On the record
Professor Selma Smith provides practical tips to help ensure you record what is necessary and appropriate in patient notes – and that you store records safely
What makes a comprehensive medical record? A good place to start is the HPCSA’s Guidelines on the Keeping of Patient Records (booklet 14).
Patient records need to include:
- Personal (identifying) particulars
- Bio-psychosocial history of the patient, including allergies and idiosyncrasies
- Time, date and place of every consultation
- Assessment of the patient’s condition
- Proposed clinical management of the patient
- Medication and dosage prescribed
- Patient’s reaction to treatment or medication, including adverse effects
- Test results
- Imaging investigation results
- Information on the times that the patient was booked off from work and the relevant reasons
- Written proof of informed consent, where applicable.
Recording an “assessment of the patient’s condition” might seem straightforward. Yet often, when patient records are examined in response to a clinical negligence claim, this detail is interpreted in many different ways. Interpretations vary from detailed notes on history, examination and diagnosis, to just the noting of a diagnosis, eg, “tension headache”. The latter version is not of much help if a doctor needs to defend him/herself against a complaint of negligence for missing a slow growing meningioma.
When defending doctors against negligence claims, it is very valuable if notes reflect findings that influenced diagnostic and management decisions
On the one hand is the need to write concise notes to save time, whilst on the other hand, doctors need to be able to justify their clinical actions and diagnoses, which involves more elaborate note keeping. When defending doctors against negligence claims, it is very valuable if notes reflect findings that influenced diagnostic and management decisions. These findings do not have to be described in detail.
A comment of “no meningial irritation/no cranial pressure” in the notes of a patient with headache is helpful in illustrating that due consideration was given to so called “red flag” conditions at the time of consultation. If patients were given information on their condition, or possible danger signs, a note “advised on condition” is very helpful in defending against the complaint of a patient that s/he was not informed. Documenting the use of written information leaflets is even more valuable.
Problems can also arise with information that is noted, but gets “lost” within the patient file. An example of this is the note of “blood tests taken”, which can easily be overlooked. Although all practices should have a system by which new results are evaluated as they are received this is not always fail proof. A useful tip, as a backup, is to write all special investigations requested in a contrasting colour ink such as red ink, or to use highlighters. This is very easily seen when paging through a file before a consultation. The doctor can then ensure that tests are appropriately acted on during the consultation.
Correcting an error as described by the above guidelines is specific to paper records: an error or incorrect entry discovered in the record may be corrected by placing a line through it with ink and correcting it. The date of change must be entered and the correction must be signed in full. The original record must remain intact and fully legible. Additional entries added at a later date must be dated and signed in full. The reason for an amendment or error should also be specified on the record. Electronic records need to be captured in a format that permits once only writing, so that old information cannot be overwritten, but new information can be added.
What not to write is as important as what to write. Disparaging comments indicating the doctor’s irritation or dislike of a patient must never be reflected in a patient’s notes. Remember, notes may be read by the patient and appear in open court.
Keeping patient records safe
Simply put, the storage and safekeeping of patient records is about access control and protecting data against loss or corruption. All systems that handle personal information are subjected to security and privacy issues. The Protection of Personal information (POPI) legislation endeavours to establish and formalise minimum requirements to be adhered to in the handling of personal information. POPI affects all private and public organisations that process personal information. It places an extra responsibility on doctors to monitor, preserve and self-report the flow of personal information in their practices to help protect patient privacy.
The privilege to have access to such information comes with great responsibility to the practitioner, who has an ethical and legal duty to keep accurate records
Access control ensures confidentiality; one of the cornerstones on which the doctor-patient relationship is built. Because the patient is assured that information disclosed during consultation is confidential, intimate information about his/her life can be shared with his/her medical practitioner. The privilege to have access to such information comes with great responsibility to the practitioner, who has an ethical and legal duty to keep accurate records and to keep this information confidential as stated in the National Health Act (no 61 of 2003).
Such a duty of confidentiality relates not only to sensitive health information, but to all information that is held about patients. This information includes demographic detail and even the fact that the patient is registered as a patient of the practice. Electronic data needs virus protection. Electronic clinical records need to be encrypted and password protected to prevent unauthorised access.
All employees need to sign confidentiality agreements and must be trained in security awareness as part of the induction process, eg, access control also entails not letting patient records lie around, face up or open and not having computer monitors display information to all passing by.
Access to electronic data must be gained by a personal password – do not share passwords. Local networks need to be protected by firewalls. Beware of unsecured memory sticks and mobile devices carrying patient information. When sharing data electronically outside of the local office network, data needs to be encrypted. Doctors need to look closely at the security practices of contractors and service providers, and contracts with contractors need to have data protection clauses.
Doctors are only permitted to release information about their patients in certain circumstances:
- With consent of the patient
- When disclosure is required by statute, for example the requirement to notify certain communicable diseases
- At the instruction of a court
- When it is in the public interest, for instance when there is a risk of death or serious harm to the patient or others
- In the case of a deceased patient with the written consent of the next of kin or the executor of the deceased’s estate. Whether or not consent was legally required, the patient/next of kin must be informed that information was released.
Records must be kept physically secure: records need to be stored in rooms or cabinets that can be locked and preferably are fireproof
Storing patient records
The HPCSA requires patient information to be stored in a safe place for at least six years from the date it becomes dormant. Under some circumstances, such as the records of minors, mentally incompetent patients and in terms of the Occupational Health and Safety Act (Act No 85 of 1993) this period can be even longer. Records must be kept physically secure: records need to be stored in rooms or cabinets that can be locked and preferably are fireproof.
Professor Selma Smith is Adjunct Professor, Department of Family Medicine, University of Pretoria
Case study: Safe storage
Dr Z was a community service officer on a general surgery ward. He was keen to pursue a career in general surgery, and as a result often worked extra hours to gain additional theatre experience. He kept a tally on his tablet of the surgery he had assisted, which included a list of patient names, ages and details of the procedure performed.
One evening, Dr Z’s car was broken into and his tablet was stolen. He was concerned that his tablet was not password protected and reported the loss to his consultant as well as the police.
Patient information should be held securely and in compliance with data protection legislation
- Remember that confidential information includes a patient’s name and address.
- You should ensure any tablet, PC, or smartphone which contains confidential patient information is password protected. Any memory sticks used should be safe sticks.
- Patient information should be held securely and in compliance with data protection legislation. Inadvertent disclosure of confidential information should not occur. High-risk areas where breaches can occur are in lifts, canteens, at printers and on medical wards.
- Notes should reflect findings that influenced diagnostic and management decisions.
- Records must be protected against unauthorised access by passwords, firewalls and encryption.
- Electronic clinical records need to be captured in a format that permits once only writing.
- Contracts with employees and contractors must include confidentiality and data protection clauses.
- Employees need to be trained to ensure security awareness.
- All records need to be kept in a safe place – dormant records should be kept for six years or more.