Since moving back to my home state, I tend to see a bit more of my father than I had over the previous couple years (shocking, right? It’s almost as if there was a causal relationship between the distance I was from my parents’ house and the frequency with which I visited my parents’ house). My dad runs a chiropractic practice and, like many healthcare providers across the country, has been moving toward electronic recordkeeping for his patient files.
I’m not sure if he underestimated the difficulty and complexity inherent to shifting thirty years of personal habit fairly quickly or not. Because he (like me!) is a creature of habit, I somehow doubt he made the decision to switch lightly. It all seemed to go pretty well so far as I can tell, at least in terms of the day-to-day record creation, storage, retrieval, and so on.
A couple months ago, however, I was visiting my folks and deep in conversation with my mother. During a lull, Dad asks me to come take a look at a couple documents. Now that he’s made the switch to electronic health records, he has to be able to prove that such records are being kept secure, safe, and private. A risk analysis is not uncommon, but I don’t think he had considered the term before. With paper records, his responsibility was to ensure that the patient files were kept away from unauthorized eyes and accessible by only a few personnel. The principles haven’t changed with the shift to electronic records, but the methods by which an electronic record could be inadvertently or purposefully divulged, tampered with, stolen, or destroyed were, to him, myriad. He had a difficult time wrapping his head around the risk analysis and was unsure where to start. The government’s guidelines, as one can imagine, did more to confuse the issue than clear it up.
The answer or solution isn’t anything revolutionary: over the course of several conversations, and with some consulting of colleagues in the field, we developed a framework and form with which he could start assessing his electronic records: how they were stored, who had access, what sorts of risk were they exposed to and the varying levels of that risk. The work remains up to him to actually apply the framework to his scenario, but I feel confident that he knows enough of the questions to ask the the format the information he records needs to be in.
I’m writing about this because, although his three-person business is a fairly different context than many of our professional scenarios, it highlights the difficulty stakeholders in your institutions probably have with the concepts of a records audit, a risk analysis, or assessment of the recordkeeping landscape. We may not all be full-time records managers (my position is not fully devoted to RIM), but we bring a certain way of thinking to a conversation about one’s recordkeeping environment. If I can be frank, the first couple conversations I had with my father about this were frustrating (and it’s not just because I lived in his house during my teenage years, or that I am coming to realize that I’m turning into him): we were coming from two wildly different points of view, and it took a while to find a common language. It’s worth keeping in mind, particularly if you’re in a position to be setting up a new records program or realigning an old one.