Prevent Technology-Related Errors
December 09, 2008

Safely implementing health information and converging technologies


Applicable Joint Commission Standards

IM.1.10 | IM.2.20 | IM.2.30 | LD.4.20 | LD.4.40

Standard IM.1.10 (IM.01.01.01**)
The hospital plans and designs information management processes to meet internal and external information needs.

Rationale for IM.1.10
Hospitals vary in size, complexity, governance, structure, decision-making processes, and resources. Information management systems and processes vary accordingly. Only by first identifying the information needs can one then evaluate the extent to which they are planned for, and at what performance level the needs are being met. Planning for the management of information does not require a formal written information plan, but does require evidence of a planned approach that identifies the hospital’s information needs and supports its goals and objectives.

Elements of Performance for IM.1.10

  1. The hospital bases its information management processes on an assessment of internal and external information needs.
    • The assessment identifies the flow of information throughout a hospital, including information storage and feedback mechanisms.
    • The assessment identifies the data and information needed: within and among departments, services, or programs; within and among the staff, the administration, and the governance for supporting relationships with outside services and contractors; with licensing, accrediting, and regulatory bodies; with purchasers, payers, and employers; for supporting informational needs between the hospital and the patients; and for participating in research and databases.
  2. To guide development of processes for managing information used internally and externally, the hospital assesses its information management needs based on the following:
    • Its mission
    • Its goals
    • Its services
    • Staff
    • Patient safety considerations
    • Quality of care, treatment, and services
    • Mode(s) of service delivery
    • Resources
    • Access to affordable technology
    • Identification of barriers to effective communication among caregivers
  3. The hospital bases its management, staffing, and material resource allocations for information management on the scope and complexity of care, treatment, and services provided.
  4. Identified staff participates in assessment, selection, integration, and use of information management systems for clinical/service and hospital information.
  5. The hospital has an ongoing process to assess the needs of the hospital, departments, and individuals for knowledge-based information.
  6. The hospital uses the assessment for knowledge-based information as a basis for planning.

Standard IM.2.20 (IM.02.01.03**)
Information security, including data integrity, is maintained.

Rationale for IM.2.20
Policies and procedures address security procedures that allow only authorized staff to gain access to data and information. These policies range from access to the paper chart to the various security levels and distribution of passwords in an electronic system. The basic premise of the policies is to provide the security and protection for sensitive patient, staff, and other information, while facilitating access to data by those who have a legitimate need. The capture, storage, and retrieval processes for data and information are designed to provide for timely access without compromising the data and information’s security and integrity.

Elements of Performance for IM.2.20

  1. The hospital has a written policy(ies) for addressing information security, including data integrity* that is based on and consistent with law or regulation.
  2. The hospital’s policy, including changes to the policy, has been communicated to staff.
  3. The hospital implements the policy.
  4. The hospital monitors compliance with the policy.
  5. The hospital improves information security, including data integrity, by monitoring information and developments in technology.
  6. The hospital develops and implements controls to safeguard data and information, including the clinical record, against loss, destruction, and tampering.
  7. Controls to safeguard data and information include the following:
    • Policies indicating when the removal of records is permitted
    • Protection against unauthorized intrusion, corruption, or damage
    • Minimization of the risk of falsification of data and information
    • Guidelines for preventing the loss and destruction of records
    • Guidelines for destroying copies of records
    • Protection of records in a manner that minimizes the possibility of damage from fire and water
  8. Policies and procedures, including plans for implementation, for electronic information systems address the following: data integrity, authentication,† nonrepudiation,‡ encryption,§ as warranted, and auditability,|| as appropriate to the system and types of information, for example, patient information and billing information.


Standard IM.2.30 (IM.01.01.03**)
Continuity of information is maintained.

Rationale for IM.2.30
The purpose of the business continuity/disaster recovery plan is to identify the most critical information needs for patient care, treatment, and services and business processes, and the impact on the hospital if these information systems were severely interrupted. The plan identifies alternative means for processing data, providing for recovery of data, and returning to normal operations as soon as possible.

Elements of Performance for IM.2.30

  1. The hospital has a business continuity/disaster recovery plan for its information systems.
  2. For electronic systems, the business continuity/disaster recovery plan includes the following:
    • Plans for scheduled and unscheduled interruptions, which includes end-user training with the downtime procedures
    • Contingency plans for operational interruptions (hardware, software, or other systems failure)

* Integrity: In the context of data security, data integrity means the protection of data from accidental or unauthorized intentional change.
† Authentication: The validation of correctness for both the information itself and the person who is the author or user of information.
‡ Nonrepudiation: The inability to dispute a document’s content or authorship.
§ Encryption: The process of transforming plain text (readable) into cipher text that is unreadable without a special software key.
|| Auditability: The ability to do a methodical examination and verification of all information activities such as entering and accessing.


Standard LD.4.20 (LD.04.04.03**)
New or modified services or processes are designed well.

Elements of Performance for LD.4.20
The design of new or modified services or processes incorporates the following:

  1. The needs and expectations of patients, staff, and others
  2. The results of performance improvement activities, when available
  3. Information about potential risks to patients, when available
  4. Current knowledge, when available and relevant (for example, practice guidelines, successful practices, information from relevant literature and clinical standards)
  5. Information about sentinel events, when available and relevant
  6. Testing and analysis to determine whether the proposed design or redesign is an improvement
  7. The leaders collaborate with staff and appropriate stakeholders to design services.


Standard LD.4.40 (LD.04.04.05**)
The leaders ensure that an integrated patient safety program is implemented throughout the hospital.

Rationale for LD.4.40
The leaders should work to foster a safe environment throughout the hospital by integrating safety priorities into all relevant hospital processes, functions, and services. In pursuit of this effort, a patient safety program can work to improve safety by reducing the risk of system or process failures. As part of its responsibility to communicate objectives and coordinate efforts to integrate patient care and support services throughout the hospital and with contracted services, leadership takes the lead in developing, implementing, and overseeing a patient safety program. The standard does not require the creation of new structures or “offices” in the hospital; rather, the standard emphasizes the need to integrate all patient-safety activities, both existing and newly created, with the hospital’s leadership identified as accountable for this integration.

Elements of Performance for LD.4.40
The patient safety program includes the following:

  1. One or more qualified individuals or an interdisciplinary group assigned to manage the hospitalwide safety program
  2. Definition of the scope of the program’s oversight, typically ranging from no-harm, frequently occurring “slips” to sentinel events with serious adverse outcomes
  3. Integration into and participation of all components of the hospital into the hospitalwide program
  4. Procedures for immediately responding to system or process failures, including care, treatment, or services for the affected individual(s), containing risk to others, and preserving factual information for subsequent analysis
  5. Clear systems for internal and external reporting of information about system or process failures
  6. Defined responses to various types of unanticipated adverse events and processes for conducting proactive risk assessment/risk reduction activities
  7. Defined support systems* for staff members who have been involved in a sentinel event
  8. Reports, at least annually, to the hospital’s governance or authority on system or process failures and actions taken to improve safety, both proactively and in response to actual occurrences

**The 2009 standards have been renumbered as part of the Standards Improvement Initiative.