The Joint Commission Standards (2-3 page paper w/cover page & reference page)

focus on the Information Management (IM) standards (see attachment). Choose 5 of the IM standards and discuss how you would ensure compliance with these 5 standards. Include steps for a process for each standard that would help to ensure compliance. 

Things to think about:

-Who would be involved one the process?

-What type of resources are needed to comply with the standard?

-How does the standard specifically relate to Healthcare Information Management (HIM) and how should the HIM Department be involved in the process? 

Effective Date: August 25, 2014

Chapter: Information Management

Overview:
Every episode of care generates health information that must be
managed systematically by the organization. All data and
information used by the organization are categorized, filed, and
maintained. The system should accurately capture health
information generated by the delivery of care, treatment, or
services. Health information should be accessed by authorized users
who will use health information to provide safe, quality care.
Unauthorized access can be limited by the adoption of policies that
address the privacy, security, and integrity of health information.

Depending on the type of organization, the system used for
information management may be basic or sophisticated. As
technology develops, many organizations find their information
management systems in a state of transition from paper to fully
electronic or a combination of the two. Regardless of the type of
system used, these standards are designed to be equally compatible
with noncomputerized systems and evolving technologies.

About This Chapter:
As with other chapters, planning is the initial focus of “Information
Management” (IM). A well planned system meets the internal and
external information needs of the organization with efficiency and
accuracy. Planning also provides for continuity in the event that the
organization’s operations are disrupted or fail. The organization also
plans to protect the privacy, security, and integrity of the data and
information it collects, which results in preserving confidentiality.
The chapter concludes with a standard on maintaining accurate
health information.

Requirements in this chapter apply to all types of information
managed by the organization, unless the requirement specifically
limits the type of information to health information. Refer to the
Glossary for a definition of health information.

Chapter Outline:

Program: Ambulatory

Page 1 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

I. Planning for Management of Information (IM.01.01.01,
IM.01.01.03)

II. Health Information

A. Protecting the Privacy of Health Information (IM.02.01.01,
IM.02.01.03)

B. Capturing, Storing, and Retrieving Data (IM.02.02.01,
IM.02.02.03)

III. Knowledge-Based Information (IM.03.01.01)

IV. Monitoring Data and Health Information Management Processes
(IM.04.01.01)

EP Attributes Icon Legend:
CMS CMS Crosswalk

EP Criticality level is 1 – Immediate Threat to
Health or Safety

A EP belongs to Scoring Category ‘A’ EP Criticality level is 2 – Situational Decision
Rules

C EP belongs to Scoring Category ‘C’ EP Criticality level is 3 – Direct Impact.

M EP requires Measure of Success D Documentation is required

ESP-1 EP applies to Early Survey Option NEW EP is new or changed as of the selected effective
date.

© 2014 The Joint Commission, © 2014 Joint Commission Resources
E-dition is a registered trademark of The Joint Commission

Page 2 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

Chapter: Information Management

IM.01.01.01: The organization plans for managing information.

Rationale: Not applicable.

Introduction: Introduction to Standard IM.01.01.01
Planning is the most critical part of the organization’s information
management process and requires the collaborative involvement of all
levels and areas of the organization. The organization’s plan for
information management considers the full spectrum of data generated
and used by the organization; financial data, human resources data,
supply inventories, and health information are examples of the different
types of data that are considered in the information management
planning process. Planning for the management of information does not
necessarily result in a single, comprehensive written information
management plan; however, planning does establish clear relationships
between the organization’s needs and its goals. In addition to the
organization’s goals, the organization’s mission, services, staff, patient
safety practices, modes of service delivery, resources, and technology
are considered during the information management planning process.

The flow of information within the organization, as well as to and from
external organizations, is another important consideration for
information management planning. Planning takes into account the data
and information required to support relationships with outside providers,
services, contractors, purchasers, and payers. By identifying internal and
external information needs, organizations can make information
available when and where it is needed. Organizations that understand
the flow of information can achieve efficient data collection and
distribution, along with effective security of health information.

Elements of Performance

1 The organization identifies the internal and external information
needed to provide safe, quality care.

EP Attributes

New FSA CMS MOS CR DOC SC ESP

– Information
Technology

A ESP-1

Program: Ambulatory

Page 3 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

2 The organization identifies how data and information enter, flow within,
and leave the organization.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
A ESP-1

3 The organization uses the identified information to guide development
of processes to manage information.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
A ESP-1

4 Staff and licensed independent practitioners, selected by the
organization, participate in the assessment, selection, integration, and
use of information management systems for the delivery of care,
treatment, or services.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology

A

© 2014 The Joint Commission, © 2014 Joint Commission Resources
E-dition is a registered trademark of The Joint Commission

Page 4 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

Chapter: Information Management

IM.01.01.03: The organization plans for continuity of its
information management processes.

Rationale: Not applicable.

Introduction: Introduction to Standard IM.01.01.03
The primary goal of the information continuity process is to return the
organization to normal operations as soon as possible with minimal
downtime and no data loss. The organization needs to be prepared for
events that could impact the availability of data and information
regardless of whether interruptions are scheduled or unscheduled (due
to a local or regional disaster or an emergency). Interruptions to an
organization’s information system can potentially have a devastating
impact on its ability to deliver quality care and continue its business
operations. Planning for emergency situations helps the organization
mitigate the impact that interruptions, emergencies, and disasters have
on its ability to manage information. The organization plans for
interruptions by training staff on alternative procedures, testing the
organization’s Emergency Management Plan, conducting regularly
scheduled data backups, and testing data restoration procedures.

Regardless of whether an organization uses a paper-based system or an
electronic system, a plan to address the process for information
continuity, including knowledge-based information, should be in place.
Organizations that plan for maintaining access to electronic information
systems by using various electronic backup and restore procedures can
quickly recover from interruptions with minimal downtime and data loss.
Elements of Performance

1 The organization has a written plan for managing interruptions to its
information processes (paper-based, electronic, or a mix of paper-
based and electronic). (See also EM.01.01.01, EP 6)
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology

D A ESP-1

2 The organization’s plan for managing interruptions to information
processes addresses the following: Scheduled and unscheduled

Program: Ambulatory

Page 5 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

interruptions of electronic information systems. (See also IM.03.01.01,
EP 1; EM.01.01.01, EP 6)
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
A ESP-1

3 The organization’s plan for managing interruptions to information
processes addresses the following: Training for staff and licensed
independent practitioners on alternative procedures to follow when
electronic information systems are unavailable. (See also EM.01.01.01,
EP 6)
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
A ESP-1

4 The organization’s plan for managing interruptions to information
processes addresses the following: Backup of electronic information
systems. (See also EM.01.01.01, EP 6)
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
A ESP-1

5 The organization’s plan for managing interruptions to electronic
information processes is tested for effectiveness according to time
frames defined by the organization.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
A

6 The organization implements its plan for managing interruptions to
information processes to maintain access to information needed for
patient care, treatment, or services. (See also IM.03.01.01, EP 1)
EP Attributes

Page 6 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
A
© 2014 The Joint Commission, © 2014 Joint Commission Resources
E-dition is a registered trademark of The Joint Commission

Page 7 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

Chapter: Information Management

IM.02.01.01: The organization protects the privacy of health
information.

Rationale: Not applicable.

Introduction: Introduction to Standard IM.02.01.01
The privacy of health information is a critical information management
concern. Privacy of health information applies to electronic, paper, and
verbal communications. Protecting the privacy of health information is
the responsibility of the entire organization. Organizations protect
privacy by limiting the use of information to only what is needed to
provide care, treatment, or services.

Privacy, along with security, results in the confidentiality of health
information. Health information is kept confidential when the information
is secure (kept from intentional harm) and its use is limited (privacy).
The end result of protecting the security and privacy of the information
system is the preservation of confidentiality. To illustrate this
relationship, confidentiality is violated in situations when a patient’s
health information is used or accessed by an individual who does not
have permission to access the information or uses it for purposes outside
of delivering care, treatment, or services. A confidentiality violation
occurs when an individual is able to bypass security measures and
systems to gain access to health information. *

Footnote *: For additional guidance about limiting the use of
information, refer to 45 CFR 164.502(b) and 164.514(d) under
“Minimum Necessary” within the Health Insurance Portability and
Accountability Act of 1996 (HIPAA).
Elements of Performance

1 The organization has a written policy addressing the privacy of health
information. (See also RI.01.01.01, EP 7)
Note: For ambulatory surgical centers that elect to use The Joint
Commission deemed status option: The organization must comply with
Section 45 of the Code of Federal Regulations parts 160 and 164,

generally known as the Health Insurance Portability and Accountability
Act (HIPAA) Privacy and Security Rules.
EP Attributes

Program: Ambulatory

Page 8 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

New FSA CMS MOS CR DOC SC ESP
– Information
Technology

§416.50(g) D A ESP-1

2 The organization implements its policy on the privacy of health
information. (See also RI.01.01.01, EP 7)
Note: For ambulatory surgical centers that elect to use The Joint
Commission deemed status option: The organization must comply with
Section 45 of the Code of Federal Regulations parts 160 and 164,
generally known as the Health Insurance Portability and Accountability
Act (HIPAA) Privacy and Security Rules.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology

§416.50(g) A

3 The organization uses health information only for purposes permitted
by law and regulation or as further limited by its policy on privacy.
(See also MM.01.01.01, EP 1; RI.01.01.01, EP 7)
Note: For ambulatory surgical centers that elect to use The Joint
Commission deemed status option: The organization must comply with
Section 45 of the Code of Federal Regulations parts 160 and 164,
generally known as the Health Insurance Portability and Accountability
Act (HIPAA) Privacy and Security Rules.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
§416.50(g) A

4 The organization discloses health information only as authorized by the
patient or as otherwise consistent with law and regulation. (See also
RI.01.01.01, EP 7)
Note: For ambulatory surgical centers that elect to use The Joint
Commission deemed status option: The organization must comply with
Section 45 of the Code of Federal Regulations parts 160 and 164,
generally known as the Health Insurance Portability and Accountability
Act (HIPAA) Privacy and Security Rules.
EP Attributes

New FSA CMS MOS CR DOC SC ESP

Page 9 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

– Information
Technology
§416.50(g) A

5 The organization monitors compliance with its policy on the privacy of
health information. (See also RI.01.01.01, EP 7)
Note: For ambulatory surgical centers that elect to use The Joint
Commission deemed status option: The organization must comply with
Section 45 of the Code of Federal Regulations parts 160 and 164,
generally known as the Health Insurance Portability and Accountability
Act (HIPAA) Privacy and Security Rules.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
§416.50(g) A
© 2014 The Joint Commission, © 2014 Joint Commission Resources
E-dition is a registered trademark of The Joint Commission

Page 10 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

Chapter: Information Management

IM.02.01.03: The organization maintains the security and
integrity of health information.

Rationale: Not applicable.

Introduction: Introduction to Standard IM.02.01.03
The integrity and security of health information are closely related.
Health information is collected and processed through various
information sources and systems throughout the organization. As a
result, breaches in security can lead to the unauthorized disclosure or
alteration of health information. When this occurs, the integrity of the
data and information is compromised. Even simple mistakes, such as
writing the incorrect date of service or diagnosis, can undermine data
integrity just as easily as intentional breaches. For these reasons, an
examination of the use of paper and electronic information systems is
considered in the organization’s approach to maintaining the security
and integrity of health information. Regardless of the type of system,
security measures should address the use of security levels, passwords,
and other forms of controlled access. Because information technology
and its associated security measures are continuously changing, the
organization should do its best to stay informed about technological
developments and best practices that can help it improve information
security and therefore protect data integrity.

Monitoring access to health information can help organizations be
vigilant about protecting health information security. Regular security
audits can identify system vulnerabilities in addition to security policy
violations. For example, as part of the process, the organization could
identify system users who have altered, edited, or deleted information.
The results from this audit process can be used to validate that user
permissions are appropriately set. Conducting security audits can be
particularly effective in identifying when employee turnover causes
vulnerabilities in security because user access and permissions were not
removed or updated.
Elements of Performance

1 The organization has a written policy that addresses the security of
health information, including access, use, and disclosure.
Note: For ambulatory surgical centers that elect to use The Joint
Commission deemed status option: The organization must comply with
Section 45 of the Code of Federal Regulations parts 160 and 164,

Program: Ambulatory

Page 11 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

generally known as the Health Insurance Portability and Accountability
Act (HIPAA) Privacy and Security Rules.
EP Attributes
New FSA CMS MOS CR DOC SC ESP
– Information
Technology
§416.50(g) D A ESP-1

2 The organization has a written policy addressing the integrity of health
information against loss, damage, unauthorized alteration,
unintentional change, and accidental destruction.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
D A ESP-1

3 The organization has a written policy addressing the intentional
destruction of health information.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
D A ESP-1

4 The organization has a written policy that defines when and by whom
the removal of health information is permitted.
Note: Removal refers to those actions that place health information
outside the organization’s control.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology

§416.47(a) D A ESP-1

5 The organization protects against unauthorized access, use, and
disclosure of health information.
Note: For ambulatory surgical centers that elect to use The Joint
Commission deemed status option: The organization must comply with
Section 45 of the Code of Federal Regulations parts 160 and 164,
generally known as the Health Insurance Portability and Accountability
Act (HIPAA) Privacy and Security Rules.

Page 12 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

EP Attributes
New FSA CMS MOS CR DOC SC ESP
– Information
Technology

§416.50(g)

C

6 The organization protects health information against loss, damage,
unauthorized alteration, unintentional change, and accidental
destruction.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
C

7 The organization controls the intentional destruction of health
information.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
A

8 The organization monitors compliance with its policies on the security
and integrity of health information.
Note: For ambulatory surgical centers that elect to use The Joint
Commission deemed status option: The organization must comply with
Section 45 of the Code of Federal Regulations parts 160 and 164,
generally known as the Health Insurance Portability and Accountability
Act (HIPAA) Privacy and Security Rules.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
§416.50(g) A
© 2014 The Joint Commission, © 2014 Joint Commission Resources
E-dition is a registered trademark of The Joint Commission

Page 13 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

Chapter: Information Management

IM.02.02.01: The organization effectively manages the collection
of health information.
Rationale: Within the organization, health information can come from
multiple sources. The use of standardized formats and terminology can
help clarify information that is used by different individuals for various
purposes. Capturing data in standardized language can lead to greater
data integrity and reliability, as well as an increased potential for ease of
use by internal and external systems and users. The more consistent the
organization’s efforts are to capture accurate data in standardized
language, the more likely the organization will be to rely on that data for
patient-related purposes, including reimbursement, risk management,
performance improvement, and infection surveillance.

Introduction: Not applicable

Elements of Performance

1 The organization uses uniform data sets to standardize data collection
throughout the organization.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
A

2 The organization uses standardized terminology, definitions,
abbreviations, acronyms, symbols, and dose designations.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
D A ESP-1

3 The organization follows its list of prohibited abbreviations, acronyms,
symbols, and dose designations, which includes the following:
– U,u
– IU
– Q.D., QD, q.d., qd
– Q.O.D., QOD, q.o.d, qod

Program: Ambulatory

Page 14 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

– Trailing zero (X.0 mg)
– Lack of leading zero (.X mg)
– MS
– MSO4
– MgSO4
Note 1: A trailing zero may be used only when required to demonstrate
the level of precision of the value being reported, such as for
laboratory results, imaging studies that report the size of lesions, or
catheter/tube sizes. It may not be used in medication orders or other
medication-related documentation.
Note 2: The prohibited list applies to all orders, preprinted forms, and
medication-related documentation. Medication-related documentation
can be either handwritten or electronic.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology

M C

© 2014 The Joint Commission, © 2014 Joint Commission Resources
E-dition is a registered trademark of The Joint Commission

Page 15 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

Chapter: Information Management

IM.02.02.03: The organization retrieves, disseminates, and
transmits health information in useful formats.
Rationale: The ease of use of health information between systems and
users contributes to its potential usefulness within the organization and
for external reporting purposes. Data stored in different formats cannot
easily be converted to a new format or transferred to other organizations
or providers. For example, immediate access to infection control data
can impact patient safety within the organization and outside of the
organization. As more organizations automate various processes and
activities, these systems need to allow for transmitting and receiving
critical data while maintaining data integrity.
Introduction: Introduction to Standard IM.02.02.03
Standardizing the collection of data, a concept that is supported by the
requirements of Standard IM.02.02.03, helps with the effective
dissemination of data and information. Consistency in data collection
systems (paper-based, electronic, or a combination) creates the
foundation for retrieving and disseminating data and information in the
most useful format. For information about data collection and
dissemination, visit the websites of the Office of the National Coordinator
for Health Information Technology (ONC) (http://www.healthit.gov/) and
the Certification Commission for Healthcare Information Technology
(CCHIT) (http://www.cchit.org).
Elements of Performance

2 The organization’s storage and retrieval systems make health
information accessible when needed for patient care, treatment, or
services. (See also IC.01.02.01, EP 1)
EP Attributes

New FSA CMS MOS CR DOC SC ESP
– Information
Technology

§416.47(a) A

3 The organization disseminates data and information in useful formats
within time frames that are defined by the organization and
consistent with law and regulation.
EP Attributes

Program: Ambulatory

Page 16 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

New FSA CMS MOS CR DOC SC ESP
– Information
Technology
M C

13 For organizations in California that provide computed tomography
(CT) services: The organization complies with radiation event
reporting requirements specified in section 115113 of the California
Health and Safety Code.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
M C
© 2014 The Joint Commission, © 2014 Joint Commission Resources
E-dition is a registered trademark of The Joint Commission

Page 17 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

Chapter: Information Management

IM.03.01.01: Knowledge-based information resources are
available, current, and authoritative.

Rationale: Not applicable.
Introduction: Not applicable
Elements of Performance

1 The organization provides access to knowledge-based information
resources during hours of operation. (See also IM.01.01.03, EPs 2 and
6)
EP Attributes

New FSA CMS MOS CR DOC SC ESP
A
© 2014 The Joint Commission, © 2014 Joint Commission Resources
E-dition is a registered trademark of The Joint Commission
Program: Ambulatory

Page 18 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…

Chapter: Information Management

IM.04.01.01: The organization maintains accurate health
information.
Rationale: The integrity and quality of health information influences the
usefulness and effectiveness of all internal and downstream systems, as
well as external reporting. When the integrity of the data has been
compromised, additional resources will be needed to scan the data and
correct errors. Inaccurate data can lead to poor decision making.
Introduction: Not applicable

Elements of Performance

1 The organization has processes to check the accuracy of health
information.
EP Attributes

New FSA CMS MOS CR DOC SC ESP
A ESP-1
© 2014 The Joint Commission, © 2014 Joint Commission Resources
E-dition is a registered trademark of The Joint Commission
Program: Ambulatory

Page 19 of 19Print Chapter

9/17/2014https://e-dition.jcrinc.com/Common/PopUps/PrintChapter.aspx?rwndrnd=0.704197965932…