HL7 EHR System Functional Model – Record Infrastructure (RI) Chapter DRAFT Revised: 27 September 2011, 2nd pass in progress Section/ID#: Type: Conformance Criteria Name: RI.1 – Record Lifecycle Header Manage Record Lifecycle Actions are taken to support patient health. Actions are taken in provision of healthcare to individuals. Actions are taken as the result of rules-based EHR System algorithms. Actors (i.e., patients, providers, users, systems) take Actions. (Actions broadly encompass tasks, acts, procedures or services performed or provided.) Actions have corresponding Entries in the EHR Record, i.e., Action instances correspond to Record Entry instances. These Record Entries provide persistent evidence of Action occurrence, context, disposition, facts, findings and observations. The EHRS Functional Model does not specify a particular relationship of Actions and corresponding Record Entries. It may be one to one, many to one or even one to many. Actions have associated metadata (e.g., who, what, when, where, why, how, under what conditions, in what context). The corresponding Record Entry captures this metadata along with other Action and Record Entry related information. Record Entries may be encapsulated to bind author/system/time signatures to data and metadata content. Each Record Entry also includes its own provenance metadata such as who (author) and when (documented). The EHR System captures Actions taken and creates corresponding Record Entries. The EHR System subsequently manages those Entries, according to scope of practice, organizational policy and jurisdictional law. Record Entries may be created during the course of the Action or Record Entries may be created sometime thereafter. The Actor/Source of the Record Entry may be the same as an Actor performing the Action or not. Actions and related Record Entries capture a chronology of patient health and healthcare and also a chronology of operations and services provided in a healthcare enterprise. Record Entries reflect changes in health information from the time it was created, to the time it was amended, sent, received, etc. In this manner, each Record Entry serves as persistent evidence of an Action taken, enabling providers to maintain comprehensive information that may be needed for legal, business, and disclosure purposes. To satisfy these purposes, Record Entries must also be retained and persisted without alteration. Record Entries have both a lifecycle and a lifespan. Lifecycle Events include originate/retain, amend, verify, attest, access/view, transmit/receive, and more. Lifecycle Events occur at various points in a Record Entry lifespan, always starting with a point of origination and retention (i.e., when the Entry is first created and stored). A Record Entry may have a pre and post Event state if content is modified. In this case, the original Record Entry is preserved (with signature binding) and a new Entry is created (with new signature binding). A Record Entry contains data and metadata, in multiple formats, following various conventions and standards. Included are tagged and delimited data, structured (concise, encoded), unstructured (free form), data formatted as text, documents, images, audio, waveforms, in ASCII, binary or other encoding. Record Lifecycle Events also Initiate a corresponding Audit Trigger and Audit Log Entry (see TI.2.1.1). The EHR System manages Record Lifecycle Events for each Record Entry, including pre and post Event record states, continuity, persistence and related Record Audit Logs. Action examples include: (1) In the direct care of a patient, a healthcare professional creates or amends health information to be contained in a history and physical; (2) A medical device can supply the EHR system with a test result; (3) The EHR system can alert the healthcare professional of a potential drug-drug interaction. Section/ID#: Type: Conformance Criteria Name: As described here, Record Lifecycle Events (as per Section RI.1.1) are those required to manage Record Entries in persistent storage over the full course of Record Lifespan (as per Section RI.1.2). RI.1.1 Header Record Lifecycle Statement: 1. The system SHALL conform to Section RI.1.1.2.1, Manage/Persist Record Entry, as the final step to Manage Record Lifecycle conclude each Record Lifecycle Event in Section RI.1.1. Description: As above References: ISO 21089 – Health Informatics – Trusted End-to-End Information Flows HL7 Electronic Health Record Lifecycle Model DSTU RI.1.1.1 Header Originate and Retain Record Entry Statement: Originate and Retain a Record Entry (1 instance) Description: Occurs when Record Entry is originated – typically during the course of an Action itself, to document the Action and context. • An identified Author or Source is responsible for Record Entry content. • Record Entry contains Metadata about the Action and its circumstances, e.g., who, what, when, where, facts, findings, observations, etc. • An Audit Trigger is initiated to track Record Entry origination and retention. Reference: ISO 21089, Section 12.2.2. DC.1, DC.1.1.1, DC.1.1.3.2, DC.1.3.3, DC.1.8.4, DC.1.8.5, DC.2, DC.2.3.2, DC.2.4.5.1-2, DC.3, DC.3.1.1, DC.3.1.3, DC.3.2.2.4, S.1, S.2, S.3, IN.1.1, IN.1.2, IN.1.3, IN.1.5, IN.1.8, IN.1.9, RI.1.1.1, RI.1.1.2, RI.1.1.5.1-2 1. The system SHALL provide the ability to capture (originate) a Record Entry instance corresponding to an Action instance and context. 2. The system SHALL capture a unique instance identifier for each Record Entry. 3. The system SHALL conform to Section TI.2.1.1.1, Originate/Retain Record Entry Audit Trigger. 4. The system SHALL capture the full set of identity, event and provenance Audit Metadata, conforming to Section TI.2.1.1.1. 5. The system SHALL capture the signature event (e.g., digital signature) of the origination entry Author, binding signature to Record Entry content. 6. The system SHALL provide the ability to capture both structured and unstructured content in Record Entries. 7. The system SHALL provide the ability to capture Record Entries from information recorded during system downtime. 8. The system SHOULD provide the ability to integrate Record Entries from Information recorded during system downtime. 9. The system SHALL provide the ability to capture date/time of an Action was taken or data was collected if different than date/time of the Record Entry. 10. The system SHOULD capture metadata that identifies the source of non-originated Record Entry (e.g., templated, copied, duplicated, or boilerplate information). 11. The system MAY provide the ability to tag unstructured Record Entry content to organize it according to need, for example, in a time-related fashion or by application-specific groups (such as photographs, handwritten notes, or auditory sounds), or by order of relative importance. 12. The system MAY capture and maintain a Record Entry encoded as a standards-based data object (e.g., HL7 Continuity of Care or other HL7 CDA R2 Document). 13. The system MAY capture and maintain a standards-based data object to mirror (be duplicate and Section/ID#: Type: Name: RI.1.1.2 Header Amend Record Entry Content Statement: Amend content of an Record Entry (1 instance) Description: Occurs when Record Entry content is modified (from its original or previously retained state) – typically upon conclusion of an Action, to correct, update or complete content. • Amended Record Entry content is the responsibility of authorized amendment Author(s). • The amendment becomes part of the Act Record revision history, where the original content and any previous amendments are retained without alteration. • After amendment, the System is responsible for retention of the Record Entry and its revision history. • An Audit Trigger is initiated to track Record Entry amendment. Reference: ISO 21089, Section 12.3.2 RI.1.1.3 Header Translate Record Entry Content Statement: Translate content of Record Entries (1 or more instances) Description: Occurs when Record Entries are amended to include translation of content – typically to transform coded data from one coding/classification scheme to another, also from one human language to another. • Translated (amended) Record Entry content is the responsibility of translating System – which invokes mapping/translation rules for each relevant record attribute. • The translation amendment becomes part of the Record Entry revision history, where original content and any previous amendments are retained without alteration. • After translation amendment, the System is responsible for retention of the Record Entry and its revision history (including the translation event). • An Audit Trigger is initiated to track Record Entry translation. Conformance Criteria synchronous with) internal Record Entry representation. DC.1, DC.1.1.1, DC.1.1.3.2, DC.1.3.3, DC.1.8.4, DC.1.8.5, DC.2, DC.2.3.2, DC.2.4.5.1-2, DC.3, DC.3.1.1, DC.3.1.3, DC.3.2.2-4, S.1, S.2, S.3, S.3.1.5, IN.1.1, IN.1.2, IN.1.3, IN.1.5, IN.1.8, IN.1.9, RI.1.1.1, RI.1.1.2, RI.1.1.5.1-2 1. The system SHALL provide the ability to update (amend) Record Entry content. 2. The system SHALL maintain the original and all previously amended versions of the Record Entry, retaining each version instance without alteration. 3. The system SHALL capture a new uniquely identifiable version of the Record Entry, incorporating amended content. 4. The system SHALL conform to Section TI.2.1.1.2, Amend Record Entry Audit Trigger. 5. The system SHALL capture the full set of identity, event and provenance Audit Metadata, conforming to Section TI.2.1.1.2. 6. The system SHALL capture the signature event (e.g., digital signature) of the amendment Author, binding signature to Record Entry content. 7. The system SHALL capture the reason for amendment as Audit Metadata, as per Section TI.2.1.1.2, e.g., to add information, to correct erroneous information or to augment/supplement Record Entry. DC.1, DC.2, DC.3, S.1, S.2, S.3, S.3.1.5, IN.1.1, IN.1.2, IN.1.3, IN.1.5, IN.1.8, IN.1.9, RI.1.1.2, RI.1.1.5.12, IN.4.1-3, IN.5.1-2 1. The system SHOULD provide the ability to render coded Record Entry content translated from one coding/classification system to another. 2. The system SHOULD provide the ability to render coded Record Entry content translated from one value set to another. 3. The system MAY provide the ability to render Record Entry content translated from one human language to another. 4. The system SHOULD maintain the original and all previously amended versions of the Record Entry, retaining each version instance without alteration. 5. The system SHOULD capture a new uniquely identifiable version of the Record Entry, incorporating translated content. 6. The system SHOULD conform to Section TI.2.1.1.3, Translate Record Entry Audit Trigger. 7. The system SHOULD capture the full set of identity, event and provenance Audit Metadata, conforming to Section TI.2.1.1.3. Section/ID#: Type: Name: Reference: ISO 21089, Sections 12.3.2 and 12.4. RI.1.1.4 Header Attest Record Entry Content Statement: Attest to content of Record Entry (1 instance) Description: Occurs when Record Entry content is attested for accuracy and completeness – typically during/after conclusion of an Action. • Attested Record Entry content is the responsibility of Attesting Author. The Attesting Author may be someone other than the originating Author, i.e., a supervisor, proctor, preceptor or other designated individual. • An Audit Trigger is initiated to track Record Entry attestation. Reference: ISO 21089, Section 12.2.2. RI.1.1.5 Header View/Access Record Entry Content Statement: View/Access content of Record Entries (1 or more instances) Description: Occurs when Record Entries are viewed or accessed. • Viewed Record Entry content is the responsibility of authorized User(s). • An Audit Trigger is initiated to track Record Entry views and access. Reference: ISO 21089, Section 12.5. RI.1.1.6 Header Transmit and/or Disclose Record Entries Statement: Transmit/Disclose content of Record Entries (1 or more instances) Description: Occurs when Record Entry content is transmitted and/or disclosed – typically to an external entity or system. • Transmittal may include original Record Entry content with subsequent amendment(s), if any. • Transmittal of Record Entries is the responsibility of the System – which invokes relevant rules. • An Audit Trigger is initiated to track Record Entry transmittal and Conformance Criteria DC.1, DC.1.8.3, DC.2, DC.3, S.1, S.2, S.3, IN.1.1, IN.1.2, IN.1.3, IN.1.5, IN.1.8, IN.1.9, RI.1.1.2, RI.1.1.5.1-2 1. The system SHALL provide the ability to attest Record Entry content. 2. The system SHALL conform to Section TI.2.1.1.4, Attest Record Entry Audit Trigger. 3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.4. 4. The system SHALL capture the signature event (e.g., digital signature) of the Attesting Author, binding signature to Record Entry content. DC.1, DC.1.1.3.1, DC.1.1.4, DC.1.1.5, DC.1.8.3, DC.1.8.5, DC.2, DC.3, S.1, S.2, S.3, IN.1.1, IN.1.2, IN.1.3, IN.1.5, IN.1.9, RI.1.1.1, RI.1.1.2, RI.1.1.5.1-2 1. The system MAY mask Record Entry content to access by authorized entities. 2. The system SHALL provide the ability to render Record Entry content, including original version and any subsequent amendments. 3. The system SHALL provide the ability to render Record Entry content down to the discrete element or item, including encoded fields. 4. The system SHALL conform to Section TI.2.1.1.5, View/Access Record Entry Audit Trigger. 5. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.5. DC.1, DC.2, DC.3, DC.3.1.1, DC.3.1.3, DC.3.2.2-4, S.1, S.2, S.2.1.2, S.2.2, S.2.2.1-3, S.3, S.3.3.3-6, S.3.6, IN.1.1, IN.1.2, IN.1.6, IN,1.7, IN.1.9, RI.1.1.1, RI.1.1.2, RI.1.1.3, RI.1.1.5.1-2, IN.4.1-3, IN.5.1-2 1. The system SHOULD provide the ability to transmit Record Entry content to external systems, retaining original, unaltered content and signature bindings, Action and Record Entry provenance and metadata. 2. The system SHALL provide the ability to transmit Record Entry extracts to external systems, including content, context, provenance and metadata. 3. The system SHALL identify the patient or individual subject of transmitted/disclosed Record Entry content. 4. The system SHALL capture a log entry for disclosure of protected Record Entry content, according to organizational policy and jurisdictional law. 5. If a specific recipient is known, the system SHOULD transmit (disclose) protected Record Entry content according to established permissions, organizational policy and jurisdictional law governing Section/ID#: Type: Name: disclosure. Reference: ISO 21089, Section 12.8.1. RI.1.1.7 Header Receive and Retain Record Entries Statement: Receive and retain/persist content of Record Entries (1 or more instances) Description: Occurs when Record Entry content is received – typically from an external system. • Receipt of Record Entries is the responsibility of the System – which invokes relevant rules. • An Audit Trigger is initiated to track Record Entry receipt and retention. Reference: ISO 21089, Section 12.8.1. RI.1.1.8 Header De-identify Record Entries Statement: De-identify content of Record Entries (1 or more instances) Description: Occurs when Record Entry content is transformed into de-identified version. • De-identification of Record Entries may be initiated by User command. • De-identification of Record Entries is the responsibility of the System – which invokes relevant rules. Conformance Criteria disclosure. 6. If known and explicit as to Record Entry content being transmitted, the system SHOULD transmit corresponding authorizations and patient consent permissions. 7. The system SHALL conform to Section TI.2.1.1.6, Transmit/Disclose Record Entry Audit Trigger. 8. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.6. 9. The system SHALL conform to Section IN.1.6, Secure Data Exchange. 10. The system SHALL provide the ability to extract Record Entry content prior to transmittal/disclosure, conforming to Section RI.1.1.11, Extract Record Entry Content. 11. The system SHALL provide the ability to de-identify Record Entry content prior to transmittal/disclosure, conforming to Section RI.1.1.8, De-Identify Record Entries. 12. The system SHALL provide the ability to transmit updates (new versions) of Record Entry Content to known recipients of prior versions according to organizational policy and jurisdictional law. 13. The system SHALL provide the ability to transmit with each exchange the most recent or all versions of Record Entry Content depending on organizational policy and jurisdictional law. DC.1, DC.2, DC.3, DC.3.1.1, DC.3.1.3, DC.3.2.2-4, S.1, S.2, S.2.1.2, S.2.2, S.2.2.1-3, S.3, S.3.3.3-6, S.3.6, IN.1.1, IN.1.2, IN.1.6, IN,1.7, IN.1.9, RI.1.1.1, RI.1.1.2, RI.1.1.3, RI.1.1.5.1-2, IN.4.1-3, IN.5.1-2 1. The system SHOULD provide the ability to capture and maintain Record Entry content from external systems, retaining and persisting original unaltered content and signature bindings, Action and Record Entry provenance and metadata. 2. The system SHALL provide the ability to capture and maintain Record Entry extracts from external systems, retaining and persisting source, identity, record content, corresponding provenance and metadata. 3. The system SHALL identify the patient or individual subject of received Record Entry content. 4. If received with Record Entry content, the system SHOULD control subsequent data access to that permitted by corresponding authorizations and patient consents. 5. The system SHALL conform to Section TI.2.1.1.7, Receive/Retain Record Entry Audit Trigger. 6. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.7. S.1.5, S.2, S.2.2, IN.1.1, IN.1.2, IN.1.9, RI.1.1.1, RI.1.1.2, RI.1.1.3, RI.1.1.5.1-2 1. The system SHALL provide the ability to de-identify Record Entry content according to organizational policy and/or jurisdictional law. 2. The system SHALL conform to Section TI.2.1.1.8, De-Identify Record Entry Audit Trigger. 3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.8. Section/ID#: Type: Name: • An Audit Trigger is initiated to track Record Entry de-identification. Reference: ISO 21089, Section 12.6.1. RI.1.1.9 Header Pseudomynize Record Entries Statement: Provide pseudomynized identity for Record Entries (1 or more instances) Description: Occurs when Record Entry is transformed into an pseudomynized version. • Pseudomynization allows records to be later re-identified. • Pseudomynization of Record Entries may be initiated by User command. • Pseudomynization of Record Entries is the responsibility of the System – which invokes relevant rules. • An Audit Trigger is initiated to track Record Entry pseudomynization. Reference: ISO 21089, Section 12.6.1. RI.1.1.10 Header Re-identify Record Entries Statement: Re-identify previously aliased identity for content of Record Entries (1 or more instances) Description: Occurs when Record Entries are re-identified from a previously aliased version. • Re-identification of Record Entries is the responsibility of the System – which invokes relevant rules. • An Audit Trigger is initiated to track Record Entry re-identification. ISO 21089, Section 12.6.2. RI.1.1.11 Header Extract Record Entry Content Statement: Extract Record Entry content to produce subsets, derivations, summaries or aggregations (Multiple instances) Conformance Criteria S.1.5, S.2, S.2.2, IN.1.1, IN.1.2, IN.1.9, RI.1.1.1, RI.1.1.2, RI.1.1.3, RI.1.1.5.1-2 1. The system SHALL provide the ability to pseudomynize (or associate new identity with) patient Record Entries according to organizational policy and/or jurisdictional law. 2. The system SHALL conform to Section TI.2.1.1.9, Pseudomynize Record Entry Audit Trigger. 3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.9. IN.1.1, IN.1.2, IN.1.9, RI.1.1.2 1. The system SHALL provide the ability to re-identify (or associate original identity with) Record Entry content according to organizational policy and/or jurisdictional law. 2. The system SHALL conform to Section TI.2.1.1.10, Re-Identify Record Entry Audit Trigger. 3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.10. None specified 1. The system SHALL provide the ability to extract Record Entry content to produce subsets, derivations, summaries or aggregations according to organizational policy and/or jurisdictional law. 2. The system SHALL provide the ability to de-identify Record Entries during extraction in accordance with Section RI.1.1.8, De-Identify Record Entries. Section/ID#: Type: Name: Description: Occurs when Record Entry content is extracted to render subsets, derivations, summaries or aggregations. • Extraction of Record Entry content may be initiated by User command and/or rules-based algorithm. • Extraction of Record Entry content is the responsibility of the System – which invokes relevant rules. • An Audit Trigger is initiated to track Record Entry content extraction. ISO 21089, Section 12.7. RI.1.1.12 Header Archive Record Entries Statement: Archive Record Entries (1 or more instances) Description: Occurs when Record Entries are archived – typically to off-line (less readily available) storage media. • Archival of Record Entries may be initiated by User command. • Archival of Record Entries is the responsibility of the System – which invokes relevant rules. • An Audit Trigger is initiated to track Record Entry archival. ISO 21089, Section 12.10. RI.1.1.13 Header Destroy or Identify Record Entries as Missing Statement: Destroy or Identify Record Entries as Missing (1 or more instances) Conformance Criteria 3. The system SHALL provide the ability to extract Record Entry content based on queries with selection criteria, for example, key words, date/time range, full text search. 4. The system SHALL provide the ability to extract metadata associated with Record Entry content. 5. The system SHOULD provide the ability to extract, with parameterized selection criteria, across the complete data set that constitutes all Record Entries for a patient. 6. The system SHOULD provide the ability to extract and present a full chronicle of the healthcare process from assembled Record Entries. 7. The system SHOULD provide the ability to extract and present a full chronicle of healthcare delivered to a patient from assembled Record Entries. 8. The system SHALL provide the ability to extract Record Entry content for various purposes, including administrative, financial, research, quality analysis and public health. 9. The system SHOULD provide the ability to extract Record Entries for system migration. 10. The system SHOULD provide the ability to manage a set of over-riding parameters to exclude sensitive or privileged Record Entry content from extraction. 11. The system MAY provide the ability to extract unstructured Record Entry content and convert it into structured data. 12. The system SHALL conform to Section TI.2.1.1.11, Extract Record Entry Audit Trigger. 13. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.11. DC.1.1.1, IN.1.1, IN.1.2, RI.1.1.1, RI.1.1.2, RI.1.1.5.1-2 1. The system SHALL provide the ability to manage archival of Record Entries to off-line or near-line media according to organizational policy and/or jurisdictional law. 2. The system SHALL provide the ability to manage (configure) archival parameters for Record Entries (e.g., what and when to archive). 3. The system SHALL archive Record Entries according to Section IN.8, Archive and Retrieval. 4. The system SHALL conform to Section TI.2.1.1.12, Archive Record Entry Audit Trigger. 5. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.12. S.2.2, IN.1.1, IN.1.2, RI.1.1.1, RI.1.1.2, RI.1.1.5.1-2 1. The system SHALL provide the ability to delete (destroy) Record Entries (e.g., those exceeding their legal retention period) according to organizational policy and/or jurisdictional law. 2. The system MAY provide the ability to restore (reverse, re-activate) previously deleted Record Entries. Section/ID#: Type: Name: Description: Occurs when Record Entries are destroyed or identified as missing. • Destruction typically occurs after conclusion of the legal retention period. • Destruction of Record Entries may be initiated by User command. • Destruction of Record Entries is the responsibility of the System – which invokes relevant rules. • An Audit Trigger is initiated to track Record Entry Destruction or Notation as Missing. ISO 21089, Section 12.11. RI.1.1.14 Header Deprecate Record Entries Statement: Deprecate Record Entries as invalid (1 or more instances) Description: Occurs when Record Entries are deprecated if found to be improperly identified or otherwise invalid. • Deprecation of Record Entries may be initiated by User command. • Deprecation of Record Entries is the responsibility of the System – which invokes relevant rules. • An Audit Trigger is initiated to track Record Entry Deprecation. RI.1.1.15 Header Re-Activate Record Entries Statement: Re-activate Record Entries (1 or more instances) Description: Occurs when Record Entries are made active again after previously Destroy or Deprecate. • Re-activation of Record Entries may be initiated by User command. • Re-activation of Record Entries is the responsibility of the System – which invokes relevant rules. • An Audit Trigger is initiated to track Record Entry Re-Activation. RI.1.1.16 Header Merge Record Entries Statement: Merge Record Entries (2 or more instances) Conformance Criteria 3. The system SHALL provide the ability to tag Record Entries as missing. 4. The system SHALL conform to Section TI.2.1.1.13, Destroy Record Entry Audit Trigger. 5. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.13. DC1.1.1 1. The system SHALL provide the ability to deprecate Record Entries as invalid according to organizational policy and/or jurisdictional law. 2. The system SHALL conform to Section TI.2.1.1.14, Deprecate Record Entry Audit Trigger. 3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.14. 1. The system SHALL provide the ability to re-activate (previously destroyed or deprecated) Record Entries according to organizational policy and/or jurisdictional law. 2. The system SHALL conform to Section TI.2.1.1.15, Re-Activate Record Entry Audit Trigger. 3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.15. 1. The system SHALL provide the ability to logically merge patient Record Entries according to organizational policy and/or jurisdictional law. Section/ID#: Type: Name: Description: Occurs when Record Entries are merged together. • Entries may be merged if duplicate patient records are found. RI.1.1.17 Header Unmerge Record Entries Statement: Unmerge previously merged Record Entries (2 or more instances) Description: Occurs when Record Entries must be unmerged from previous merge, as in RI.1.1.16. RI.1.1.18 Header Link Record Entries Statement: Link Record Entries (2 or more instances) Description: Occurs when Record Entries are linked together. • Entries may be linked for a single an encounter (patient visit) • Entries may be linked for an episode (patient problem) • Entries may be linked for a selected population cohort RI.1.1.19 Header Unlink Record Entries Statement: Unlink previously linked Record Entries (2 or more instances) Description: Occurs when Record Entries must be unlinked from previous linkage, as in RI.1.1.18. RI.1.1.20 Header Place Record Entries on Legal Hold Statement: Hold Record Entries in an unaltered state for legal hold period (1 or more instances) Description: Occurs when Record Entries must be marked (and held in an unaltered Conformance Criteria 2. The system SHALL conform to Section TI.2.1.1.16, Link Record Entry Audit Trigger. 3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.16. 1. The system SHALL provide the ability to unmerge multiple patient Record Entries according to organizational policy and/or jurisdictional law. 2. The system SHALL conform to Section TI.2.1.1.17, Link Record Entry Audit Trigger. 3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.17. 1. The system SHALL provide the ability to logically link patient Record Entries according to organizational policy and/or jurisdictional law. 2. The system SHALL conform to Section TI.2.1.1.18, Link Record Entry Audit Trigger. 3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.18. 1. The system SHALL provide the ability to unlink multiple patient Record Entries according to organizational policy and/or jurisdictional law. 2. The system SHALL conform to Section TI.2.1.1.19, Link Record Entry Audit Trigger. 3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.19. 1. The system SHALL conform to Section RI.1.1.2.2, Manage Record Entries for Legal Hold. 2. The system SHALL provide the ability to manage a specified set of patient Record Entries during period of legal hold, marking as to on hold status and preventing alteration. 3. The system SHALL conform to Section TI.2.1.1.20, Place Legal Hold on Record Entry Audit Trigger. 4. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.20. Section/ID#: Type: Name: state) for purposes of a legal hold (typically as the result of court or legal action). RI.1.1.21 Header Release Record Entries from Legal Hold Statement: Release legal hold on Record Entries (1 or more instances) Conformance Criteria 1. The system SHALL provide the ability to release patient Record Entries from legal hold status. 2. The system SHALL conform to Section TI.2.1.1.21, Remove Legal Hold on Record Entry Audit Trigger. 3. The system SHALL capture the full set of identity and event Audit Metadata, conforming to Section TI.2.1.1.21. Description: Occurs when Record Entries are released from legal hold (previously marked and held in unaltered state), as in RI.1.1.20. RI.1.2 – Record Lifespan Header Manage Record Lifespan Record Lifecycle Events (Section RI.1.1) are those required to manage Record Entries in persistent storage over the full course of Record Lifespan (Section RI.1.2). See Section RI.1.1, Record Lifecycle, for further description. RI.1.2.1 DC.1, DC.1.1.1, DC.1.1.3.2, DC.1.3.3, DC.1.8.4, DC.1.8.5, DC.2, DC.2.3.2, DC.2.4.5.1-2, DC.3, DC.3.1.1, DC.3.1.3, DC.3.2.2-4, S.1, S.2, S.3, S.3.1.5, IN.1.1, IN.1.2, IN.1.3, IN.1.5, IN.1.8, IN.1.9, RI.1.1.1, Header RI.1.1.2, RI.1.1.5.1-2 Manage Record Entries Statement: 1. The system SHALL manage each Record Entry as a persistent, indelible (unalterable) data object, Manage/Persist Record Entries (Multiple instances) including its revision history. 2. The system SHALL manage (persist) each Record Entry for its applicable retention period according Description: to scope of practice, organizational policy and jurisdictional law. Occurs upon Record Entry origination/retention and thereafter on a 3. The system SHALL manage (persist) the full set of identity, event and provenance Audit Metadata for continuous and uninterrupted basis for lifespan of each Record Entry. each Record Entry, conforming to Section TI.2.1.1, Record Entry Audit Triggers. • Ensures long-term retention and preservation of EHR Record Entries, 4. The system SHALL manage (persist) the signature event (e.g., digital signature) of each Record without alteration. Entry. 5. The system SHALL manage Record Entries with data content in standard and non-standard formats. Reference: ISO 21089, Section 12.2.2 6. The system SHALL manage Record Entries containing both structured and unstructured data. 7. The system SHOULD manage Record Entry content with tagged or delimited elements including data formatted as text, documents, images, audio, waveforms, in ASCII, binary and other encodings. 8. The system SHOULD manage Record Entries in clinical and business contexts. 9. The system SHOULD provide the ability to specify sets of clinical and business context data, to be captured in or linked to Record Entries. 10. The system SHOULD provide the ability to extract all available elements included in the definition of a legal medical record (including Audit Log Entries and the decoded translation of anything stored only in code form) in accordance with user scope of practice, organizational policy and/or jurisdictional law. 11. The system MAY (automatically or manually) provide the ability to tag specific Record Entries for deletion according to user scope of practice, organizational policy and/or jurisdictional law. 12. IF allowing tags for specific Record Entry deletion, THEN the system SHALL provide the ability to manage the set of tagged Entries, allowing review and confirmation before actual deletion occurs according to user scope of practice, organizational policy and/or jurisdictional law. Section/ID#: Type: Name: Conformance Criteria 13. IF allowing tags for specific Record Entry deletion, THEN the system SHALL provide the ability to delete Entries according to user scope of practice, organizational policy and/or jurisdictional law. 14. IF allowing tags for specific Record Entry deletion, THEN the system SHALL provide the ability to confirm that the destruction occurred according to user scope of practice, organizational policy and/or jurisdictional law. 15. The system MAY provide the ability to undelete Record Entries according to user scope of practice, organizational policy and/or jurisdictional law. 16. The system MAY transmit record destruction date information along with existing data when transmitting Record Entries (or extracts) to another entity. 17. The system SHOULD manage health care information for organizations that have multiple facilities according to scope of practice. RI.1.2.2 Header Manage Record Entries for Legal Hold Statement: Manage/Preserve Record Entries for Legal Hold (Multiple instances) Description: Occurs when a set of Record Entries is designated to be held for legal purposes or proceedings. • Ensures preservation of a set of Record Entries for a designated time, held without alteration. RI.1.3 Header Manage Record States Statement: Manage health record information during the various states of completion. Description: Health record information may reside in various states that must be managed. This section uses the terms record, report, note, and documentation generically and interchangeably when describing the states and management issues. An important underlying principle for managing record states is the need to retain health information records 1. The system SHALL conform to Section RI.1.1.20, Place Record Entries on Legal Hold. 2. The system SHALL conform to Section RI.1.1.21, Remove Record Entries from Legal Hold. 3. The system SHALL provide the ability to control access to data/records during legal hold, preventing un-auditable alteration or unauthorized use for preservation purposes. 4. The system SHALL provide the ability to maintain records beyond normal retention period according to organizational policy or jurisdictional law. 5. The system SHOULD provide the ability to capture the reason for preserving records beyond the normal retention period. 6. The system SHOULD provide the ability to render a legal hold notice identifying who to contact for questions when a user attempts to alter a record on legal hold. 7. The system MAY tag medical record elements to metadata to provide the business context, conforming to RI.1.2.1, Manage Record Entries, Conformance Criteria 7-8. 8. The system MAY provide the ability to render Record Entry content preserved for a legal hold by type, class or encounter (for example: medical record entry or report, e-mail, metadata, etc.), conforming to Section RI.1.1.11, Extract Record Entry Content. Section/ID#: Type: Name: that have been viewed for patient care purposes even if it has not been completed or attested. This principle has important legal impact because it provides a record of what the provider relied on for clinical decisionmaking. For example, if a report was available in pending state and a clinician used the information to make decisions, it is important to retain the pending version even after the final version was available. Determining if the report was used for patient care may be challenging. Access logs could provide a mechanism to determine if the information was used. RI.1.3.1 Header Manage Record Pending State Statement: Manage health record information during the various states of completion. Description: Health record information may reside in various states that must be managed. An important underlying principle for managing record states is the need to retain health information records that have been viewed for patient care purposes even if it has not been completed or attested. This principle has important legal impact because it provides a record of what the provider relied on for clinical decision-making. For example, if a record entry was available in pending state and a clinician accessed the information to make decisions, it is important to retain the pending version even after the final version was available. Determining if the record entry was accessed for patient care may be challenging. Access logs should show if the information was accessed/viewed. RI.1.3.2 Header Manage Record Corrected, Amended, Augmented State Statement: Manage health record information that may be amended, corrected or augmented after finalization (or signature/attestation). Description: Clinicians need the ability to correct, amend or augment record entries once they have been completed. When an amendment, Conformance Criteria 1. The system SHOULD provide the ability to manage the length of time a Record Entry can be in a pending or inactive state before being administratively closed. 2. The system MAY present a notification to the author or designate that a Record Entry will be administratively closed after a designated period of time. 3. The system MAY present pending Record Entries in accordance with the organization’s business rules. 4. IF the system displays pending Record Entries, THEN the system SHALL tag and present that a Record Entry is pending or incomplete. 5. The system SHOULD provide the ability to update a Record Entry status to one of: - complete, - complete while retaining incomplete version of the Entry if viewed for patient care or used by the system, - mark as erroneous and retain if Entry used for patient care or by the system, or - discard if Entry never viewed for patient care purposes. 6. The system SHOULD provide the ability to manage administrative closure of a Record Entry after a period of inactivity in accordance with organizational policy and jurisdictional law. 7. The system SHALL capture a date/time stamp and identify the author each time a Record Entry is updated including when opened, when updated, with the signature event and when officially closed, conforming to Section TI.2.1.1 (Record Entry Audit Triggers). 1. The system SHALL provide the ability to update a Record Entry for purposes of amendment, correction or augmentation, conforming to RI.1.1.2 (Amend Record Entry Content). 2. The system SHALL provide the ability to tag a Record Entry as an amendment (additional information), a correction of erroneous information and the reason, or an augmentation to supplement content. Section/ID#: Type: Name: correction or augmentation has been made, principles for documentation practices require that the original documentation must be accessible, readable, and unobliterated. A user must have a clear indication that modifications have been made to the entry. There is optionallity in how a system may identify a record entry that has been corrected or amended – a flag or indicator could be displayed, the text could be in a different font, etc. The original record entry is not required to be displayed, but can be linked or traced back. The original record entry should be retained for the legally prescribed timeframe as defined by organizational policy and/or jurisdictional law. RI.1.3.3 Header Manage Record Succession and Version Control Statement: Retain previous versions of a record entry and manage succession. Description: The system must have a mechanism to handle versions and succession of record entries (such as a preliminary and final lab reports, amended or corrected documents). Versioning and succession management is based on a record entry’s content and/or status change over time. A version of a record entry is one of the following: 1) A completed and attested record entry; 2) A record entry completed and attested which has been modified one or more times 3) A record entry that has been viewed for clinical decision-making purposes by an individual other than the author 4) A record entry that has been captured in an incomplete state per organization business rules and updated over time (i.e., a preliminary lab test). 5) A record entry that electively, according to the author, must be preserved in the current state at a given point in time (i.e., History and Physical). Certain types of records are typically handled in versions, for example: - Lab results (preliminary and final) - Dictated reports - Work ups (over course of days) The prior version of record entries should be retained for the legally prescribed timeframe as defined by organizational policy and jurisdictional law. RI.1.3.4 Header Manage Record Retraction Conformance Criteria 3. The system SHALL capture, maintain and render the corresponding date, time and user specifying when and by whom a Record Entry was amended, corrected or augmented, conforming to TI.2.1.1.2, Amend Record Entry Audit Trigger. 4. The system SHALL present the current version and provide a link or clear direction for accessing previous version(s) of the Record Entry. 5. The system SHALL manage all versions of the record entry for the legal retention period, conforming to Section RI.1.2.1, Manage Record Entries. 1. The system MAY provide the ability to manage Record Entries that become new versions when their state changes (e.g. augmented, amended, corrected, etc.). 2. The system SHALL provide the ability to update a Record Entry and save it as a new version. 3. The system SHALL capture, maintain and render the date, time and user for the original and each updated version(s) of the Record Entry. 4. The system SHALL manage the succession of record entries in chronological version order. Section/ID#: Type: Name: Statement: Remove a record entry from view if it is deemed erroneous and cite the reason. Description: Record retraction is used to reverse changes that have been made to an existing record entries. Once a record entry has been retracted, it is no longer visible in standard queries, though it remains accessible in EHR audit records should evidence ever be required for legal or other exceptional circumstances. Canada Health Infoway provides the following definition for retraction: This mechanism allows an existing record to be “removed” from the EHR if it is deemed erroneous. It can also be used to reverse changes that have been made to an existing record. Once a record has been retracted, it is no longer visible in standard queries, though it remains accessible in EHR audit records should evidence ever be required for legal or other exceptional circumstances. After retracting an erroneous record, a user has the ability to resubmit a corrected record with no visible indication that there was ever a previous version. Retract generally has significant constraints upon its use because of the risks of removing data from a patient’s record that might have been used by others in making decisions. The specifics will vary by jurisdiction, and potentially even by type of data. There are times that a record is entered in an EHR and completed then found to be erroneous, i.e., the record may belong to another individual. In these cases, it is necessary to remove that record from view (storing it in case it may be needed for litigation or investigation purposes, etc.). After retracting an erroneous record, a user has the ability to resubmit a corrected record with no visible indication that there was ever a previous version. RI.1.4 Header Manage Record Completeness Statement: Support the ability to identify a patient health record or portion thereof as complete and identify the status as defined by the organization. Description: The EHR-S must provide the ability for an organization to define minimum elements and timeframes for completion at the report level and at the record level. Provide a report that identifies completion and timeliness status by patient/ health record number or other specified parameters. Prior to disclosure for legal proceedings or other official purposes, an organization analyzes the health record for completeness. EHR systems Conformance Criteria 1. The system SHALL provide the ability to hide a Record Entry from view and retain it such that it is only visible upon specific request and with appropriate authorization. 2. The system SHOULD provide the ability to capture users who viewed a Record Entry prior to its retraction and notify them of the retraction. 3. The system SHOULD provide the ability to capture and retain the reason why a Record Entry was retracted. 1. The system SHALL provide the ability to manage timeframes for completion of specified health record content according to organizational business rules. 2. The system SHOULD provide the ability to tag by patient/health record number the completeness status of specified health record content noting identified deficiencies. 3. The system SHOULD provide the ability to render a report by patient/health record number indicating the completeness status of specified health record content noting identified deficiencies. 4. The system SHOULD provide the ability to render a a visual indicator denoting that the content of a specified health record is incomplete according to organizational business rules. 5. The system SHOULD provide the ability to render a reminder to clinicians for the completion of specified health record content (at the data or report level) according to organizational business rules Section/ID#: Type: Name: must provide the ability to define a minimum set of content to be analyzed for timeliness and completeness and provide a report of the status. RI.2 Header Manage Record Synchronization Statement: Maintain synchronization involving: - Interaction with entity directories; - Linkage of received data with existing entity records; - Geographic location of each health record component; and - Communication of changes between key systems. Description: An EHR-S may consist of a set of components or applications; each application manages a subset of the health information. Therefore it is important that, through various interoperability mechanisms, an EHR-S maintains all the relevant information regarding the health record in synchrony. For example, if a physician orders an MRI, a set of diagnostic images and a radiology report will be created. As a result, the patient demographic information, the order for MRI, the diagnostic images associated with the order, and the report associated with the study must all be synchronized in order for the clinicians to receive a synchronized view the complete record (with respect to time and geographic location). Conformance Criteria (e.g., complete attestation, complete a section). 6. The system MAY tag patient information that has been not been previously presented to the clinician. 7. IF the system tags patient information from internal or external systems that has not been previously presented to the clinician, then it MAY present a notification to that clinician, according to user role, scope of practice and/or jurisdictional law. 1. The system SHALL conform to function IN.5.1 (Interchange Standards). 2. The system SHOULD conform to function IN.3 (Registry and Directory Services). 3. The system SHOULD provide the ability to link record entries to external information. 4. The system SHOULD store the location of each known record entry in order to enable authorized access to a complete logical health record if the EHR is distributed among several applications, services, or devices within the EHR-S. 5. The system SHALL provide the ability to manage date and time-related information between applications, components, services, systems, and devices. Date and time need to be consistent across the applications that are part of the EHR system. Synchronization demonstrates a sequence and chain of events for reconstruction and is relevant during a legal proceeding. Maintenance of synchronization activities could be relevant during a legal proceeding. Note: Standards exist for Consistent Date and Time. RI.3 Header Manage Record Archive and Restore Statement: 1. The system SHALL provide the ability to archive and restore information according to scope of Provide for archiving and restoring of EHR information in accordance with scope of practice, organizational policy, or jurisdictional law. Description: EHR information must be transitioned over its lifecycle from online data structures to near-line or off-line data structures. The archive function performs this transition of data and records from an online, production EHR-S to offline storage for information that is not being purged/destroyed. The system must provide such archive and restore functions to extract and preserve indefinitely, information that has been selected to be removed from the live production EHR-S database and retained. Information must be archived and restored in such a manner as to permit it to be returned to its original or similar information structures. Archived information should also include corresponding metadata to ensure logical and semantic consistency of the information for subsequent access upon restoration. The archive function should provide both an automated, configurable capability as well as a user-invoked archival function to enable selected data and records to be preserved, or flagged for preservation. In the first instance, rules are specified to enable the system to conduct archiving in an unattended fashion. This is often the case for periodic system maintenance requirements (e.g. nightly processing where archival, data summarization and possibly purging of information occurs). In the second instance the system should provide the ability to select data or records to be preserved for future reference and access, such as in the case where selected records need to be preserved and retained for litigation. In restoring information, it may occur that the information being restored is a subset of the information that was originally archived such as in the case where a complete patient encounter was archived and only a particular study or result is to be restored. The system may provide for such finer granularity of restoration. Archiving and restoring of information must be performed in a timely fashion, consistent with the operational requirements of both EHR users and system and technology capabilities. The system must enable compliance with data and records retention according to scope of practice, organizational policy or jurisdictional law. practice, organizational policy, and/or jurisdictional law. 2. The system SHALL provide the ability for an authorized user to tag information to be archived. 3. The system SHALL provide the ability to archive or restore metadata that is associated with information that has been archived or restored. 4. The system SHOULD provide the ability to enter a target destination when restoring information (e.g., original data location, temporary user storage, or a research/analysis database). 5. The system SHOULD provide the ability to tag records to be archived for removed or retained from the online database in the archive process. 6. The system SHOULD provide the ability to enter a schedule for archive and restore processing. 7. The system MAY provide the ability to selectively restore portions of archived information.