Information Vulnerabilities: Technical Failures and Lack of IG May Cause Loss of Medical Records

September 21, 2017


Keep up with the latest on information governance as this key strategy emerges for addressing a myriad of information management challenges in healthcare. This blog will highlight the trends and opportunities IG presents for ensuring information is treated as an organizational asset.

By Lori L. Richter, MA, RHIA, CPHIT, CPEHR, CHPS


Imagine… As a patient, you are stressed and in pain and overhear someone in the hallway say, “The EHR is down.”

Imagine… As a provider, a patient in your clinic states they were in the emergency room (ER) two days ago with stomach pain and the pain has come back. You try to review your records to obtain the results from labs and documentation from the ER providers but the information isn’t available.

Imagine… A patient complains to their surgeon of pain in their hip, the same hip they had replaced five years ago. The surgeon tries to retrieve the implant record and finds out the system was archived.

Imagine… As the CFO for your hospital, you are told you have to pay back money to Medicare because your documentation did not properly support medical necessity in the medical record.

The reality… Disparate systems, lack of proper policies and procedures, and poor technology have led to unavailable, incomplete, or inaccurate records. The credibility, accountability, and reputation of the organization and the care it can provide are on the line. Employees, physicians, and patients could lose respect for and faith in the care the organization provides to them; credibility is easy to lose and hard to earn.

Ensuring a Strong EHR System with Information Governance

Are decisions being made about business continuity, record retention, and documentation backups in your electronic health record (EHR) by teams who may not thoroughly understand regulatory implications or information integrity requirements? Do any of the “imagine” scenarios above sound familiar? Maybe you’ve even experienced similar situations as a patient (I have).

Strategic thinking and operational thinking are both needed to ensure that valuable input and direction for a strong EHR platform stem from good information governance (IG) practices. The best way to start IG at your facility is to assemble a multidisciplinary information governance committee before a disaster occurs or before new regulations are implemented. AHIMA’s IG Toolkit 3.0 outlines the roles, responsibilities, and elements of a successful IG committee. The IG committee assesses the needs of the organization and determines the IG plan.

The IG plan should include documentation and considerations for end-to-end life cycle management activities. Life cycle management includes storage technologies, standards, and protections. As plans are made to address information life cycle management, refer to the supplemental resources from the AHIMA toolkits “Disaster Planning for Health Information” and “Disaster Planning and Recovery.”

Reliance on the integrity and availability of EHR systems and information is more important now than ever as a way to successfully complete daily clinical and business operations. EHR systems are being rolled out and optimized to meet modified Stage 2 “meaningful use” EHR Incentive Program requirements, and for the 2019 Stage 3 requirements. To successfully meet meaningful use requirements, organizations need trustworthy, reliable, accurate, and clean information. Strong IG practices will help organizations to ensure these requirements are met.

Information Vulnerabilities

Once the data and information are gone, then what? Entities should follow pre-defined steps for remediation and mitigation of risk when it has been identified that legal medical records (within the regulatory record retention period) have become inaccessible, with or without recovery, due to a technical disaster and when no projected timeline for full recovery of the application is known. These disasters may come in the form of a tape backup error, server failure, or a ransomware event, rendering the data and information unavailable.

Information governance teams should follow a standardized team approach to mitigating risk when a technical failure occurs, causing data and information to become inaccessible. The following steps should be considered when working on your organization’s pre-determined information recovery plan.

  1. Contact your IT team to report the critical issue immediately to ensure the right team is assigned, understanding the criticality and impact to your patients and organization.
  2. A business owner should be identified to manage the project and help facilitate discussions, next steps, downtime processes, and accountable parties.
  3. The business owner must quickly identify team members to make up a core team to assess next steps. The core team should include: clinical sponsor, health information management (HIM) leadership, compliance, risk management, legal, and IT in the categories of disaster recovery, applications, and server teams.
  4. Legal and compliance should be contacted for guidance on responses to requestors of records that are unavailable.
  5. The business owner should notify executive leadership to brief them on the extent of the data loss and subsequent mitigation steps.
  6. Marketing should be contacted and placed on standby to manage communications with medical staff or others, as necessary.
  7. HIM should begin assessing processes (options) for recreation, and should identify what is inaccessible (years, charts, accounts) and within the legal record retention period for the entity(s). Determine what documentation should be rescued or recreated. Using record retention requirements as a guide, first rescue those records that continue to require retention. Attempt to recover the remaining records once those requiring continued retention have been recovered. Time is a critical factor, and the need to move as quickly as possible to recover or restore the damaged or missing information is imperative.
  8. Finalize recreation options as well as IT resources and assistance: server recovery, availability of ‘shadow’ copies, availability of records in other systems (for example, radiology reports in the radiology system could be resent to HIM for filing).
  9. Various steps may be taken to recreate the medical record using available multi-part forms, computer-generated reprints of dictations, test results, and copies from the hospital, physician practices, or other settings. To the extent records are completely destroyed or cannot be restored by a damage restoration company, reconstruction should occur.
  10. Response letters must be produced for requestors if charts are unavailable, in response to: subpoenas, court orders, or other administrative requests; patient or legal personal representative requests; payor requests; clinical requests (internal); clinical requests (external).
  11. If unable to reconstruct part or all of a patient’s health information, document the date, the information lost, and the event precipitating the loss.
  12. A business owner, or designee, should work with the entity’s legal and surveyor response team (The Joint Commission, State, Medicare, etc.) to complete a written analysis to produce during a review when and if necessary.

Credibility: A Universal Goal

The above steps aren’t necessarily sequential; some may be done in parallel, and you may find additional nuances to add to a plan for your specific organization. This list is a good place to start, and hopefully offers some items for consideration and discussions with your IG team.

I’d like to leave you with one last thought: it’s a definition of a word we all want to ensure our patients use when thinking of our organization: credibility. To be called credible is to be acknowledged as an organization that people trust and believe in, that is trustworthy, reliable, and dependable. And I think any healthcare organization would agree that to be worthy of the term is a worthwhile and important goal.


Lori L. Richter is the national director for EHR compliance in the corporate responsibility department at Catholic Health Initiatives.