Notice: AHIMA has begun work on a new Body of Knowledge that will provide enhanced search and retrieval capabilities. As a result, the AHIMA Compendium is being phased out. The Compendium will remain available until launch of the new Body of Knowledge, but no new statements will be added.
Practices must ensure electronic content and records management (ECRM) strategies are in place to manage the life cycle of all data formats retained, including nontext data.
Healthcare practices should reference their policies and procedures on maintaining nontext media when evaluating equipment and devices, to ensure the equipment can maintain that data in the best interest of the patient and the practice.
Healthcare practices must establish policies and procedures for nontext media that establish clear criteria for retention and destruction, storage, access controls, and tracking of access and disclosures.
The organization must clearly define its designated record set and legal health record to ensure that nontext data maintained within the EHR can be accessed and produced pursuant to an e-discovery request.
Organizations should evaluate the data they collect on privacy and security disciplinary patterns to ensure comparable violations result in comparable sanctions for all roles within the organization and across all entities within a multisite health system.
Organizations must clearly define key terms in their privacy and security sanctions policies, identifying violation categories and their respective sanctions (based on category). A clear sanction process will enable consistent enforcement across the organization.
An organization’s privacy and security sanctions policy and enforcement provisions must be broad enough to encompass all workforce members who have access to protected health information created and maintained by the organization.
Sanctions imposed for privacy and security violations must be consistent across the organization, regardless of the violator’s status, with comparable discipline imposed for comparable violations.
Healthcare organizations should categorize sanctions according to the nature of the privacy or security incident to help standardize corrective action determinations, assist with trending privacy and security violations, and make reporting easier.
Sanctions for privacy and security violations must be developed and standardized to complement and support all applicable organizational human resources and professional staff corrective action policies and processes.