation amendment, the System is responsible for retention of
the Record Entry and its revision
history (including the translation event).
• An Audit Trigger is initiated to track Record Entry translation.
Conformance Criteria
synchronous with) internal Record Entry representation.
DC.1, DC.1.1.1, DC.1.1.3.2, DC.1.3.3, DC.1.8.4, DC.1.8.5, DC.2, DC.2.3.2, DC.2.4.5.1-2, DC.3, DC.3.1.1,
DC.3.1.3, DC.3.2.2-4, S.1, S.2, S.3, S.3.1.5, IN.1.1, IN.1.2, IN.1.3, IN.1.5, IN.1.8, IN.1.9, RI.1.1.1,
RI.1.1.2, RI.1.1.5.1-2
1. The system SHALL provide the ability to update (amend) Record Entry content.
2. The system SHALL maintain the original and all previously amended versions of the Record Entry,
retaining each version instance without alteration.
3. The system SHALL capture a new uniquely identifiable version of the Record Entry, incorporating
amended content.
4. The system SHALL conform to Section TI.2.1.1.2, Amend Record Entry Audit Trigger.
5. The system SHALL capture the full set of identity, event and provenance Audit Metadata, conforming
to Section TI.2.1.1.2.
6. The system SHALL capture the signature event (e.g., digital signature) of the amendment Author,
binding signature to Record Entry content.
7. The system SHALL capture the reason for amendment as Audit Metadata, as per Section TI.2.1.1.2,
e.g., to add information, to correct erroneous information or to augment/supplement Record Entry.
DC.1, DC.2, DC.3, S.1, S.2, S.3, S.3.1.5, IN.1.1, IN.1.2, IN.1.3, IN.1.5, IN.1.8, IN.1.9, RI.1.1.2, RI.1.1.5.12, IN.4.1-3, IN.5.1-2
1. The system SHOULD provide the ability to render coded Record Entry content translated from one
coding/classification system to another.
2. The system SHOULD provide the ability to render coded Record Entry content translated from one
value set to another.
3. The system MAY provide the ability to render Record Entry content translated from one human
language to another.
4. The system SHOULD maintain the original and all previously amended versions of the Record Entry,
retaining each version instance without alteration.
5. The system SHOULD capture a new uniquely identifiable version of the Record Entry, incorporating
translated content.
6. The system SHOULD conform to Section TI.2.1.1.3, Translate Record Entry Audit Trigger.
7. The system SHOULD capture the full set of identity, event and provenance Audit Metadata,
conforming to Section TI.2.1.1.3.
Section/ID#:
Type:
Name:
Reference: ISO 21089, Sections 12.3.2 and 12.4.
RI.1.1.4
Header
Attest Record Entry Content
Statement:
Attest to content of Record Entry (1 instance)
Description:
Occurs when Record Entry content is attested for accuracy and
completeness – typically during/after conclusion of an Action.
• Attested Record Entry content is the responsibility of Attesting Author.
The Attesting Author may be someone other than the originating Author,
i.e., a supervisor, proctor, preceptor or other designated individual.
• An Audit Trigger is initiated to track Record Entry attestation.
Reference: ISO 21089, Section 12.2.2.
RI.1.1.5
Header
View/Access Record Entry Content
Statement:
View/Access content of Record Entries (1 or more instances)
Description:
Occurs when Record Entries are viewed or accessed.
• Viewed Record Entry content is the responsibility of authorized User(s).
• An Audit Trigger is initiated to track Record Entry views and access.
Reference: ISO 21089, Section 12.5.
RI.1.1.6
Header
Transmit and/or Disclose Record Entries
Statement:
Transmit/Disclose content of Record Entries (1 or more instances)
Description:
Occurs when Record Entry content is transmitted and/or disclosed –
typically to an external entity or system.
• Transmittal may include original Record Entry content with subsequent
amendment(s), if any.
• Transmittal of Record Entries is the responsibility of the System – which
invokes relevant rules.
• An Audit Trigger is initiated to track Record Entry transmittal and
Conformance Criteria
DC.1, DC.1.8.3, DC.2, DC.3, S.1, S.2, S.3, IN.1.1, IN.1.2, IN.1.3, IN.1.5, IN.1.8, IN.1.9, RI.1.1.2,
RI.1.1.5.1-2
1. The system SHALL provide the ability to attest Record Entry content.
2. The system SHALL conform to Section TI.2.1.1.4, Attest Record Entry Audit Trigger.
3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.4.
4. The system SHALL capture the signature event (e.g., digital signature) of the Attesting Author, binding
signature to Record Entry content.
DC.1, DC.1.1.3.1, DC.1.1.4, DC.1.1.5, DC.1.8.3, DC.1.8.5, DC.2, DC.3, S.1, S.2, S.3, IN.1.1, IN.1.2,
IN.1.3, IN.1.5, IN.1.9, RI.1.1.1, RI.1.1.2, RI.1.1.5.1-2
1. The system MAY mask Record Entry content to access by authorized entities.
2. The system SHALL provide the ability to render Record Entry content, including original version and
any subsequent amendments.
3. The system SHALL provide the ability to render Record Entry content down to the discrete element or
item, including encoded fields.
4. The system SHALL conform to Section TI.2.1.1.5, View/Access Record Entry Audit Trigger.
5. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.5.
DC.1, DC.2, DC.3, DC.3.1.1, DC.3.1.3, DC.3.2.2-4, S.1, S.2, S.2.1.2, S.2.2, S.2.2.1-3, S.3, S.3.3.3-6,
S.3.6, IN.1.1, IN.1.2, IN.1.6, IN,1.7, IN.1.9, RI.1.1.1, RI.1.1.2, RI.1.1.3, RI.1.1.5.1-2, IN.4.1-3, IN.5.1-2
1. The system SHOULD provide the ability to transmit Record Entry content to external systems,
retaining original, unaltered content and signature bindings, Action and Record Entry provenance and
metadata.
2. The system SHALL provide the ability to transmit Record Entry extracts to external systems, including
content, context, provenance and metadata.
3. The system SHALL identify the patient or individual subject of transmitted/disclosed Record Entry
content.
4. The system SHALL capture a log entry for disclosure of protected Record Entry content, according to
organizational policy and jurisdictional law.
5. If a specific recipient is known, the system SHOULD transmit (disclose) protected Record Entry
content according to established permissions, organizational policy and jurisdictional law governing
Section/ID#:
Type:
Name:
disclosure.
Reference: ISO 21089, Section 12.8.1.
RI.1.1.7
Header
Receive and Retain Record Entries
Statement:
Receive and retain/persist content of Record Entries (1 or more
instances)
Description:
Occurs when Record Entry content is received – typically from an
external system.
• Receipt of Record Entries is the responsibility of the System – which
invokes relevant rules.
• An Audit Trigger is initiated to track Record Entry receipt and retention.
Reference: ISO 21089, Section 12.8.1.
RI.1.1.8
Header
De-identify Record Entries
Statement:
De-identify content of Record Entries (1 or more instances)
Description:
Occurs when Record Entry content is transformed into de-identified
version.
• De-identification of Record Entries may be initiated by User command.
• De-identification of Record Entries is the responsibility of the System –
which invokes relevant rules.
Conformance Criteria
disclosure.
6. If known and explicit as to Record Entry content being transmitted, the system SHOULD transmit
corresponding authorizations and patient consent permissions.
7. The system SHALL conform to Section TI.2.1.1.6, Transmit/Disclose Record Entry Audit Trigger.
8. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.6.
9. The system SHALL conform to Section IN.1.6, Secure Data Exchange.
10. The system SHALL provide the ability to extract Record Entry content prior to transmittal/disclosure,
conforming to Section RI.1.1.11, Extract Record Entry Content.
11. The system SHALL provide the ability to de-identify Record Entry content prior to
transmittal/disclosure, conforming to Section RI.1.1.8, De-Identify Record Entries.
12. The system SHALL provide the ability to transmit updates (new versions) of Record Entry Content to
known recipients of prior versions according to organizational policy and jurisdictional law.
13. The system SHALL provide the ability to transmit with each exchange the most recent or all versions
of Record Entry Content depending on organizational policy and jurisdictional law.
DC.1, DC.2, DC.3, DC.3.1.1, DC.3.1.3, DC.3.2.2-4, S.1, S.2, S.2.1.2, S.2.2, S.2.2.1-3, S.3, S.3.3.3-6,
S.3.6, IN.1.1, IN.1.2, IN.1.6, IN,1.7, IN.1.9, RI.1.1.1, RI.1.1.2, RI.1.1.3, RI.1.1.5.1-2, IN.4.1-3, IN.5.1-2
1. The system SHOULD provide the ability to capture and maintain Record Entry content from external
systems, retaining and persisting original unaltered content and signature bindings, Action and Record
Entry provenance and metadata.
2. The system SHALL provide the ability to capture and maintain Record Entry extracts from external
systems, retaining and persisting source, identity, record content, corresponding provenance and
metadata.
3. The system SHALL identify the patient or individual subject of received Record Entry content.
4. If received with Record Entry content, the system SHOULD control subsequent data access to that
permitted by corresponding authorizations and patient consents.
5. The system SHALL conform to Section TI.2.1.1.7, Receive/Retain Record Entry Audit Trigger.
6. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.7.
S.1.5, S.2, S.2.2, IN.1.1, IN.1.2, IN.1.9, RI.1.1.1, RI.1.1.2, RI.1.1.3, RI.1.1.5.1-2
1. The system SHALL provide the ability to de-identify Record Entry content according to organizational
policy and/or jurisdictional law.
2. The system SHALL conform to Section TI.2.1.1.8, De-Identify Record Entry Audit Trigger.
3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.8.
Section/ID#:
Type:
Name:
• An Audit Trigger is initiated to track Record Entry de-identification.
Reference: ISO 21089, Section 12.6.1.
RI.1.1.9
Header
Pseudomynize Record Entries
Statement:
Provide pseudomynized identity for Record Entries (1 or more instances)
Description:
Occurs when Record Entry is transformed into an pseudomynized
version.
• Pseudomynization allows records to be later re-identified.
• Pseudomynization of Record Entries may be initiated by User
command.
• Pseudomynization of Record Entries is the responsibility of the System
– which invokes relevant rules.
• An Audit Trigger is initiated to track Record Entry pseudomynization.
Reference: ISO 21089, Section 12.6.1.
RI.1.1.10
Header
Re-identify Record Entries
Statement:
Re-identify previously aliased identity for content of Record Entries (1 or
more instances)
Description:
Occurs when Record Entries are re-identified from a previously aliased
version.
• Re-identification of Record Entries is the responsibility of the System –
which invokes relevant rules.
• An Audit Trigger is initiated to track Record Entry re-identification.
ISO 21089, Section 12.6.2.
RI.1.1.11
Header
Extract Record Entry Content
Statement:
Extract Record Entry content to produce subsets, derivations, summaries
or aggregations (Multiple instances)
Conformance Criteria
S.1.5, S.2, S.2.2, IN.1.1, IN.1.2, IN.1.9, RI.1.1.1, RI.1.1.2, RI.1.1.3, RI.1.1.5.1-2
1. The system SHALL provide the ability to pseudomynize (or associate new identity with) patient Record
Entries according to organizational policy and/or jurisdictional law.
2. The system SHALL conform to Section TI.2.1.1.9, Pseudomynize Record Entry Audit Trigger.
3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.9.
IN.1.1, IN.1.2, IN.1.9, RI.1.1.2
1. The system SHALL provide the ability to re-identify (or associate original identity with) Record Entry
content according to organizational policy and/or jurisdictional law.
2. The system SHALL conform to Section TI.2.1.1.10, Re-Identify Record Entry Audit Trigger.
3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.10.
None specified
1. The system SHALL provide the ability to extract Record Entry content to produce subsets, derivations,
summaries or aggregations according to organizational policy and/or jurisdictional law.
2. The system SHALL provide the ability to de-identify Record Entries during extraction in accordance
with Section RI.1.1.8, De-Identify Record Entries.
Section/ID#:
Type:
Name:
Description:
Occurs when Record Entry content is extracted to render subsets,
derivations, summaries or aggregations.
• Extraction of Record Entry content may be initiated by User command
and/or rules-based algorithm.
• Extraction of Record Entry content is the responsibility of the System –
which invokes relevant rules.
• An Audit Trigger is initiated to track Record Entry content extraction.
ISO 21089, Section 12.7.
RI.1.1.12
Header
Archive Record Entries
Statement:
Archive Record Entries (1 or more instances)
Description:
Occurs when Record Entries are archived – typically to off-line (less
readily available) storage media.
• Archival of Record Entries may be initiated by User command.
• Archival of Record Entries is the responsibility of the System – which
invokes relevant rules.
• An Audit Trigger is initiated to track Record Entry archival.
ISO 21089, Section 12.10.
RI.1.1.13
Header
Destroy or Identify Record Entries as Missing
Statement:
Destroy or Identify Record Entries as Missing (1 or more instances)
Conformance Criteria
3. The system SHALL provide the ability to extract Record Entry content based on queries with selection
criteria, for example, key words, date/time range, full text search.
4. The system SHALL provide the ability to extract metadata associated with Record Entry content.
5. The system SHOULD provide the ability to extract, with parameterized selection criteria, across the
complete data set that constitutes all Record Entries for a patient.
6. The system SHOULD provide the ability to extract and present a full chronicle of the healthcare
process from assembled Record Entries.
7. The system SHOULD provide the ability to extract and present a full chronicle of healthcare delivered
to a patient from assembled Record Entries.
8. The system SHALL provide the ability to extract Record Entry content for various purposes, including
administrative, financial, research, quality analysis and public health.
9. The system SHOULD provide the ability to extract Record Entries for system migration.
10. The system SHOULD provide the ability to manage a set of over-riding parameters to exclude
sensitive or privileged Record Entry content from extraction.
11. The system MAY provide the ability to extract unstructured Record Entry content and convert it into
structured data.
12. The system SHALL conform to Section TI.2.1.1.11, Extract Record Entry Audit Trigger.
13. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.11.
DC.1.1.1, IN.1.1, IN.1.2, RI.1.1.1, RI.1.1.2, RI.1.1.5.1-2
1. The system SHALL provide the ability to manage archival of Record Entries to off-line or near-line
media according to organizational policy and/or jurisdictional law.
2. The system SHALL provide the ability to manage (configure) archival parameters for Record Entries
(e.g., what and when to archive).
3. The system SHALL archive Record Entries according to Section IN.8, Archive and Retrieval.
4. The system SHALL conform to Section TI.2.1.1.12, Archive Record Entry Audit Trigger.
5. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.12.
S.2.2, IN.1.1, IN.1.2, RI.1.1.1, RI.1.1.2, RI.1.1.5.1-2
1. The system SHALL provide the ability to delete (destroy) Record Entries (e.g., those exceeding their
legal retention period) according to organizational policy and/or jurisdictional law.
2. The system MAY provide the ability to restore (reverse, re-activate) previously deleted Record Entries.
Section/ID#:
Type:
Name:
Description:
Occurs when Record Entries are destroyed or identified as missing.
• Destruction typically occurs after conclusion of the legal retention
period.
• Destruction of Record Entries may be initiated by User command.
• Destruction of Record Entries is the responsibility of the System –
which invokes relevant rules.
• An Audit Trigger is initiated to track Record Entry Destruction or
Notation as Missing.
ISO 21089, Section 12.11.
RI.1.1.14
Header
Deprecate Record Entries
Statement:
Deprecate Record Entries as invalid (1 or more instances)
Description:
Occurs when Record Entries are deprecated if found to be improperly
identified or otherwise invalid.
• Deprecation of Record Entries may be initiated by User command.
• Deprecation of Record Entries is the responsibility of the System –
which invokes relevant rules.
• An Audit Trigger is initiated to track Record Entry Deprecation.
RI.1.1.15
Header
Re-Activate Record Entries
Statement:
Re-activate Record Entries (1 or more instances)
Description:
Occurs when Record Entries are made active again after previously
Destroy or Deprecate.
• Re-activation of Record Entries may be initiated by User command.
• Re-activation of Record Entries is the responsibility of the System –
which invokes relevant rules.
• An Audit Trigger is initiated to track Record Entry Re-Activation.
RI.1.1.16
Header
Merge Record Entries
Statement:
Merge Record Entries (2 or more instances)
Conformance Criteria
3. The system SHALL provide the ability to tag Record Entries as missing.
4. The system SHALL conform to Section TI.2.1.1.13, Destroy Record Entry Audit Trigger.
5. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.13.
DC1.1.1
1. The system SHALL provide the ability to deprecate Record Entries as invalid according to
organizational policy and/or jurisdictional law.
2. The system SHALL conform to Section TI.2.1.1.14, Deprecate Record Entry Audit Trigger.
3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.14.
1. The system SHALL provide the ability to re-activate (previously destroyed or deprecated) Record
Entries according to organizational policy and/or jurisdictional law.
2. The system SHALL conform to Section TI.2.1.1.15, Re-Activate Record Entry Audit Trigger.
3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.15.
1. The system SHALL provide the ability to logically merge patient Record Entries according to
organizational policy and/or jurisdictional law.
Section/ID#:
Type:
Name:
Description:
Occurs when Record Entries are merged together.
• Entries may be merged if duplicate patient records are found.
RI.1.1.17
Header
Unmerge Record Entries
Statement:
Unmerge previously merged Record Entries (2 or more instances)
Description:
Occurs when Record Entries must be unmerged from previous merge, as
in RI.1.1.16.
RI.1.1.18
Header
Link Record Entries
Statement:
Link Record Entries (2 or more instances)
Description:
Occurs when Record Entries are linked together.
• Entries may be linked for a single an encounter (patient visit)
• Entries may be linked for an episode (patient problem)
• Entries may be linked for a selected population cohort
RI.1.1.19
Header
Unlink Record Entries
Statement:
Unlink previously linked Record Entries (2 or more instances)
Description:
Occurs when Record Entries must be unlinked from previous linkage, as
in RI.1.1.18.
RI.1.1.20
Header
Place Record Entries on Legal Hold
Statement:
Hold Record Entries in an unaltered state for legal hold period (1 or more
instances)
Description:
Occurs when Record Entries must be marked (and held in an unaltered
Conformance Criteria
2. The system SHALL conform to Section TI.2.1.1.16, Link Record Entry Audit Trigger.
3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.16.
1. The system SHALL provide the ability to unmerge multiple patient Record Entries according to
organizational policy and/or jurisdictional law.
2. The system SHALL conform to Section TI.2.1.1.17, Link Record Entry Audit Trigger.
3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.17.
1. The system SHALL provide the ability to logically link patient Record Entries according to
organizational policy and/or jurisdictional law.
2. The system SHALL conform to Section TI.2.1.1.18, Link Record Entry Audit Trigger.
3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.18.
1. The system SHALL provide the ability to unlink multiple patient Record Entries according to
organizational policy and/or jurisdictional law.
2. The system SHALL conform to Section TI.2.1.1.19, Link Record Entry Audit Trigger.
3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.19.
1. The system SHALL conform to Section RI.1.1.2.2, Manage Record Entries for Legal Hold.
2. The system SHALL provide the ability to manage a specified set of patient Record Entries during
period of legal hold, marking as to on hold status and preventing alteration.
3. The system SHALL conform to Section TI.2.1.1.20, Place Legal Hold on Record Entry Audit Trigger.
4. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.20.
Section/ID#:
Type:
Name:
state) for purposes of a legal hold (typically as the result of court or legal
action).
RI.1.1.21
Header
Release Record Entries from Legal Hold
Statement:
Release legal hold on Record Entries (1 or more instances)
Conformance Criteria
1. The system SHALL provide the ability to release patient Record Entries from legal hold status.
2. The system SHALL conform to Section TI.2.1.1.21, Remove Legal Hold on Record Entry Audit
Trigger.
3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section
TI.2.1.1.21.
Description:
Occurs when Record Entries are released from legal hold (previously
marked and held in unaltered state), as in RI.1.1.20.
RI.1.2 – Record Lifespan
Header
Manage Record Lifespan
Record Lifecycle Events (Section RI.1.1) are those required to manage Record Entries in persistent storage over the full course of Record Lifespan (Section RI.1.2). See Section
RI.1.1, Record Lifecycle, for further description.
RI.1.2.1
DC.1, DC.1.1.1, DC.1.1.3.2, DC.1.3.3, DC.1.8.4, DC.1.8.5, DC.2, DC.2.3.2, DC.2.4.5.1-2, DC.3, DC.3.1.1,
DC.3.1.3, DC.3.2.2-4, S.1, S.2, S.3, S.3.1.5, IN.1.1, IN.1.2, IN.1.3, IN.1.5, IN.1.8, IN.1.9, RI.1.1.1,
Header
RI.1.1.2, RI.1.1.5.1-2
Manage Record Entries
Statement:
1. The system SHALL manage each Record Entry as a persistent, indelible (unalterable) data object,
Manage/Persist Record Entries (Multiple instances)
including its revision history.
2. The system SHALL manage (persist) each Record Entry for its applicable retention period according
Description:
to scope of practice, organizational policy and jurisdictional law.
Occurs upon Record Entry origination/retention and thereafter on a
3. The system SHALL manage (persist) the full set of identity, event and provenance Audit Metadata for
continuous and uninterrupted basis for lifespan of each Record Entry.
each Record Entry, conforming to Section TI.2.1.1, Record Entry Audit Triggers.
• Ensures long-term retention and preservation of EHR Record Entries,
4. The system SHALL manage (persist) the signature event (e.g., digital signature) of each Record
without alteration.
Entry.
5. The system SHALL manage Record Entries with data content in standard and non-standard formats.
Reference: ISO 21089, Section 12.2.2
6. The system SHALL manage Record Entries containing both structured and unstructured data.
7. The system SHOULD manage Record Entry content with tagged or delimited elements including data
formatted as text, documents, images, audio, waveforms, in ASCII, binary and other encodings.
8. The system SHOULD manage Record Entries in clinical and business contexts.
9. The system SHOULD provide the ability to specify sets of clinical and business context data, to be
captured in or linked to Record Entries.
10. The system SHOULD provide the ability to extract all available elements included in the definition of
a legal medical record (including Audit Log Entries and the decoded translation of anything stored only in
code form) in accordance with user scope of practice, organizational policy and/or jurisdictional law.
11. The system MAY (automatically or manually) provide the ability to tag specific Record Entries for
deletion according to user scope of practice, organizational policy and/or jurisdictional law.
12. IF allowing tags for specific Record Entry deletion, THEN the system SHALL provide the ability to
manage the set of tagged Entries, allowing review and confirmation before actual deletion occurs
according to user scope of practice, organizational policy and/or jurisdictional law.
Section/ID#:
Type:
Name:
Conformance Criteria
13. IF allowing tags for specific Record Entry deletion, THEN the system SHALL provide the ability to
delete Entries according to user scope of practice, organizational policy and/or jurisdictional law.
14. IF allowing tags for specific Record Entry deletion, THEN the system SHALL provide the ability to
confirm that the destruction occurred according to user scope of practice, organizational policy and/or
jurisdictional law.
15. The system MAY provide the ability to undelete Record Entries according to user scope of practice,
organizational policy and/or jurisdictional law.
16. The system MAY transmit record destruction date information along with existing data when
transmitting Record Entries (or extracts) to another entity.
17. The system SHOULD manage health care information for organizations that have multiple facilities
according to scope of practice.
RI.1.2.2
Header
Manage Record Entries for Legal Hold
Statement:
Manage/Preserve Record Entries for Legal Hold (Multiple instances)
Description:
Occurs when a set of Record Entries is designated to be held for legal
purposes or proceedings.
• Ensures preservation of a set of Record Entries for a designated time,
held without alteration.
RI.1.3
Header
Manage Record States
Statement: Manage health record information during the various states
of completion.
Description: Health record information may reside in various states that
must be managed. This section uses the terms record, report, note, and
documentation generically and interchangeably when describing the
states and management issues. An important underlying principle for
managing record states is the need to retain health information records
1. The system SHALL conform to Section RI.1.1.20, Place Record Entries on Legal Hold.
2. The system SHALL conform to Section RI.1.1.21, Remove Record Entries from Legal Hold.
3. The system SHALL provide the ability to control access to data/records during legal hold, preventing
un-auditable alteration or unauthorized use for preservation purposes.
4. The system SHALL provide the ability to maintain records beyond normal retention period according
to organizational policy or jurisdictional law.
5. The system SHOULD provide the ability to capture the reason for preserving records beyond the
normal retention period.
6. The system SHOULD provide the ability to render a legal hold notice identifying who to contact for
questions when a user attempts to alter a record on legal hold.
7. The system MAY tag medical record elements to metadata to provide the business context,
conforming to RI.1.2.1, Manage Record Entries, Conformance Criteria 7-8.
8. The system MAY provide the ability to render Record Entry content preserved for a legal hold by type,
class or encounter (for example: medical record entry or report, e-mail, metadata, etc.), conforming to
Section RI.1.1.11, Extract Record Entry Content.
Section/ID#:
Type:
Name:
that have been viewed for patient care purposes even if it has not been
completed or attested. This principle has important legal impact because
it provides a record of what the provider relied on for clinical decisionmaking. For example, if a report was available in pending state and a
clinician used the information to make decisions, it is important to retain
the pending version even after the final version was available.
Determining if the report was used for patient care may be challenging.
Access logs could provide a mechanism to determine if the information
was used.
RI.1.3.1
Header
Manage Record Pending State
Statement: Manage health record information during the various states
of completion.
Description: Health record information may reside in various states that
must be managed. An important underlying principle for managing record
states is the need to retain health information records that have been
viewed for patient care purposes even if it has not been completed or
attested. This principle has important legal impact because it provides a
record of what the provider relied on for clinical decision-making. For
example, if a record entry was available in pending state and a clinician
accessed the information to make decisions, it is important to retain the
pending version even after the final version was available. Determining if
the record entry was accessed for patient care may be challenging.
Access logs should show if the information was accessed/viewed.
RI.1.3.2
Header
Manage Record Corrected, Amended, Augmented State
Statement: Manage health record information that may be amended,
corrected or augmented after finalization (or signature/attestation).
Description: Clinicians need the ability to correct, amend or augment
record entries once they have been completed. When an amendment,
Conformance Criteria
1. The system SHOULD provide the ability to manage the length of time a Record Entry can be in a
pending or inactive state before being administratively closed.
2. The system MAY present a notification to the author or designate that a Record Entry will be
administratively closed after a designated period of time.
3. The system MAY present pending Record Entries in accordance with the organization’s business
rules.
4. IF the system displays pending Record Entries, THEN the system SHALL tag and present that a
Record Entry is pending or incomplete.
5. The system SHOULD provide the ability to update a Record Entry status to one of:
- complete,
- complete while retaining incomplete version of the Entry if viewed for patient care or used by the
system,
- mark as erroneous and retain if Entry used for patient care or by the system, or
- discard if Entry never viewed for patient care purposes.
6. The system SHOULD provide the ability to manage administrative closure of a Record Entry after a
period of inactivity in accordance with organizational policy and jurisdictional law.
7. The system SHALL capture a date/time stamp and identify the author each time a Record Entry is
updated including when opened, when updated, with the signature event and when officially closed,
conforming to Section TI.2.1.1 (Record Entry Audit Triggers).
1. The system SHALL provide the ability to update a Record Entry for purposes of amendment,
correction or augmentation, conforming to RI.1.1.2 (Amend Record Entry Content).
2. The system SHALL provide the ability to tag a Record Entry as an amendment (additional
information), a correction of erroneous information and the reason, or an augmentation to supplement
content.
Section/ID#:
Type:
Name:
correction or augmentation has been made, principles for documentation
practices require that the original documentation must be accessible,
readable, and unobliterated. A user must have a clear indication that
modifications have been made to the entry. There is optionallity in how a
system may identify a record entry that has been corrected or amended
– a flag or indicator could be displayed, the text could be in a different
font, etc. The original record entry is not required to be displayed, but
can be linked or traced back. The original record entry should be
retained for the legally prescribed timeframe as defined by organizational
policy and/or jurisdictional law.
RI.1.3.3
Header
Manage Record Succession and Version Control
Statement: Retain previous versions of a record entry and manage
succession.
Description: The system must have a mechanism to handle versions
and succession of record entries (such as a preliminary and final lab
reports, amended or corrected documents). Versioning and succession
management is based on a record entry’s content and/or status change
over time.
A version of a record entry is one of the following:
1) A completed and attested record entry;
2) A record entry completed and attested which has been modified one
or more times
3) A record entry that has been viewed for clinical decision-making
purposes by an individual other than the author
4) A record entry that has been captured in an incomplete state per
organization business rules and updated over time (i.e., a preliminary lab
test).
5) A record entry that electively, according to the author, must be
preserved in the current state at a given point in time (i.e., History and
Physical).
Certain types of records are typically handled in versions, for example:
- Lab results (preliminary and final)
- Dictated reports
- Work ups (over course of days)
The prior version of record entries should be retained for the legally
prescribed timeframe as defined by organizational policy and
jurisdictional law.
RI.1.3.4
Header
Manage Record Retraction
Conformance Criteria
3. The system SHALL capture, maintain and render the corresponding date, time and user specifying
when and by whom a Record Entry was amended, corrected or augmented, conforming to TI.2.1.1.2,
Amend Record Entry Audit Trigger.
4. The system SHALL present the current version and provide a link or clear direction for accessing
previous version(s) of the Record Entry.
5. The system SHALL manage all versions of the record entry for the legal retention period, conforming
to Section RI.1.2.1, Manage Record Entries.
1. The system MAY provide the ability to manage Record Entries that become new versions when their
state changes (e.g. augmented, amended, corrected, etc.).
2. The system SHALL provide the ability to update a Record Entry and save it as a new version.
3. The system SHALL capture, maintain and render the date, time and user for the original and each
updated version(s) of the Record Entry.
4. The system SHALL manage the succession of record entries in chronological version order.
Section/ID#:
Type:
Name:
Statement: Remove a record entry from view if it is deemed erroneous
and cite the reason.
Description: Record retraction is used to reverse changes that have
been made to an existing record entries. Once a record entry has been
retracted, it is no longer visible in standard queries, though it remains
accessible in EHR audit records should evidence ever be required for
legal or other exceptional circumstances.
Canada Health Infoway provides the following definition for retraction:
This mechanism allows an existing record to be “removed” from the EHR
if it is deemed erroneous. It can also be used to reverse changes that
have been made to an existing record. Once a record has been
retracted, it is no longer visible in standard queries, though it remains
accessible in EHR audit records should evidence ever be required for
legal or other exceptional circumstances. After retracting an erroneous
record, a user has the ability to resubmit a corrected record with no
visible indication that there was ever a previous version. Retract
generally has significant constraints upon its use because of the risks of
removing data from a patient’s record that might have been used by
others in making decisions. The specifics will vary by jurisdiction, and
potentially even by type of data.
There are times that a record is entered in an EHR and completed then
found to be erroneous, i.e., the record may belong to another individual.
In these cases, it is necessary to remove that record from view (storing it
in case it may be needed for litigation or investigation purposes, etc.).
After retracting an erroneous record, a user has the ability to resubmit a
corrected record with no visible indication that there was ever a previous
version.
RI.1.4
Header
Manage Record Completeness
Statement: Support the ability to identify a patient health record or
portion thereof as complete and identify the status as defined by the
organization.
Description: The EHR-S must provide the ability for an organization to
define minimum elements and timeframes for completion at the report
level and at the record level. Provide a report that identifies completion
and timeliness status by patient/ health record number or other specified
parameters.
Prior to disclosure for legal proceedings or other official purposes, an
organization analyzes the health record for completeness. EHR systems
Conformance Criteria
1. The system SHALL provide the ability to hide a Record Entry from view and retain it such that it is only
visible upon specific request and with appropriate authorization.
2. The system SHOULD provide the ability to capture users who viewed a Record Entry prior to its
retraction and notify them of the retraction.
3. The system SHOULD provide the ability to capture and retain the reason why a Record Entry was
retracted.
1. The system SHALL provide the ability to manage timeframes for completion of specified health record
content according to organizational business rules.
2. The system SHOULD provide the ability to tag by patient/health record number the completeness
status of specified health record content noting identified deficiencies.
3. The system SHOULD provide the ability to render a report by patient/health record number indicating
the completeness status of specified health record content noting identified deficiencies.
4. The system SHOULD provide the ability to render a a visual indicator denoting that the content of a
specified health record is incomplete according to organizational business rules.
5. The system SHOULD provide the ability to render a reminder to clinicians for the completion of
specified health record content (at the data or report level) according to organizational business rules
Section/ID#:
Type:
Name:
must provide the ability to define a minimum set of content to be
analyzed for timeliness and completeness and provide a report of the
status.
RI.2
Header
Manage Record Synchronization
Statement: Maintain synchronization involving:
- Interaction with entity directories;
- Linkage of received data with existing entity records;
- Geographic location of each health record component; and
- Communication of changes between key systems.
Description: An EHR-S may consist of a set of components or
applications; each application manages a subset of the health
information. Therefore it is important that, through various interoperability
mechanisms, an EHR-S maintains all the relevant information regarding
the health record in synchrony. For example, if a physician orders an
MRI, a set of diagnostic images and a radiology report will be created. As
a result, the patient demographic information, the order for MRI, the
diagnostic images associated with the order, and the report associated
with the study must all be synchronized in order for the clinicians to
receive a synchronized view the complete record (with respect to time
and geographic location).
Conformance Criteria
(e.g., complete attestation, complete a section).
6. The system MAY tag patient information that has been not been previously presented to the clinician.
7. IF the system tags patient information from internal or external systems that has not been previously
presented to the clinician, then it MAY present a notification to that clinician, according to user role, scope
of practice and/or jurisdictional law.
1. The system SHALL conform to function IN.5.1 (Interchange Standards).
2. The system SHOULD conform to function IN.3 (Registry and Directory Services).
3. The system SHOULD provide the ability to link record entries to external information.
4. The system SHOULD store the location of each known record entry in order to enable authorized
access to a complete logical health record if the EHR is distributed among several applications, services,
or devices within the EHR-S.
5. The system SHALL provide the ability to manage date and time-related information between
applications, components, services, systems, and devices.
Date and time need to be consistent across the applications that are part
of the EHR system.
Synchronization demonstrates a sequence and chain of events for
reconstruction and is relevant during a legal proceeding. Maintenance of
synchronization activities could be relevant during a legal proceeding.
Note: Standards exist for Consistent Date and Time.
RI.3
Header
Manage Record Archive and Restore
Statement:
1. The system SHALL provide the ability to archive and restore information according to scope of
Provide for archiving and restoring of EHR information in accordance
with scope of practice, organizational policy, or jurisdictional law.
Description:
EHR information must be transitioned over its lifecycle from online data
structures to near-line or off-line data structures. The archive function
performs this transition of data and records from an online, production
EHR-S to offline storage for information that is not being
purged/destroyed. The system must provide such archive and restore
functions to extract and preserve indefinitely, information that has been
selected to be removed from the live production EHR-S database and
retained.
Information must be archived and restored in such a manner as to permit
it to be returned to its original or similar information structures. Archived
information should also include corresponding metadata to ensure logical
and semantic consistency of the information for subsequent access upon
restoration.
The archive function should provide both an automated, configurable
capability as well as a user-invoked archival function to enable selected
data and records to be preserved, or flagged for preservation. In the first
instance, rules are specified to enable the system to conduct archiving in
an unattended fashion. This is often the case for periodic system
maintenance requirements (e.g. nightly processing where archival, data
summarization and possibly purging of information occurs). In the
second instance the system should provide the ability to select data or
records to be preserved for future reference and access, such as in the
case where selected records need to be preserved and retained for
litigation.
In restoring information, it may occur that the information being restored
is a subset of the information that was originally archived such as in the
case where a complete patient encounter was archived and only a
particular study or result is to be restored. The system may provide for
such finer granularity of restoration.
Archiving and restoring of information must be performed in a timely
fashion, consistent with the operational requirements of both EHR users
and system and technology capabilities.
The system must enable compliance with data and records retention
according to scope of practice, organizational policy or jurisdictional law.
practice, organizational policy, and/or jurisdictional law.
2. The system SHALL provide the ability for an authorized user to tag information to be archived.
3. The system SHALL provide the ability to archive or restore metadata that is associated with
information that has been archived or restored.
4. The system SHOULD provide the ability to enter a target destination when restoring information (e.g.,
original data location, temporary user storage, or a research/analysis database).
5. The system SHOULD provide the ability to tag records to be archived for removed or retained from the
online database in the archive process.
6. The system SHOULD provide the ability to enter a schedule for archive and restore processing.
7. The system MAY provide the ability to selectively restore portions of archived information.
Download