By Neil Chesanow
EHRs Are Full of Legal Risks
Many physicians are so concerned about being sued for malpractice that they routinely order unnecessary tests and procedures to practice defensive medicine. And yet, when it comes to legal risks in using their electronic health records (EHRs), their concern is often nonexistent, experts assert.
Many doctors use their EHRs in nonstandard ways, without considering how this may affect them in a liability suit. Or they gloss over other aspects of using an EHR.
“Every aspect of EHR selection, implementation, and use may be examined in the course of medical malpractice discovery to uncover the source of the incident, or undermine the records that are being presented in defense of the malpractice claim,” warns Ronald B. Sterling, CPA, MBA, an EHR expert in Silver Spring, Maryland, and author of Keys to EMR Success.
“Anything could be a malpractice issue,” Sterling says, “from the product itself, to the way it was set up, to how you’ve been using it.”
Are your EHR practices setting you up for a rude awakening should a patient sue you for malpractice? Let’s take a look.
Who’s to Blame if Your EHR Doesn’t Work Properly?
Sometimes EHRs don’t function properly owing to design flaws or bugs. For example, data you enter into the opening screen may fail to populate the fields of other screens correctly, or authorized software upgrades may alter the presentation of historical data that you’ve entered, Sterling says.
If problems related to bugs in a faulty product figure into a malpractice suit, who is ultimately responsible for the EHR’s performance?
To understand who is liable for an EHR’s bugs and flaws, Sterling likes to use the analogy of purchasing a hammer to build a house. You can ask the salesperson for advice on how to use the hammer, he says, but if the house then comes out lopsided, whose fault is that?
“The Health Insurance Portability and Accountability Act (HIPAA) specifically states that the healthcare provider is the covered entity responsible for maintaining the integrity of the patient’s medical record — not the EHR vendor, not the consultant, not the systems integrator,” he says.
“A doctor can be held liable because most vendors’ contracts essentially say, ‘We do not practice medicine; it is up to the physician to make sure this EHR is being used correctly.’ Practices must understand what they’re using and verify that the system is appropriately set up to document the care they provide.”
If you find bugs or flaws, contact the vendor and insist that the glitches be fixed, Sterling advises. Vendors may be more responsive than many doctors assume. And document each attempt to get the vendor to fix buggy software, so that you have a record of trying to remedy the situation.
Look at it from the perspective of a plaintiff attorney. If you didn’t know about the flaw, why not? Didn’t you sign a contract saying that you understood how the EHR worked? If you did know about the flaw and made no attempt to get it fixed, then, it could be argued, you knowingly jeopardized your patients.
Copying and Pasting Text: Tempting, but Dangerous
Many doctors complain that an EHR slows them down. To regain some of that lost time, they may use shortcuts, such as cutting and pasting lengthy patient histories from one electronic chart to another. How might this affect a malpractice case against you?
Sharona Hoffman, JD, Professor of Law & Bioethics at Case Western Reserve University School of Law in Cleveland, Ohio, and an expert on the potential pitfalls of EHR use in liability suits, says that copying and pasting information from one electronic record to another is among the worst things you can do, clinically as well as legally. “It seems to be happening at a fever pitch today,” she laments.
One problem is that incorrect or outdated patient information may be copied from one record to another, which can undermine a malpractice defense. Another is that copied and pasted information can make patient histories so lengthy that it can be difficult for the doctor, or other clinicians, to quickly locate relevant facts.
“You should see the five-page garbage I get from other MDs’ EHRs when I request patient records,” one doctor told Medscape. “They are nothing but electronic copy-and-paste junk and add nothing to patient care.”
In addition, large blocks of text repeatedly copied in the EHR are easily revealed by a plaintiff attorney in the discovery phase of a malpractice suit. It suggests that you were not really engaged in patient care and may cast doubt on anything else you may say in your defense, Hoffman points out.
“Case law establishes that physicians can be held liable for harm that could have been averted had they more carefully studied their patients’ medical records,” Hoffman wrote in the Berkeley Technology Law Journal.[1] “For example, Short v. United States involved a patient whose doctor failed to diagnose his prostate cancer in time for it to be cured. The court held that under Vermont law, the physician violated the standard of care by failing to review the patient’s past visit notes, which would have elucidated the nature of his problem.”
For all the problems it can cause, cutting and pasting just isn’t worth it, Hoffman contends. Many experts urge doctors to disable the feature.
Passwords Can Be a Problem in Court
Many physicians feel that the security requirements recommended to protect patient records are too onerous. Password sharing is a case in point. Especially in a small practice, where staffers are like family, forcing everyone to use a separate password, and changing passwords at regular intervals, may seem like overkill. Is it a good idea for everyone to use the same password?
The answer is no. Steven Waldren, MD, senior strategist at the American Academy of Family Physicians, recently told Medscape that rather than being under the radar, small physician practices are among the most vulnerable to hackers and identity thieves.[2]
Employees may be unwitting accomplices by using a password-protected EHR computer to download videos or music during lunch or after hours, creating an open door for hackers — “a rich new environment for cyber criminals to exploit,” according to the FBI.[2] You can learn who is doing this if each staffer has a separate password. If everyone uses the same password, lots of luck.
“Disclosure of psychiatric or sexual histories or other sensitive information … leads to profound embarrassment, ruined careers, or loss of professional and personal opportunities,” Sharona Hoffman writes.[1] “These, in turn, can generate litigation against those responsible for security breaches.”
Last April, Medscape reported that physicians can expect criminals to increasingly target their EHRs for patient information that they can sell on the black market for $50 per chart.[2] Identity thieves can use patient data to obtain free medical care, including prescription drugs, or open new credit accounts. They also can use pilfered information about a physician to file bogus insurance claims.
HIPAA mandates that you notify affected patients following the discovery of a breach of unsecured protected health information. “If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its Website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside,” the law says.[3] If the breach affects more than 500 residents, you must send a press release to appropriate media outlets serving the protected area.
Keep in mind that every entry, correction, or emendation to patient information is recorded in the EHR, as well as the time and date it was made and who made it. If a password registered to you is used by several staffers, it may make it seem as though you changed patient records in ways that you didn’t authorize or even know about — until a plaintiff attorney raises the issue in discovery.
Ignore Clinical Decision Support at Your Peril
Clinical decision support (CDS) — which includes drug/drug and drug-allergy alerts — is an EHR’s most annoying feature, as many doctors see it. They bridle at a computer telling them how to practice medicine, and the unending stream of alerts, many unnecessary, can be irritating.
As a result, many doctors click through CDS recommendations and alerts with barely a glance, override them, set higher thresholds that trigger alerts to reduce their number, or don’t install the CDS module for their EHRs in the first place.
An EHR records how much time you spend reading alerts. If it’s virtually nil, and something happens to a patient as a result, you may have a problem in court, Sterling says.
Even if you’re a hospital employee and the hospital turns off some drug alerts, a plaintiff attorney may show that one of those alerts might have prevented injury to a client and, in discovery, may ask why such a valuable tool isn’t being used, Sharona Hoffman says. You may think, “Not my problem.” But think again. Both the hospital and an individual physician may be jointly sued.
Pitfalls of Using an EHR in Nonstandard Ways
Many EHRs are touted as being highly customizable, and many doctors purchase an EHR with the idea of tinkering and tweaking to get it just right for their practices. And most EHRs can indeed be customized — if you know what you’re doing. If you don’t, and you get sued, it could harm you in court.
“‘Customization’ means different things, depending on the product you’re using,” says Sterling, the EHR consultant. “Some products actually allow me to go in and change the nature of the product so it isn’t doing what it was supposed to do as advertised, and/or I use the product in a nonstandard way, so it doesn’t do what it’s supposed to be doing. If you’re not using it in a way that maintains patient information in a reliable way, you could run into a problem.”
Say you bypass the way the EHR is designed to have information entered, he offers by way of example. “Instead of checking off a box that says the patient is allergic to penicillin, I put that into a note,” he says. “The system’s not going to be smart enough to figure out the note to know that the patient’s allergic to penicillin. If the patient has a serious emergent problem, and he needs to see me in three months so I can check on the status of the problem, if I type that into the note, it’s not something the system will track. It’s not something the system will manage, and therefore it’s not information that’s going to be used.”
“If something bad happened, and I were being investigated for a claim of medical professional liability, plaintiff attorneys are going to look at it and say, ‘Were you using the system as it was intended?’” Sterling elaborates. “If I say, ‘I don’t fill out this form that came with the system; I have my own form,’ the lawyers will say, ‘Oh, really? Well, did you know that your form isn’t used by the system to figure out whether you do CDS rules, which can trigger care items? The patient should have had this, or the patient should have had that.’”
“If you don’t check the right boxes to trigger those events, they’re not going to happen,” Sterling continues. “Therefore, the system’s not going to inform you that you need to check on this patient’s A1c level because he’s diabetic or check on that patient’s glaucoma because she has an eye pressure problem. If used in a nonstandard way, the system isn’t smart enough to figure how to trigger these alerts, and therefore you may not have been staying on top of patient care.”
“The problem is not doing the customization,” he adds. “The problem is doing the customization so that it works. Everyone sits there and says, ‘Oh, it’s so easy to do.’ But sometimes it’s not so easy.”