Notice: AHIMA has begun work on a new Body of Knowledge that will provide enhanced search and retrieval capabilities. As a result, the AHIMA Compendium is being phased out. The Compendium will remain available until launch of the new Body of Knowledge, but no new statements will be added.

Ensure ECRM strategies encompass nontext data [195]

November 2, 2011

Practices must ensure electronic content and records management (ECRM) strategies are in place to manage the life cycle of all data formats retained, including nontext data.

Refer to documented maintenance needs of nontext media when evaluating equipment and devices [194]

November 2, 2011

Healthcare practices should reference their policies and procedures on maintaining nontext media when evaluating equipment and devices to ensure they can maintain their data in the best interest of the patient and the practice.

Establish clear criteria for retention, storage, access, and disclosure of nontext media [193]

November 2, 2011

Healthcare practices must establish policies and procedures for nontext media that set clear criteria for retention and destruction, storage, access controls, and tracking of access and disclosures.

Include nontext data in record set definitions to ensure they are produced in e-discovery requests [192]

November 2, 2011

The organization must clearly define its designated record set and legal health record to ensure that nontext data maintained within the EHR can be accessed and produced pursuant to an e-discovery request.

Monitor privacy and security sanctions data regularly [191]

September 29, 2011

Organizations should evaluate the data they collect on privacy and security disciplinary patterns to ensure comparable violations result in comparable sanctions for all roles within the organization and across all entities within a multisite health system.

Define key terms in privacy and security sanctions policies to avoid ambiguity [190]

September 29, 2011

Organizations must clearly define key terms in their privacy and security sanctions policies, identifying violation categories and their respective sanctions (based on category). A clear sanction process will enable consistent enforcement across the organization.

Create privacy and security sanctions that cover all workforce members [189]

September 29, 2011

An organization’s privacy and security sanctions policy and enforcement provisions must be broad enough to encompass all workforce members who have access to protected health information created and maintained by the organization.

Apply privacy and security sanctions consistently across the organization [188]

September 29, 2011

Sanctions imposed for privacy and security violations must be consistent across the organization, regardless of the violator’s status, with comparable discipline imposed for comparable violations.

Categorize privacy and security sanctions according to the nature of the incident [187]

September 29, 2011

Healthcare organizations should categorize sanctions according to the nature of the privacy or security incident to help standardize corrective action determinations, assist with trending privacy and security violations, and make reporting easier.

Align privacy and security sanctions with other organizational corrective action policies [186]

September 29, 2011

Sanctions for privacy and security violations must be developed and standardized to complement and support all applicable organizational human resources and professional staff corrective action policies and processes.