Documentation is often used as evidence during litigation. If your documentation is nonexistent or incomplete, there is no evidence to support your recall of events. If your documentation is solid, it can help support your oral account of events and demonstrate that you met or exceeded the standard of care. With this in mind, when considering documentation from a risk-management perspective, it is important that you:

• Follow your facility or practice policy regarding documentation. Ensure that documentation at least meets minimal payer and regulatory requirements.
• Record information only on proper forms and write legibly. If your handwriting is illegible, the note may be considered as not having been written at all.
• Include the date, time, and your signature on every note. Often, there will be questions regarding the timing of events within the course of a day. If you include the time, there will be no question as to the chronology of events.
• Record information as close as possible to the time that you deliver care. Don't document in advance, and don't leave important notations for the end of the day or the end of the week.
• Use only common abbreviations that are approved by your facility or practice.
• Do not change the documentation after the fact. Identify any revisions in documentation as such, according to your facility or practice policy, to eliminate any questions about authenticity.
• Describe the individual's symptoms as they are elicited and offered. Use quotations properly. If the individual reports an adverse situation, make sure that you respond accordingly, and document your response or assessment of the situation.
• Be objective and factual; never allow opinions or emotions to become a part of the medical record.
• Report the facts in an organized and systematic manner with adequate detail and in chronological order.
• Document all telephone calls involving pertinent patient or client information. This includes cancellations, conversations with other care providers or referral sources, etc. Also document any handouts, instructions, or follow-up information that you give the individual and/or caregivers with parameters and dates. Include the individual's name and, if used, identifier on each page.
• If you use interpretive services to communicate with an individual who speaks a different language or has a hearing loss or other disability that makes communication difficult, document the method of interpretation that was provided, such as face-to-face or telephone interpretation; the name and credentials of the interpreter; what instruction was given; and the result of the instruction, such as "patient verbalizes understanding" or "patient can demonstrate." Be certain that a HIPAA business associate agreement is in place if the interpreter is not an employee or provided by the patient.
• Follow internal protocol and external regulations (including HIPAA privacy and security regulations) and policies relative to patient confidentiality, including when handling incoming calls related to an individual's condition and/or using electronic documentation. These regulations and policies may come from federal, state, and local governments, reimbursement sources, and other entities.
• When using electronic documentation, take steps to protect the confidentiality of the patient's record, and alert authorized users to their responsibility to maintain the confidentiality of the record at all times.
• Document all communications related to the attempts to contact referral sources and payment sources, such as insurers. In addition, document any communication with anyone.
• Release records only upon consultation with your risk manager and in accordance with organizational and practice policies and laws.
• Provide documentation for each physical therapy visit.
• Report any information regarding a patient or client incident separately from the medical record, using the proper incident report form.

(Information in the bulleted list is adapted and excerpted from APTA's publications "Risk Management in Physical Therapy: A Quick Reference," second edition, and "Spanish for Physical Therapists: Tools for Effective Communication.")

Click on the links below to jump to content of interest.

Confidentiality / Incident Reporting / Maintaining Patient Records / Electronic Health Records / Fraud and Abuse

Confidentiality

Documentation of a patient's or client's care must be kept confidential. All patient and client documentation must be kept in a secure area, with access limited to appropriate staff. Documentation in hard copy or electronic formats must not be accessible or readable by unauthorized individuals. If there is a name on the chart, it should be kept face down so the name is not displayed, and the chart should never be left unattended. Therapists should be careful not to discuss cases in open areas, such as elevators or lunchrooms.

The Health Insurance Portability and Accountability Act, or HIPAA, addresses the security and privacy of protected health information in all mediums. It includes provisions for establishing and maintaining proper access, use and disclosure of protected health information, and electronic protected health information, which includes patient and client care documentation and related data such as billing records. Some of the main objectives of HIPAA are to decrease fraud and abuse and protect patient's rights, including the privacy of health-related data. It is important that you have procedures in place related to HIPAA and that you know the regulations for governing you as a covered entity for releasing any patient information.

You may encounter other specific agreements, such as the HIPAA Business Associate agreement. The definition of a business associate is a person or organization that performs a function or activity on behalf of a "covered entity" — an example is an interpreter service that is providing interpretation services for your patient or client.

APTA has additional information about HIPAA on the association's HIPAA webpage. Also find information in the Medicare Learning Network's HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules.

For pediatric patients and clients: PTs who provide services to children in federally funded school settings to which the Individuals with Disabilities Education Act applies should follow the provisions of the Family Educational Rights and Privacy Act, or FERPA, governing educational records. FERPA is a federal law that protects the privacy of student educational records. Physical therapy documentation in this setting would be considered a part of the child's educational record. More information about FERPA is available at the U.S. Department of Education's FERPA website.

Incident Reporting

Many physical therapists and physical therapist assistants assume that their own personal risk-management strategies are sufficient to protect them and their practice from potential liability. But successful mitigation of risk requires familiarity with and adherence to a broad spectrum of documentation requirements.

It is important that PTs and PTAs understand how to comply with relevant laws and regulations by identifying risk areas that could lead to potential liability.

An incident report is not part of the patient's medical record, but it may be used later in litigation. The incident report:

1. Informs the administration of the incident so management can perform a root cause analysis to prevent similar incidents in the future.
2. Alerts administration to a potential claim and the need for investigation.

For additional information on the topic of incident reporting and patient safety, refer to these resources:

• The Joint Commission website has information on patient safety that includes proactive approaches to designing or redesigning a patient-centered system that aims to improve quality of care and patient safety. The Commission on Accreditation of Rehabilitation Facilities website also has patient safety standards. If you are Joint Commission- or CARF-accredited, you will definitely want to be sure that you are in compliance with any standards or requirements they may have regarding incident reporting. If you are not accredited by either of these groups, you may still find their standards and guidelines useful as you craft and review your policies and procedures in this area.
• If you have workers' compensation insurance for your staff, then you might find it useful to contact your workers’ compensation insurance carrier to see if they have any particular forms or information that they look for on incident reports. You can find more information about worker safety at the Occupational Safety and Health Administration website.
• HPSO’s Physical Therapy Professional Liability Exposure Claim Report provides key findings about malpractice and license defense claims with associated risk-management recommendations.
• HPSO Risk Control Self-Assessment Checklist

The following are some general do’s and don'ts related to incident reporting.

What you should do:

• Do follow the incident reporting policy that is in place in your workplace and alert the risk manager and/or immediate supervisor to what has happened as soon as possible.
• Do notify the referring physician or other health care provider immediately whenever an injury occurs, existing signs or symptoms worsen, or new signs or symptoms develop.
• Do ensure that the patient or client receives appropriate care after an incident. Most facilities provide this care at no cost.
• Do listen to your patient's or client's concerns, be supportive, and be calm.
• Do record only factual information regarding the incident when you fill out an incident report. Once you complete an incident report, it should be given directly to the supervisor or risk manager, and you should wait for further direction before doing anything else.
• Do isolate, tag, and secure any equipment involved in an incident so that it will not be used again until it has been certified as completely safe.
• Do be available for follow-up as needed after the incident. If it seems likely that the incident is going to lead to a claim, you will want to immediately consult with your risk manager or supervisor and notify your professional liability carrier, who can provide guidance.

What you should not do:

• Do not discuss the relative guilt or innocence of anyone involved in an incident or problems with any piece of equipment used.
• Do not engage in conversation with the patient after the event; refer all inquiries to the appropriate party identified by the risk manager or carrier.
• Do not make inferences related to cause in your incident report. When completing an incident report or an unusual occurrence report, it is critical that you only report factual information regarding the incident.
• Do not enter your incident report into the patient's or client's chart.
• Do not attempt or document attempts to do further investigation into the cause of the incident. This is the responsibility of your organization's risk manager and/or designated attorney. Any notes or documents may be discoverable (to what extent will vary by state). This is the reason a risk manager or attorney should be responsible for the investigation.

Maintaining Patient Records

The following are commonly asked questions about maintaining patient and client records:

What should the patient or client record contain?
The specific content of medical records may vary from clinic to clinic depending on state law, survey or accreditation standards, payer regulations, and local facility policy. Content also can vary according to specific patient-client-related needs, events, and activities. Below is a list of documents and forms that may be included in patient and client records (this list is not inclusive):

• Signed consent for treatment.
• Referral, if indicated.
• Privacy notice receipt acknowledgement.
• Insurance verification (authorization, signed certification, recertification, etc.).
• Copies of any pertinent reports (labs, X-rays, etc.).
• Evaluations or reevaluations (including special reports or results of objective tests or measures).
• Plan of care if it is not contained in the evaluation or reevaluation.
• Daily visit or encounter notes and summary of progress (including copies of patient education and home exercise materials).
• Progress reports.
• Equipment information.
• Discontinuation summary or conclusion of the episode of care.
• Letters and communications.
• Flow sheets and exercise forms.
• No-show or cancellation documentation.
• Service, billing, and activity logs.
• Letters of medical necessity.

How long do I need to maintain patient and client records?
There is not a simple answer to this question. Many factors must be taken into consideration. State laws generally govern how long medical records are to be retained. In addition, some states have legal requirements for the retention of business records, which may include medical records. Because of the variability between states, you should contact your state licensing board for requirements for your state. A link to state licensing boards can be found on the Federation of State Boards of Physical Therapy website.

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, requires a covered entity, such as a physical therapist practice that bills Medicare, to retain required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. HIPAA requirements preempt state laws if they require shorter periods, but your state law may require a longer retention period.

Read more about HIPAA record retention requirements in this "Medicare Learning Network Matters" bulletin from the Centers for Medicare and Medicaid Services.

The statute of limitations also needs to be considered in determining medical record retention. This is the time limit after an incident by which an individual must file a lawsuit. Because medical records can be a defendant's most important piece of evidence in a lawsuit, practices should ensure that retention periods exceed statutes of limitations. The statute of limitations is typically different for minors than for adults. The statute of limitations varies from state to state and is typically different for minors and adults, so physical therapists should check with their state licensing board or liability insurance carrier for this information.

In addition, there may be regulations regarding the retention of records in the Medicare Conditions of Participation.

Pediatric Patients and Clients

PTs who provide services to children in federally funded school settings to which the Individuals with Disabilities Education Act (IDEA) applies should follow the provisions of the Family Educational Rights and Privacy Act, or FERPA. FERPA protects the privacy of student educational records, which, in this setting, include physical therapy documentation. More information about FERPA is available at the US Department of Education's FERPA website.

How long do I need to maintain billing records?
CMS requires providers or suppliers "to maintain ordering and referring documentation, including the NPI, received from a physician or eligible NPP," in order to match the information on the Medicare claims form. Ordering and referring documentation must be maintained for seven years from the date of service. However, it is important to check all rules, regulations, or standards that might apply, such as state statutes, and adhere to whichever is most strict.

Do I need to keep two charts on patients and clients who use two different insurances?
No. The medical record for the individual should be in one chart. All patient and client management should be documented in one place and should be inclusive of all diagnoses, regardless of insurance.

Can I take the patient and client charts home to complete them?
According to HIPAA and other federal and state regulations, health information is protected and must remain confidential. A concern with taking charts home is how they are transported to and from the office and who might have access to the medical records at any given time. If you transport records anywhere, you must ensure that they are kept in a locked bag and remain accessible only to you at all times.

Can I use my home computer to document patient and client records?
According to HIPAA, FERPA, and other federal and state regulations, health information is considered "protected" and must remain confidential. If you use a personal computer for documentation of services, you must comply with all federal and state regulations regarding confidentiality, such as password access, encryption, and other security and privacy measures.

Electronic Health Records

The U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology has detailed resources that lay out considerations that you might take in developing security policies and measures for your EHR system. It will be helpful to keep a written EHR policy and provide some form of education to your staff on how to safely use the system within the facility and off-site.

Some key considerations to keep in mind regarding documentation in electronic health records include:

• Password-protect all computer devices.
• Activate the auto-logoff feature for devices and the secure web link (if possible) after a short time of inactivity.
• Avoid using tablets in public areas.
• Install privacy screens for onsite computers and tablets to prevent unwanted disclosure to people nearby.
• Disable mechanisms to download information from computers and tablets to another device or use encrypted messaging if the personal health information is shared electronically.
• Create clear response actions if a tablet or device is lost or stolen.
• Avoid copying each note from one visit to another.

More detailed guidance is available in the resources below:

• The Joint Commission: Preventing copy-and-paste errors in EHRs.
• ONC: Health Information Technology Privacy and Security Resources for Providers.

Fraud and Abuse

Fraud, abuse, and waste are major concerns because they result in overutilization of services and increased costs for payers, corrupt medical decision-making, and can lead to unfair competition in the marketplace. It puts patients' health and welfare at risk by potentially exposing them to unnecessary services and ultimately taking money away from necessary care.