HIPAA
Security and Electronic Signature Standards (2002) addresses the following policies, practices, and procedures (a few examples):
Security and confidentiality policies
- Requirement for a time source behind the firewall for secure and accurate networking.
Audit Trails
- Requirement for Legally Traceable Time® to support the Time Stamps, Audit Trails, File Logs, etc. that HIPAA mandates, especially as they relate to Electronic Health Records.
CMS Conditions of Participation for Hospitals §482.24.
Defines standards and requirements for medical records, whether they are in paper or electronic format. These regulations are the foundation for maintaining legally sound health records.
Time synchronization supports the following regulation statement:
- All entries in the medical record must be timed, dated, and authenticated, and a method established to identify the author. The identification may include written signatures, initials, computer key, or other code. Authentication may include signatures, written initials or computer entry.
ASTM
- Subcommittee E31.20 (Security and Privacy)
- Authentication of Computer-based Health Information
ISO/IEC 15408-1
- Security protection profile for a healthcare IT application system
JCAHO
Provides guidelines for the appropriate authentication of medical record entries
- Standard IM 7.1.1 states that only authorized individuals may make entries in the medical record.
- Standard IM 7.8 states that every medical record entry must be dated, its author identified and, when necessary, authenticated.
FDA 21 CFR Part 11
Section 11.10 describes measures designed to ensure the integrity of system operations and information stored in the system. Such measures include: (1) validation; (2) the ability to generate accurate and complete copies of records; (3) archival protection of records; (4) use of computer-generated, time-stamped audit trails; (5) use of appropriate controls over systems documentation; and (6) a determination that persons who develop, maintain, or use electronic records and signature systems have the education, training, and experience to perform their assigned tasks.
HL7 EHR Models and Profiles
HL7 EHR Interoperability Model
The HL7 EHR Interoperability Model (EHR/IM) establishes an industry consensus view of "What is EHR Interoperability?" It provides a reference list of characteristics of (and requirements for) interoperable EHR records.
2.7c: An Act occurs at a specific date/time and has an elapsed time - date/time consistent with a Master Clock system
HL7 EHR Functional Model
The HL7 EHR Functional Model (EHR-S FM) specifies over 160 functions that may be present in an Electronic Health Record System.
IN.1.5 – Non-Repudiation: time stamp is important for non-repudiation
IN.1.6 – Secure Data Exchange: use standardized time-keeping per the IHE consistent time profile
IN.2.3 – Synchronization: synchronize data
HL7 Works in Process
Current work involves specifying the requirements of a legal EHR. Items under consideration for the HL7 Legal EHR Functional Profile include:
Auditable Records: date and time stamps are important for audit capabilities with standardized time-keeping per the IHE consistent time profile.
Chronology of Events: Shall maintain proper chronology of events.
IHE IT Infrastructure Technical Framework
Also used in the radiology, cardiology, and patient care devices (PCD) technical frameworks
| Problem | IHE Domain | IHE Integration Profile | Transaction | Actors |
| --- | --- | --- | --- | --- |
| Inconsistent Time | Infrastructure, Radiology, Cardiology, Patient Care Devices | Consistent Time (CT) | NTP or SNTP request/send | Time Client, Time Server |
Consistent Time (CT)
The Consistent Time Integration Profile provides a means to ensure that the system clocks and time stamps of the many computers in a network are well synchronized. This profile specifies synchronization with a median error less than 1 second.
CT Actors
Time Client – Establishes time synchronization with one or more Time Servers using the NTP protocol and either the NTP or SNTP algorithms. Maintains the local computer system clock synchronization with UTC based on synchronization with the Time Servers.
Time Server – Provides NTP time services to Time Clients. It is either directly synchronized to a UTC master clock (e.g., satellite time signal) or is synchronized by being grouped with a Time Client to other Time Server(s).
Diagram of a time server with medical device systems as time clients in a simulated multi-vendor hospital environment (ppt).
CT Transactions
Maintain Time - NTP transactions used to maintain time synchronization.
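The offset calculation a Time Client performs on an NTP/SNTP reply, with the profile's 1 second median-error bound applied across several samples. This is an added example, not part of the original page or of the IHE framework; the packets, clock errors and all function names are constructed for illustration, and the offset formula is the standard NTP one.

```python
import struct
from statistics import median

NTP_FRAC = 2 ** 32
CT_MAX_MEDIAN_ERROR_S = 1.0  # bound quoted in the Consistent Time text above

def to_ntp(seconds: float) -> bytes:
    """Encode seconds since the NTP epoch as a 64-bit NTP timestamp."""
    whole = int(seconds)
    return struct.pack("!II", whole, int((seconds - whole) * NTP_FRAC))

def from_ntp(raw: bytes) -> float:
    whole, frac = struct.unpack("!II", raw)
    return whole + frac / NTP_FRAC

def build_reply(t1, t2, t3, li=0, stratum=2) -> bytes:
    """Constructed 48-byte server reply (version 4, mode 4) for the sample."""
    header = struct.pack("!BBbb", (li << 6) | (4 << 3) | 4, stratum, 6, -20)
    # root delay, root dispersion, reference ID, reference timestamp
    body = struct.pack("!II4s", 0, 0, b"GPS\0") + to_ntp(t2)
    return header + body + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)

def sntp_offset(reply: bytes, t1: float, t4: float):
    """Return (offset, delay) in seconds; reject replies a client must not use."""
    if len(reply) < 48:
        raise ValueError("short packet")
    li, mode, stratum = reply[0] >> 6, reply[0] & 0x7, reply[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if li == 3 or stratum == 0:
        raise ValueError("server unsynchronized or kiss-of-death")
    if reply[24:32] != to_ntp(t1):
        raise ValueError("origin timestamp does not match our request")
    t2, t3 = from_ntp(reply[32:40]), from_ntp(reply[40:48])
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def ct_compliant(offsets) -> bool:
    """True when the median absolute clock error is under the 1 s bound."""
    return median(abs(o) for o in offsets) < CT_MAX_MEDIAN_ERROR_S

def sample_run():
    base = 3_900_000_000.0  # constructed NTP-epoch send time
    offsets = []
    # constructed (server-minus-client clock error, one-way delay) in seconds
    for err, owd in [(0.20, 0.010), (-0.35, 0.020), (1.40, 0.015)]:
        t1 = base                # request leaves, by the client's clock
        t2 = t1 + err + owd      # request arrives, by the server's clock
        t3 = t2 + 0.001          # reply leaves, by the server's clock
        t4 = t3 - err + owd      # reply arrives, by the client's clock
        offsets.append(sntp_offset(build_reply(t1, t2, t3), t1, t4)[0])
    return offsets

if __name__ == "__main__":
    print(sample_run(), ct_compliant(sample_run()))
```

Rejecting unsynchronized replies and replies whose origin timestamp does not echo the request keeps a stale or unsolicited packet from moving the clock that audit-trail time stamps depend on.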
The Certification Commission for Healthcare Information Technology (CCHIT)
2007 Certification of Ambulatory and Inpatient EHRs - FINAL SECURITY CRITERIA
These criteria include a requirement for the accuracy of time as it relates to the Electronic Health Record. The statements are as follows:
The system shall provide authorized administrators with the capability to read all audit information from the audit records in one of the following two ways: 1) The system shall provide the audit records in a manner suitable for the user to interpret the information. The system shall provide the capability to generate reports based on ranges of system date and time that audit records were collected. 2) The system shall be able to export logs into text format and correlate records based on time (e.g., UTC synchronization).
S7 -
S8.1 -
S8.2 -
NQA/CMS Reporting Hospital Quality Data
Inpatient Hospital Quality Measures
Metrics requiring synchronized time between hospital arrival and treatment records.
Patients with Acute Myocardial Infarction
- AMI-7a: Fibrinolytic therapy received within 30 minutes of hospital arrival
- AMI-8a: Primary PCI received within 90 minutes of hospital arrival
Patients with Pneumonia
- PN-5b: Initial antibiotic received within 4 hours of hospital arrival
Primary Stroke Center Certification
The Joint Commission's Certificate of Distinction for Primary Stroke Centers
Required measurements:
- Arrival time
- Diagnostic brain image completed and results reported to or reviewed by the stroke team within 45 minutes
- Time to thrombolytic administration
Chest Pain Center Accreditation
Synchronized time is an important process improvement tool as required by Chest Pain Center accreditation in two ways: as a functional facility design practice and for accurate performance metrics.
KEY ELEMENT #7: Functional Facility Design
“Clocks are synchronized within the main ED, Triage area, 12-Lead ECG machines and Cath lab.”
KEY ELEMENT #2: Emergency Assessment of Patients with Symptoms of ACS – Timely Diagnosis and Treatment
Examples of measurements and procedures:
“Tracking time of arrival”
“Time to first”…. [ECG, biomarker result, fibrinolysis, balloon, primary PCI, etc.]
“ECGs repeated at five (5) to ten (10) minute intervals”
“Return calls in ten (10) minutes”