Legal requirements for EMR

Experts who have seen the topic of “computer clinical history” set out a series of requirements for it to have legal validity.

Inviolability and inalterability of data

This includes security measures to prevent the entry of strangers into the system , preventing consultation, deletion or modification of data already incorporated by unauthorized persons. For this it is convenient that it is equipped with an alarm system / alerts. In OpenEMR, the activation of the possible registers is a way to be able to detect who, when and how it made each change in the database.

The System Administrator can access this information. If periodic “backups” were also made, there is even more certainty about who made each addition or change in the clinical history. This requirement is common in the systems used for Clinical Trials, following the strict rules of the FDA and the Good Clinical Practices, which place a lot of emphasis on that no one can tamper with medical records. This requirement could be met by “closing” the visits definitively, once an appropriate lapse of one hour or so has passed.

File Recovery

The system should contemplate the possibility of the data being stored in one or more copies of security (back up), that facilitate their transport and even generate copies easily and economically for the patient. This function can be performed from the same OpenEMR software, in the Administration – Backup option. In addition, it can be accessed from the web hosting platform or “hosting”. What refers to a patient is exported with the option Document on Continuity of Care, which is in .xml format under the HL7 standard.

Information durability

They must also ensure the conservation of the hardware that contains the software, that is to say that it must be stored in a suitable medium that resists elements and time. This software must always be contained in a hardware from which it is easy to extract information with current devices (for example if the data is stored on diskettes and taking into account that this type of floppy disk is no longer manufactured, it should be stored in another type of hardware such as pendrives, DVDs or cloud storage). This is quite obvious. OpenEMR software works equally on a server dedicated to an internal network, or on the web (cloud). In both cases it is easy to make a backup on a removable medium, or to another site on the web. It is common to use Google Drive or Dropbox for free storage, which facilitates the backup even more.

Temporary continuity

The computer program must not allow the filling sequence of the clinical history to be altered, that is, it is not possible modify the temporary continuation of events and acts. In the current version of OpenEMR, the way it is configured by default, it is POSSIBLE to edit a visit already closed, without requirements. It would be useful to be able to close this option, for the purposes of legal protection. However, when the doctor comes in good faith, it is very common to want to edit the record of an old visit to improve the data entered. Even so, if you want to analyze this topic, the record keeps all the dates and actions carried out, together with the user who made them.

Guarantee on the possibility of inspection by the corresponding entity (justice, state control agencies, etc.) Just as the handwritten medical history is required, it is essential that the computer system admit access to the authorities that exercise controls by the public administration, as well as by the justice system. There is a requirement that the North American standard for Significant (meaningful use) that imposes a form of emergency access, with recovery of a password by email. Therefore, OpenEMR complies with this legal requirement.

Assurance of the referral of the medical record to the court that requests it and collections for possible judicial sequestration. Clinical history is usually essential as evidence in court, that is why it should also be contemplated the possibility of being remitted to the court that requires it. In contrast to the one made on paper, the digitized one avoids anticipatory measures, such as judicial abduction, since it becomes unnecessary because each copy that is made has the same value as the original. Given that most computer systems perform automatic backup, almost always there is a backup to which access for legal purposes. However, the law could force those who use this system to make a backup copy and keep them for a certain period. That’s why the clinical history maintenance contracts should contemplate this situation, and cover the cost of storage required.

From another point of view, the Law of Habeas Data in Argentina and other countries, regulates the security requirements for databases with information from third parties, applicable to any system administrator who maintains data from third parties. This law imposes requirements of good computer practice, applied mainly to the keyword and backup copies.

Reference: Many phrases were obtained from: Dr. Rodolfo Zotto – Persona Magazine.