
Report of Sub-Group Task II (data connectivity) with reports of Sub-Group

Task I (standards) and Sub-Group Task III (data ownership) incorporated

Recommendations on Electronic Medical Records Standards in India

Version 2.0
October 2012
Recommendations of the EMR Standards Committee, constituted by an order of the Ministry of Health & Family Welfare, Government of India

Sub-Group Task I (Standards)


Members:
1. Prof. Dr. S.V. Mani, TCS, Group Head, Sub-Group Task I
2. Dr. R.R. Sudhir, Shankar Netralaya
3. Ms. Kala Rao, TCS
4. Dr. Ashok Kumar, CBHI
5. Ms. Jyoti Vij, FICCI
6. Dr. Sameer A. Khan, Fortis Hospital

Sub-Group Task II (Data Connectivity)


Members:
1. Mr. B S Bedi, Adviser, CDAC, Group Head, Sub-Group Task II
2. Dr. Thanga Prabhu, Clinical Director, GE India, Member
3. Dr. Supten Sarbadhikari, Prof., Health Informatics, Coimbatore, Member
4. Mr. Chayan Kanti Dhar, National Informatics Center
5. Mr. Gaur Sundar, Project Manager, Medical Informatics Group, CDAC (Pune)
6. Dr. S. B. Bhattacharyya, Health Informatics Consultant, Ex-President, IAMI

Sub-Group Task III (Data Ownership)


Members:
1. Prof. Saroj K. Mishra, SGPGI, Lucknow, Group Head, Sub-Group Task III
2. Prof. Indrajit Bhattacharya, IIHMR, New Delhi
3. Prof. Sita Naik, MCI
4. Dr. Karanveer Singh, Sir Gangaram Hospital
5. Dr. Naveen Jain, CDAC
6. Dr. Arun Bal
7. Mr. Madhu Aravind, Healthhiway
N.B.
This document incorporates the recommendations of the various Sub-Groups, consolidated into one
document for easy reference.
As there was considerable overlap between the areas of recommendation of Sub-Group Task I
(responsible for standards) and Sub-Group Task II (responsible for data connectivity), most of the
recommendations were made primarily by the members of Task Group II in close consultation
with the chairman of Sub-Group Task I, Prof. (Dr.) S. V. Mani.

TABLE OF CONTENTS
1. EXECUTIVE SUMMARY ........ 5
2. BACKGROUND ........ 7
3. MAJOR STAKEHOLDERS ........ 9
4. ELECTRONIC HEALTH RECORDS/ELECTRONIC MEDICAL RECORDS ........ 10
   Study & Analysis of National EHR/EMR Programs Around the World ........ 10
5. INTEROPERABILITY AND STANDARDS ........ 14
   Goals ........ 14
   Categories for Adoption of Standards ........ 15
      Vocabulary Standards ........ 15
      Content Exchange Standards ........ 16
      Transport Standards ........ 16
      Privacy and Security Standards ........ 17
   Clinical Standards ........ 19
   Recommended Healthcare IT Standards (for India) ........ 19
   Healthcare Informatics Standards ........ 21
      Issues ........ 22
      Trends ........ 22
6. EMR MINIMUM DATA SET (MDS) ........ 23
7. OTHER STANDARDS ........ 27
   Hardware ........ 27
   Connectivity ........ 27
   Software ........ 27
8. DATA OWNERSHIP OF EMR ........ 28
   Technical Security Guidelines ........ 32
      (I) Electronic Data Storage ........ 32
      (II) Electronic Data Transmission ........ 32
      (III) Data Access ........ 32
      (IV) Data Sharing ........ 32
      (V) Data Audit ........ 33
      (VI) General Software / Application Requirements ........ 33
   Administrative Guidelines ........ 33
      Certification Process ........ 33
   Physical Security Guidelines ........ 34
10. REFERENCES ........ 35
11. ANNEXURES ........ 36
   Annexure I ........ 36
      GO related to Sub-Groups Formation ........ 36
      Committee Discussions ........ 39
   Glossary entries:
      ISP: Internet Service Provider ........ 53
      Variable Contribution Health Plan ........ 63
      Vital Statistics ........ 63
   Annexure VI ........ 67
      Proposed Portable Health Record ........ 67
   Annexure VII ........ 68
      Privacy and Security in Meaningful Use Rule ........ 68
   Annexure VIII ........ 69
      HIPAA 45 CFR Part 142 Subpart C, Security and Electronic Signature Standards ........ 69
      45 CFR Part 164 ........ 75

LIST OF TABLES
Table 1: Worldwide HCIT Programs ........ 11
Table 2: Country-wise HCIT Standards Usage ........ 11
Table 3: Country-wise Data Exchange Standards Usage ........ 12
Table 4: Country-wise Standards Adoption Statistics ........ 13
Table 5: Privacy & Security Standards ........ 18
Table 6: HCIT Standards (Relevant to India - Initial Set) ........ 21
Table 7: Health Informatics Standards ........ 22
Table 8: EMR MDS ........ 26

1. EXECUTIVE SUMMARY
Healthcare systems are highly complex, fragmented and use multiple information technology
systems. With vendors incorporating different standards for similar or same systems, it is little
wonder that all-round inefficiency, waste and errors in healthcare information and delivery
management are all too commonplace an occurrence. Consequently, a patient's medical
information often gets trapped in silos of legacy systems, unable to be shared with members of
the healthcare community. These are some of the several motivations driving an effort to
encourage standardization, integration and electronic information exchange amongst the
various healthcare providers.
In order to be meaningful, the health record of an individual needs to begin from conception (better)
or birth (at the very least). As one progresses through one's life, every record of every clinical
encounter represents an event in one's life. Each of these records may be insignificant or
significant depending on the current problems that the person suffers from.
Developmental Origins of Health and Diseases (DOHAD) has successfully proven the importance
of developmental records of individuals in predicting and/or explaining the diseases that a
person is suffering from. In the current, largely paper-based medical records world, invaluable
data is more often than not unavailable at the right time in the hands of the clinical care
providers to permit better care. This is largely due to the inefficiencies inherent in the paper-based
system. In an electronic world, it is very much possible, provided certain important steps
are taken beforehand to ensure the availability of the right information at the right time.
Increasingly it is becoming extremely necessary to ensure that the right information in the right
quantities is available for the right patient at the right time to ensure that the patient receives the
right care: the five Rs of information requirement.
Electronic health records are a summary of the various electronic medical records that get
generated during any clinical encounter. Without standards, a life-long summary is not possible
as different records from different sources spread across ~80+ years will potentially need to be
brought into one summary. To achieve this, a set of pre-defined standards for information
exchange that includes images, clinical codes and a minimum data set is imperative.
This report provides a structured overview of the key EMR standards with respect to Indian
conditions. Since the field of ICT standards in the health sector is very wide and difficult to
overview, it focuses primarily on the key standards only limited to hardware, software and
connectivity. The various definitions, understanding of the term electronic medical records,
world-wide trends, the recommended HCIT standards, high level requirements and minimum
data sets are provided.
A background on EMR and EHR and its use is provided, followed by a list of the various
stakeholders. A short study of the efforts world-wide including country-wise analysis of similar
efforts and their current state is also outlined. A detailed discussion on the interoperability and
standards that include a discussion on the goals, categories of adoption of standards, clinical

standards, EMR/EHR, preservation and security aspects, healthcare informatics standards, and
the various coding systems is carried out followed by the detailing of the minimum data set that
any Indian EMR must have.
While any vendor may choose to have any additionally relevant information captured and
presented, all must conform to the MDS. There are additional notes that are essentially for
industry and vendor guidance in designing and building an EMR. The conclusions include draft
recommendations and final observations. A short reference section and glossary is added for
everyone's benefit.
It is important to note that the users of this document are advised to peruse and amalgamate,
as necessary, the various provisions detailed in the Recommendations on Guidelines, Standards
& Practices for Telemedicine in India as submitted by DIT, MCIT, Govt. of India to MoH&FW,
Govt. of India, in July 2007. (2)
In conclusion, it must be added that these standards cannot be considered either in isolation or
as etched in stone for all eternity. These will need to undergo periodic (at a maximum of 12
months interval) review and update as necessary. This document must be a living document.

2. BACKGROUND
Health Care sector in India has witnessed significant growth during the last few years, both in
quality and capacity. Relatively lower cost of health care, as compared to developed countries,
coupled with international quality, has positioned India as a major destination for health care
services. In spite of such developments, heath care facilities in the country remain inadequate
to meet the needs of the citizens, particularly in rural areas, where approximately 70% of the
people live.
To address these problems, the government has launched major national initiatives such as the
National Rural Health Mission, the establishment of six new AIIMS-like institutions, upgradation of
existing public hospitals and labs, etc. Management of communicable as well as non-communicable
diseases has also been a major area of concern to the government. An Integrated Disease
Surveillance Program (IDSP) is already under implementation. The Non-communicable Disease Risk
Factor Surveillance under IDSP will track trends of selected major risk factors in the urban and
rural population aged between 15 and 64 years. Innovative systems are, however, required for
quick reporting of such incidents when they occur and to implement an effective system of
intervention to provide the best diagnostic and medical care to the affected patients and prevent
further spread of the disease.
India also has a strong base for medical research. Extensive work is being done as a part of
postgraduate work in medical institutions, ICMR labs and other institutions. There is, however,
a strong need of sharing of knowledge and resources amongst the researchers and healthcare
providers.
In addition, the private sector has initiated massive investments in various facets of healthcare. This
is expected to position health care as one of the largest service sectors and a significant
contributor to the GDP. As the health sector is poised for major growth in next decade, the
sheer size of healthcare sector in the country will necessitate extensive use of information and
communication technology (ICT) infrastructure, services and databases for policy planning and
implementation. Such a framework would require services based on inter-operable and
sharable technology, standards utilization, connecting various institutions and service
providers. The use of international experience, best practices and open technologies may be
necessary in some scenarios.
Technology is a critical tool in achieving the benefits of health information exchange (HIE).
However, technology alone is not sufficient. Healthcare industry stakeholders that base their
HIE solutions solely on technology do so at the expense of underlying health information
management principles. An abundance of disparate HIE principles, models, definitions,
products, and standards camouflages some crucial policy and process decisions an HIE initiative
must make in the early stages of its development. Transmitting patient data electronically
without attending to the business processes surrounding data capture, translation, and
transmission has the potential to increase patient risks and healthcare costs. Data accessibility,
reliability, and accuracy are critical factors in obtaining the trust of stakeholders, including
consumers, and in sustaining long-term data exchange on a large scale. (3)
Electronic health records can improve care by enabling functions that paper medical records
cannot deliver:
• EHRs can make a patient's health information available when and where it is needed;
too often care has to wait because the chart is in one place and needed in another. EHRs
enable clinicians secure access to the information needed to support high quality and
efficient care.
• EHRs can bring a patient's total health information together to support better health
care decisions and more coordinated care.
• EHRs can support better follow-up information for patients: for example, after a clinical
visit or hospital stay, instructions and information for the patient can be effortlessly
provided, and reminders for other follow-up care can be sent easily or even
automatically to the patient.
• EHRs can improve patient and provider convenience: patients can have their
prescriptions ordered and ready even before they leave the provider's office, and
insurance claims can be filed immediately from the provider's office. (5)
It would certainly not be out of place to mention here that it will be particularly useful to review 45
CFR Part 164 for the security and privacy aspects associated with EHR/EMR design, development,
implementation, maintenance and use, as well as 45 CFR 160 for the administrative requirements
associated with code sets, data entry formats and standard unique identifiers.

3. MAJOR STAKEHOLDERS

Citizens
Health care providers and payers
Education, research institutions and investigators
Government departments and institutions
Public health agencies and NGOs
Pharmaceutical industry and medical device makers
Telemedicine institutions
Software and hardware vendors

4. ELECTRONIC HEALTH RECORDS/ELECTRONIC MEDICAL RECORDS
According to the "Integrated Care EHR", as defined in ISO/DTR 20514, an EMR is a repository
of information regarding the health of a subject of care in computer-processable form that is
able to be stored and transmitted securely, and is accessible by multiple authorized users.
It has a commonly agreed logical information model which is independent of EHR systems and
its chief purpose is the support of continuing, efficient and quality integrated health care and it
contains information which is retrospective, concurrent and prospective.
Broadly speaking, an EMR is a specific recording of an episode or encounter and is case- or
purpose-specific (e.g. Telemedicine/Care), while an EHR is an aggregation of EMRs and is usually life-long.
The benefits that an EMR is expected to bring in are:
• Paperless medical history
• Reduced healthcare costs
• Empowering the stakeholders to be able to deliver the right treatment at the right time
• Promoting the practice of evidence-based medicine
• Accelerating research and building effective medical practices
• Ushering in ease in maintaining the health information of patients
• With proper backup policies, increasing the lifespan of the health records of individuals, that is,
from conception to cremation
• Safety with access, audit and authorization control mechanisms
• Faster search and updates

Study & Analysis of National EHR/EMR Programs Around the World (1)


Review of Healthcare IT Programs World-wide

Country        National Healthcare IT Program
Australia      HealthConnect
Austria        ELGA
Canada         EHRS Blueprint
Denmark        MedCom
England        Spine
Hong Kong      eHR Infrastructure
Netherlands    AORTA
Singapore      EMRX
Sweden         National Patient Summary (NPO)
Taiwan         Health Information Network (HIN)

Table 1: Worldwide HCIT Programs

(1) Conducted by the Medical Informatics Group, C-DAC, as part of the Project for Building Distributed
National EHR funded by DIT, MCIT, Govt. of India

Country-wise Usage of Standards

Table 2: Country-wise HCIT Standards Usage


Country-wise Use of Exchange Standards

Table 3: Country-wise Data Exchange Standards Usage


Country-wise Statistics of Standards Adoption

Table 4: Country-wise Standards Adoption Statistics


5. INTEROPERABILITY AND STANDARDS


The recommendations outlined in this section are an incremental approach to adopting
standards, implementation specifications, and criteria to enhance the interoperability,
functionality, utility, and security of health information technology and to support its
widespread adoption. It is to be kept in mind that these standards should be flexible and
modifiable to adapt to the demographic and resource variance observed in a large and
developing country like India.
It is important to recognize that interoperability and standardization can occur at many
different levels. To achieve interoperability, information models would need to be harmonized
into a consistent representation.(8)
In other cases, organizations may use the same information model but use different
vocabularies or code sets (for example, Systematized Nomenclature of Medicine Clinical Terms
(SNOMED CT) or ICD10-CM) within those information models. To achieve interoperability at
this level, standardizing vocabularies, or mapping between different vocabularies (using tools
like the Unified Medical Language System (UMLS)), may be necessary. For some levels (such as the
network transport protocol), an industry standard that is widely used (e.g. Transmission Control
Protocol (TCP) and the Internet Protocol (IP), i.e. TCP/IP) will likely be the most appropriate.
Ultimately, to achieve semantic interoperability, it is anticipated that multiple layers (network
transport protocols, data and service descriptions, information models, and vocabularies
and code sets) will need to be standardized and/or harmonized to produce an inclusive,
consistent representation of the interoperability requirements.
It is further anticipated that using a harmonization process will integrate different
representations of health care information into a consistent representation and maintain and
update that consistent representation over time. For an information model, this process could
include merging related concepts, adding new concepts, and mapping concepts from one
representation of health care information to another. Similar processes to support
standardization of data and services descriptions and vocabularies and codes sets may also be
needed.
It is also recognized that a sustainable and incremental approach to the adoption of standards
will require processes for harmonizing both current and future standards. This will allow the
incremental updating of the initial set of standards, implementation specifications, and
certification criteria and provide a framework to maintain them. The decision to adopt such
updates will be informed and guided by recommendations from an appropriate authority akin
to a National Health Information Authority.

Goals
• Promote interoperability and, where necessary, be specific about certain content exchange
and vocabulary standards to establish a path forward toward semantic interoperability
• Support the evolution and timely maintenance of adopted standards
• Promote technical innovation using adopted standards
• Encourage participation and adoption by all vendors and stakeholders
• Keep implementation costs as low as reasonably possible
• Consider best practices, experiences, policies and frameworks
• To the extent possible, adopt standards that are modular and not interdependent.

Categories for adoption of standards


Vocabulary Standards
(i.e., standardized nomenclatures and code sets used to describe clinical problems and
procedures, medications, and allergies);
a) Logical Observation Identifiers Names and Codes (LOINC): The purpose of LOINC is to
facilitate the exchange and pooling of clinical results for clinical care, outcomes
management, and research by providing a set of universal codes and names to identify
laboratory and other clinical observations. The Regenstrief Institute Inc., an internationally
renowned healthcare and informatics research organization, maintains the LOINC database
and supporting documentation, and the RELMA mapping program.
b) International Classification of Diseases (ICD10): The ICD is the international standard
diagnostic classification for all general epidemiological, many health management purposes
and clinical use.
c) Systematized Nomenclature of Medicine--Clinical Terms (SNOMED-CT): is a comprehensive
clinical terminology, originally created by the College of American Pathologists (CAP) and
owned, maintained, and distributed by the International Health Terminology Standards
Development Organisation (IHTSDO), a not-for-profit association in Denmark.
d) Current Procedural Terminology, 4th Edition (CPT 4): The CPT-4 is a uniform coding system
consisting of descriptive terms and identifying codes that are used primarily to identify
medical services and procedures furnished by physicians and other health care
professionals.
e) RxNORM: RxNorm, produced by the National Library of Medicine (NLM) provides
normalized names for clinical drugs and links its names to many of the drug vocabularies
commonly used in pharmacy management and drug interaction software, including those of
First Databank, Micromedex, MediSpan, Gold Standard Alchemy, and Multum. By providing
links between these vocabularies, RxNorm can mediate messages between systems not
using the same software and vocabulary.
f) ATC (Anatomical Therapeutic Chemical Classification of Drugs): is used for the classification of
drugs. It is controlled by the WHO Collaborating Centre for Drug Statistics Methodology
(WHOCC), and was first published in 1976. This pharmaceutical coding system divides drugs
into different groups according to the organ or system on which they act and/or their
therapeutic and chemical characteristics. Each bottom-level ATC code stands for a
pharmaceutically used substance in a single indication (or use). This means that one drug
can have more than one code: acetylsalicylic acid (aspirin), for example, has A01AD05 as a
drug for local oral treatment, B01AC06 as a platelet inhibitor, and N02BA01 as an analgesic
and antipyretic. On the other hand, several different brands share the same code if they
have the same active substance and indications.
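The ATC hierarchy described above is what lets a medication list coded this way be validated and queried by organ system or therapeutic group. The following is an added example, not code from the report or from the WHO Collaborating Centre: it validates level-5 ATC codes against the five-level structure, decomposes them into their prefixes, and runs prefix queries over a constructed medication list. The three aspirin codes are the ones the report cites; the other substances, the record format and the function names are illustrative assumptions.

```python
import re
from collections import defaultdict

# WHO ATC code structure: seven characters, five hierarchical levels.
#   level 1  A        anatomical main group (one letter)
#   level 2  A01      therapeutic subgroup (two digits)
#   level 3  A01A     pharmacological subgroup (one letter)
#   level 4  A01AD    chemical subgroup (one letter)
#   level 5  A01AD05  chemical substance (two digits)
ATC_RE = re.compile(r"^([A-Z])(\d{2})([A-Z])([A-Z])(\d{2})$")

# The 14 anatomical main groups defined by the WHO Collaborating Centre.
MAIN_GROUPS = {
    "A": "Alimentary tract and metabolism",
    "B": "Blood and blood forming organs",
    "C": "Cardiovascular system",
    "D": "Dermatologicals",
    "G": "Genito-urinary system and sex hormones",
    "H": "Systemic hormonal preparations, excluding sex hormones and insulins",
    "J": "Antiinfectives for systemic use",
    "L": "Antineoplastic and immunomodulating agents",
    "M": "Musculo-skeletal system",
    "N": "Nervous system",
    "P": "Antiparasitic products, insecticides and repellents",
    "R": "Respiratory system",
    "S": "Sensory organs",
    "V": "Various",
}


def decompose(code: str) -> dict:
    """Split a level-5 ATC code into its five hierarchical prefixes; raise on malformed input."""
    m = ATC_RE.match(code)
    if not m or m.group(1) not in MAIN_GROUPS:
        raise ValueError(f"not a valid ATC level-5 code: {code!r}")
    l1, l2, l3, l4, _ = m.groups()
    return {
        "level1": l1,
        "level2": l1 + l2,
        "level3": l1 + l2 + l3,
        "level4": l1 + l2 + l3 + l4,
        "level5": code,
        "main_group": MAIN_GROUPS[l1],
    }


# Constructed medication records (substance, ATC code). The aspirin codes are the
# three the report cites; the remaining entries are illustrative.
MEDICATIONS = [
    ("acetylsalicylic acid", "A01AD05"),   # local oral treatment
    ("acetylsalicylic acid", "B01AC06"),   # platelet aggregation inhibitor
    ("acetylsalicylic acid", "N02BA01"),   # analgesic and antipyretic
    ("paracetamol", "N02BE01"),
    ("metformin", "A10BA02"),
]


def codes_for_substance(records, substance):
    """All ATC codes under which one substance is listed (one drug, several codes)."""
    return sorted(code for name, code in records if name == substance)


def records_under(records, prefix):
    """Records whose code falls under an ATC group given as a level-1..4 prefix."""
    if not re.fullmatch(r"[A-Z](\d{2}([A-Z]([A-Z])?)?)?", prefix):
        raise ValueError(f"not a valid ATC group prefix: {prefix!r}")
    return [(name, code) for name, code in records if code.startswith(prefix)]


def group_by_main(records):
    """Count records per anatomical main group, keyed by the group name."""
    counts = defaultdict(int)
    for _, code in records:
        counts[decompose(code)["main_group"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(decompose("A01AD05"))
    print(codes_for_substance(MEDICATIONS, "acetylsalicylic acid"))
    print(records_under(MEDICATIONS, "N02B"))
    print(group_by_main(MEDICATIONS))
```

Because every level is a fixed-width prefix of the level below it, a query for a therapeutic subgroup is a plain prefix match, and the same substance legitimately appears under several main groups; an EMR that stores ATC codes should therefore validate the full seven-character form on entry rather than accept free text.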


Content Exchange Standards
(i.e., standards used to share clinical information such as clinical summaries, prescriptions, and
structured electronic documents)
a) Health Level Seven (HL7) Clinical Document Architecture (CDA): is an XML-based markup standard
intended to specify the encoding, structure and semantics of clinical documents for
exchange. CDA is also being used in electronic health records projects to provide a standard
format for entry, retrieval and storage of health information.
b) HL7 2.5.1: defines a series of electronic messages to support administrative, logistical,
financial as well as clinical processes and mostly uses a textual, non-XML encoding syntax
based on delimiters. HL7 v2.x has allowed for interoperability between electronic
Patient Administration Systems (PAS), Electronic Practice Management (EPM) systems,
Laboratory Information Systems (LIS), Dietary, Pharmacy and Billing systems as well as
Electronic Medical Record (EMR) or Electronic Health Record (EHR) systems.
c) Continuity of Care Record (CCR) is a health record standard specification developed jointly
by ASTM International, the Massachusetts Medical Society (MMS), the Healthcare
Information and Management Systems Society (HIMSS), the American Academy of Family
Physicians (AAFP), the American Academy of Pediatrics (AAP), and other health informatics
vendors. It is a core data set of the most relevant administrative, demographic, and clinical
information facts about a patient's healthcare, covering one or more healthcare
encounters. It provides a means for one healthcare practitioner, system, or setting to
aggregate all of the pertinent data about a patient and forward it to another practitioner,
system, or setting to support the continuity of care. The primary use case for the CCR is to
provide a snapshot in time containing the pertinent clinical, demographic, and
administrative data for a specific patient. To ensure interchangeability of electronic CCRs,
this specification specifies XML coding that is required when the CCR is created in a
structured electronic format. Conditions of security and privacy for a CCR instance must be
established in a way that allows only properly authenticated and authorized access to the
CCR document instance or its elements. The CCR consists of three core components: the
CCR Header, the CCR Body, and the CCR Footer.
d) Digital Imaging and Communications in Medicine (DICOM): The DICOM Standards
Committee exists to create and maintain international standards for communication of
biomedical diagnostic and therapeutic information in disciplines that use digital images and
associated data. The goals of DICOM are to achieve compatibility and to improve workflow
efficiency between imaging systems and other information systems in healthcare
environments worldwide. DICOM currently defines an upper layer protocol (ULP) that is
used over TCP/IP (independent of the physical network), messages, services, information
objects and an association negotiation mechanism. These definitions ensure that any two
implementations of a compatible set of services and information objects can effectively
communicate.

Transport Standards
(i.e., standards used to establish a common, predictable, secure communication protocol
between systems)

SOAP, originally defined as ''Simple Object Access Protocol'', is a protocol specification for
exchanging structured information in the implementation of Web Services in computer
networks. It relies on Extensible Markup Language (XML) as its message format, and usually
relies on other Application Layer protocols (most notably Remote Procedure Call (RPC) and
HyperText Transfer Protocol (HTTP)) for message negotiation and transmission. SOAP can form
the foundation layer of a web services protocol stack, providing a basic messaging framework
upon which web services can be built. The SOAP architecture consists of several layers of
specifications for message format, message exchange patterns (MEP), underlying transport
protocol bindings, message processing models, and protocol extensibility.

Privacy and Security Standards
(for example, authentication, access control and transmission security, which relate to and
span across all of the other types of related standards)

N.B.: Additional information may be referenced from the relevant sections of the document
Recommendations on Guidelines, Standards & Practices for Telemedicine in India as submitted
by DIT, MCIT, Govt. of India.
Furthermore, it is advisable to take cognizance of the provisions of HIPAA Part 142 Subpart C,
Security and Electronic Signature Standards, as available at
http://aspe.hhs.gov/admnsimp/nprm/sec13.htm, which lists out in considerable detail the
requirements under these headings (please see Annexures III & IV below). The members of
sub-group Task II recommend that these be given sufficient weightage during finalization of
the requirements related to these points.
Row # | Purpose | Adopted Standard
1 | General Encryption and Decryption of Electronic Health Information | A symmetric 128 bit fixed-block cipher algorithm capable of using a 128, 192, or 256 bit encryption key must be used
2 | Encryption and Decryption of Electronic Health Information for exchange | An encrypted and integrity protected link must be implemented (e.g., TLS, IPv6, IPv4 with IPsec).
3 | Record Actions Related to Electronic Health Information (i.e., audit log) | The date, time, patient identification (name or number), and user identification (name or number) must be recorded when electronic health information is created, modified, deleted, or printed. An indication of which action(s) occurred must also be recorded (e.g., modification).
4 | Record Treatment, Payment, and Health Care Operations Disclosures | The date, time, patient identification (name or number), user identification (name or number), and a description of the disclosure must be recorded.

Table 5: Privacy & Security Standards

Provisions under EHR Meaningful Use [45 CFR]

The following are the provisions detailed in the document.

Item | Description
Encryption and decryption of electronic health information | Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2
Electronic health information exchange | Any encrypted and integrity protected link
Record actions related to electronic health information | The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which action(s) occurred and by whom must also be recorded
Verification that electronic health information has not been altered in transit | A hashing algorithm with a security strength equal to or greater than SHA-1 (Secure Hash Algorithm (SHA-1) as specified by the National Institute of Standards and Technology (NIST) in FIPS PUB 180-3 (October, 2008)) must be used to verify that electronic health information has not been altered
Record treatment, payment, and health care operations disclosures | The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations, as these terms are defined at 45 CFR 164.501
Access control | Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information
Emergency access | Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency
Automatic log-off | Terminate an electronic session after a predetermined time of inactivity
Audit log | Record actions: Record actions related to electronic health information (the date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which action(s) occurred and by whom must also be recorded). Generate audit log: Enable a user to generate an audit log for a specific time period and to sort entries in the audit log
Integrity | Create a message digest. Verify upon receipt of electronically exchanged health information that such information has not been altered. Detection: Detect the alteration of audit logs
Authentication | Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information
General encryption | Encrypt and decrypt electronic health information unless it is determined that the use of such algorithm would pose a significant security risk for Certified EHR Technology
Encryption when exchanging electronic health information | Encrypt and decrypt electronic health information when exchanged
Optional | Accounting of disclosures: Record disclosures made for treatment, payment, and health care operations. The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations
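The audit log, integrity and disclosure-recording provisions of Table 5 and of the Meaningful Use list above, carried through as an added worked example. This is not code from the committee's report or from 45 CFR; it is a Python 3 standard-library illustration in which the class and function names (AuditLog, exchange_digest, verify_exchange), the action vocabulary and the audit key are assumptions. Each entry records date, time, patient identification, user identification and the action (plus a description for disclosures), and is chained to the previous entry with an HMAC so that alteration of the log itself can be detected, as the Integrity row requires; the digest uses SHA-256, which meets the "equal to or greater than SHA-1" requirement.

```python
# Added example (not from the EMR Standards Committee report): a tamper-evident
# audit log and a message-digest check modelled on the audit log, integrity and
# disclosure-recording provisions. Class and function names are constructed.
import hashlib
import hmac
import json
from datetime import datetime, timezone

# The provision asks for a hash at least as strong as SHA-1; SHA-256 satisfies it.
DIGEST = "sha256"


def exchange_digest(document: bytes) -> str:
    """Message digest the sender attaches to exchanged health information."""
    return hashlib.new(DIGEST, document).hexdigest()


def verify_exchange(document: bytes, expected: str) -> bool:
    """Receiver-side check that the information was not altered in transit."""
    return hmac.compare_digest(exchange_digest(document), expected)


class AuditLog:
    """Append-only log of actions on health information.

    Every entry carries date, time, patient id, user id, the action and (for
    disclosures) a description, and is chained to the previous entry through an
    HMAC so that altering or deleting an earlier entry is detectable.
    """

    ACTIONS = {"create", "modify", "access", "delete", "print", "disclose"}

    def __init__(self, key: bytes):
        self._key = key        # held by the audit service, never by EMR users
        self._entries = []

    def record(self, patient_id, user_id, action, description="", when=None):
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if action == "disclose" and not description:
            raise ValueError("disclosures must carry a description")
        if when is None:
            when = datetime.now(timezone.utc)
        elif isinstance(when, str):           # ISO 8601, e.g. "2012-10-01T09:00:00"
            when = datetime.fromisoformat(when)
        entry = {
            "date": when.date().isoformat(),
            "time": when.strftime("%H:%M:%S"),
            "patient_id": patient_id,
            "user_id": user_id,
            "action": action,
            "description": description,
            "prev": self._entries[-1]["mac"] if self._entries else "",
        }
        entry["mac"] = self._mac(entry)
        self._entries.append(entry)
        return entry

    def _mac(self, entry):
        body = {k: v for k, v in entry.items() if k != "mac"}
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, DIGEST).hexdigest()

    def first_altered(self):
        """Index of the first entry whose chain or MAC no longer checks, or -1."""
        prev = ""
        for i, entry in enumerate(self._entries):
            if entry["prev"] != prev or not hmac.compare_digest(self._mac(entry), entry["mac"]):
                return i
            prev = entry["mac"]
        return -1

    def report(self, start: str, end: str, sort_by="time"):
        """Entries with date in [start, end] (ISO dates), sorted by a field."""
        rows = [e for e in self._entries if start <= e["date"] <= end]
        if sort_by == "time":
            return sorted(rows, key=lambda e: (e["date"], e["time"]))
        return sorted(rows, key=lambda e: e[sort_by])
```

The audit key belongs to the audit service, not to the application users whose actions are being logged; otherwise a user who can edit the log could also recompute the chain.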

Terminologies and classifications are integral to medical research, public health reporting, and
healthcare payment analysis. They are essential to achieve interoperability for a successful
India-wide health information system that results in increased patient safety.

Clinical Standards
Clinical standards are health information standards to capture a patient's health information in
a more coherent manner. This health information can include all or part of the following, as
relevant:
The illness a patient is suffering from
The physician's observation of the patient's illness
The diagnostic tests that need to be carried out to ascertain the patient's illness and to give
the patient better treatment
The results of the diagnostic tests
The kind of treatment to be given to the patient
The way the treatment should be given to the patient

Recommended Healthcare IT Standards (for India)

Name | Class | Comments

Phase 1
UHID | Unique Patient Identifier | Health Identifier to act as UID as a unique (primary or secondary) patient identifier. The UID should be used to identify a particular patient across all organizations (and their EMR systems); Aadhar number is recommended for use in EMR as either the primary or secondary, where the primary is an internal unique health identifier used by the healthcare provider organisation
XML (eXtensible Markup Language) | For data capture, integration and presentation layer | To access via SOAP (simple object access protocol)
HL7 CDA (xml) | Clinical Document Architecture |
CCR (ASTM) | Clinical Data for enterprises; likely to be used by organizations that have not yet adopted any standard (e.g., early stage companies), to support new business models, in disruptive applications that achieve cost savings and/or quality improvements by creating NEW PROCESSES, often involving parties that are not currently exchanging information | As it is expressed in the standard data interchange language known as XML, it can potentially be created, read and interpreted by any EHR or EMR software application
CCD (HL7) | Clinical Data for Inter Department documents (the CDA CCD) | Likely to be used by organizations that already use HL7 for processes INTERNAL TO THE ORGANIZATION (or with existing trading partners), e.g., hospitals sending test result information to doctors and where implementers have already incurred significant fixed costs to adapt HL7 as a broad enterprise standard. N. B.: CCR is stated to be a faster/cheaper alternative to CCD
RXNORM/ATC-AHFS Pharmacologic-Therapeutic Classification/NDC; FDB-first databank (USA); Indian Drugs MIMS/CIMS from CMPmedica | Medicines | Needs to be researched as there is no universal national drug classification, drug reference database. The WHO Drug Dictionary may be a good choice to begin with
Dictionary of Medicine & Devices, UK | Medicines & Medical devices | UK standard used in NHS; includes devices & drugs
LOINC | Clinical Laboratory Observations | Published and maintained by the Regenstrief Institute, USA, this is a universally accepted code for laboratory observations
HL7 V2.x or 3.0 | Messaging | As HL7 is still not widely present in India, propose to start with version 3
HL7 V3.0 RIM | Reference Information Model |
DICOM 3.0 | Medical Images |
CPT 4 or 5, US | Procedure & Therapy classification |
OPCS4, UK | Procedure & Therapy classification |
SNOMED-CT | Clinical Terminology |
WHO ICD 10 | Disease classification |
WHO PCS | Procedure coding system |
WHO ICF | International classification of functioning, disability & health |

Phase 2
DSM | Psychiatric conditions | Diagnostic & statistical manual of mental disorders
NIC/NOC/NANDA | Nursing |
ADA | Dental |
CDT 2, US | Dental Procedures |

Table 6: HCIT Standards (relevant to India - Initial Set)

Healthcare Informatics Standards

Organization | Standards
National Recommendations for Health Information Infrastructure in India | Information Technology Infrastructure for Health (ITIH) framework; Recommendations on Guidelines, Standards & Practices for Telemedicine in India; Indian health information network development (iHIND) recommendations from the National Knowledge
International Organization for Standardization (ISO) | Requirements for Electronic Health Record Architecture (ISO / TS 18308)
European Committee for Standardization (CEN) | CEN / TC 251 EN 13606
Code of Federal Regulations (CFR) | Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology (Title 45, Part 170)
American Society for Testing & Materials (ASTM) | Continuity of Care Record (CCR)
Health Level 7 (HL7) | HL7 v2.x; HL7 v3; HL7 Clinical Document Architecture (CDA); EHR - System Functional Model
HL7 & ASTM Collaboration | Continuity of Care Document (CCD)
National Electrical Manufacturers Association (NEMA) | Digital Imaging and Communications in Medicine (DICOM PS 3.0 2004 onwards)
Office of National Coordinator for Health Information Technology (ONCHIT), United States | EHR Meaningful Use

Table 7: Health Informatics Standards

Issues

Unique Identification
Interoperability / Sharing
Integrated systems require consistent use of standards in, e.g., medical terminologies and
high quality data to support information sharing across wide networks
Ethical, legal and technical issues linked to accuracy, security, confidentiality and access
rights.
Common record architectures, structures
Clinical information standards and communications protocols

Trends

National UID and Healthcare

Distributed EHR Concept


6. EMR MINIMUM DATA SET (MDS)


The following MDS is recommended for an EMR to be used in India. Vendors are free and
indeed encouraged to opt for additional data to satisfy unmet demands of the various
stakeholders, principally the patients and the clinical care providers.
This recommendation also covers various standards for data formats, storage, exchange, etc.
The Minimum Data Set for a Telemedicine interaction is also defined. The recommendation
covers various security provisions that are relevant to any patient-clinical care provider
interaction.
Data Item | Data Type | Length | Data Format/Values | Status
UHID | Numeric | 12 | As per Aadhar Specifications | Mandatory
Patient Name | Alphanumeric | 50 | To be split into First Name, Middle Name and Last (Family) Name | Mandatory
Patient Date of Birth | Date | Fixed | dd.mm.YYYY | Optional
Patient Age | Numeric | 9 | dd.mm.yyy | Mandatory
Patient Gender | Alphanumeric | 1 | To be shortened to one byte as M, F, U or T. Systems should translate and show the full form on user screens | Mandatory
Patient Occupation | Alphanumeric | 50 | | Mandatory
Patient Address Type | Alphanumeric | 9 | Current/Permanent/Previous | Mandatory
Patient Address Line 1 | Alphanumeric | 25 | | Mandatory
Patient Address Line 2 | Alphanumeric | 25 | | Optional
Patient City/Town/Village/Police Station | Alphanumeric | 25 | LOV (List of values) | Mandatory
Patient District | Alphanumeric | 25 | LOV (List of values) | Mandatory
Patient State | Alphanumeric | 25 | LOV (List of values) | Mandatory
Patient Pin Code | Alphanumeric | 25 | LOV (List of values) | Optional
Patient Phone Type | Alphanumeric | 9 | Landline/Mobile/PP-Landline/Neighbour Landline/Relation Landline/Neighbour Mobile/Relation Mobile | Optional
Patient Phone Number | Numeric | 20 | (099)9999999999 | Optional
Emergency Contact Person UID | Numeric | 12 | As per Aadhar Specifications | Mandatory
Emergency Contact Person Name | Alphanumeric | 50 | | Mandatory
Emergency Contact Person Relationship | Alphanumeric | | Spouse/Parent/Child/Partner/Cousin/Friend/Neighbour/Other | Mandatory
Emergency Contact Person Address Type | Alphanumeric | 9 | Current/Permanent/Previous | Mandatory
Emergency Contact Person Address Line 1 | Alphanumeric | 25 | | Mandatory
Emergency Contact Person Address Line 2 | Alphanumeric | 25 | | Optional
Emergency Contact Person City/Town/Village/Police Station | Alphanumeric | 25 | LOV (List of values) | Mandatory
Emergency Contact Person District | Alphanumeric | 25 | LOV (List of values) | Mandatory
Emergency Contact Person State | Alphanumeric | 25 | LOV (List of values) | Mandatory
Emergency Contact Person Pin Code | Alphanumeric | 25 | LOV (List of values) | Optional
Emergency Contact Person Phone Type | Alphanumeric | 9 | Landline/Mobile/PP-Landline/Neighbour Landline/Relation Landline/Neighbour Mobile/Relation Mobile | Optional
Emergency Contact Person Phone Number | Numeric | 20 | (099)9999999999 | Optional
Care Provider UID | Numeric | 12 | As per Aadhar Specifications | Mandatory
Care Provider Name | Alphanumeric | 50 | | Mandatory
Care Provider Address Type | Alphanumeric | 9 | Current/Permanent/Previous | Mandatory
Care Provider Address Line 1 | Alphanumeric | 25 | | Mandatory
Care Provider Address Line 2 | Alphanumeric | 25 | | Optional
Care Provider City/Town/Village/Police Station | Alphanumeric | 25 | LOV (List of values) | Mandatory
Care Provider District | Alphanumeric | 25 | LOV (List of values) | Mandatory
Care Provider State | Alphanumeric | 25 | LOV (List of values) | Mandatory
Care Provider Pin Code | Alphanumeric | 25 | LOV (List of values) | Optional
Care Provider Phone Type | Alphanumeric | 9 | Landline/Mobile/PP-Landline/Neighbour Landline/Relation Landline/Neighbour Mobile/Relation Mobile | Optional
Care Provider Phone Number | Numeric | 20 | (099)9999999999 | Optional
Episode Type | Alphanumeric | 7 | New/Ongoing | Optional
Episode Number | Numeric | 4 | 9999, no prefixed 0 | Optional; mandatory if Episode Type is enabled
Encounter Number | Numeric | 4 | 9999, no prefixed 0 | Mandatory
Reason for Visit | Alphanumeric | 255+ | | Optional
Present History | Alphanumeric | 255+ | | Optional
Past History | Alphanumeric | 255+ | | Optional
Family History | Alphanumeric | 255+ | |
Menstrual & Obstetric History | Alphanumeric | 255+ | LMP, Cycle Duration, Gravida, Parity to be captured as structured data. LMP: date type; Cycle Duration, Gravida, Parity: numeric type | Optional
Socio-economic History | Alphanumeric | 255+ | | Optional
Immunization History | Alphanumeric | | |
Clinical Exam Vitals Systolic BP | Numeric | | 999, no preceding 0 | Optional
Clinical Exam Vitals Diastolic BP | Numeric | | 999, no preceding 0 | Optional
Clinical Exam Pulse Rate | Numeric | 3 | 999, no preceding 0 | Optional
Clinical Exam Temperature | Floating | 6,2 | 999.99 | Optional
Clinical Exam Temperature Source | Alphanumeric | 6 | Oral/Armpit/Groin/Rectal | Mandatory if Temperature is captured
Clinical Exam Respiration Rate | Numeric | | 999, no preceding 0 | Optional
Clinical Exam Height | Floating | 6,2 | 999.99 | Optional
Clinical Exam Weight | Floating | 6,2 | 999.99 | Optional
Clinical Exam Observation | Alphanumeric | 255+ | | Optional
Investigation Results | Alphanumeric | 255+ | | Optional
Clinical Summary | Alphanumeric | 255+ | | Mandatory
Diagnosis Type | Alphanumeric | 11 | Provisional/Final | Mandatory
Diagnosis Code | Alphanumeric | 10 | Coding system dependent | Mandatory
Diagnosis | Alphanumeric | 255+ | | Mandatory
Treatment Plan Investigations | Alphanumeric | 255+ | | Optional
Treatment Plan Medication | Alphanumeric | 255+ | | Optional
Treatment Plan Procedure | Alphanumeric | 255+ | | Optional
Treatment Plan Referral | Alphanumeric | 255+ | | Optional
Other Treatment Plan Type | Alphanumeric | 10 | Diet/Life-style/Others | Optional
Other Treatment Plan Details | Alphanumeric | 255+ | | Mandatory if Other Treatment Type is selected
Outcome | Alphanumeric | 9 | New Visit/Better/Worse/Same/Fatal | Mandatory

Table 8: EMR MDS
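A validator for a subset of the Table 8 rules, added here as a worked example; it is not code from the committee's report. It checks data type, length, list of values, mandatory status and the two conditionally mandatory fields (Episode Number when an Episode Type is enabled, Temperature Source when a Temperature is captured). The field subset, the "no prefixed 0" check for Episode Number and the sample record are constructed for illustration; vendors adding fields beyond the MDS, as the section permits, would extend the MDS table.

```python
# Added example (not from the EMR Standards Committee report): a validator that
# checks an EMR record against a subset of the Table 8 Minimum Data Set rules:
# data type, length, list of values, mandatory fields and the two conditionally
# mandatory fields. The field subset and the sample record are constructed.
import re
from datetime import datetime

ALNUM, NUM, DATE, FLOAT = "Alphanumeric", "Numeric", "Date", "Floating"

# name -> (type, length or (precision, scale), list of values or None, mandatory)
MDS = {
    "UHID":                              (NUM, 12, None, True),
    "Patient Name":                      (ALNUM, 50, None, True),
    "Patient Date of Birth":             (DATE, 10, None, False),
    "Patient Age":                       (NUM, 9, None, True),
    "Patient Gender":                    (ALNUM, 1, {"M", "F", "U", "T"}, True),
    "Patient Address Type":              (ALNUM, 9, {"Current", "Permanent", "Previous"}, True),
    "Episode Type":                      (ALNUM, 7, {"New", "Ongoing"}, False),
    "Episode Number":                    (NUM, 4, None, False),
    "Clinical Exam Temperature":         (FLOAT, (6, 2), None, False),
    "Clinical Exam Temperature Source":  (ALNUM, 6, {"Oral", "Armpit", "Groin", "Rectal"}, False),
    "Diagnosis Type":                    (ALNUM, 11, {"Provisional", "Final"}, True),
    "Diagnosis Code":                    (ALNUM, 10, None, True),
    "Outcome":                           (ALNUM, 9, {"New Visit", "Better", "Worse", "Same", "Fatal"}, True),
}
# Table 8 makes these mandatory only when the paired field is captured
CONDITIONAL = {
    "Episode Number": "Episode Type",
    "Clinical Exam Temperature Source": "Clinical Exam Temperature",
}
NO_LEADING_ZERO = {"Episode Number"}   # "9999, no prefixed 0"


def _check_format(name, dtype, length, value):
    """Return a problem description, or None if the value fits the column."""
    if dtype == NUM:
        if not value.isdigit():
            return f"{name}: must be numeric"
        if len(value) > length:
            return f"{name}: longer than {length} digits"
        if name in NO_LEADING_ZERO and value.startswith("0"):
            return f"{name}: leading 0 not allowed"
    elif dtype == DATE:
        try:
            datetime.strptime(value, "%d.%m.%Y")   # dd.mm.YYYY
        except ValueError:
            return f"{name}: expected dd.mm.YYYY"
    elif dtype == FLOAT:
        precision, scale = length                # e.g. 6,2 -> 9999.99 at most
        if not re.fullmatch(rf"\d{{1,{precision - scale}}}(\.\d{{1,{scale}}})?", value):
            return f"{name}: expected up to {precision - scale} digits and {scale} decimals"
    elif len(value) > length:
        return f"{name}: longer than {length} characters"
    return None


def validate(record: dict) -> list:
    """All Table 8 violations found in the record (empty list means it passes)."""
    errors = []
    for name, (dtype, length, lov, mandatory) in MDS.items():
        value = record.get(name)
        paired = CONDITIONAL.get(name)
        required = mandatory or (paired is not None and record.get(paired) not in (None, ""))
        if value in (None, ""):
            if required:
                errors.append(f"{name}: mandatory field missing")
            continue
        value = str(value)
        problem = _check_format(name, dtype, length, value)
        if problem:
            errors.append(problem)
        elif lov is not None and value not in lov:
            errors.append(f"{name}: must be one of {sorted(lov)}")
    return errors


# Constructed sample record (not a real patient; the diagnosis code is a placeholder)
SAMPLE = {
    "UHID": "234567890123",
    "Patient Name": "Asha Verma",
    "Patient Date of Birth": "14.03.1975",
    "Patient Age": "37",
    "Patient Gender": "F",
    "Patient Address Type": "Current",
    "Episode Type": "New",
    "Episode Number": "17",
    "Clinical Exam Temperature": "98.60",
    "Clinical Exam Temperature Source": "Oral",
    "Diagnosis Type": "Provisional",
    "Diagnosis Code": "DX-000001",
    "Outcome": "Better",
}
```

Rejecting a record at the validation boundary, rather than storing a malformed gender code or an unsourced temperature, is also what makes the later "design safeguards to prevent allocation of data to the wrong patient" enforceable.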

7. Other Standards
Hardware

Very difficult to propose as technology changes very quickly


Should be able to support conception-to-death medical records
Should be able to present a summary of life-long medical records
Should be able to support privacy, secrecy and audit trail

Connectivity

The EMR should be able to harness any telecommunications-related connectivity like the
Internet, LAN, WAN, WAP, CDMA, GSM or even Cloud Computing that will permit the
various EMRs of an individual to be integrated into a single life-long electronic health record.
The connectivity must be reliable, have better than 99.9% uptime and be able to allow data
exchange at sufficient speeds to allow one single EMR to be exchanged and displayed on the
requesting system within 1 second of the request, irrespective of the distance between the
system making the request and the one executing it.
The data exchange must be done in a secure manner to ensure data validity and non-repudiability.
The data exchange must further ensure that data integrity is maintained at all times.

Software
It was concluded that the software should
Conform to the specified standards
Satisfy specified requirements
Be Interoperable

8. DATA OWNERSHIP OF EMR


The Ethical, Legal, Social Issues (ELSI) guidelines for Electronic Medical Record (EMR) are
recommended as follows.
(i) The regulations mentioned in this document will apply to the following :
Healthcare provider: A health care provider is an individual or an institution that
provides preventive, curative, promotional or rehabilitative health care services in a
systematic way to individuals, families or communities. An individual health care
provider may be a health care professional, an allied health professional, a community
health worker, or another person trained and knowledgeable in medicine, nursing or
other allied health professions, or public/community health.
Institutions: These include hospitals, clinics, primary care centres and other service
delivery points of healthcare.
Insurance corporations: Organisations offering a health insurance policy. A health
insurance policy is a contract between an insurance provider (e.g. an insurance company
or a government) and an individual or his sponsor (e.g. an employer or a community
organization).
Data Stewards: persons or legal entities responsible for confidentiality and
management of the data contained in the Electronic Health Record (EHR).
Healthcare data consolidator: persons or legal entities who collect healthcare related
data from various healthcare providers.
Model Legislative Language
Restrictions on Health Care Information Collection: Healthcare information must be
collected only to the extent necessary to carry out the purpose for which it is intended.
Collection and Use only for Lawful Purpose: Health care information must only be
collected and used for a necessary and lawful purpose.
Notification to Patient: Each person maintaining healthcare information must prepare
a formal, written statement of fair information practices observed by such person and
this must be provided to each patient.
Restriction on Use for Other Purposes: Health care information may not be used for
any other purpose beyond that for which it is collected, except as otherwise provided.
Right to Access: The patient (or patient representative) may have access to healthcare
information concerning the patient, has the right to healthcare information, and has
the right to have a notation made of any amendment or correction of such healthcare
information requested by the patient (or patient's representative).
Required Safeguards: Any person maintaining, using or disseminating healthcare
information shall implement reasonable security practices and procedures for the
security of health care information and its storage, processing and transmission.
Additional Protections: Methods to ensure the accuracy, reliability, relevance,
completeness and timeliness of healthcare information should be instituted.
Retention of relevant EHR has to be in sync with requirements of existing Indian laws
including the IT Act 2000.


(ii) Protected health data is defined as:
Any information, whether oral or recorded in any form or medium, that is created or
received by a health care provider, health insurance organization and third party agents
(TPA), public health authority, employer, life insurer, school or university, or most other
health information held by those who must follow the law; and relates to the past,
present, or future physical or mental health or condition of an individual; the provision
of health care to an individual; or the past, present, or future payment for the provision
of health care to an individual.
(iii) Data ownership
A distinction is made between
a. The physical or electronic records, which are owned by the healthcare provider.
These are held in trust on behalf of the patient, and
b. The contained data, which is the sensitive personal data of the patient, is owned
by the patient.
(iv) Data access and confidentiality
a. Regulations are to be enforced to ensure confidentiality of this data and the
patient should have a control over this.
b. Patients should have the rights to inspect and amend any inaccuracies in their
medical records. Rights to amend recorded data should be limited to correction of
errors in the recorded patient / medical details
c. Patients should have the rights to restrict access to and disclosure of individually
identifiable health information.
d. Data should be available to care providers on an as required basis
(v) Disclosure of information:
a. For use for treatment, payments and other healthcare operations: In all such
cases, a general consent must be taken from the patient or next of kin, etc., as defined
by law.
b. For use for non-routine and most non-health care purposes: a specific consent
must be taken from the patient.
c. Certain national priority activities should be specified for which health information
may be disclosed without the patient's authorization.
(vi) Healthcare provider's responsibilities:
a. Protect and secure the stored health information
b. While providing patient information, remove patient identifying information, if it is
not necessary to be provided
c. Should ensure that there are appropriate means of informing the patient of
policies relating to his/her rights to health record privacy
d. Document all its privacy policies and ensure that they are implemented and
followed. This will include:
i. Develop internal privacy policies
ii. Designate a privacy officer who will be responsible for implementing
privacy policies, audit and quality assurance
iii. Provide privacy training to all its staff
(vii) Other rights of patients
Patients should have the right to appoint a personal representative to carry out the
activities detailed below.
a. Patients should have the right to ask for a copy of their medical records held by a
healthcare organization. The healthcare organization can charge a reasonable fee
to meet the administrative costs involved in providing information to the patient.
b. Patients should have the right to request a healthcare organization which holds their
medical records to withhold specific information that they do not want
disclosed to other organizations or individuals.
c. Patients can demand information from a healthcare provider on the details of
disclosures performed of the patient's medical records.

(viii) Denial of information
Healthcare providers should be able to deny information to a patient or representative or
third party, in contravention of normal regulations, if in the opinion of a licensed
healthcare professional the release of information would endanger the life or safety of
others. This could include:
a. Information obtained from an anonymous source under a promise of
confidentiality.
b. Psychotherapy notes.
c. Information compiled for civil, criminal or administrative action.
(ix) Use and disclosure without individual authorization
Disclosures can be performed without individual authorization in the following
situations. However, as far as possible, and where appropriate, the data so provided
should be anonymised to remove information that will allow identification of the
patient.
With identifiers: on production of a court order.

(x) Digital signatures may be used to provide non-repudiation based on the specifics of the
use case.
Reference: Guidelines for Digital Signatures, available at
http://egovstandards.gov.in/guidelines/Guidelines%20for%20Digital-signature/view
Additional Reference: Guidelines for Information Security, available at
http://egovstandards.gov.in/guidelines/guidelines-for-information-security/view
The Sub Committee of Task group III is placed at Annexure III.

9. DATA SECURITY
Technical Security Guidelines:
(i) Electronic Data Storage:
a. All information marked as PHI (Personal Health Indicators) should be encrypted.
Encryption level should be at least 128 bit. This model has to be followed for any PHI
data stored in mobile devices like cell phones, tablets, etc.
b. Passwords should be stored as a one-way hash to prevent any chance of theft.
c. Storage of data should be in a manner that it will withstand deterioration, corruption
and unauthorized destruction.
(ii) Electronic Data Transmission:
a. All data should be transmitted using SSL (Secure Socket Layer), minimum 128 bit.
b. Digital signatures may be used to provide non-repudiation based on the specifics of the
use case. If the EMR documents need to be upheld in a court of law, use of digital
signatures is a must.
(iii) Data Access:
a. In any application that uses EMR, there has to be a role based access control system.
In order to do so, the following guidelines need to be followed:
i. Categorize and break down health data into logical and reasonable elements or
entities.
ii. Identify individual roles or job functions.
iii. Establish context and conditions of data use at a specific point in time, and
within a specific setting.
b. There is no restriction on the roles that the organization requires to perform its
activities, but it is recommended to closely mirror the roles documented in SNOMED
CT.
c. Audit and control procedures to ensure appropriate use of data by users as well as
detection of unauthorized individuals.
(iv) Data Sharing:
a. Identifi­able health information should not be disclosed without the informed consent of
the identified individual(s) except as required by law or for communication between the
patient's current health care provider team.
b. When information is released pursuant to the individual's authorization, the party
receiving the health information shall not further redisclose the information without the
individual's authorization to disclose the health information except in an emergency
treatment situation.
c. Aggregate data sharing for research, etc., should ensure that patient identity information
is de-identified so that no link can be made back to the patient. Mechanisms
like k-anonymity may be used to ensure patient privacy in this case.
(v) Data Audit:
a. The electronic health record system and other health information systems should be
designed to verify the identity of the user and record each access to the record/database
and the action taken (read, copy, update, etc.).
b. In addition to documenting the access by time, date, and individual, it is also
recommended that the purpose of the access be documented. Many authorizations contain a
purpose statement that could be related to access. Internal organizational users should
provide a purpose by category (for example, patient treatment, patient billing, utilization
management, etc.).
c. There has to be a mechanism to identify the source of each datum in the database.
(vi) General Software / Application Requirements:
a. Software should have design safeguards to prevent allocation of data to the wrong
patient.
b. Software should ensure that the patient record is changed only via an amendment process.
Also, the amended current version should be maintained along with the previous
versions, ensuring that data is not deleted.
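Three of the Technical Security Guidelines above carried into code as an added worked example (not code from the report): one-way salted password storage for (i) b, role based access control over categorized data with a context check for (iii) a, and an amendment-only record whose previous versions are retained for (vi) b. The roles, data categories, user ids, PBKDF2 parameters and the emergency-access rule are assumptions made for illustration; the report itself leaves role definitions to the organization and only recommends mirroring SNOMED CT.

```python
# Added example, not part of the report: one-way salted password storage (i.b),
# role based access control over categorized health data with context (iii), and
# amendment-only record changes that preserve every prior version (vi.b). Roles,
# categories, user ids and the PBKDF2 parameters are constructed for illustration.
import hashlib
import hmac
import os
from datetime import datetime, timezone

# (i) b: store passwords only as a salted, slow, one-way hash
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


# (iii) a.i / a.ii: health data broken into categories; roles are job functions
PERMISSIONS = {
    "physician":     {"demographics": {"read", "amend"}, "clinical": {"read", "amend"},
                      "billing": {"read"}},
    "nurse":         {"demographics": {"read"}, "clinical": {"read", "amend"}},
    "billing clerk": {"demographics": {"read"}, "billing": {"read", "amend"}},
    "researcher":    {},   # receives de-identified aggregates, never the record
}
CLINICAL_ROLES = {"physician", "nurse"}      # also the roles allowed emergency access


def is_permitted(role: str, category: str, action: str, context: dict) -> bool:
    """(iii) a.iii: the decision depends on context, not on the role alone."""
    if context.get("emergency"):
        # emergency access: read-only, clinical roles only, and itself to be audited
        return role in CLINICAL_ROLES and action == "read" and category != "billing"
    if role in CLINICAL_ROLES and not context.get("on_care_team", False):
        return False   # clinicians act only on patients under their care
    return action in PERMISSIONS.get(role, {}).get(category, set())


# (vi) b: the record is changed only by amendment; earlier versions are retained
class PatientRecord:
    def __init__(self, uhid: str):
        self.uhid = uhid
        self.versions = []   # (timestamp, user_id, category, content), append-only

    def amend(self, user_id, role, category, content, context):
        if not is_permitted(role, category, "amend", context):
            raise PermissionError(f"{role} may not amend {category}")
        self.versions.append((datetime.now(timezone.utc), user_id, category, content))

    def current(self, category):
        for _, _, cat, content in reversed(self.versions):
            if cat == category:
                return content
        return None

    def history(self, category):
        return [v for v in self.versions if v[2] == category]
```

Every amend call that is permitted is also an event the Data Audit item (v) expects to see logged with its purpose; in a real system the access decision and the audit record would be written together.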

Administrative Guidelines:
Certification Process:
a. A periodic certification / audit process (maybe yearly) is necessary to ensure compliance.
b. The certification process has to cover artifacts that help audit the following areas:
i. Access by authorized users
ii. Appropriate use of health information
iii. Disclosure of health information
iv. Protection of data integrity
v. Amending health information
vi. Authentication of users
vii. Encryption of health information
viii. Use of digital signatures
ix. Use of audit findings
x. Software change management process
xi. Computer network vulnerabilities
xii. Physical security measures
c. There has to be at least one person in the organization who would be trained as a Chief
Compliance Officer.
d. There has to be an Incident Reporting process that would be used to report incidents
of non-compliance.
e. Agreements with vendors and other business partners reinforce the commitment to
protect the confidentiality of health information. Organizations may also use
confidentiality agreements with staff to reinforce commitment to maintaining the
confidentiality of health information.

Physical Security Guidelines:
a. There has to be a process to control access to servers containing EMR data. The process has
to ensure that only the absolutely necessary staff have access to these.
b. Paper / Non-electronic data has to be secured using reasonable means. Such
information has to be in the control of the people who are authorized to access it.
c. Copies, faxes, printouts, or any medium containing health information should be destroyed
after use or retained in a secure location. Transmitted material should be accompanied by a
statement of confidentiality and responsibility. The receiving party is then responsible for
the security and confidentiality of the transmitted/copied health information.

10. REFERENCES

(1) Final Recommendation, Framework for Information Technology Infrastructure for
Health in India (ITIHI), Volumes I & II, DIT, MCIT, Govt. of India
(2) Recommendations on Guidelines, Standards & Practices for Telemedicine in India, DIT,
MCIT, Govt. of India
(3) HIM Principles in Health Information Exchange (Practice Brief)
(4) 2006 HIMSS RHIO Definition Workgroup
(5) http://healthit.hhs.gov/portal/server.pt?open=512&objID=2996&mode=2 (see below)
(6) Institute of Medicine (2000). "To Err Is Human: Building a Safer Health System (2000)".
The National Academies Press. http://fermat.nap.edu/catalog/9728.html#toc. Retrieved
2006-06-20.
(7) Charatan, Fred (2000). "Clinton acts to reduce medical mistakes". BMJ Publishing
Group. http://bmj.bmjjournals.com/cgi/content/full/320/7235/597?ijkey=190e9b6dd6e8fec4ca3c2e353f290efb8237b334&keytype2=tf_ipsecsha.
Retrieved 2006-03-17.
(8) Department of Health and Human Services, USA, USA Billing Code: 4150-45
(9) HIPAA Laws: Privacy and Security 45 CFR 142
(10) EHR Meaningful Use
(11) CCR http://www.astm.org/Standards/E2369.htm


11. Annexures

Annexure I
GO related to Sub-Groups Formation

Ministry of Health and Family Welfare


Department of Health and Family Welfare
Nirman Bhawan, New Delhi-110108
No. Z.28015/79/2010-Hosp.

Dated: 19 /10/2010

OFFICE MEMORANDUM
Subject: Standardization of Electronic Medical Records.

The undersigned is directed to refer to the decisions taken in the meeting of EMR
Standards Committee dated 30th Sept., 2010 regarding constitution of Sub-Groups for
taking up various tasks for development of EMR standards. It has been decided to
constitute the following Sub-Groups with the composition given herein as under:

Sub-Groups for Development of EMR Standards

Tasks | Members of Sub Group | Group Head

Task 1: Standards (Terminology, Coding standards et al.)
Members: 7. Prof. Dr. S.V. Mani; 8. Dr. R.R. Sudhir; 9. Ms. Kala Rao; 10. Dr. Ashok Kumar;
11. Ms. Jyoti Vij/FICCI; 12. Dr. Sameer A. Khan
Group Head: Prof. Dr. S.V. Mani, TCS

Task 2: Data connectivity (Including hardware, software and interoperability.)
Members: 1) Dr. B.S. Bedi; 2) Dr. Supten Sarbadhikari; 3) Dr. S.B. Bhattacharya;
4) Dr. Thanga Prabhu; 5) Mr. Sunder Gaur; 6) Mr. S.K. Dhar, NIC
Group Head: Dr. B.S. Bedi, CDAC

Task 3: Data ownership (Data protection and security including legal aspects/complaints,
guidelines and reports already available.)
Members: 7. Prof. Saroj K. Mishra; 8. Prof. Indrajit Bhattacharya; 9. Prof. Sita Naik, MCI;
10. Dr. Karanveer Singh; 11. Dr. Naveen Jain, CDAC; 12. Dr. Arun Bal; 13. Mr. Madhu Aravind
Group Head: Prof. S.K. Mishra, SGPGI

The Group Heads and the members of the sub groups are
requested to complete the tasks assigned to them within the stipulated
time frame as per the TOR.
Payment: All non-official members of the Sub-Groups, who are outstation, will be
eligible for reimbursement of air travel by the economy class / shortest direct route
and per diem @ Rs. 1000/- and other non-official members per diem @ Rs. 1000/- for the
Sub-Groups meetings. Outstation non-official members will also be entitled for
reimbursement of hotel accommodation expenses as per actual subject to a ceiling of
Rs. 5000/-. TA /DA of official members of the Sub-Groups for attending the meetings
shall be met from the same source from which their salary is drawn.
This issues with the approval of Secretary (Health & Family
Welfare).

(V. P. Singh)
Deputy Secretary to the Govt. of India
Ph. No.2306 2791

To
All the members of the EMR Standard Committee / Sub-Groups (As per
list)
Copy to: PPS to HFM/ PPS to MOS(DT)/ PPS to Secretary (H&FW)/
PPS to DGHS/ PPS to AS & DG, CGHS /PS to JS (H)


Annexure II
Sub- Committee of Task Group III
Sl. No. | Names
1. Prof. Saroj K. Mishra, Sanjay Gandhi PG Inst. of Medical Sciences
2. Prof. Indrajit Bhattacharya, IIHMR, New Delhi
3. Mr. Madhu Aravind, HealthHiway
4. Dr. Karanvir Singh, Head - Medical Informatics, Gangaram Hospital
5. Pawan Duggal, Supreme Court Advocate
6. Dr. Sunil Jain, Medico-Legal Expert, Gangaram Hospital
7. Dr. Nalin Mehta, Bio-ethics Expert, AIIMS
8. Dr. Kusum Verma, Cytopathologist, Gangaram Hospital
9. Dr. Vijay Kumar Aruldas, Public Health Specialist, Foundation for Research in Health Systems


ANNEXURE III
Preparatory Process for Draft Recommendations

Committee Discussions

Post formation initiation


Communication via email, teleconferences
Physical meetings wherever possible
o TSI Congress at Bhubaneshwar, Odisha
o Indo-Swedish Workshop at Pune, Maharashtra
o Informal discussion amongst sub-group members
o Informal meetings between important/nominated members and Chairman, subgroups


ANNEXURE IV
Glossary of Medical Terms
[A]
Access: The patient's ability to obtain medical care. The ease of access is determined by such
components as the availability of medical services and their acceptability to the patient, the location of
health care facilities, transportation, hours of operation and cost of care. Access describes an
individual's ability to obtain appropriate health care services. Barriers to access can be financial
(insufficient monetary resources), geographic (distance to providers), organizational (lack of available
providers) and sociological (e.g., discrimination, language barriers). Efforts to improve access often focus
on providing/improving health coverage.
Actively-at-Work: Describes an insurer's policy requirement indicating that coverage will not go into effect
until the employee's first day of work on or after the effective date of coverage. May also apply to
dependents disabled on the effective date.
Activities of Daily Living: (ADLs, ADL) - An individual's daily habits such as bathing, dressing and eating.
ADLs are often used as an assessment tool to determine an individual's ability to function at home, or in
a less restricted environment of care.
Addendum: Text that is added to a document after it has been finalized.
Adjudication: Processing claims according to contract.
ADSL (Asymmetric Digital Subscriber Line): A type of DSL that uses copper telephone lines to transmit
data faster than a traditional modem. ADSL only works within short distances because it uses high
frequencies with short signals.
Alerts: Pop-ups or reminders. An automated warning system such as clinical alerts, preventive health
maintenance, medication interactions etc.
Allergy List: This is a list of all the patient's allergies.
Allowed Charge: The amount that Medicare approves for payment to a physician, but this amount
may not match the amount the physician gets paid by Medicare (due to co-pay or deductibles) and
usually does not match what the physician charges patients. Medicare normally pays 80 percent of the
approved charge and the beneficiary pays the remaining 20 percent. The allowed charge for a
nonparticipating physician is 95 percent of that for a participating physician. Non-participating
physicians may bill beneficiaries for an additional amount above the allowed charge. The CMS
intermediary in each state publishes these rates.
Allowable Costs: Covered expenses within a given health plan reflecting items or elements of an
institution's costs which are reimbursable under a payment formula. Both Medicare and Medicaid
reimburse hospitals on the basis of only certain costs. Allowable costs may exclude, for example, luxury
travel or marketing. CMS publishes an extensive list of rules governing these costs and provides
software for determining costs. Normally, costs that are not reasonable expenditures, that are
unnecessary, or that are not for the efficient delivery of health services to persons covered under the
program in question are not reimbursed. The most common form of cost reimbursement is the
cost report methodology used for DRG-exempt services, such as many out-patient hospital based
programs, long-term care and skilled nursing units, physical rehab, psychiatric and substance abuse
inpatient programs. Some specialty hospitals receive all of their CMS reimbursement as cost based
reimbursement.
Ambulatory care: Any medical care delivered on an outpatient basis.
Annotator: A system function that allows an explanatory note or diagram to be added to an image.
Appointment Scheduler: The function that takes charge of appointment tracking, fixing and blocking.
ASP: Application Service Provider (a.k.a. - Web based)
ASP (Applications Service Provider): An application service provider is a business that provides computer
based services to customers over a network. Usually web based, within the EHR/EMR solution paradigm
it is a remotely hosted program and database. Advantages are reduced initial investment in hardware
and reduced responsibility for maintenance of server and data. The disadvantages are complete
dependence on Internet connectivity and on the speed of the host server to access images, scanned
documents, etc. Long term cost is frequently greater.
ASP (Active Server Page): A dynamically generated web page produced with ActiveX scripting, which
executes on the server instead of in the Web browser (HTML). The server executes the file and generates
an HTML formatted page for search engine spiders or Web browsers so it can be displayed properly.
Authentication: The verification of the identity of a person or process.
Authorization: Any document designating any permission. The HIPAA Privacy Rule requires
authorization or waiver of authorization for the use or disclosure of identifiable health information for
research (among other activities). The authorization must indicate if the health information used or
disclosed is existing information and/or new information that will be created. The authorization form
may be combined with the informed consent form, so that a patient need sign only one form. An
authorization must include the following specific elements: a description of what information will be
used and disclosed and for what purposes; a description of any information that will not be disclosed, if
applicable; a list of who will disclose the information and to whom it will be disclosed; an expiration date
for the disclosure; a statement that the authorization can be revoked; a statement that disclosed
information may be re-disclosed and no longer protected; a statement that if the individual does not
provide an authorization, she/he may not be able to receive the intended treatment; the subject's
signature and date.
[B]
Balance Billing: The practice of billing a patient for the fee amount remaining after insurer payment and
co-payment have been made. Under Medicare, the excess amount cannot be more than 15 percent
above the approved charge.


Balance Forward: An accounting reference for the amount outstanding on an account transferred from
another billing system. Primarily used during data migration from your legacy system to your new
Medinformatix system
Bed Days: Number of inpatient hospital days per 1,000 health plan members for a specified period,
usually annual.
Behavioral Health, Behavioral Healthcare: An umbrella term that includes mental health, psychiatric,
marriage and family counseling, addictions treatment and substance abuse. Services are provided by a
myriad of providers, including social workers, counselors, psychiatrists, psychologists, neurologists and
even family practice physicians. Many states have parity laws that attempt to require that behavioral
health insurance coverage be provided on par to physical health coverage.
Beneficiary (Also eligible; enrollee; member): Individual who is either using or eligible to use insurance
benefits, including health insurance benefits, under an insurance contract. It describes any person
eligible as either a subscriber or a dependent for a managed care service in accordance with a contract.
An individual who receives benefits from or is covered by an insurance policy or other health care
financing program.
Billed Claims: Fees submitted by a health care provider for services rendered to a covered person. Fees
billed and fees paid are rarely synonymous.
BMI (Body Mass Index): Calculation based on height and weight. This is similar to percent body fat and
demonstrates how much effect a person's weight has on their health.
BMI charts: Because BMI charts within EMR systems can manipulate data, perform calculations, and adapt
to user preferences and patient characteristics, users may expect greater functionality from electronic
BMI charts.
BSA (Body Surface Area): In physiology and medicine, the body surface area (BSA) is the measured or
calculated surface of a human body. For many clinical purposes BSA is a better indicator of metabolic
mass than body weight because it is less affected by abnormal adipose mass. Estimation of BSA is
simpler than many measures of volume.
[C]
Continuity of Care Document (CCD):
Continuity of Care Record (CCR): The continuity of care record is a standardized electronic snapshot of a
patient's medical, insurance, and demographic information at any given point in time. Standardization
was established by the Healthcare Information and Management Systems Society (HIMSS), the American
Academy of Family Physicians (AAFP), other medical societies, and vendors and others in the healthcare
informatics industry. Data are transmitted in XML, a standard transmission language, enabling a
patient's CCR to be shared among any number of providers. Each provider may make additions or
changes to the information in a patient's CCR, which is kept up-to-date in real time. While not all of the
patient's information is in the CCR (distinguishing it from most full-function electronic PHRs), critical
information is available that may be useful in referrals, travel situations, and emergencies.


Capitated payments: Payment for healthcare services based on the number of patients who are covered
for specific services over a specified period of time rather than the cost or number of services that are
actually provided.
Case Manager: A nurse, doctor, or social worker who works with patients, providers and insurers to
coordinate all services deemed necessary to provide the patient with a plan of medically necessary and
appropriate health care.
Case Management: Method designed to accommodate the specific health services needed by an
individual through a coordinated effort to achieve the desired health outcome in a cost effective
manner. The monitoring and coordination of treatment rendered to patients with specific diagnosis or
requiring high-cost or extensive services. Case management is the process by which all health-related
matters of a case are managed by a physician or nurse or designated health professional. Physician case
managers coordinate designated components of health care, such as appropriate referral to consultants,
specialists, hospitals, ancillary providers and services. Case management is intended to ensure
continuity of services and accessibility to overcome rigidity, fragmented services, and the
mis-utilization of facilities and resources. It also attempts to match the appropriate intensity of services
with the patient's needs over time.
Case Severity: A measure of intensity or gravity of a given condition or diagnosis for a patient. May have
direct correlation with the amount of service provided and the associated costs or payments allowed.
CCHIT: Acronym for the Certification Commission for Healthcare Information Technology, the recognized
certification authority for electronic health records and their networks, and an independent, voluntary,
private-sector initiative.
Chain of Trust Agreement: Referred to in HIPAA rules, this is a contract needed to extend the
responsibility to protect health care data across a series of sub-contractual relationships.
CHAMPUS: Civilian Health and Medical Program of the Uniformed Services.
Charges: These are the published prices of services provided by a facility. CMS requires hospitals to
apply the same schedule of charges to all patients, regardless of the expected sources or amount of
payment. Controversy exists today because of the often wide disparity between published prices and
contract prices. The majority of payers, including Medicare and Medicaid, are becoming managed by
health plans that negotiate rates lower than published prices. Often these negotiated rates average 40%
to 60% of the published rates and may be all-inclusive bundled rates.
Chart Note: A document, written by the clinician or provider, which describes the details of a patient's
encounter. It is sometimes referred to as a progress note.
Chief Complaint (CC)/Reason for Consultation (RFC)/Reason for Visit (ROV): Used for recording a patient's
disease symptoms.
Citrix Server: A server solution, similar to Microsoft Terminal Services, that provides remote access to
clients via the web or to dummy terminals in a network.
Clearinghouse: A company that provides clearing and settlement services for medical financial
transactions. Some of the more popular clearinghouses include Emdeon/WebMD, McKesson and THIN.


Client-Server: A network architecture which separates the client (often an application that uses a
graphical user interface) from the server.
Computerized Patient Record (CPR): Also known as an EMR or EHR. A patient's past, present, and future
clinical data stored in a server.
Computerized Physician Order Entry (CPOE): A system for physicians to electronically order labs,
imaging and prescriptions
CPT Code: A nationally recognizable five-digit number used to represent a service provided by a
healthcare provider.
Client/Server architecture: An information-transmission arrangement in which a client program sends a
request to a server. When the server receives the request, it disconnects from the client and processes
the request. When the request is processed, the server reconnects to the client program and the
information is transferred to the client. This usually implies that the server is located on site, as opposed
to the ASP (Application Service Provider) architecture.
Clinical Data Repository (CDR): A real-time database that consolidates data from a variety of clinical
sources to present a unified view of a single patient. It is optimized to allow clinicians to retrieve data for
a single patient rather than to identify a population of patients with common characteristics or to
facilitate the management of a specific clinical department.
Clinical Decision support system (CDSS): A clinical decision support system (CDSS) is software designed
to aid clinicians in decision making by matching individual patient characteristics to computerized
knowledge bases for the purpose of generating patient-specific assessments or recommendations.
Clinical Guidelines (Protocols): Clinical guidelines are recommendations based on the latest available
evidence for the appropriate treatment and care of a patients condition.
Clinical messaging: Communication of clinical information within the electronic medical record to other
healthcare personnel.
Claim: A request by an individual (or his or her provider) to that individual's insurance company to pay
for services obtained from a health care professional.
Claims Review: The method by which an enrollee's health care service claims are reviewed prior to
reimbursement. The purpose is to validate the medical necessity of the provided services and to be sure
the cost of the service is not excessive.
CMS (formerly HCFA): The Centers for Medicare & Medicaid Services (CMS), previously known as the
Health Care Financing Administration (HCFA), is a federal agency within the United States Department of
Health and Human Services (DHHS) that administers the Medicare program and works in partnership
with State governments to administer Medicaid, the State Children's Health Insurance Program (SCHIP),
and health insurance portability standards.
CMS-1450: The uniform institutional claim form.
CMS-1500: The uniform professional claim form.


COBRA: See Consolidated Omnibus Budget Reconciliation Act.
Coded Data: Data are separated from personal identifiers through use of a code. As long as a link exists,
data are considered indirectly identifiable and not anonymous or anonymized. Coded data are not
covered by the HIPAA Privacy Rule, but are protected under the Common Rule.
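The distinction drawn in the Coded Data entry, that data remain indirectly identifiable for exactly as long as the link between code and identity exists, is easy to get wrong in practice. The following is an added illustration, not code from the Committee's report: coding replaces the identifying fields of each record with a random code and stores the link in a separate table; re-identification works only through that table, and destroying the table is the step that makes the extract anonymised. An audit helper checks that no identifier field slipped into the coded extract. The patient records, field names and functions are constructed for the example.

```python
"""Added example (not from the Committee's report): coded versus anonymised
data. Coding replaces identifiers with a random code and keeps the link in a
separate table; while that table exists the data are only indirectly
identifiable, and destroying it is what makes the extract anonymous.
The patient records below are constructed."""
import secrets

# Constructed sample: identifying and clinical fields in one record.
PATIENTS = [
    {"name": "A. Kumar", "phone": "+91-9800000001", "dx": "Type 2 diabetes"},
    {"name": "B. Singh", "phone": "+91-9800000002", "dx": "Hypertension"},
]
IDENTIFIERS = ("name", "phone")


def code_records(records, identifiers=IDENTIFIERS):
    """Return (coded_extract, link_table).

    The extract carries only the code and the non-identifying fields; the
    link table (to be stored and access-controlled separately) maps each
    code back to the identifiers it replaced."""
    coded, links = [], {}
    for rec in records:
        code = secrets.token_hex(8)  # random, so nothing about identity leaks via the code
        links[code] = {k: rec[k] for k in identifiers}
        coded.append({"code": code,
                      **{k: v for k, v in rec.items() if k not in identifiers}})
    return coded, links


def reidentify(coded_row, link_table):
    """Possible exactly as long as the link table exists, which is why coded
    data count as indirectly identifiable rather than anonymous."""
    return link_table.get(coded_row["code"])


def destroy_links(link_table):
    """Removing the link table is the step that turns coded data into anonymised data."""
    link_table.clear()


def is_anonymous(coded, link_table):
    """True when no code in the extract can still be resolved to an identity."""
    return not any(row["code"] in link_table for row in coded)


def leaked_identifiers(coded, identifiers=IDENTIFIERS):
    """Audit helper: identifier fields that slipped into the coded extract."""
    return [k for row in coded for k in identifiers if k in row]


if __name__ == "__main__":
    extract, table = code_records(PATIENTS)
    print("leaked identifiers:", leaked_identifiers(extract))
    print("re-identified:", reidentify(extract[0], table))
    destroy_links(table)
    print("anonymous now:", is_anonymous(extract, table))
```

Using a random code rather than a hash of the name or phone number matters: a deterministic code derived from the identifiers can be recomputed by anyone who knows them, so the extract would remain identifiable even after the link table is destroyed.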
Code Set: Under HIPAA, this is any set of codes used to encode data elements, such as tables of terms,
medical concepts, medical diagnostic codes, or medical procedure codes. This includes both the codes
and their descriptions.
Coding: A mechanism for identifying and defining physicians' and hospitals' services. Coding provides
universal definition and recognition of diagnoses, procedures and level of care. Coders usually work in
medical records departments and coding is a function of billing. Medicare fraud investigators look
closely at the medical record documentation that supports the codes and look for consistency. Lack of
consistency in documentation can earmark a record as up-coded, which is considered fraud. A national
certification exists for coding professionals and many compliance programs are raising standards of
quality for their coding procedures.
Co-Insurance (coinsurance): A cost-sharing requirement under a health insurance policy that provides
that the insured will assume a portion or percentage of the costs of covered services. Health care cost
which the covered person is responsible for paying, according to a fixed percentage or amount. A policy
provision frequently found in major medical insurance policies under which the insured individual and
the insurer share hospital and medical expenses according to a specified ratio. A type of cost sharing
where the insured party and insurer share payment of the approved charge for covered services in a
specified ratio after payment of the deductible. Under Medicare Part B, the beneficiary pays coinsurance
of 20 percent of allowed charges. Many HMOs provide 100% insurance (no coinsurance) for preventive
care or routine care provided in network.
Common Rule: Under HIPAA, it outlines the necessity of obtaining informed consent from patients.
Computer-Based Patient Record (CPR): A term for the process of replacing the traditional paper-based
chart through automated electronic means; generally includes the collection of patient-specific
information from various supplemental treatment systems, i.e., a day program and a personal care
provider; its display in graphical format; and its storage for individual and aggregate purposes. CPR is
also called digital medical record or electronic medical record.
Consolidated Omnibus Budget Reconciliation Act (COBRA): Federal law that continues health care
benefits for employees whose employment has been terminated. Employers are required to notify
employees of these benefit continuation options, and failure to do so can result in penalties and fines
for the employer. It is an act that allows workers and their families to continue their employer-sponsored
health insurance for a certain amount of time after terminating employment. COBRA imposes
different restrictions on individuals who leave their jobs voluntarily versus involuntarily (Department of
Labor, 2002).
Co-Payment, Co-payment, Co-pay: A cost-sharing arrangement in which the HMO enrollee pays a
specified flat amount for a specific service (such as $10 for an office visit or $5 for each prescription
drug). The amount paid must be nominal to avoid becoming a barrier to care. It does not vary with the
cost of the service and is usually a flat sum amount such as $10 for every prescription or doctor visit,
unlike co-insurance that is based on a percentage of the cost.


Cost Sharing: Payment method where a person is required to pay some health costs in order to receive
medical care. The general set of financing arrangements whereby the consumer must pay out-of-pocket
to receive care, either at the time of initiating care, or during the provision of health care services, or
both. This includes deductibles, coinsurance and co-payments, but not the share of the premium paid by
the person enrolled.
Current Procedural Terminology (CPT): A standardized mechanism of reporting services using numeric
codes as established and updated annually by the AMA. It is a manual that assigns five digit codes to
medical services and procedures to standardize claims processing and data analysis. The coding system
for physicians' services developed by the CPT Editorial Panel of the American Medical Association; basis
of the Medicare coding system for physicians' services. A medical code set of physician and other
services, maintained and copyrighted by the American Medical Association (AMA), and adopted by the
Secretary of HHS as the standard for reporting physician and other services on standard transactions.
See Coding.
Customary, prevailing, and reasonable (CPR): Current method of paying physicians under Medicare.
Payment for a service is limited to the lowest of (1) the physician's billed charge for the service, (2) the
physician's customary charge for the service, or (3) the prevailing charge for that service in the
community. Similar to the Usual, Customary, and Reasonable system used by private insurers.
[D]
Database Management System (DBMS): The separation of data from the computer application that
allows entry or editing of data.
Data Content: Under HIPAA, this is all the data elements and code sets inherent to a transaction, and
not related to the format of the transaction.
Decision Support System: Computer technologies used in healthcare that allow providers to collect and
analyze data in more sophisticated and complex ways. Activities supported include case mix, budgeting,
cost accounting, clinical protocols and pathways, outcomes, and actuarial analysis.
Deductibles: Amounts required to be paid by the insured under a health insurance contract, before
benefits become payable. This is usually expressed in terms of an annual amount.
DICOM (Digital Imaging and Communications in Medicine): Digital Imaging and Communications in
Medicine (DICOM) is a standard to aid the distribution and viewing of medical images, such as CT scans,
MRIs, and ultrasound.
Digital Imaging and Communications in Medicine (DICOM): A standard to define the connectivity and
communication between medical imaging devices.
Disease Management: A type of product or service now being offered by many large pharmaceutical
companies to get them into broader healthcare services. Bundles use of prescription drugs with
physician and allied professionals, linked to large databases created by the pharmaceutical companies,
to treat people with specific diseases. The claim is that this type of service provides higher quality of
care at more reasonable price than alternative, presumably more fragmented, care. The development of
such products by hugely capitalized companies should be the entire indicator necessary to convince a
provider of how the healthcare market is changing. Competition is coming from every direction: other
providers of all types, payers, employers who are developing their own in-house service systems, and the
drug companies.
Document Imaging: The process of converting paper documents into an electronic format, usually
through a scanning process.
Documentation: The process of recording information.
Document Management: The Document Manager allows the medical institution to store vital patient
documents such as X-Rays, Paper Reports, and Lab Reports etc.
Drug Formulary: Varying lists of prescription drugs approved by a given health plan for distribution to a
covered person through specific pharmacies. Health plans often restrict or limit the type and number of
medicines allowed for reimbursement by limiting the drug formulary list. The list of prescription drugs
for which a particular employer or State Medicaid program will pay. Formularies are either closed,
including only certain drugs or open, including all drugs. Both types of formularies typically impose a
cost scale requiring consumers to pay more for certain brands or types of drugs. See also Formulary.
Drug Formulary Database: This EMR feature is used by electronic prescribing, electronic medical record
(EMR), and computerized physician order entry (CPOE) systems to present formulary status to the
provider during the prescribing decision.
[E]
E/M level coding: Evaluation and Management level coding documentation of each visit which
identifies each service provided during an office visit.
EDI: Acronym for Electronic Data Interchange. Electronic communication between two parties, generally
for the filing of electronic claims to payers.
EDI Translator: Used in electronic claims and medical record transmissions, this is a software tool for
accepting an EDI transmission and converting the data into another format, or for converting a non-EDI
data file into an EDI format for transmission. See also Electronic Data Interchange.
Effective Date: The date on which a policy's coverage of a risk goes into effect.
Electronic health records (EHR): A distributed personal health record in digital format. The EHR
provides secure, real-time, patient-centric information to aid clinical decision-making by providing
access to a patient's health information at the point of care.
Electronic Claim: A digital representation of a medical bill generated by a provider or by the provider's
billing agent for submission using telecommunications to a health insurance payer. Most claims are
electronically submitted.
Electronic Data Interchange (EDI): The automated exchange of data and documents in a standardized
format. In health care, some common uses of this technology include claims submission and payment,
eligibility, and referral authorization. This refers to the exchange of routine business transactions from
one computer to another in a standard format, using standard communications protocols.


Electronic Medical Records (EMR): A computer-based record containing health care information. This
technology, when fully developed, meets provider needs for real-time data access and evaluation
in medical care. Together with clinical workstations and clinical data repository technologies, the EMR
provides the mechanism for longitudinal data storage and access. A motivation for healthcare entities to
implement this technology derives from the need for medical outcome studies, more efficient care,
speedier communication among providers and management of health plans. This record may contain
some, but not necessarily all, of the information that is in an individual's paper-based medical record.
One goal of HIPAA is to protect identifiable health information as the system moves from a paper-based
to an electronic medical record system. See also Computerized Medical Record.
EMR: Acronym for Electronic Medical Records. A computerized record of a patient's clinical,
demographic and administrative data. Also known as a computer-based patient record (CPR) or
electronic health record (EHR).
Electronic Eligibility: This EMR feature accesses a payer to deliver up-to-date insurance benefits eligibility
information on patients.
Electronic Health Records (EHR): Patient health records including treatment history, medical test
reports, and images stored in an electronic format that can be accessed by healthcare providers on a
computer network.
EPR: Broadly defined, a personal health record is the documentation of any form of patient
information (including medical history, medicines, allergies, visit history, or vaccinations) that patients
themselves may view, carry, amend, annotate, or maintain. Today, when we refer to PHRs, we typically
mean an online personal health record, which may variously be referred to as an ePHR, an Internet PHR,
an Internet medical record, or a consumer Internet Medical Record (CIMR). Generally, such records are
maintained in a secure and confidential environment, allowing only the individual, or people authorized
by the individual, to access the medical information. Not all electronic PHRs are Internet PHRs. PC-based
PHRs may be set up to capture medical information offline.
Electronic Super bill: An electronic encounter form used for coding and billing.
EPR (Electronic Patient Record): Electronically maintained information about an individual's lifetime
health status and healthcare from all specialties.
Evidence based medicine: Evidence-based medicine (EBM) is the integration of best research evidence
with clinical expertise to aid in the diagnosis and management of patients.
Explanation of Benefits (EOB): A statement from the patient's insurance company that breaks down
services rendered at the time of a doctor or hospital visit and the amounts covered by the insurance provider.
[F]
Face Sheet: Also called a Summary Screen or Patient Dashboard. This screen includes a summary of
patient-relevant information on one screen.
Family History: A list of the patient's family medical history including the chronic medical problems of
parents, siblings, grandparents, etc.
Fee Schedules: The set maximum fees that an insurance company will pay a healthcare provider; a list
of all CPT and HCPCS codes and their corresponding charges. This can vary based on the insurance.
Fee schedules are usually associated with a particular payer and reflect the reimbursement rates
negotiated under the contract.
Fee-for-service: A health insurance plan that allows policyholders to pay for any provider service, submit
a claim to the insurance company, and get reimbursed if the service is covered by the insurance
provider.
First DataBank: The leading provider of drug information. Provides context and integration information
for healthcare of every type at every level.
Formatting and Protocol Standards: Data exchange standards which are needed between CPR systems,
as well as CPT and other provider systems, to ensure uniformity in methods for data collection, data
storage and data presentation. Proactive providers are current in their knowledge of these standards
and work to ensure their information systems conform to the standards.
Formulary: An approved list of prescription drugs; a list of selected pharmaceuticals and their
appropriate dosages felt to be the most useful and cost-effective for patient care. Organizations often
develop a formulary under the aegis of a pharmacy and therapeutics committee. In HMOs, physicians
are often required to prescribe from the formulary. See also Drug Formulary.
[G]
Growth Chart: A feature of a primary care or EMR system that can be used for paediatric patients. Age, height,
weight, and head measurements can be entered over the patient's lifetime, and the feature creates a
line graph.
Group Insurance: Any insurance policy or health services contract by which groups of employees (and
often their dependents) are covered under a single policy or contract, issued by their employer or other
group entity.
Group Model HMO, Group Network HMO: An HMO that contracts with one or more independent group
practices to provide services to its members in one or more locations. A health care plan involving
contracts with physicians organized as a partnership, professional corporation, or other legal
association. It can also refer to an HMO model in which the HMO contracts with one or more medical
groups to provide services to members. In either case, the payer or health plan pays the medical group,
which, in turn, is responsible for compensating physicians. The medical group may also be responsible
for paying or contracting with hospitals and other providers.
Group Practice: A group of persons licensed to practice medicine in the State, who, as their principal
professional activity, and as a group responsibility, engage or undertake to engage in the coordinated
practice of their profession primarily in one or more group practice facilities, and who in their
connection share common overhead expenses if and to the extent such expenses are paid by members
of the group, medical and other records, and substantial portions of the equipment and the
professional, technical, and administrative staffs. Group practices use the acronyms PA, IPA, MSO and
others. Group practices are far more common now than a decade ago because physicians seek to lower
costs, increase contracting power and share payer contracts.
[H]
Health and Human Services (HHS): The Department of Health and Human Services is responsible
for health-related programs and issues. Formerly it was known as HEW, the Department of Health,
Education, and Welfare. The Office of Health Maintenance Organizations (OHMO) is part of HHS and
detailed information on most companies is available here through the Freedom of Information Act.
HCFA (CMS-1500 Form): The insurance claim form that a healthcare provider turns in to an insurance
company.
HCFA 1500: The Health Care Finance Administration's standard form for submitting provider service
claims to third party companies or insurance carriers. HCFA is now called CMS, see CMS.
HCFA-1450: More commonly known as the UB-92 (Universal Bill). This is also an insurance claim form,
but is used for hospital visits and rural health claims. It is characterized by including more procedure
level reporting lines, as well as place for information such as hospital days.
Health: The state of complete physical, mental, and social well-being and not merely the absence of
disease or infirmity. It is recognized, however, that health has many dimensions (anatomical,
physiological, and mental) and is largely culturally defined. The relative importance of various disabilities
will differ depending upon the cultural milieu and the role of the affected individual in that culture. Most
attempts at measurement have been assessed in terms of morbidity and mortality.
Health Care, Healthcare: Care, services, and supplies related to the health of an individual. Health care
includes preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and
counseling, among other services. Healthcare also includes the sale and dispensing of prescription drugs
or devices.
Health Care Clearinghouse: A public or private entity that does either of the following (entities,
including but not limited to, billing services, repricing companies, community health management
information systems or community health information systems, and value-added networks and
switches are health care clearinghouses if they perform these functions): 1) Processes or facilitates the
processing of information received from another entity in a nonstandard format or containing
nonstandard data content into standard data elements or a standard transaction; 2) Receives a standard
transaction from another entity and processes or facilitates the processing of information into
nonstandard format or nonstandard data content for a receiving entity. This term is used in the HIPAA
rules.
Health Care Financing Administration (HCFA): The federal government agency within the Department
of Health and Human Services which directs and oversees the Medicare and Medicaid programs (Titles
XVIII and XIX of the Social Security Act) and conducts research to support those programs. It is now
called CMS and generally it oversees the states' administration of Medicaid, while directly
administering Medicare. See CMS, or Centers for Medicare and Medicaid Services.
Health Care Operations: Institutional activities that are necessary to maintain and monitor the
operations of the institution. Examples include but are not limited to: conducting quality assessment
and improvement activities; developing clinical guidelines; case management; reviewing the
competence or qualifications of health care professionals; education and training of students, trainees
and practitioners; fraud and abuse programs; business planning and management; and customer
service. Under the HIPAA Privacy Rule, these are allowable uses and disclosures of identifiable
information without specific authorization. Research is not considered part of health care operations.
Health Care Provider: Providers of medical or health care or researchers who provide health care are
health care providers. Normally health care providers are clinics, hospitals, doctors, dentists,
psychologists and similar professionals.
Healthcare Provider Taxonomy Codes: An administrative code set that classifies health care providers
by type and area of specialization. The code set will be used in certain adopted transactions. (Note: A
given provider may have more than one Healthcare Provider Taxonomy Code.)
Health Employer Data and Information Set (HEDIS): A set of HMO performance measures that are
maintained by the National Committee for Quality Assurance. HEDIS data is collected annually and
provides an informational resource for the public on issues of health plan quality.
Health Information: Information in any form (oral, written or otherwise) that relates to the past,
present or future physical or mental health of an individual. That information could be created or
received by a health care provider, a health plan, a public health authority, an employer, a life insurer, a
school, a university or a health care clearinghouse. All health information is protected by state and
federal confidentiality laws and by HIPAA privacy rules.
Health Insurance: Financial protection against the health care costs of the insured person. It may be
obtained in a group or individual policy.
Health Insurance Portability and Accountability Act of 1996 (HIPAA): A Federal law that allows persons
to qualify immediately for comparable health insurance coverage when they change their employment
relationships. This legislation sets a precedent for Federal involvement in insurance regulation. It sets
minimum standards for regulation of the small group insurance market and for a set group in the
individual insurance market in the area of portability and availability of health insurance. As a result of
this law, hospitals, doctors and insurance companies are now required to share patient medical records
and personal information on a wider basis. This wide-based sharing of medical records has led to privacy
rules, greater computerization of records and consumer concerns about confidentiality. In addition,
HIPAA required the creation of a federal law to protect personally identifiable health information; if that
did not occur by a specific date (which it did not), HIPAA directed the Department of Health and Human
Services (DHHS) to issue federal regulations with the same purpose. DHHS has issued HIPAA privacy
regulations (the HIPAA Privacy Rule) as well as other regulations under HIPAA. HIPAA gives HHS the
authority to mandate the use of standards for the electronic exchange of health care data; to specify
what medical and administrative code sets should be used within those standards; to require the use of
national identification systems for health care patients, providers, payers (or plans), and employers (or
sponsors); and to specify the types of measures required to protect the security and privacy of
personally identifiable health care information. This is also known as the Kennedy-Kassebaum Bill, the
Kassebaum-Kennedy Bill, K2, or Public Law 104-191.
Health Level Seven (HL7): A data interchange protocol for health care computer applications that
simplifies the ability of different vendor-supplied IS systems to interconnect. Although not a software
program in itself, HL7 requires that each healthcare software vendor program HL7 interfaces for its
products.
Health Maintenance Organization (HMO): HMOs offer prepaid, comprehensive health coverage for
both hospital and physician services. The HMO is paid monthly premiums or capitated rates by the
payers, which include employers, insurance companies, government agencies, and other groups
representing covered lives. The HMO must meet the specifications of the federal HMO act as well as
meeting many rules and regulations required at the state level. There are 4 basic models: group model,
individual practice association, network model and staff model. An HMO contracts with health care
providers, e.g., physicians, hospitals, and other health professionals. The members of an HMO are
required to use participating or approved providers for all health services and generally all services will
need to meet further approval by the HMO through its utilization program. Members are enrolled for a
specified period of time. HMOs may turn around and sub-capitate to other groups. For example, it may
carve out certain benefit categories, such as mental health, and sub-capitate these to a mental health
HMO. Or the HMO may sub-capitate to a provider, provider group or provider network. HMOs are the
most restrictive form of managed care benefit plans because they restrict the procedures, providers and
benefits.
Help Desk: Service and support desk
HIPAA: The Health Insurance Portability and Accountability Act of 1996 is a set of federal regulations
which establishes national standards for health care information.

History of Present Illness (HPI): The HPI is the history of the patient's chief complaint.
HL7 (Health Level 7): One of the American National Standards Institute (ANSI)-accredited Standards Developing
Organizations (SDOs). The Health Level 7 domain is standards for the electronic interchange of clinical,
financial and administrative information among healthcare-oriented computer systems. It is a not-for-profit
volunteer organization. It develops specifications, the most widely used of which is the messaging standard that
enables disparate health care applications to exchange key sets of clinical and administrative data. It
promotes the use of standards within and among healthcare organizations to increase the effectiveness
and efficiency of healthcare delivery. It is an international community of healthcare subject matter
experts and information scientists collaborating to create standards for the exchange, management and
integration of electronic healthcare information.
Human Subject: Under HIPAA rules, this term refers to a living subject participating in research about
whom directly or indirectly identifiable health information or data are obtained or created.
Hybrid Record: Term used for when a provider uses a combination of paper and electronic medical
records during the transition phase to EMR.
[I]
International Classification of Diseases, Ninth Revision, Clinical Modification (ICD-9-CM, ICD-10-CM):
This is the universal coding method used to document the incidence of disease, injury, mortality and
illness. A diagnosis and procedure classification system designed to facilitate collection of uniform and
comparable health information. The ICD-9-CM was issued in 1979. This system is used to group patients
into DRGs, prepare hospital and physician billings and prepare cost reports. Classification of disease by
diagnosis codified into six-digit numbers. See also coding.
ICD-9: Internationally recognizable 3 to 5-digit code representing a medical diagnosis. Currently being
replaced by the ICD-10 code.
IPA: Independent Physician Association or Independent Practice Association. A group of independent
physicians that have joined together to negotiate contracts with payers and receive quantity discounts on
products.
International Health Transaction Standards Development Organization (IHTSDO):
Informatics: The application of computer technology to the management of information.
Integration: Integration allows for secure communication between enterprise applications.
Interoperability: The capability to provide successful communication between end-users across a mixed
environment of different domains, networks, facilities and equipment.
Insurance Eligibility Check: The vital process of checking patients' insurance eligibility; neglecting it
often results in billing errors, insurance coverage concerns and delays.
Immunization: A complete list of all immunizations that the patient has had.
ISP: Internet Service Provider
IT (Information Technology): The development, installation, and implementation of computer systems
and applications.
Independent Practice Association (IPA) or Organization (IPO): A delivery model in which the HMO
contracts with a physician organization, which in turn contracts with individual physicians. The IPA
physicians practice in their own offices and continue to also see their FFS patients. The HMO reimburses
the IPA on a capitated basis; however, the IPA may reimburse the physicians on an FFS or capitated
basis.
Interface: A means of communication between two computer systems, two software applications or
two modules. A real-time interface is a key element in healthcare information systems due to the need to
access patient care information and financial information instantaneously and comprehensively. Such
real-time communication is the key to managing health care in a cost-effective manner because it
provides the necessary decision-making information for clinicians, providers and payers.
Internal Medicine: Generally, that branch of medicine that is concerned with diseases that do not
require surgery, specifically, the study and treatment of internal organs and body systems; it
encompasses many subspecialties; internists, the doctors who practice Internal medicine, often serve as
family physicians to supervise general medical care.
[J]
J-Codes: A subset of the HCPCS Level II code set with a high-order value of J that has been used to
identify certain drugs and other items.
Joint Commission on the Accreditation of Healthcare Organizations (JCAHO): Formerly called JCAH, or
Joint Commission on Accreditation of Hospitals, this is the peer review organization which provides the
primary review of hospitals and healthcare providers. Many insurance companies require providers to
have this accreditation in order to seek 3rd party payment, although many small hospitals cannot afford
the cost of accreditation. JCAHO usually surveys organizations once every 3 years, sending in a medical
and administrative team to review policies, patient records, professional credentialing procedures,
governance and quality improvement programs. JCAHO revises its standards annually.
[K]
Key Contributor Plan: This refers to a little known performance-based program with incentives for the
purpose of attracting, motivating and retaining key individuals or small groups.
[L]
LAN (Local Area Network): A LAN supplies networking capability to a group of computers in close
proximity to each other such as in an office building, a school, or a home.
Legacy Systems: Computer applications, both hardware and software, which have been inherited
through previous acquisition and installation. Most often, these systems run business applications that
are not integrated with each other. Newer systems which stress open design and distributed processing
capacity are gradually replacing such systems.
Legacy System: Term used to describe an old system (usually hardware and software), e.g., an old medical
billing software system.
Legacy System Integration: The integration of data between a legacy system and some other software
program, most commonly using HL7 standards.
LEPR (Longitudinal Patient Record): Longitudinal Patient Record is an EHR that includes all healthcare
information from all sources.
Legend Drug: Drug that the law says can only be obtained by prescription.
Length of Stay (LOS): The duration of an episode of care for a covered person. The number of days an
individual stays in a hospital or inpatient facility. May also be reviewed as Average Length of Stay (ALOS).
Licensing: A process most States employ, which involves the review and approval of applications from
HMOs prior to beginning operation in certain areas of the State. Areas examined by the licensing
authority include: fiscal soundness, network capacity, MIS, and quality assurance. The applicant must
demonstrate it can meet all existing statutory and regulatory requirements prior to beginning
operations.
Lifetime Limit: A cap on the benefits paid under a policy. Many policies have a lifetime limit of $1
million, which means that the insurer agrees to cover up to $1 million in covered services over the life of
the policy.
[M]
M.A. (Medical Assistant): If certified, is referred to as CMA. Some clinics have similar positions known as
Clinical Assistants. Used in most offices as a part of the nursing staff with responsibilities including
working up patients, triaging and returning patient calls and assisting the provider in general.
MD: Medical Doctor
Management Information System (MIS): The common term for the computer hardware and software
that provides the support of managing the plan.
Master Patient / Member Index: An index or file with a unique identifier for each patient or member
that serves as a key to a patient's or member's health record.
Maximum Allowable Actual Charge (MAAC): A limitation on billed charges for Medicare services
provided by nonparticipating physicians. For physicians with charges exceeding 115 percent of the
prevailing charge for nonparticipating physicians, MAACs limit increases in actual charges to 1 percent a
year. For physicians whose charges are less than 115 percent of the prevailing, MAACs limit actual
charge increases so they may not exceed 115 percent.
Maximum Defined Data Set: Under HIPAA, this is all of the required data elements for a particular
standard based on a specific implementation specification. An entity creating a transaction is free to
include whatever data any receiver might want or need. The recipient is free to ignore any portion of
the data that is not needed to conduct their part of the associated business transaction, unless the
inessential data is needed for coordination of benefits.
MEDCIN: Clinical documentation nomenclature designed to provide E&M level coding assistance to
providers through the use of an extensive database for documenting patient encounters.
Medical Code Sets: Codes that characterize a medical condition or treatment. These code sets are
usually maintained by professional societies and public health organizations. Compare to administrative
code sets.
Medical Transcription: A PDA-compliant medical transcription system that manages the transcription
cycle from the beginning to end by integrating voice recording, digital scripting, delivery of voice files to
the medical transcriptionist and final transcript receipt.
Medical Calculators: A diverse range of Medical Calculators that allows the medical practitioner to make
rapid, accurate calculations within seconds, with the focus on evidence based medicine.
Medication Reviewer: A complete list of all medications that the patient is taking or has taken at
some point.
Medical Group Practice: The American Group Practice Association, the American Medical Association,
and the Medical Group Management Association define medical group practice as: provision of health
care services by a group of at least three licensed physicians engaged in a formally organized and legally
recognized entity sharing equipment, facilities, common records and personnel involved in both patient
care and business management.
Medical Informatics: Medical informatics is the systematic study, or science, of the identification,
collection, storage, communication, retrieval, and analysis of data about medical care services to
improve decisions made by physicians and managers of health care organizations. Medical informatics
will be as important to physicians and medical managers as the rules of financial accounting are to
auditors.
Medical Management Information System (MMIS): A data system that allows payers and purchasers to
track health care expenditure and utilization patterns. It may also be referred to as Health Information
System (HIS), Health Information Management (HIM) or Information System (IS). See also Electronic
Medical Record (EMR).
Mid-level Practitioner: Refers to the group of providers considered to be one-level below M.D.s and
D.O.s. Physician assistants (P.A.s) and Nurse Practitioners (N.P.s) are examples.
Modifier: A two-character code added to a CPT or HCPCS code that is used to help in the reimbursement
process. For example, a modifier can be used to explain that a procedure not normally covered when
billed on the same day as another is actually a separate and significant process, or that it is a rural health
procedure that gets higher reimbursement. Up to 4 modifiers can be attached to each CPT, although in
most cases only 1 or 2 are used.
Multi-Specialty Group: A group of doctors who represent various medical specialties and who work
together in a group practice.
[N]
National Council for Prescription Drug Programs: An ANSI-accredited group that maintains a number of
standard formats for use by the retail pharmacy industry, some of which have been adopted as HIPAA
standards.
National Drug Code (NDC): A medical code set maintained by the Food and Drug Administration that
contains codes for drugs that are FDA-approved. The Secretary of HHS adopted this code set as the
standard for reporting drugs and biologics on standard transactions. The classification system for drug
identification is similar to the UPC code.
Neonatal Intensive Care Unit (Neo ICU): A hospital unit with special equipment for the care of
premature and seriously ill newborn infants.
Non-Participating Physician (or Provider): A provider, doctor or hospital that does not sign a contract to
participate in a health plan, which usually requires reduced rates from the provider. In the Medicare
Program, this refers to providers who are therefore not obligated to accept assignment on all Medicare
claims. In commercial plans, non-participating providers are also called out-of-network providers or out-
of-plan providers. If a beneficiary receives service from an out-of-network provider, the health plan
(other than Medicare) will pay for the service at a reduced rate or will not pay at all.
Non-Plan Provider: A health care provider without a contract with an insurer. A non-plan provider is
also known as a nonparticipating provider.
Nurse Practitioner (NP): A registered nurse qualified and specially trained to provide primary care,
including primary health care in homes and in ambulatory care facilities, long-term care facilities, and
other health care institutions. Normally, NPs are licensed and possess master's degrees. Nurse
practitioners generally function under the supervision of a physician but not necessarily in his or her
presence. In some states, NPs are able to provide basic medical services without requiring MD or DO
supervision. They are either salaried or reimbursed on a fee-for-service basis. Nurse Practitioners are
sometimes considered midlevel practitioners.
NPI (National Provider Identifier): Fairly new 8 digit alphanumeric identifier given to all medical
facilities. Most M.D.s and D.O.s do not have NPIs at this time (they still use UPIN numbers). However,
mid-level practitioners usually do.
NSF (National Standard Format): Standard format for electronic filing.
[O]
Occupancy Rate: A measure of inpatient health facility use, determined by dividing available bed days
by patient days. It measures the average percentage of a hospital's beds occupied and may be
institution-wide or specific for one department or service.
Ombudsperson or Ombudsman: A person within a managed care organization or a person outside of
the health care system (such as an appointee of the state) who is designated to receive and investigate
complaints from beneficiaries about quality of care, inability to access care, discrimination, and other
problems that beneficiaries may experience with their managed care organization. This individual often
functions as the beneficiary's advocate in pursuing grievances or complaints about denials of care or
inappropriate care. Organizations are mostly able to designate a member of their own staff as
ombudsman.
Open Access: A term describing a member's ability to self-refer for specialty care. Open access
arrangements allow a member to see a participating provider without a referral from another doctor.
Health plan members' abilities, rights or invitation to self-refer for specialty care. Also called Open Panel.
Open Panel: A term describing a member's ability to self-refer for specialty care. Open access
arrangements allow a member to see a participating provider without a referral from another doctor.
Health plan members' abilities, rights or invitation to self-refer for specialty care. Also called Open
Access.
Outcome: A clinical outcome is the result of medical or surgical intervention or nonintervention, or the
results of a specific health care service or benefit package. The valued results of care as experienced
primarily by the patient but also by physicians and all other participants in the processes contributing to
the outcomes.
Outcomes Management: Providers and payers alike wish to find a method of managing care in a way
that would produce the best outcomes. Managed care organizations are increasingly interested in
learning to manage the outcome of care rather than just managing the cost of care. It is thought that
through a database of outcomes experience, caregivers will know better which treatment modalities
result in consistently better outcomes for patients. Outcomes management may lead to the
development of clinical protocols. A clinical outcome is the result of medical or surgical intervention or
nonintervention. Managed services organizations are now attempting to better manage clinical
outcomes for their enrollees to increase the satisfaction of patients and payers while holding down
costs.
Outcomes Measurement: System used to systematically track clinical treatment and responses to that
treatment. The methods for measuring outcomes are quite varied among providers. Much disagreement
exists regarding the best practice or tools to utilize to measure outcomes. In fact, much disagreement
exists in the medical field about the definition of outcome itself. A tool to assess the impact of health
services in terms of improved quality and/or longevity of life and functioning.
Outcomes Research: Research on measures of changes in patient outcomes, that is, patient health
status and satisfaction, resulting from specific medical and health interventions. Attributing changes in
outcomes to medical care requires distinguishing the effects of care from the effects of the many other
factors that influence patients' health and satisfaction. With the elimination of the physician's fiduciary
responsibility to the patient, outcomes data is gaining increasing importance for patient advocacy and
consumer protection. Outcomes research will also be used in the future by payers to identify potential
partners on the basis of good outcomes.
Outpatient Care: Care given a person who is not bedridden. It is also called ambulatory care. Many
surgeries and treatments are now provided on an outpatient basis, while previously they had been
considered reason for inpatient hospitalization. Some say this is the fastest growing segment of
healthcare.
Office Visit Levels: Otherwise known as E&M codes, the code varies from Level I to V depending on
complexity, with V being the most complex.
[P]
Past Medical History, Past Surgical History, Screening (PMSS): This is a list of all the past surgery and
medical issues that the patient has been treated for.
Patient Liability: The dollar amount that an insured is legally obligated to pay for services rendered by a
provider. These may include co-payments, deductibles and payments for uncovered services.
P.A. (Physician Assistant): A mid-level provider. They are required to have a Bachelor's degree and then
attend a rigorous 3-year training program mainly instructed by physicians. They are not physicians, but
in most states have similar rights and privileges. However, they must be supervised by a physician.
Past Medical History: A list of a patient's past health problems, surgeries and specialists.
Patient Demographics: All the patient's pertinent information such as first and last name, SSN, DOB,
insurance, etc.
Patient Origin Study: A study, generally undertaken by an individual health program or health planning
agency, to determine the geographic distribution of the residences of the patients served by one or
more health programs. Such studies help define catchment and medical trade areas and are useful in
locating and planning the development of new services.
Patient Portal: A secure web-based system that allows a patient to register for an appointment,
schedule an appointment, request prescription refills, send and receive secure patient-physician
messages, view lab results, pay their bills electronically, access physician directories.
Participating Physician: A primary care physician in practice in the payer's managed care service area
who has entered into a contract.
Part A Medicare: Refers to the inpatient portion of benefits under the Medicare Program, covering
beneficiaries for inpatient hospital, home health, hospice, and limited skilled nursing facility services.
Beneficiaries are responsible for deductibles and copayments. Part A services are financed by the
Medicare HI Trust Fund, which consists of Medicare tax payments. Part B, on the other hand, refers to
outpatient coverage.
Part B Medicare: Refers to the outpatient benefits of Medicare. Medicare Supplementary Medical
Insurance (SMI) under Part B of Title XVII of the Social Security Act covers Medicare beneficiaries for
physician services, medical supplies, and other outpatient treatment. Beneficiaries are responsible for
monthly premiums, copayments, deductibles, and balance billing. Part B services are financed by a
combination of enrollee premiums and general tax revenues.
Participating Provider: Any provider licensed in the state of provision and contracted with an insurer.
Usually this refers to providers who are a part of a network. That network would be a panel of
participating providers. Payers assemble their own provider panels.
Payer (usually Third Party Payer): The public or private organization that is responsible for payment for
health care expenses. Payers may be insurance companies or self-insured employers.
PC Based: A program designed to run on an individual PC. This typically means data is not shared in real
time among other PCs (users).
PCP: Primary care physician who often acts as the primary gatekeeper in health plans. That is, often the
PCP must approve referrals to specialists. Particularly in HMOs and some PPOs, all members must
choose or are assigned a PCP.
PHR: A personal health record or PHR is typically a health record that is initiated and maintained by an
individual. An ideal PHR would provide a complete and accurate summary of the health and medical
history of an individual by gathering data from many sources and making this information accessible
online.
Physician Attestation: The requirement that the attending physician certify, in writing, the accuracy and
completion of the clinical information used for DRG assignment.
Physician Current Procedural Terminology (CPT): List of services and procedures performed by
providers, with each service/procedure having a unique 5-digit identifying code. CPT is the health care
industry's standard for reporting of physician services and procedures. Used in billing and records.
Picture Archive Communication System (PACS): Used by radiology and diagnostic imaging organizations
to electronically manage information and images.
Physician Practice Organization (PPO): An arrangement between insurers and healthcare providers
where providers agree to a discounted fee-for-service in exchange for more patients.
Progress Note: The documentation of a patient visit or encounter including all or part of the SOAP
format.
Practical Nurses: Practical nurses, also known as vocational nurses, provide nursing care and treatment
of patients under the supervision of a licensed physician or registered nurse. Licensure as a licensed
practical nurse (L.P.N.) or in California and Texas as a licensed vocational nurse (L.V.N.) is required.
Practice Parameters, Practice Guidelines: Systematically developed statements to standardize care and
to assist in practitioner and patient decisions about the appropriate health care for specific
circumstances. Practice guidelines are usually developed through a process that combines scientific
evidence of effectiveness with expert opinion. Practice guidelines are also referred to as clinical criteria,
protocols, algorithms, review criteria, and guidelines. The American Medical Association defines practice
parameters as strategies for patient management, developed to assist physicians in clinical decision-making.
Practice parameters may also be referred to as practice options, practice guidelines, practice
policies, or practice standards.
Pre-Authorization: A cost containment feature of many group medical policies whereby the insured
must contact the insurer prior to a hospitalization or surgery and receive authorization for
Primary Care: Basic or general health care usually rendered by general practitioners, family
practitioners, internists, obstetricians and pediatricians who are often referred to as primary care
practitioners or PCPs. Professional and related services administered by an internist, family practitioner,
obstetrician-gynecologist or pediatrician in an ambulatory setting, with referral to secondary care
specialists, as necessary.
Primary Care Network (PCN): A group of primary care physicians who share the risk of providing care to
members of a given health plan.
Primary Care Physician, (PCP): A generalist such as a family practitioner, pediatrician, internist, or
obstetrician. In a managed care organization, a primary care physician is accountable for the total health
services of enrollees including referrals, procedures and hospitalization. Also see Primary Care Provider.
Primary Care Provider (PCP): The provider that serves as the initial interface between the member and
the medical care system. The PCP is usually a physician, selected by the member upon enrollment, who
is trained in one of the primary care specialties who treats and is responsible for coordinating the
treatment of members assigned to his/her plan. See also Gatekeeper.
Principal Diagnosis: The medical condition that is ultimately determined to have caused a patient's
admission to the hospital. The principal diagnosis is used to assign every patient to a diagnosis related
group. This diagnosis may differ from the admitting and major diagnoses.
Prior Authorization: A formal process requiring that a provider obtain approval to provide particular services
or procedures before they are done. This is usually required for nonemergency services that are
expensive or likely to be abused or overused. A managed care organization will identify those services
and procedures that require prior authorization, without which the provider may not be compensated.
Privacy: For purposes of the HIPAA Privacy Rule, privacy means an individual's interest in limiting who
has access to personal health care information. See also HIPAA Privacy Rule.
Psychotherapy Notes: These include notes recorded by the health care provider who is a mental health
professional during a counseling session, either in a private session or in a group. These notes are
separate from documentation placed in the medical chart and do not include prescriptions. Specific
patient authorization is required for use and disclosure of psychotherapy notes.
[R]
RAID (Redundant Array of Independent Disks): A way of storing the same data in different places on
multiple hard disks. Often used on servers to provide redundancy in the event of a hard drive failure.
Real Time: The instantaneous sharing of data among a user group. It is common to a client/server
database configuration.
Referral: Some insurance companies require that on specific plans a referral must be obtained for
certain procedures or visits to specialists. The referral is acquired by the primary care physician (PCP) by
contacting the insurance company by phone or mail. This is a request for the service. The referral
consists of an authorization code, a number of visits allowed (if applicable) and an expiration date.
Referring Provider: The provider that referred the patient to a specialist or for a specific procedure.
Relational Database: A database program that stores data in a manner similar to Excel, with the
difference being the data elements are related (linked) to each other.
Remote Access: Data travels through a private, protected passage via the Internet, allowing healthcare
providers to access the system from home or another practice location and allowing the EMR vendor to
perform system maintenance off-site.
Rendering/Performing Provider: The provider actually treating the patient.
Registered Nurses (R.N.s): Registered nurses are responsible for carrying out the physician's
instructions. They supervise practical nurses and other auxiliary personnel who perform routine care
and treatment of patients. Registered nurses provide nursing care to patients or perform specialized
duties in a variety of settings from hospital and clinics to schools and public health departments. A
license to practice nursing is required in all states. For licensure as a registered nurse (R.N.), an applicant
must have graduated from a school of nursing approved by the state board for nursing and have passed
a state board examination.
ROS (Review of Systems): A series of questions related to the system(s) that the patient is having
complaints about (i.e. respiratory for cold symptoms).
[S]
Secondary Care: Services provided by medical specialists who generally do not have first contact with
patients (e.g., cardiologist, urologists, dermatologists). In the U.S., however, there has been a trend
toward self-referral by patients for these services, rather than referral by primary care providers. This is
quite different from the practice in England, for example, where all patients must first seek care from
primary care providers and are then referred to secondary and/or tertiary providers, as needed.
SNOMED CT (Systematized Nomenclature of Medicine Clinical Terms): SNOMED CT is the universal health
care terminology. It is comprehensive and covers procedures, diseases, and clinical data. SNOMED CT
helps to structure and computerize the medical record. It allows for a consistent way of indexing,
storing, retrieving and aggregating clinical data across sites of care (i.e. hospitals, doctors' offices) and
specialties. By standardizing the terminology, the variability in the way data is captured, encoded and
used for clinical care of patients and research is reduced. It allows for more accurate reporting of data.
It is currently available in English, Spanish and German.
SureScripts: Electronic exchange that links pharmacies and healthcare providers. Founded in 2001 by
NACDS to make the prescribing process safer and more efficient.
SOAP Note: Progress note format utilized by Medinformatix that consists of Subjective, Objective,
Assessment and Plan sections.
Social History: A description of a patient's social habits and history including marital status, alcohol and
drug use and exercise habits.
Subjective: Section in a progress note where a patient's account of their current problem is
documented. Consists of chief complaint, HPI and ROS.
Superbill: Also known as an encounter form, route slip or fee slip. This is a paper charge capture tool
used to document coding for a specific patient visit. It is a printed form with patient information at the
top, and a subset of the provider's/practice's most commonly used ICD and/or CPT codes. The form
travels with the patient through the clinic. Providers check off items when they see the patient, and the
form then travels to the checkout desk or billing office where the codes are entered into the billing
system.
Supervising Provider: The physician that is supervising patient care for a mid-level. In some practices,
the supervising provider signs off on every chart after a mid-level sees a patient, while in others he is
simply available to assist if necessary. Physicians in some rural areas do not have to be on-site and can
supervise remotely.
SQL: Structured Query Language is a computer language aimed to store, manipulate and retrieve data
stored in relational databases.
Sx: Abbreviation for symptoms
Skilled Nursing Facility (SNF): A licensed institution, as defined by Medicare, which is primarily engaged
in the provision of skilled nursing care. SNFs are usually DRG or PPS exempt and are located within
hospitals, but sometimes are located in rehab facilities or nursing homes.
Solo Practice, Solo Practitioner: A physician who practices alone or with others but does not pool
income or expenses. This form of practice is becoming increasingly less common as physicians band
together for contracting, overhead costs and risk sharing.
Subscriber: Person responsible for payment of premiums, or person whose employment is the basis for
membership in a health plan.
[T]
T1, T3 line: A high-speed internet connection provided via telephone lines often used by businesses
needing internet connection speeds greater than DSL/Cable.
Terminal Services: Microsoft's method for remote administration tasks that delivers the Windows
desktop and Windows-based applications to nearly any personal computing device, even devices that
can't run Windows.
Therapeutic Alternatives: Drug products that provide the same pharmacological or chemical effect in
equivalent doses. Also see Drug Formulary.
Thin Client: Also known as a dumb terminal, a network computer without a hard drive which requires a
constant connection to a server to operate.
Trial Balance: A detailed report of invoices for a patient.
Treatment: The provision of health care by one or more health care providers. Treatment includes any
consultation, referral or other exchanges of information to manage a patient's care. The HIPAA Privacy
Notice explains that the HIPAA Privacy Rule allows Partners and its affiliates to use and disclose
protected health information for treatment purposes without specific authorization.
Treatment Episode: The period of treatment between admission and discharge from a modality, e.g.,
inpatient, residential, partial hospitalization, and outpatient, or the period of time between the first
procedure and last procedure on an outpatient basis for a given diagnosis. Many healthcare statistics
and profiles use this unit as a base for comparisons.
[U]
UB-92 - Uniform Billing Code of 1992: Bill form used to submit hospital insurance claims for payment by
third parties. Similar to HCFA 1500, but reserved for the inpatient component of health services. An
electronic format of the CMS-1450 paper claim form that has been in general use since 1993.
UNIX: A network-capable, multi-user operating system used for workstations and servers. Many old
practice management, medical billing and EMR software packages were originally designed under the
UNIX operating system.
UB-92 Form: Form designed for hospitals to file a medical claim with the patient's insurance carrier.
UPIN (Unique Physician Identification Number): Unique Identification number given to each healthcare
provider. Frequently used in insurance billing and is currently being replaced by the NPI number.
UPIN: A standard 6 digit alphanumeric identifier assigned to providers. Can be used for single provider
or a group/facility.
URI: Abbreviation for Upper Respiratory Infection (Cold)
UTI: Abbreviation for Urinary Tract Infection (Bladder infection)
[V]
VPN (Virtual Private Network): A VPN tunnel is a secure connection, typically firewall to firewall, that
provides for remote access to your data server.
Variable Contribution Health Plan: In contrast to a fixed contribution plan, a variable contribution
involves employers committing to a specified level of benefits funding for its employees, regardless of
the actual benefit price. Employers are thus locked into variable contribution arrangements because
they are committed to funding a certain benefit structure without knowing what the future costs may
be if premiums are raised. See also Fixed Contribution Health Plan.
Vital Statistics: Statistics relating to births (natality), deaths (mortality), marriages, health, and disease
(morbidity). Vital statistics for the United States are published by the National Center for Health
Statistics. Vital statistics can be obtained from CDC, state health departments, county health
departments and other agencies. An individual patient's vital statistics in a health care setting may also
refer simply to blood pressure, temperature, height and weight, etc.
[W]
Wave Scheduling: Scheduling patients in waves, i.e. scheduling several patients at the top of the hour
(in the same time slot), and several at the bottom of the hour. Patients rarely arrive on time, and offices
often run behind. Having blocks of busy and catch-up time can even this out. Modified wave scheduling
is a more recent trend where the schedule is based around the actual time spent with patients. Most
patient visits do not require the provider to be in the room with the patient for 100% of the time. Wave
scheduling allows more efficient scheduling by allowing for this. For example, a patient visiting an
ophthalmologist may spend 15 minutes of a half hour visit waiting for their eyes to dilate. The doctor is
only present for the last 15 minutes. Thus, another patient could be scheduled for the first 15 minutes.
Thus, modified wave scheduling refers to creating a schedule that accounts only for the provider's time
spent with patients. This is only efficient if there is enough nursing staff to prepare several patients
simultaneously.
Waiting Periods: The length of time an individual must wait to become eligible for benefits for a specific
condition after overall coverage has begun.
Waiver: Approval that the Centers for Medicare and Medicaid Services (CMS, formerly called HCFA), the
federal agency that administers the Medicaid program, may grant to state Medicaid programs to
exempt them from specific aspects of Title XIX, the federal Medicaid law. Most federal waivers involve
loss of freedom of choice regarding which providers beneficiaries may use, exemption from
requirements that all Medicaid programs be operated throughout an entire state, or exemption from
requirements that any benefit must be available to all classes of beneficiaries (which enables states to
experiment with programs only available to special populations).
Waiver of Authorization: Under HIPAA, under limited circumstances, a waiver of the requirement for
authorization for use or disclosure of private health information may be obtained from the IRB by the
researcher. A waiver of authorization can be approved only if specific criteria have been met. See
Authorization also.
Workers' Compensation: A state-mandated program providing insurance coverage for work-related
injuries and disabilities. Several states have either enacted or are considering changes to the Workers'
Compensation Laws to allow employers to cover occupational injuries and illnesses within their own
existing group medical plans. Some employers pay premiums to the state or to insurance companies for
this coverage. Others are self-funded and use third party case management or administrative services to
manage the processes. See also Occupational Health.
[X]
XML (Extensible Markup Language): Used for defining data elements on a Web page and for
communication between two business systems. Example: a standard messaging system for an EMR to
integrate with other software such as a practice management or drug formulary database.
ANNEXURE V
1. Aadhar (UID) Number is to be used as the Universal Patient Identifier. Since it is expected that it
would take time for this to be implemented across the country, until that time we will need to
accommodate other ID proofs like PAN card/Licence/Voter ID card etc.
2. Age is to be automatically calculated if date of birth is entered/available; once the patient's
age is available, all client systems must automatically "age" the patient. For this, unless the
patient's date of birth is available, the age will be approximated with the assumption that
the patient was born on the 1st day of January of the year that the entered age appears to
point to. The record display will need to clearly show that this age is an approximated one
and that the patient may actually be older by 1 additional year maximally.
3. More than one reason for visit may be entered
4. Menstrual history is available only if the chosen gender is female
5. Both structured and unstructured data can be used wherever the data type is alphanumeric
and data length is 255+
6. If necessary, data type can be made longer wherever they are stated to be 255+
7. UOM (Unit Of Measurement) of BP (Blood Pressure) is mmHg
8. UOM of pulse rate is per minute
9. UOM of temperature is degrees Celsius
10. UOM of respiration rate is per minute
11. UOM of weight is kilograms
12. UOM of height is centimetres
13. More than one diagnosis may be entered
14. Wherever a list of values has been mentioned, the first is the default
15. It must be ensured that no encounter number is arbitrarily assigned. The networking
system will need to take care of this. Episode and Encounter Reconciliation through
appropriate merging and demerging will need to take place. However, this is a design and
development issue, and out of scope for the work of the MDS (Minimum Data Set) proposal
16. In Family History, the fields should be (i) relative, (ii) disease; this is actually implicit since
the user can enter any of the three types and there is no bar in entering all types. This can
appropriately be taken care of by system designers
17. Immunisation History should be a child table with multiple entries allowed, with a list of
values for each vaccine type and dates administered with current status (administered/not
administered)
18. Allergies will be a list of values (drug generics, etc.) that would, in future, allow allergy alerts
to be activated
19. Clinical Exam Height data storage should always be in centimetres in the database.
However, the user module should allow entry in feet and inches, if desired, and should
convert and store it in cm
20. Diagnosis Code should allow multiple entries per encounter record
21. Sufficient redundancies must be built into the system to ensure no complete downtime in
case of system failure due to any reason including hardware, networking and power
outages. Local records must be available 100% of the time
22. Display from the first record till date all encounters, displaying the following
23. Reason for visit/Diagnosis
24. Encounter Date, Time & Location
25. Ability to view the encounter record details
26. Use SNOMED-CT for all clinical terms/observations
27. Use ICD-10 for all diagnoses for statistical and epidemiological studies
28. Use LOINC for all investigation observations
29. Use secured XML as the file format for information exchange
30. Will contain a header section that contains patient and observer ID/details and encounter
date, time and location (ID/details)
31. Will contain a body section that contains all other encounter-specific details
32. Use the HCIT Standards as relevant to India (please refer to the table below)
33. Conform to the Minimum Data Sets
34. Must capture and display the following items:
a. Patient Name, Gender, Age/DOB
b. Observer Name
c. Date & Time of Visit
d. Problems/Diagnosis List
e. Current medications
f. Active allergies
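One way to realise the header/body XML exchange document together with the coding rules (ICD-10 for diagnoses, LOINC for observations) and the mandatory capture items listed above, as an added Go example that is not part of the committee's document. The element names, the Go types, the Validate rules and the sample patient data are assumptions constructed for illustration; the ICD-10 and LOINC codes are real codes chosen as examples.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Coded is a value from SNOMED-CT (clinical terms), ICD-10 (diagnoses) or LOINC (observations).
type Coded struct {
	System  string `xml:"system,attr"`
	Code    string `xml:"code,attr"`
	Display string `xml:",chardata"`
}

// Header: patient and observer identity plus encounter date, time and location.
type Header struct {
	PatientID    string `xml:"Patient>ID"`
	PatientName  string `xml:"Patient>Name"`
	Gender       string `xml:"Patient>Gender"`
	DOB          string `xml:"Patient>DOB,omitempty"`
	Age          int    `xml:"Patient>Age,omitempty"`
	ObserverName string `xml:"Observer>Name"`
	VisitTime    string `xml:"Visit>DateTime"`
	Location     string `xml:"Visit>Location"`
}

// Body: all other encounter-specific details; every list allows multiple entries.
type Body struct {
	Diagnoses    []Coded  `xml:"Diagnoses>Diagnosis"`
	Observations []Coded  `xml:"Observations>Observation"`
	Medications  []string `xml:"Medications>Medication"`
	Allergies    []string `xml:"Allergies>Allergy"`
}

// EncounterRecord is the exchange document: a header section plus a body section (assumed names).
type EncounterRecord struct {
	XMLName xml.Name `xml:"EncounterRecord"`
	Header  Header   `xml:"Header"`
	Body    Body     `xml:"Body"`
}

// Validate applies the mandatory capture items and the coding rules; an empty result means
// the record may be exchanged.
func Validate(r EncounterRecord) []string {
	var errs []string
	h := r.Header
	if h.PatientName == "" || h.Gender == "" || (h.DOB == "" && h.Age == 0) || h.ObserverName == "" || h.VisitTime == "" {
		errs = append(errs, "header: patient name, gender, age/DOB, observer name and visit date/time are mandatory")
	}
	if len(r.Body.Diagnoses) == 0 {
		errs = append(errs, "body: problems/diagnosis list is mandatory")
	}
	for _, d := range r.Body.Diagnoses {
		if d.System != "ICD-10" {
			errs = append(errs, fmt.Sprintf("diagnosis %q must be coded in ICD-10, not %s", d.Code, d.System))
		}
	}
	for _, o := range r.Body.Observations {
		if o.System != "LOINC" {
			errs = append(errs, fmt.Sprintf("observation %q must be coded in LOINC, not %s", o.Code, o.System))
		}
	}
	return errs
}

// Marshal renders the record as the XML exchange document; Parse reads one back.
func Marshal(r EncounterRecord) ([]byte, error) {
	out, err := xml.MarshalIndent(r, "", "  ")
	return append([]byte(xml.Header), out...), err
}

func Parse(doc []byte) (EncounterRecord, error) {
	var r EncounterRecord
	err := xml.Unmarshal(doc, &r)
	return r, err
}

// NewSampleRecord builds a constructed encounter (sample data, not a real patient).
func NewSampleRecord() EncounterRecord {
	return EncounterRecord{
		Header: Header{PatientID: "UID-PLACEHOLDER", PatientName: "Test Patient", Gender: "Female",
			DOB: "1980-05-12", ObserverName: "Dr. Example", VisitTime: "2012-10-15T10:30:00+05:30", Location: "OPD Room 3"},
		Body: Body{
			Diagnoses:    []Coded{{System: "ICD-10", Code: "J06.9", Display: "Acute upper respiratory infection"}},
			Observations: []Coded{{System: "LOINC", Code: "8310-5", Display: "Body temperature 38.2 degrees Celsius"}},
			Medications:  []string{"Paracetamol 500 mg"},
			Allergies:    []string{"Penicillin"},
		},
	}
}

func main() {
	rec := NewSampleRecord()
	doc, err := Marshal(rec)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(doc))
	fmt.Println("validation problems:", Validate(rec))
}
```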
Annexure VI
Proposed Portable Health Record
As patients move around the healthcare system there is a need to carry essential information to
ensure quality healthcare, which will give their treating clinician basic information, viz. medical
condition, drug/allergy information, etc. The proposed format is the CCR standard XML file format (as
used in Google Health), with demographics, insurance information, problem list/diagnoses, medications,
allergies and alerts, vital signs, lab results, consultation reports, hospital discharge and operative
reports and test results (i.e. stress test, cardiac catheterization, relevant biochemistry and
histopathology), kept current and accurate by a person's healthcare team (nurses, doctors and
pharmacists), which includes the patient.
Annexure VII
Privacy and Security in Meaningful Use Rule
(as retrieved from http://www.hitechanswers.net/security-meaningful-use/)
Role of Security & Privacy in Meaningful Use
In general, HHS has specifically included encryption as a requirement for a Certified EHR
system. The inclusion of encryption in meaningful use is indicative of the Federal
government's recognition that encryption is a critical technology in securing protected health
information (PHI).
Certified EHRs must be able to provide the patient an electronic copy of their health information
upon their request. This information must be provided within 96 hours from the time the provider
obtains the information, such as lab results, for example. This patient information must be
secured with at least a symmetric 128 bit fixed-block cipher algorithm capable of using 128, 192,
or 256 bit encryption key.
Certified EHRs must protect electronic health information by implementing controls and
encryption, such as:
Assigning a unique user name for each user
Encrypt and decrypt health information for backups, removable media, etc.
Event recording such as deletion of records
Audit review log
Systems to ensure health information has not been altered using a hash algorithm
Record disclosures made for treatment
Ensure identity management is in place
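An added example, not from this document or the cited site, of three of the controls above in Go's standard library: AES-GCM with a 128-, 192- or 256-bit key for the patient's electronic copy (AES being the 128-bit fixed-block cipher the requirement describes), an audit log of export, decrypt and delete events recorded under each unique user name, and a SHA-256 comparison to confirm that stored health information has not been altered. The Vault type, the method and event names and the record id are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AuditEvent is one audit-log entry: who did what to which record, when, and the SHA-256 of the plaintext.
type AuditEvent struct {
	When     time.Time
	User     string // unique user name of the actor
	Action   string // EXPORT, DECRYPT, DECRYPT_FAILED or DELETE
	RecordID string
	SHA256   string
}

// Vault holds the key and the audit log (hypothetical; production keeps the key in a KMS/HSM).
type Vault struct {
	key   []byte
	Audit []AuditEvent
}

// NewVault accepts only 128-, 192- or 256-bit keys, the sizes the requirement names.
func NewVault(key []byte) (*Vault, error) {
	switch len(key) {
	case 16, 24, 32:
		return &Vault{key: key}, nil
	}
	return nil, fmt.Errorf("key must be 128, 192 or 256 bits, got %d", len(key)*8)
}

// aead builds AES-GCM: AES is the 128-bit fixed-block cipher, GCM adds an integrity tag.
func (v *Vault) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func (v *Vault) log(user, action, recordID string, plaintext []byte) {
	sum := sha256.Sum256(plaintext)
	v.Audit = append(v.Audit, AuditEvent{time.Now().UTC(), user, action, recordID, hex.EncodeToString(sum[:])})
}

// Seal encrypts a patient's electronic copy (or a backup / removable-media image) and
// records the EXPORT event. Output layout: nonce || ciphertext || GCM tag.
func (v *Vault) Seal(user, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per export; never reuse with one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// recordID is bound as additional authenticated data so a blob cannot be re-labelled.
	out := gcm.Seal(nonce, nonce, plaintext, []byte(recordID))
	v.log(user, "EXPORT", recordID, plaintext)
	return out, nil
}

// Open decrypts and authenticates; any altered byte fails, and the failure is logged too.
func (v *Vault) Open(user, recordID string, blob []byte) ([]byte, error) {
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob shorter than the %d-byte nonce", gcm.NonceSize())
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(recordID))
	if err != nil {
		v.log(user, "DECRYPT_FAILED", recordID, nil)
		return nil, err
	}
	v.log(user, "DECRYPT", recordID, pt)
	return pt, nil
}

// Delete records the deletion of a record, one of the events the requirement names.
func (v *Vault) Delete(user, recordID string) {
	v.log(user, "DELETE", recordID, nil)
}

// Unaltered re-hashes stored plaintext and compares it with the digest logged at export.
func (v *Vault) Unaltered(recordID string, stored []byte) bool {
	sum := sha256.Sum256(stored)
	for i := len(v.Audit) - 1; i >= 0; i-- {
		if e := v.Audit[i]; e.RecordID == recordID && e.Action == "EXPORT" {
			return e.SHA256 == hex.EncodeToString(sum[:])
		}
	}
	return false
}
```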
Annexure VIII
HIPAA 45 CFR Part 142 Subpart C, Security and Electronic Signature Standards.
See http://aspe.hhs.gov/admnsimp/nprm/sec13.htm

Technical Security Services and Mechanisms, and Electronic Signature Requirements and Implementation Features
Columns: Category / Section / Req-Opt / Item / Definition / Rule Reference

Category: Technical Security Services (for information in place)

Section: Access Control
  requires:
    Procedure for Emergency Access: (documented instructions for obtaining necessary information during a crisis). Rule reference: 142.308 (c)(1)(i)(A)
  and one of:
    Context-based access control: (an access control procedure based on the context of a transaction (as opposed to being based on attributes of the initiator or target)). Rule reference: 142.308 (c)(1)(i)(B)(1)
    Role-based access: (an alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization's structure and business activities. With RBAC, rather than attempting to map an organization's security policy to a relatively low-level set of technical controls (typically, access control lists), each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role). Rule reference: 142.308 (c)(1)(i)(B)(2)
    User-based access: (a security mechanism used to grant users of a system access based upon the identity of the user). Rule reference: 142.308 (c)(1)(i)(B)(3)
  and optionally:
    Encryption: (transforming confidential plaintext into ciphertext to protect it. An encryption algorithm combines plaintext with other values called keys, or ciphers, so the data becomes unintelligible. Once encrypted, data can be stored or transmitted over unsecured lines. Decrypting data reverses the encryption algorithm process and makes the plaintext available for further processing). Rule reference: 142.308 (c)(1)(i)(C)

Section: Audit Controls: (mechanisms employed to record and examine system activity). Rule reference: 142.308 (c)(1)(ii)

Section: Authorization Control
  requires one of:
    Role-based access: (see above). Rule reference: 142.308 (c)(1)(iii)(A)
    User-based access: (see above). Rule reference: 142.308 (c)(1)(iii)(B)

Section: Data Authentication: (The corroboration that data has not been altered or destroyed in an unauthorized manner. Examples of how data corroboration may be assured include the use of a check sum, double keying, a message authentication code, or digital signature.) Rule reference: 142.308 (c)(1)(iv)

Section: Entity Authentication
  requires (both):
    Automatic logoff: (a security procedure that causes an electronic session to terminate after a predetermined time of inactivity, such as 15 minutes). Rule reference: 142.308 (c)(1)(v)(A)
    Unique user identifier: (a combination name/number assigned and maintained in security procedures for identifying and tracking individual user identity). Rule reference: 142.308 (c)(1)(v)(B)
  and one of:
    Biometric identifier: (an identification system that identifies a human from a measurement of a physical feature or repeatable action of the individual (for example, hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characteristics, voice prints, and hand written signature)). Rule reference: 142.308 (c)(1)(v)(C)(1)
    Password: (confidential authentication information composed of a string of characters). Rule reference: 142.308 (c)(1)(v)(C)(2)
    PIN: (a number or code assigned to an individual and used to provide verification of identity). Rule reference: 142.308 (c)(1)(v)(C)(3)
    Telephone Callback: (method of authenticating the identity of the receiver and sender of information through a series of "questions" and "answers" sent back and forth establishing the identity of each). For example, when the communicating systems exchange a series of identification codes as part of the initiation of a session to exchange information, or when a host computer disconnects the initial session before the authentication is complete, and the host calls the user back to establish a session at a predetermined telephone number. Rule reference: 142.308 (c)(1)(v)(C)(4)
    Token: (a physical item necessary for user identification when used in the context of authentication. For example, an electronic device that can be inserted in a door or a computer system to obtain access). Rule reference: 142.308 (c)(1)(v)(C)(5)

Category: Technical Security Mechanisms (for information in transit)

Section: Communications/Network Controls
  requires (both):
    Integrity Controls: (a security mechanism employed to ensure the validity of the information being electronically transmitted or stored). Rule reference: 142.308 (d)(1)(i)(A)
    Message Authentication: (ensuring, typically with a message authentication code, that a message received (usually via a network) matches the message sent). Rule reference: 142.308 (d)(1)(i)(B)
  and one of:
    Access Controls: (protection of sensitive communications transmissions over open or private networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient). Rule reference: 142.308 (d)(1)(ii)(A)
    Encryption: (see above). Rule reference: 142.308 (d)(1)(ii)(B)
  PLUS, if over an open network, requires (all of):
    Alarm: (In communication systems, any device that can sense an abnormal condition within the system and provide, either locally or remotely, a signal indicating the presence of the abnormality. The signal may be in any desired form ranging from a simple contact closure (or opening) to a time-phased automatic shutdown and restart cycle.) Rule reference: 142.308 (d)(2)(i)
    Audit Trail: (the data collected and potentially used to facilitate a security audit). Rule reference: 142.308 (d)(2)(ii)
    Entity Authentication: (a communications or network mechanism to irrefutably identify authorized users, programs, and processes and to deny access to unauthorized users, programs, and processes). Rule reference: 142.308 (d)(2)(iii)
    Event Reporting: (a network message indicating operational irregularities in physical elements of a network or a response to the occurrence of a significant task, typically the completion of a request for information). Rule reference: 142.308 (d)(2)(iv)

Category: Electronic Signature Standard
  requires (all of):
    Message Integrity: (the assurance of unaltered transmission and receipt of a message from the sender to the intended recipient). Rule reference: 142.310 (c)(1)
    Nonrepudiation: (strong and substantial evidence of the identity of the signer of a message, and of message integrity, sufficient to prevent a party from successfully denying the origin, submission, or delivery of the message and the integrity of its contents). Rule reference: 142.310 (c)(2)
    User Authentication: (the provision of assurance of the claimed identity of an entity). Rule reference: 142.310 (c)(3)
  and optionally includes (all, some, or none of):
    Ability to Add Attributes: (one possible capability of a digital signature technology; for example, the ability to add a time stamp as part of a digital signature). Rule reference: 142.310 (d)(1)
    Continuity of Signature Capability: (the concept that the public verification of a signature must not compromise the ability of the signer to apply additional secure signatures at a later date). Rule reference: 142.310 (d)(2)
    Countersignatures: (The capability to prove the order of application of signatures. This is analogous to the normal business practice of countersignatures, where a party signs a document that has already been signed by another party.) Rule reference: 142.310 (d)(3)
    Independent Verifiability: (the capability to verify the signature without the cooperation of the signer).
    Interoperability: (the applications used on either side of a communication, between trading partners and/or between internal components of an entity, are able to read and correctly interpret the information communicated from one to the other).
    Multiple Signatures: (With this feature, multiple parties are able to sign a document. Conceptually, multiple signatures are simply appended to the document.)
    Transportability: (the ability of a signed document to be transported over an insecure network to
another system, while maintaining the
integrity of the document, including
content, signatures, signature attributes,
and (if present) document attributes)

142.310

142.310

(d) (4)

142.310

(d) (6)

142.310

(d) (7)

(d) (5)

74

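The integrity control and message authentication features of the communications/network controls row above (142.308 (d)(1)), with a failed check producing the kind of record an audit trail, alarm or event report would carry, as an added worked example in Go using only the standard library. This is not code from this report or from the rule text; the shared key, the sample payload and the audit-record layout are assumptions constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Envelope is the unit that crosses the network: the payload plus the
// message authentication code (MAC) the sender computed over it.
type Envelope struct {
	Payload []byte
	MAC     []byte
}

// AuditEvent is one audit-trail record. A rejection is also the signal an
// alarm or event-reporting mechanism would raise to the operator.
type AuditEvent struct {
	Time    time.Time
	Outcome string // "accepted" or "rejected"
	Reason  string
	Digest  string // SHA-256 of the payload, so the trail records no health data itself
}

// Protect computes HMAC-SHA256 over the payload with a key shared between the
// two communicating systems. The MAC binds the payload: any change to the bytes
// in transit changes the expected MAC, which is the integrity control.
func Protect(key, payload []byte) Envelope {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return Envelope{Payload: payload, MAC: m.Sum(nil)}
}

// Verify recomputes the MAC on the receiving side and compares it in constant
// time (hmac.Equal), so response timing does not reveal how many bytes matched.
// It reports whether the message is accepted and returns the audit-trail event.
func Verify(key []byte, env Envelope) (bool, AuditEvent) {
	m := hmac.New(sha256.New, key)
	m.Write(env.Payload)
	expected := m.Sum(nil)
	sum := sha256.Sum256(env.Payload)
	ev := AuditEvent{Time: time.Now().UTC(), Digest: hex.EncodeToString(sum[:])}
	if !hmac.Equal(expected, env.MAC) {
		ev.Outcome, ev.Reason = "rejected", "message authentication code mismatch"
		return false, ev
	}
	ev.Outcome, ev.Reason = "accepted", "integrity and origin verified"
	return true, ev
}

// NewKey draws a fresh 256-bit shared key. In a deployment the key is
// provisioned to both ends out of band, never sent with the message.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message for the demonstration; not real patient data.
	env := Protect(key, []byte(`{"mrn":"EXAMPLE-0001","note":"follow-up in 2 weeks"}`))
	ok, ev := Verify(key, env)
	fmt.Println(ok, ev.Outcome)

	// Simulate alteration in transit: flip one bit of the payload.
	tampered := env
	tampered.Payload = append([]byte(nil), env.Payload...)
	tampered.Payload[len(tampered.Payload)-3] ^= 0x01
	ok, ev = Verify(key, tampered)
	fmt.Println(ok, ev.Outcome, ev.Reason)
}
```

A MAC proves the message came from a holder of the shared key and was not altered, which covers 142.308 (d)(1)(i)(A) and (B). Because both ends hold the same key, it cannot show which of them produced the message, so it does not give the nonrepudiation that the 142.310 electronic signature standard asks for; that needs an asymmetric signature.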
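The electronic signature features of 142.310 listed above (message integrity, user authentication and nonrepudiation; ability to add attributes; countersignatures; independent verifiability; multiple signatures; transportability), as an added worked example in Go with the standard library's Ed25519 implementation. It is not code from this report or from any standard; the signer names, the JSON envelope, the time-stamp and role attributes, and the trust store of public keys are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TrustStore maps a signer name to the public key the verifier already trusts.
type TrustStore map[string]ed25519.PublicKey

// Signature is one appended signature record. The attributes (time stamp, role)
// are signed together with the document, so they cannot be changed afterwards.
type Signature struct {
	Signer    string    `json:"signer"`
	PublicKey []byte    `json:"public_key"`
	Time      time.Time `json:"time"`
	Role      string    `json:"role"`
	// Countersigns is -1 for an independent signature, or the index of an
	// earlier signature this one covers, which proves the order of application.
	Countersigns int    `json:"countersigns"`
	Sig          []byte `json:"sig"`
}

// SignedDocument is the transportable unit: content plus appended signatures.
type SignedDocument struct {
	Content    []byte      `json:"content"`
	Signatures []Signature `json:"signatures"`
}

// toBeSigned builds the bytes a signature covers: the content, the signature's
// own attributes and, for a countersignature, the earlier signature's bytes.
func (d *SignedDocument) toBeSigned(s Signature) []byte {
	tbs := struct {
		Content  []byte
		Signer   string
		Role     string
		Time     time.Time
		PriorSig []byte
	}{d.Content, s.Signer, s.Role, s.Time, nil}
	if s.Countersigns >= 0 {
		tbs.PriorSig = d.Signatures[s.Countersigns].Sig
	}
	b, _ := json.Marshal(tbs)
	return b
}

// Sign appends a signature. countersigns is -1 for an independent signature or
// the index of an existing signature to countersign.
func (d *SignedDocument) Sign(signer, role string, priv ed25519.PrivateKey, countersigns int) error {
	if countersigns >= len(d.Signatures) {
		return errors.New("countersignature target does not exist")
	}
	s := Signature{Signer: signer, Role: role, Time: time.Now().UTC(), Countersigns: countersigns,
		PublicKey: []byte(priv.Public().(ed25519.PublicKey))}
	s.Sig = ed25519.Sign(priv, d.toBeSigned(s))
	d.Signatures = append(d.Signatures, s)
	return nil
}

// VerifyAll checks every signature with public keys only, so no cooperation from
// the signers is needed. The key carried in the document must match the trust
// store; a transported document cannot vouch for its own keys.
func (d *SignedDocument) VerifyAll(trusted TrustStore) error {
	for i, s := range d.Signatures {
		pub, ok := trusted[s.Signer]
		if !ok || !bytes.Equal(pub, s.PublicKey) {
			return fmt.Errorf("signature %d: unknown or mismatched key for %s", i, s.Signer)
		}
		if s.Countersigns >= i {
			return fmt.Errorf("signature %d: countersignature must cover an earlier signature", i)
		}
		if !ed25519.Verify(pub, d.toBeSigned(s), s.Sig) {
			return fmt.Errorf("signature %d by %s does not verify", i, s.Signer)
		}
	}
	return nil
}

// Transport serialises the document for an insecure network and parses it again;
// content, signatures and attributes travel together and are re-verified after.
func Transport(d *SignedDocument) (*SignedDocument, error) {
	wire, err := json.Marshal(d)
	if err != nil {
		return nil, err
	}
	var out SignedDocument
	if err := json.Unmarshal(wire, &out); err != nil {
		return nil, err
	}
	return &out, nil
}

// GenerateKeyPair creates a fresh Ed25519 key pair for one signer.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	// Constructed signers and content; not from any real system.
	pubA, privA := GenerateKeyPair()
	pubB, privB := GenerateKeyPair()
	trusted := TrustStore{"dr.resident": pubA, "dr.attending": pubB}
	doc := &SignedDocument{Content: []byte("Discharge summary (constructed example)")}
	doc.Sign("dr.resident", "author", privA, -1)   // first signature
	doc.Sign("dr.attending", "reviewer", privB, 0) // countersigns signature 0
	received, err := Transport(doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("after transport:", received.VerifyAll(trusted))
	received.Content = append(received.Content, '!') // alteration in transit
	fmt.Println("after tampering:", received.VerifyAll(trusted))
}
```

Verification needs only public keys, which is the independent verifiability feature, and revealing a public key does not weaken the signer's ability to sign again, which is the continuity feature. Interoperability is not shown here: it depends on both sides agreeing on the envelope format, which this example fixes as JSON for its own two ends only.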
45 CFR Part 164

Volume: 1
Date: 2010-10-01
Original Date: 2010-10-01
Title: Appendix A to Subpart C of Part 164 - Security Standards: Matrix
Context: Title 45 - Public Welfare. SUBTITLE A - DEPARTMENT OF HEALTH AND HUMAN SERVICES. SUB CHAPTER C - ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS. PART 164 - SECURITY AND PRIVACY. Subpart C - Security Standards for the Protection of Electronic Protected Health Information.
Pt. 164, Subpt. C, App. A - Appendix A to Subpart C of Part 164 - Security Standards: Matrix

Columns: Standards; Sections; Implementation Specifications (R)=Required, (A)=Addressable

Administrative Safeguards
- Security Management Process, 164.308(a)(1): Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
- Assigned Security Responsibility, 164.308(a)(2): (R)
- Workforce Security, 164.308(a)(3): Authorization and/or Supervision (A); Workforce Clearance Procedure; Termination Procedures (A)
- Information Access Management, 164.308(a)(4): Isolating Health care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)
- Security Awareness and Training, 164.308(a)(5): Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
- Security Incident Procedures, 164.308(a)(6): Response and Reporting (R)
- Contingency Plan, 164.308(a)(7): Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
- Evaluation, 164.308(a)(8): (R)
- Business Associate Contracts and Other Arrangement, 164.308(b)(1): Written Contract or Other Arrangement (R)

Physical Safeguards
- Facility Access Controls, 164.310(a)(1): Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
- Workstation Use, 164.310(b): (R)
- Workstation Security, 164.310(c): (R)
- Device and Media Controls, 164.310(d)(1): Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

Technical Safeguards (see 164.312)
- Access Control, 164.312(a)(1): Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
- Audit Controls, 164.312(b): (R)
- Integrity, 164.312(c)(1): Mechanism to Authenticate Electronic Protected Health Information (A)
- Person or Entity Authentication, 164.312(d): (R)
- Transmission Security, 164.312(e)(1): Integrity Controls (A); Encryption (A)

[http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/xml/CFR-2010-title45-vol1-part164-subpartC-appA.xml]
