Electronic records generally
Arkansas Code § 20-10-203; Arkansas Code § 20-10-216; Arkansas Code § 20-10-224
(a)
- (1) Facilities have the option of utilizing electronic records rather than, or in addition to, paper or “hardcopy” records.
(2) The facility must have:
- (A) Safeguards to prevent unauthorized access to the records; and
- (B) A process for reconstruction of the records in the event of a system breakdown.
(b) Any electronic record or signature system shall, at a minimum:
(1)
- (A)
(i) Require authentication and dating of all entries.
(ii) "Authentication" means identification of the author of an entry by that author and no other, and that reflects the date of entry.
- (B) An authenticated record shall be evidence that the entry to the record was what the author entered.
(C)
- (i) To correct or enhance an entry, further authenticated entries may be made, by the original author, or by any other author, as long as the subsequent entries are authenticated as to who entered them, complete with date and time stamp of the entry, and that the original entries are not modified.
- (ii) “Entry” means:
- (a) (a) Any changes, deletions, or additions to a record; or
(b) (b) The creation of a record.
(D) The electronic system utilized by the facility shall:
(i) Retain all entries for the life of the medical record; and
- (ii) Record the date and time of any entry, as well as identifying the individual who performed the entry.
- (E) The electronic system must not allow any original signed entry or any stored data to be modified from its original content except for computer technicians correcting program malfunction or abnormality.
- (F) A complete audit trail of all events as well as all “before” and “after” data must be maintained;
(2)
(A) Require data access controls using unique personal identifiers to ensure that unauthorized individuals cannot:
- (i) Make entries to a record; or
- (ii) Create or enter an electronic signature for a record.
- (B) The facility shall maintain a master list of authorized users, past and present.
- (C) Facilities shall terminate user access when the user leaves employment with the facility;
(3)
- (A) Include physical, technical, and administrative safeguards to ensure confidentiality of patient medical records, including procedures to limit access to only authorized users.
(B) The authorized user must certify in writing that:
- (i) The identifier will not be shared with or used by any other person; and
- (ii) They are aware of the requirements and penalties related to improper usage of their unique personal identifier;
(4)
- (A) Provide audit controls.
- (B) The system must be capable of tracking and logging user activity within its electronic files.
(C) These audit logs shall include the:
- (i) Date and time of access; and
- (ii) User ID under which access occurred.
- (D) These logs shall be maintained a minimum of six (6) years.
(E) The facility must certify in writing that it is:
- (i) Monitoring the audit logs to:
- (a) (a) Identify questionable data access activities;
(b) (b) Identify breaches; and
(c) (c) Assess the security program; and
- (ii) Taking corrective actions when a breach in the security system becomes known;
(5)
- (A) Have a data recovery plan.
- (B) Data must be backed up either locally or remotely.
- (C) Backup media shall be stored at both on-site and off-site locations or alternatively at multiple offsite locations.
(D)
- (i) The backup system must have the capability of timely restoring the data to the facility or to the central server in the event of a system failure.
- (ii) Barring a natural disaster of epic proportions (e.g., earthquake, tornado), “timely” means that the restoration of the backup occurs within a period of time that will permit no more than minimal disruption in the delivery of care and services to the residents.
(E) Pending restoration from backup, the facility shall:
- (i) Maintain newly generated records in a paper format; and
- (ii) Copy or transfer the contents of the paper records to the electronic system upon restoration of the system and backup.
- (F) A full backup shall be performed at least weekly, with incremental or differential backups daily.
- (G) Back up media shall be maintained both locally and at the off-site location or alternatively at multiple off-site locations until the next full weekly backup is successfully completed.
(H)
- (i) Backups shall be tested periodically, but no less than monthly.
- (ii) Testing shall include restoration of the backup to a computer or system that shall not interfere with, or overwrite, current records.
- (I) If utilizing a third-party company for computer data storage and retrieval, the facility shall require that said third-party company shall comply with these requirements; and
(6)
- (A) Provide access to United States Department of Health and Human Services and Centers for Medicare and Medicaid Services personnel.
- (B) Access may be by means of an identifier created for the United States Department of Health and Human Services, Office of Long-Term Care, or Centers for Medicare and Medicaid Services personnel, by a printout of the record, or both, as requested by United States Department of Health and Human Services, office, or Centers for Medicare and Medicaid Services personnel.
- (C) Access must be in a “human readable” format and shall be provided in a manner that permits United States Department of Health and Human Services, office, or Centers for Medicare and Medicaid Services personnel to view the records without facility personnel being present.
(D) Access shall:
- (i) Include all entries and accompanying logs; and
- (ii) List the date and time of any entry, as well as identifying the individual who performed the entry.
- (E) Any computer system utilized, whether in-house or from a third-party vendor, must comply with this part.