Helpful Tips
Guide to Ensuring the Accuracy of Patient Records
Patient records should:
- Be written as soon as possible after an event has occurred,
providing current information on the care and condition of the
patient.
- Be written clearly, legibly, and in such a manner that they
cannot be erased.
- Be written in such a manner that any alterations or additions
are dated, timed, and signed in such a way that the original
entry can still be read clearly.
- Be accurately dated, timed and signed, with the name of the
author being printed alongside the first entry.
- Be readable on any photocopies.
- Be written, wherever possible, with the involvement of the
patient.
- Be clear, unambiguous, and written in terms that the patient
can understand. Abbreviations, if used, should follow common
conventions.
- Be consecutive.
- Include medical observations: examinations, tests, diagnoses,
prognoses, prescriptions, and other treatments.
Source:
Confidentiality: NHS Code of Practice, www.doh.gov.uk/ipu/confiden/protect/copv3.pdf
from the BCMA Privacy Toolkit
Guide to Ensuring the Security of Patient Records
For all types of records, staff working in medical
offices where patient records are kept should:
- Shut and lock doors and cabinets as required.
- Wear building passes/ID if issued.
- Control access to fax machines and not leave records unattended
there.
- Query the status of strangers.
- Know whom to tell if anything suspicious or worrying is noted.
- Not tell unauthorized personnel how security systems operate.
- Not breach security themselves.
- Sign confidentiality agreements that outline penalties for
inappropriately collecting, using, or disclosing personal information.
- Keep health records on-site wherever possible. When records
must be taken off-site, they should be kept secure at all times.
Laptop and handheld computers should be password protected.
Data should be encrypted wherever possible.
Paper records should be:
- Formally booked out from the normal filing system.
- Tracked if transferred, with a note made or sent to the filing
location of the transfer.
- Returned to the filing location as soon as possible after
completion of treatment.
- Stored securely within the clinic or office, arranged so
that the record can be found easily if needed urgently.
- Stored closed when not in use so that contents are not seen
accidentally.
- Inaccessible to members of the public and not left—even
for short periods—where they might be looked at by unauthorized
persons.
- Held in secure storage with clear labeling.
With electronic records, staff should:
- Log out of computer systems or applications when not in use
(whether leaving for the day or for a few minutes).
- Not leave a terminal unattended and logged in.
- Keep computers away from public view and access.
- Not share user IDs or passwords with other people. If other
staff members have a need to access records, appropriate access
should be organized for them—this must not be by using
other users’ IDs or passwords.
- Change passwords at regular intervals to prevent anyone else
using them.
- Not use short passwords, or use names or words that are known
to be associated with them (e.g., children’s or pet names
or birthdays). Passwords should never be written down.
- Revoke user IDs and passwords as soon as authorized users
resign or are dismissed.
- Always clear the screen of a previous patient’s information
before seeing another.
- Use a password-protected log-out to prevent casual viewing
of patient information by others.
- Install firewall software where Internet access to computer
systems exists.
- Use audit trails to track when a record is accessed, by whom,
and whether the accessing individual has the necessary authorization.
- Ensure data backup intervals and methods, and disaster recovery
plans, are in place and periodically reviewed.
- For large computer systems, develop and implement rules on
access levels for different users for different purposes.
Sources:
Confidentiality: NHS Code of Practice. www.doh.gov.uk/ipu/confiden/protect/copv3.pdf
Johns Hopkins University Information Security Institute; American
Health Information Management Assn. www.ama-assn.org/amednews/2001/01/29/tesa0129.htm
from BCMA privacy toolkit