commission

profilejrunner
Week2AsmtJCHIMStandards2014.pdf

Effective Date: August 25, 2014

Chapter: Information Management

Overview: Every episode of care generates health information that must be managed systematically by the organization. All data and information used by the organization are categorized, filed, and maintained. The system should accurately capture health information generated by the delivery of care, treatment, or services. Health information should be accessed by authorized users who will use health information to provide safe, quality care. Unauthorized access can be limited by the adoption of policies that address the privacy, security, and integrity of health information.

Depending on the type of organization, the system used for information management may be basic or sophisticated. As technology develops, many organizations find their information management systems in a state of transition from paper to fully electronic or a combination of the two. Regardless of the type of system used, these standards are designed to be equally compatible with noncomputerized systems and evolving technologies.

About This Chapter: As with other chapters, planning is the initial focus of “Information Management” (IM). A well planned system meets the internal and external information needs of the organization with efficiency and accuracy. Planning also provides for continuity in the event that the organization’s operations are disrupted or fail. The organization also plans to protect the privacy, security, and integrity of the data and information it collects, which results in preserving confidentiality. The chapter concludes with a standard on maintaining accurate health information.

Requirements in this chapter apply to all types of information managed by the organization, unless the requirement specifically limits the type of information to health information. Refer to the Glossary for a definition of health information.

Chapter Outline:

Program: Ambulatory

Page 1 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

I. Planning for Management of Information (IM.01.01.01, IM.01.01.03)

II. Health Information

A. Protecting the Privacy of Health Information (IM.02.01.01, IM.02.01.03)

B. Capturing, Storing, and Retrieving Data (IM.02.02.01, IM.02.02.03)

III. Knowledge-Based Information (IM.03.01.01)

IV. Monitoring Data and Health Information Management Processes (IM.04.01.01)

EP Attributes Icon Legend: CMS CMS Crosswalk

EP Criticality level is 1 - Immediate Threat to Health or Safety

A EP belongs to Scoring Category 'A' EP Criticality level is 2 - Situational Decision Rules

C EP belongs to Scoring Category 'C' EP Criticality level is 3 - Direct Impact.

M EP requires Measure of Success D Documentation is required

ESP-1 EP applies to Early Survey Option NEW EP is new or changed as of the selected effective date.

© 2014 The Joint Commission, © 2014 Joint Commission Resources E-dition is a registered trademark of The Joint Commission

Page 2 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

Chapter: Information Management

IM.01.01.01: The organization plans for managing information.

Rationale: Not applicable.

Introduction: Introduction to Standard IM.01.01.01 Planning is the most critical part of the organization’s information management process and requires the collaborative involvement of all levels and areas of the organization. The organization’s plan for information management considers the full spectrum of data generated and used by the organization; financial data, human resources data, supply inventories, and health information are examples of the different types of data that are considered in the information management planning process. Planning for the management of information does not necessarily result in a single, comprehensive written information management plan; however, planning does establish clear relationships between the organization’s needs and its goals. In addition to the organization’s goals, the organization’s mission, services, staff, patient safety practices, modes of service delivery, resources, and technology are considered during the information management planning process.

The flow of information within the organization, as well as to and from external organizations, is another important consideration for information management planning. Planning takes into account the data and information required to support relationships with outside providers, services, contractors, purchasers, and payers. By identifying internal and external information needs, organizations can make information available when and where it is needed. Organizations that understand the flow of information can achieve efficient data collection and distribution, along with effective security of health information. Elements of Performance

1 The organization identifies the internal and external information needed to provide safe, quality care. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

A ESP-1

Program: Ambulatory

Page 3 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

2 The organization identifies how data and information enter, flow within, and leave the organization. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

A ESP-1

3 The organization uses the identified information to guide development of processes to manage information. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

A ESP-1

4 Staff and licensed independent practitioners, selected by the organization, participate in the assessment, selection, integration, and use of information management systems for the delivery of care, treatment, or services. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

A

© 2014 The Joint Commission, © 2014 Joint Commission Resources E-dition is a registered trademark of The Joint Commission

Page 4 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

Chapter: Information Management

IM.01.01.03: The organization plans for continuity of its information management processes.

Rationale: Not applicable.

Introduction: Introduction to Standard IM.01.01.03 The primary goal of the information continuity process is to return the organization to normal operations as soon as possible with minimal downtime and no data loss. The organization needs to be prepared for events that could impact the availability of data and information regardless of whether interruptions are scheduled or unscheduled (due to a local or regional disaster or an emergency). Interruptions to an organization’s information system can potentially have a devastating impact on its ability to deliver quality care and continue its business operations. Planning for emergency situations helps the organization mitigate the impact that interruptions, emergencies, and disasters have on its ability to manage information. The organization plans for interruptions by training staff on alternative procedures, testing the organization’s Emergency Management Plan, conducting regularly scheduled data backups, and testing data restoration procedures.

Regardless of whether an organization uses a paper-based system or an electronic system, a plan to address the process for information continuity, including knowledge-based information, should be in place. Organizations that plan for maintaining access to electronic information systems by using various electronic backup and restore procedures can quickly recover from interruptions with minimal downtime and data loss. Elements of Performance

1 The organization has a written plan for managing interruptions to its information processes (paper-based, electronic, or a mix of paper- based and electronic). (See also EM.01.01.01, EP 6) EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

D A ESP-1

2 The organization's plan for managing interruptions to information processes addresses the following: Scheduled and unscheduled

Program: Ambulatory

Page 5 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

interruptions of electronic information systems. (See also IM.03.01.01, EP 1; EM.01.01.01, EP 6) EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

A ESP-1

3 The organization's plan for managing interruptions to information processes addresses the following: Training for staff and licensed independent practitioners on alternative procedures to follow when electronic information systems are unavailable. (See also EM.01.01.01, EP 6) EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

A ESP-1

4 The organization's plan for managing interruptions to information processes addresses the following: Backup of electronic information systems. (See also EM.01.01.01, EP 6) EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

A ESP-1

5 The organization's plan for managing interruptions to electronic information processes is tested for effectiveness according to time frames defined by the organization. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

A

6 The organization implements its plan for managing interruptions to information processes to maintain access to information needed for patient care, treatment, or services. (See also IM.03.01.01, EP 1) EP Attributes

Page 6 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

New FSA CMS MOS CR DOC SC ESP

- Information Technology

A

© 2014 The Joint Commission, © 2014 Joint Commission Resources E-dition is a registered trademark of The Joint Commission

Page 7 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

Chapter: Information Management

IM.02.01.01: The organization protects the privacy of health information.

Rationale: Not applicable.

Introduction: Introduction to Standard IM.02.01.01 The privacy of health information is a critical information management concern. Privacy of health information applies to electronic, paper, and verbal communications. Protecting the privacy of health information is the responsibility of the entire organization. Organizations protect privacy by limiting the use of information to only what is needed to provide care, treatment, or services.

Privacy, along with security, results in the confidentiality of health information. Health information is kept confidential when the information is secure (kept from intentional harm) and its use is limited (privacy). The end result of protecting the security and privacy of the information system is the preservation of confidentiality. To illustrate this relationship, confidentiality is violated in situations when a patient’s health information is used or accessed by an individual who does not have permission to access the information or uses it for purposes outside of delivering care, treatment, or services. A confidentiality violation occurs when an individual is able to bypass security measures and systems to gain access to health information. *

Footnote *: For additional guidance about limiting the use of information, refer to 45 CFR 164.502(b) and 164.514(d) under “Minimum Necessary” within the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Elements of Performance

1 The organization has a written policy addressing the privacy of health information. (See also RI.01.01.01, EP 7) Note: For ambulatory surgical centers that elect to use The Joint Commission deemed status option: The organization must comply with Section 45 of the Code of Federal Regulations parts 160 and 164, generally known as the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. EP Attributes

Program: Ambulatory

Page 8 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

New FSA CMS MOS CR DOC SC ESP

- Information Technology

§416.50(g) D A ESP-1

2 The organization implements its policy on the privacy of health information. (See also RI.01.01.01, EP 7) Note: For ambulatory surgical centers that elect to use The Joint Commission deemed status option: The organization must comply with Section 45 of the Code of Federal Regulations parts 160 and 164, generally known as the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

§416.50(g) A

3 The organization uses health information only for purposes permitted by law and regulation or as further limited by its policy on privacy. (See also MM.01.01.01, EP 1; RI.01.01.01, EP 7) Note: For ambulatory surgical centers that elect to use The Joint Commission deemed status option: The organization must comply with Section 45 of the Code of Federal Regulations parts 160 and 164, generally known as the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

§416.50(g) A

4 The organization discloses health information only as authorized by the patient or as otherwise consistent with law and regulation. (See also RI.01.01.01, EP 7) Note: For ambulatory surgical centers that elect to use The Joint Commission deemed status option: The organization must comply with Section 45 of the Code of Federal Regulations parts 160 and 164, generally known as the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. EP Attributes

New FSA CMS MOS CR DOC SC ESP

Page 9 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

- Information Technology

§416.50(g) A

5 The organization monitors compliance with its policy on the privacy of health information. (See also RI.01.01.01, EP 7) Note: For ambulatory surgical centers that elect to use The Joint Commission deemed status option: The organization must comply with Section 45 of the Code of Federal Regulations parts 160 and 164, generally known as the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

§416.50(g) A

© 2014 The Joint Commission, © 2014 Joint Commission Resources E-dition is a registered trademark of The Joint Commission

Page 10 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

Chapter: Information Management

IM.02.01.03: The organization maintains the security and integrity of health information.

Rationale: Not applicable.

Introduction: Introduction to Standard IM.02.01.03 The integrity and security of health information are closely related. Health information is collected and processed through various information sources and systems throughout the organization. As a result, breaches in security can lead to the unauthorized disclosure or alteration of health information. When this occurs, the integrity of the data and information is compromised. Even simple mistakes, such as writing the incorrect date of service or diagnosis, can undermine data integrity just as easily as intentional breaches. For these reasons, an examination of the use of paper and electronic information systems is considered in the organization’s approach to maintaining the security and integrity of health information. Regardless of the type of system, security measures should address the use of security levels, passwords, and other forms of controlled access. Because information technology and its associated security measures are continuously changing, the organization should do its best to stay informed about technological developments and best practices that can help it improve information security and therefore protect data integrity.

Monitoring access to health information can help organizations be vigilant about protecting health information security. Regular security audits can identify system vulnerabilities in addition to security policy violations. For example, as part of the process, the organization could identify system users who have altered, edited, or deleted information. The results from this audit process can be used to validate that user permissions are appropriately set. Conducting security audits can be particularly effective in identifying when employee turnover causes vulnerabilities in security because user access and permissions were not removed or updated. Elements of Performance

1 The organization has a written policy that addresses the security of health information, including access, use, and disclosure. Note: For ambulatory surgical centers that elect to use The Joint Commission deemed status option: The organization must comply with Section 45 of the Code of Federal Regulations parts 160 and 164,

Program: Ambulatory

Page 11 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

generally known as the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

§416.50(g) D A ESP-1

2 The organization has a written policy addressing the integrity of health information against loss, damage, unauthorized alteration, unintentional change, and accidental destruction. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

D A ESP-1

3 The organization has a written policy addressing the intentional destruction of health information. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

D A ESP-1

4 The organization has a written policy that defines when and by whom the removal of health information is permitted. Note: Removal refers to those actions that place health information outside the organization's control. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

§416.47(a) D A ESP-1

5 The organization protects against unauthorized access, use, and disclosure of health information. Note: For ambulatory surgical centers that elect to use The Joint Commission deemed status option: The organization must comply with Section 45 of the Code of Federal Regulations parts 160 and 164, generally known as the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

Page 12 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

§416.50(g) C

6 The organization protects health information against loss, damage, unauthorized alteration, unintentional change, and accidental destruction. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

C

7 The organization controls the intentional destruction of health information. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

A

8 The organization monitors compliance with its policies on the security and integrity of health information. Note: For ambulatory surgical centers that elect to use The Joint Commission deemed status option: The organization must comply with Section 45 of the Code of Federal Regulations parts 160 and 164, generally known as the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

§416.50(g) A

© 2014 The Joint Commission, © 2014 Joint Commission Resources E-dition is a registered trademark of The Joint Commission

Page 13 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

Chapter: Information Management

IM.02.02.01: The organization effectively manages the collection of health information. Rationale: Within the organization, health information can come from multiple sources. The use of standardized formats and terminology can help clarify information that is used by different individuals for various purposes. Capturing data in standardized language can lead to greater data integrity and reliability, as well as an increased potential for ease of use by internal and external systems and users. The more consistent the organization’s efforts are to capture accurate data in standardized language, the more likely the organization will be to rely on that data for patient-related purposes, including reimbursement, risk management, performance improvement, and infection surveillance. Introduction: Not applicable

Elements of Performance

1 The organization uses uniform data sets to standardize data collection throughout the organization. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

A

2 The organization uses standardized terminology, definitions, abbreviations, acronyms, symbols, and dose designations. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

D A ESP-1

3 The organization follows its list of prohibited abbreviations, acronyms, symbols, and dose designations, which includes the following: - U,u - IU - Q.D., QD, q.d., qd - Q.O.D., QOD, q.o.d, qod

Program: Ambulatory

Page 14 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

- Trailing zero (X.0 mg) - Lack of leading zero (.X mg) - MS - MSO4 - MgSO4 Note 1: A trailing zero may be used only when required to demonstrate the level of precision of the value being reported, such as for laboratory results, imaging studies that report the size of lesions, or catheter/tube sizes. It may not be used in medication orders or other medication-related documentation. Note 2: The prohibited list applies to all orders, preprinted forms, and medication-related documentation. Medication-related documentation can be either handwritten or electronic. EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

M C

© 2014 The Joint Commission, © 2014 Joint Commission Resources E-dition is a registered trademark of The Joint Commission

Page 15 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

Chapter: Information Management

IM.02.02.03: The organization retrieves, disseminates, and transmits health information in useful formats. Rationale: The ease of use of health information between systems and users contributes to its potential usefulness within the organization and for external reporting purposes. Data stored in different formats cannot easily be converted to a new format or transferred to other organizations or providers. For example, immediate access to infection control data can impact patient safety within the organization and outside of the organization. As more organizations automate various processes and activities, these systems need to allow for transmitting and receiving critical data while maintaining data integrity. Introduction: Introduction to Standard IM.02.02.03 Standardizing the collection of data, a concept that is supported by the requirements of Standard IM.02.02.03, helps with the effective dissemination of data and information. Consistency in data collection systems (paper-based, electronic, or a combination) creates the foundation for retrieving and disseminating data and information in the most useful format. For information about data collection and dissemination, visit the websites of the Office of the National Coordinator for Health Information Technology (ONC) (http://www.healthit.gov/) and the Certification Commission for Healthcare Information Technology (CCHIT) (http://www.cchit.org). Elements of Performance

2 The organization's storage and retrieval systems make health information accessible when needed for patient care, treatment, or services. (See also IC.01.02.01, EP 1) EP Attributes

New FSA CMS MOS CR DOC SC ESP

- Information Technology

§416.47(a) A

3 The organization disseminates data and information in useful formats within time frames that are defined by the organization and consistent with law and regulation. EP Attributes

Program: Ambulatory

Page 16 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

New FSA CMS MOS CR DOC SC ESP

- Information Technology

M C

13 For organizations in California that provide computed tomography (CT) services: The organization complies with radiation event reporting requirements specified in section 115113 of the California Health and Safety Code. EP Attributes

New FSA CMS MOS CR DOC SC ESP

M C

© 2014 The Joint Commission, © 2014 Joint Commission Resources E-dition is a registered trademark of The Joint Commission

Page 17 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

Chapter: Information Management

IM.03.01.01: Knowledge-based information resources are available, current, and authoritative.

Rationale: Not applicable.

Introduction: Not applicable

Elements of Performance

1 The organization provides access to knowledge-based information resources during hours of operation. (See also IM.01.01.03, EPs 2 and 6) EP Attributes

New FSA CMS MOS CR DOC SC ESP

A

© 2014 The Joint Commission, © 2014 Joint Commission Resources E-dition is a registered trademark of The Joint Commission

Program: Ambulatory

Page 18 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...

Chapter: Information Management

IM.04.01.01: The organization maintains accurate health information. Rationale: The integrity and quality of health information influences the usefulness and effectiveness of all internal and downstream systems, as well as external reporting. When the integrity of the data has been compromised, additional resources will be needed to scan the data and correct errors. Inaccurate data can lead to poor decision making. Introduction: Not applicable

Elements of Performance

1 The organization has processes to check the accuracy of health information. EP Attributes

New FSA CMS MOS CR DOC SC ESP

A ESP-1

© 2014 The Joint Commission, © 2014 Joint Commission Resources E-dition is a registered trademark of The Joint Commission

Program: Ambulatory

Page 19 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932...