F842

(Rev. 173, Issued: 11-22-17, Effective: 11-28-17, Implementation: 11-28-17)

§483.20(f)(5) Resident-identifiable information.

1. A facility may not release information that is resident-identifiable to the public.
2. The facility may release information that is resident-identifiable to an agent only in accordance with a contract under which the agent agrees not to use or disclose the information except to the extent the facility itself is permitted to do so.

§483.70(i) Medical records.

§483.70(i)(1) In accordance with accepted professional standards and practices, the facility must maintain medical records on each resident that are—

1. Complete;
2. Accurately documented;
3. Readily accessible; and
4. Systematically organized

§483.70(i)(2) The facility must keep confidential all information contained in the resident’s records, regardless of the form or storage method of the records, except when release is—

1. To the individual, or their resident representative where permitted by applicable law;
2. Required by Law;
3. For treatment, payment, or health care operations, as permitted by and in compliance with 45 CFR 164.506;
4. For public health activities, reporting of abuse, neglect, or domestic violence, health oversight activities, judicial and administrative proceedings, law enforcement purposes, organ donation purposes, research purposes, or to coroners, medical examiners, funeral directors, and to avert a serious threat to health or safety as permitted by and in compliance with 45 CFR 164.512.

§483.70(i)(3) The facility must safeguard medical record information against loss, destruction, or unauthorized use.

§483.70(i)(4) Medical records must be retained for—

1. The period of time required by State law; or
2. Five years from the date of discharge when there is no requirement in State law; or
3. For a minor, 3 years after a resident reaches legal age under State law.

§483.70(i)(5) The medical record must contain—

1. Sufficient information to identify the resident;
2. A record of the resident’s assessments;
3. The comprehensive plan of care and services provided;
4. The results of any preadmission screening and resident review evaluations and determinations conducted by the State;
5. Physician, nurse, and other licensed professionals progress notes; and

6. Laboratory, radiology and other diagnostic services reports as required under §483.50.

GUIDANCE §483.70(i)

The medical record shall reflect a resident’s progress toward achieving their person- centered plan of care objectives and goals and the improvement and maintenance of their clinical, functional, mental and psychosocial status. Staff must document a resident’s medical and non-medical status when any positive or negative condition change occurs, at a periodic reassessment and during the annual comprehensive assessment. The medical record must also reflect the resident’s condition and the care and services provided across all disciplines to ensure information is available to facilitate communication among the interdisciplinary team.

The medical record must contain an accurate representation of the actual experiences of the resident and include enough information to provide a picture of the resident’s progress, including his/her response to treatments and/or services, and changes in his/her condition, plan of care goals, objectives and/or interventions.

Except for the annual comprehensive assessment, periodic reassessments when a significant change in status occurs, and quarterly monitoring assessments, regulations do not define the documentation frequency of a resident’s progress. Professional standards of practice however suggests documentation include a resident’s care plan implementation progress.

Resident Assessment Instrument (RAI) data is part of a resident’s medical record and is protected from improper disclosure by facilities under current Federal law. Facilities are required by §§1819(c)(1)(A)(iv) and 1919(c)(1)(A)(iv) of the Act and §483.70(l)(2) and (l)(3) to keep confidential all information contained in the resident’s medical record and to maintain safeguards against the unauthorized use of a resident’s information, regardless of the storage method of the records.

At §483.20(f)(5), Resident-identifiable information, it requires that a facility may not release information that is resident-identifiable to the public and that the facility may release information that is resident-identifiable to an agent only in accordance with a contract under which the agent agrees not to use or disclose the information except to the extent the facility itself is permitted to do so. If a deficiency is identified related to this regulation cite the deficient practice here at F842.

Electronic Health Records (EHR) - Facilities using an electronic format for medical or other resident documentation (for example, documenting progress notes, medication administration, electronic claims filing, etc.) must comply with the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules 45 CFR Parts 160 and 164. Surveyors are not responsible for assessing compliance with these rules. The Department of Health and Human Services’ Office for Civil Rights has primary responsibility for enforcing the HIPAA Privacy and Security Rules. The surveyors’ responsibility is to assess compliance with the regulatory requirement for maintaining the content and confidentiality of the medical record. If there are concerns that the facility’s practice may constitute violations of the HIPAA privacy or security rules, refer these concerns to HHS’ Office for Civil Rights.

The facility is responsible for ensuring the backup of data and security of information. CMS encourages the development of systems that permit appropriate sharing of clinical information across providers, if the development of such systems is fully consistent with the requirement for protecting the confidentiality of the medical record.

Surveyors should not evaluate the features of the EHR system. Instead focus on how the EHR system is being used in the facility.

Use of Electronic Signatures – Electronic signatures are acceptable whether or not the record is entirely electronic. If a facility uses these signatures, they must have policies that identify those individuals who are authorized to sign electronically and describe the security safeguards to prevent unauthorized use of these signatures. Such security safeguards include, but are not limited to, the following:

• Built-in safeguards to minimize the possibility of fraud;
• That each staff responsible for an attestation has an individualized identifier;
• The date and time is recorded from the computer’s internal clock at the time of entry;
• An entry is not to be changed after it has been recorded, and;
• The computer program controls what sections/areas any individual can access or enter data, based on the individual’s personal identifier (and, therefore his/her level of professional qualifications).

When rubber stamp signatures are authorized by the facility’s management, the individual whose signature the stamp represents shall place in the administrative offices of the facility a signed statement to the effect that he/she is the only one who has the stamp and uses it. A list of computer codes and written signatures must be readily available and maintained under adequate safeguards. Refer to §483.30(b) Physician Visits, for additional guidance.

INVESTIGATIVE PROCEDURES §483.70(i)

When reviewing a resident’s medical record, determine if the record, including any archived information, is accessible to and provides sufficient information for appropriate staff to respond to the changing status and needs of the resident. For example:

• Does the medical record provide sufficient information for staff to respond to the changing status and needs of the resident?
• How does the facility ensure medical records are accessible to staff?
• How does the facility handle the archiving of documentation?

Interview facility staff to determine the facility’s policies and practice for maintaining confidentiality of resident’s records. Concerns regarding medical record confidentially, storage (including archiving) should be reviewed under this tag.

Determine through observations, record review and interviews:

• How facility staff ensure confidentiality of resident records?
• If there is a problem with confidentiality, is it systematic, that is, does the problem lie in the recordkeeping system, or with a staff person’s use of records, e.g., leaving records in a place easily accessible to residents, visitors, or other unauthorized persons?
• Are computer screens showing information left unattended and readily observable or accessible by others not authorized to view this information?
• Are there documents publicly posted such as passwords or other information, which could be evidence of noncompliance with confidentiality?

Use of Electronic Records in the Survey Process

There are no requirements for the use of Electronic Health Record (EHR) systems, however if a facility uses an EHR system, it must grant access to the survey team timely (i.e., before the end of the first day of the survey). If access to an EHR is required by the surveyor, the facility will:

1. 1. Provide the surveyor with instructions, guidance, or information on how to use its EHR system; and,
   2. Designate an individual who will, when requested by the surveyor, access the system, respond to any questions or assist the surveyor as needed in a timely fashion.

The facility must make available to surveyors upon their request, a printout of any record or part of a record. Surveyors should only request printed copies when needed to support a potential deficient practice or if additional information is needed that is not contained in the EHR.

If facility staff impedes the survey process by purposefully and/or unnecessarily delaying or restricting access to records this may lead to noncompliance and potential enforcement actions. If this situation occurs surveyors should contact their supervisors and if needed they would then contact the CMS Regional Office for assistance.

KEY ELEMENTS OF NONCOMPLIANCE

To cite deficient practice at F842, the surveyor’s investigation will generally show that the facility failed to do any of the following:

• Ensure resident-identifiable information was not released to the public or any unauthorized entity as stated in §483.20(f)(5)(ii); or
• Ensure that any resident-identifiable information released to an agent, was to an agent in accordance with a contract under which the agent agreed not to disclose any information the facility would not also be able to release publicly; or
• Maintain medical records on each resident in accordance with accepted professional standards and practices that are:
  • Complete;
  • Accurately documented;
  • Readily accessible; and 
  • Systematically organized.