OPINION - Records are an important part of making sure information is available when it is needed but it is often overlooked.
Records can show compliance with laws and regulations and are one of the main sources of information used by auditors, tribunals and courts to verify that an individual has been cared for appropriately.
However, record keeping and information management systems can often be overlooked particularly when a provider’s capacity and resources are stretched.
Now more than ever, the risks arising from remote working, dependence on agency staff and increased absenteeism make information management an essential part of planning for business continuity.
Strong information management systems also provide the foundation for continuous improvement and high quality, safe service delivery.
Information management and the NDIS Practice Standards
Under the National Disability Insurance Scheme (NDIS) providers generally need to meet record keeping requirements.
Registered NDIS providers that are subject to the Core Module must have an information management system in place that is relevant and proportionate to the size and scale of the organisation.
The systems must record all client information in an accurate and timely way.
Providers must ensure that documents are stored with appropriate use, access, transfer, storage, retrieval, retention destruction and disposal processes relevant and proportionate to the scope and complexity of supports delivered.
Good progress noting supports high quality care
Progress notes are fundamental to high quality care and services.
These notes capture progress towards a client’s goals, implementation of support plans and provide a record of events during each appointment or shift. This enables staff, carers and others to identify, communicate and coordinate around the needs of the client.
Quality care requires quality information. Whether considered from the perspective of care delivery, NDIS quality audits, or legal protection, a well written record is a provider’s best evidence to show that services have been delivered properly and that the client has been cared for appropriately.
Ensuring quality information requires providers to establish and adhere to good record keeping practices.
For example, does your organisation provide guidance to staff on minimum expectations for records? Are the records consistent across the services you deliver and easy to access and review?
Progress noting principles
The following principles apply generally to all progress noting, clinical records, reports and planning documents:
Write legibly and always use a pen if note keeping is done by hand (never use pencil).
If note keeping is done by hand and corrections or deletions are required, rule a line through the error, write the correction and initial the change. Make sure the original entry is still readable. Never erase or use whiteout.
Document observations and actions accurately; clearly state facts of the situation (e.g. what you saw or did or what the client said).
Use language with which you are familiar and comfortable – do not use technical terms unless you (and those who will read it) know what it means.
Record all relevant information as completely and concisely as possible. Be brief, simple and to the point. Avoid 'padding' and exaggerations. Quality is more important than quantity.
Record observations, events and conversations as soon as possible after they occur. Timely recording improves the accuracy and completeness of what is captured.
Enter the date and time and sign all entries in the record. Develop and follow consistent protocols for date and time format, use of initials, position designations and other identifiers in the record.
Where services are delivered to multiple clients in the same environment, make sure each client’s record is clearly distinguishable; make sure the record is for the correct client before making an entry, particularly where noting healthcare and medication issues.
Check previous entries, particularly progress notes. This ensures continuity, coordination and follow-ups on care issues.
Avoid the use of jargon or abbreviations. Develop and follow guidance on accepted abbreviations.
Where the information may be relevant to progress reports or care planning, consider the audience:
What do they want or need to know?
What are you trying to say?
What, if anything, are you asking to be done?
Steps for effective information management
The best practice standards for information security management systems are set out in the International Organization for Standardization’s ISO 27001.
While NDIS providers are not required to obtain ISO 27001 certification, it offers a useful framework of measures and controls that can be tailored to what is relevant and proportionate to an organisation or provider.
At a high level, the steps for effective information management in ISO 27001 require that:
There is an ‘Inventory of Information Assets’ that records anything where information is stored, processed or accessible (including IT hardware, software, people and physical files) and owners of those ‘assets’.
Information that is collected and kept is classified according to the organisation’s classification system.
Information is labelled.
Information is handled in a secure way according to organisational procedures for its classification type.
Classifying and handling information
Procedures for handling information should be developed and implemented in accordance with the organisation’s information classification scheme.
What is an appropriate classification depends on your business, but should be relevant to operations and proportionate to the nature of information handled.
Generally, information is classified by reference to legal requirements, value (or risk) to the organisation, and consequences (for example, sanctions) for unauthorised disclosure or modification.
Shifts in the workplace, such as remote working, transition of staff and/or clients, are a good catalyst to remind staff and stakeholders of organisational requirements and personal responsibility for protecting personal information and privacy.
At a minimum, the information management system must set out what and how personal information is collected (with consent), classified and handled, as well as the controls for protecting from loss, destruction, disposal and unauthorised access or disclosure of the records that hold such information, in accordance with the Australian Privacy Principles, Privacy Act 1988 and other legal requirements that may apply.
Remember any record containing personal information is subject to high standards of confidentiality and integrity.
You should also make sure that each client understands what personal information is collected, gives informed consent to its collection and that your organisation’s confidentiality policies are communicated in a way that the client is most likely to understand.
The system should also document ‘access controls’ that clarify who needs to access, know, and use information of different classification types and who is authorised to edit or destroy records.
Access control rules should be supported by formal procedures and defined responsibilities and may need to be reviewed (or removed) based on changes in roles (particularly where staff leave the organisation).
What is ‘relevant and proportionate’?
A number of systems that the NDIS Quality Indicator Guidelines require providers to establish and maintain (including information management) are described as needing to be relevant and proportionate to the scope and complexity of supports delivered and the size and scale of the organisation.
Unfortunately, there is no further guidance on what is relevant and proportionate to matters of size, scale, scope and complexity.
Generally, a larger organisation with many staff will require more comprehensive and detailed procedures, whereas a small organisation that operates with a few thoroughly experienced staff that cover the breadth of operations may not need the same level of detail.
Considerations that are relevant to issues of size, scale, scope and complexity, include but are not limited to:
What is the ‘span of control’ within your organisation? What are the factors influencing the span of control (e.g. ratio of managers to supervised staff, high numbers of new staff)?
What needs to be documented to ensure enough documentation is available to address typical activities in the day-to-day working environment?
What is needed to provide accountability for how supports are delivered and decisions that are made?
Is, or will the organisation be, registered to provide ‘high risk’ supports (high intensity personal activities, specialist behaviour supports or disability accommodation, early childhood interventions)?
If you would like to know more about the latest COVID-19 updates and how it is impacting the disability sector visit our dedicated COVID-19 information page.
What would you like to know more about? Tell us in the comments below or send an email to [email protected].
This commentary is general in nature and provided for informational purposes only. It is not intended to be comprehensive and does not constitute legal advice. You should seek legal or other professional advice or consult with the appropriate government authority if you are unsure about how the issues raised in this commentary apply to the circumstances of your business.
Kai Sinor is a legal practitioner and former Assistant Director for Compliance at the NDIS Quality and Safeguards Commission. He specialises in regulatory matters and has worked across a variety of social justice and regulatory issues for the past decade. Kai is a Senior Lawyer at MPS Law, where he provides legal services to NDIS providers on compliance, corporate and commercial matters.