by Denita Neal, JD
Ms. Neal is a Risk Manager for Professional Risk Management Services, Inc., Arlington, Virginia.

Innov Clin Neurosci. 2011;8(6):43–45

Disclaimer: This ongoing column is dedicated to providing information to our readers on managing legal risks associated with medical practice. We invite questions from our readers. The answers are provided by PRMS, Inc. (www.prms.com), a manager of medical professional liability insurance programs with services that include risk management consultation, education and onsite risk management audits, and other resources to healthcare providers to help improve patient outcomes and reduce professional liability risk. The answers published in this column represent those of only one risk management consulting company. Other risk management consulting companies or insurance carriers may provide different advice, and readers should take this into consideration. The information in this column does not constitute legal advice. For legal advice, contact your personal attorney. Note: The information and recommendations in this article are applicable to physicians and other healthcare professionals so “clinician” is used to indicate all treatment team members.

Question: The size of my medical practice has nearly doubled over the last few years, so I have decided to invest in an electronic records system. While I am optimistic about the prospect of streamlining the documentation process, I am also concerned about professional liability. Are there any special issues I should consider as I move forward?

Answer:

The many benefits of electronic health records (EHRs)* are evident and they include comprehensive and legible records, clinical decision support such as safety alerts, and remote access to records. These benefits should translate into improved quality of care and improved patient safety, which in turn, should lead to decreased professional liability claims. However, history has shown that medical innovations are frequently accompanied by new risks. Accordingly, physicians must keep the potential for harm to patients in mind and must actively manage the potential liability risks associated with EHRs.

Choosing an EHR system

The first step is to understand the various types of systems. One way to approach the various EHR systems available is to consider where the data resides, or more specifically, where the servers (on which the data is stored) are located.

Physician-hosted system. Under this system, the EHR data is stored on the physician’s own servers. In addition to purchasing the hardware (including servers) and software, the physician is responsible for maintenance, security, and data backup. While the data remains under the control of the physician, vendors can include a disabling code in their software. This means that in the event of a dispute (such as one involving a price dispute), the vendor can hold the data hostage.

Remotely hosted system. Under this system, the EHR data is stored on another entity’s servers. This other entity is responsible for storing the data and would also be responsible for maintenance, security, and data backup. The data is under the control of the third party (owner of the servers where the data are stored) rather than under the control of the physician. Generally speaking, there are the following three types of remotely hosted EHR systems:

Subsidized system. Under this system, an entity with whom the physician has a relationship, such as a hospital, subsidizes the financing for the EHR. Typically the subsidizing entity’s servers are utilized, rather than the physician’s, so the physician does not have control over the data. Important considerations include legal concerns (e.g., antitrust/anti-kickback issues), particularly with subsidies from hospitals, and ownership of the data if the relationship changes, such as the physician moves or no longer participates in the health insurance plan.

Dedicated hosted system. Under this system, the physician does not store the EHR data on his/her own servers. Rather, the data is stored on the vendor’s dedicated servers. While the physician does not have control in terms of data storage, the data is stored on servers in specific, known physical locations.

Cloud system (internet-based computing). Under this system, the physician does not store the EHR data on his/her own servers, but rather the vendor stores the data on the internet (in the clouds). Such vendors are called “SaaS” (software as a service) providers, which were formerly known as “ASPs” (application service providers). The physician’s computers do not have the EHR software, but rather the software is accessed through the vendor’s website. Vendors who offer the online software tend to move the data frequently, so the physician may not know where the data is located, other than “somewhere in the clouds.” The physician does not have control of the data and does not have control over when the data is moved or where it is moved.

Cloud systems present several causes for concern as related to professional liability. First, the vendor often controls the data both during and after the contract period, a fact which may compromise physician (therefore patient) access to the information. Further, the “click and agree” online agreements may not provide for negotiation on terms and therefore may not actually meet physicians’ clinical practice needs.
The final and perhaps most costly aspect of online agreements is that indemnification and other provisions may contractually obligate physicians to liabilities beyond what is covered under medical professional liability policies, so physicians should thoroughly understand what they are agreeing to and obtain legal advice if any of the provisions are not clear.

Contractual matters associated with choosing an EHR system

After gaining some understanding of the various types of EHR systems, physicians must then consider contractual matters and how they will affect clinical practice. While there are many business aspects to choosing an EHR system, the following basic points may be worth considering in terms of minimizing professional liability exposure related to EHRs.

Ownership—Who owns the data? Good documentation supports quality patient care and is a physician’s primary means of demonstrating the practice of responsible medicine during the course of treatment. Courts view a carefully kept treatment record as a clinician’s written testimony. Therefore, it is paramount that physicians clarify ownership of patient medical records at the outset of any EHR vendor relationship. Failure to do so could result in the harm to patients when their records are not readily available for continuation of care, personal litigation, disability claims, or other uses. In addition, physicians face increased liability should they attempt to defend themselves against medical malpractice liability claims in the absence of medical records.

Operational problems. Operational considerations such as clinical support tools and system failures affect patient care and therefore medical malpractice liability. For example, drug interaction alerts, while incredibly useful, may be based on out-of-date information, a fact that has the potential to greatly harm patients. Under the learned intermediary legal theory, physicians rather than vendors are responsible for identifying errors that could lead to patient harm. System failure is an operational concern that may render physicians unable to respond quickly and effectively to recover data when it is most needed. In spite of the physician’s lack of control over the failure, indemnification clauses in contracts may shift liability to the physician who may not have insurance coverage for the stated liability risk. Moreover, gag orders in vendor’s contract could prevent physicians from sharing concerns, including patient safety concerns, even with other users of the product such as hospitals.

Termination issues. Physicians should plan for what will happen to their EHR data should the vendor go insolvent or the contract is otherwise terminated. As mentioned earlier, medical records serve as physicians’ defense testimony when they are faced with medical malpractice lawsuits or even medical board complaints.

Obsolete technology. Efforts should be made to choose an EHR system that will be compatible with other systems in the event of termination or vendor’s insolvency.

Confidentiality and security issues. Any EHR system should contain safeguards to ensure the confidentiality, security, and integrity of the clinical records. To ensure physicians are able to meet the obligations to maintain records in a confidential and secure manner, physicians need to understand exactly where their EHR data will be stored (during and after the contract period with the vendor), who will have access to the data, and for what purpose. Physicians should be aware of applicable laws and choose vendors who comply with state law requirements, federal Health Insurance Portability and Accountability Act (HIPAA) requirements, and federal Health Information Technology for Economic and Clinical Health Act (HITECH) requirements. Covered providers under HIPAA should have a Business Associate Agreement with the vendor; noncovered providers should have a similar confidentiality agreement.

Potential liability risks associated with using an EHR system

Once contractual issues with vendors have been settled, physicians should consider the practical uses of the system and how it may be incorporated into the existing practice. To gain improvements in clinical care and patient safety, the various technology components have to be relevant and used appropriately. For example, too many alerts, especially those that clinicians believe are irrelevant, will lead to users ignoring alerts and perhaps committing medical errors.

More on confidentiality and security. Inappropriate or unauthorized user access to EHR data creates considerable risk for liability related to breach of patient confidentiality, and portable devices are particularly vulnerable to loss, theft, and inappropriate access resulting in the need for breach notification. Employee training is the key to avoiding inappropriate access. Furthermore, physicians should ensure appropriate security protections on hardware (including portable devices) and software; an example is an automatic lock-out after a specified period of inactivity.

Data entry and integrity. Obviously, EHR output is only as accurate as the information that is entered by all of the professionals and paraprofessionals using the system. That said, cut and paste functions may render unclear the identity of the author of a specific entry. Templates may contain automatic populating features and default language that may not be applicable to individual patients. Users should, therefore, ensure that the correct information is being entered on the correct patient and that the correct author is credited with the entry. Physicians should also consider the potential for tampering and intentional or unintentional destruction of medical information. This is called spoliation and could render a physician’s defense to a medical malpractice claim inadequate or nonexistent.

Too much information. A final data integrity area to consider is whether so much information is being captured and stored that users cannot find relevant information. This can be problematic in emergency situations as well as routine treatment. One practical solution to this dilemma is to periodically print out a patient record and evaluate it for adequacy. A good medical record is one which a subsequent provider or an expert witness would be able to understand what happened during the treatment relationship and why.

Conclusion

The discussion above is far from all-encompassing, but rather is intended to provide an overview of what is currently known and specific professional liability concerns related to selecting EHR systems. Certainly there are additional practice-management and business concerns, as well as legal issues that need to be addressed. Physicians are encouraged to seek legal advice from personal counsel in addition to considering the information presented in this article.

*Note. This article uses the term EHR, which refers to an electronic health record system that is capable of easily sharing information electronically with other providers, such as hospitals or laboratories. The same principles would apply if the physician is seeking an electronic medical record (EMR) system limited to the physician’s practice and not linked with other systems.

Got your own question? To submit a question, e-mail Elizabeth Klumpp, Executive Editor, eklumpp [at] matrixmedcom [dot] com. Include “Risk Management Column” in the subject line of your e-mail. All chosen questions will be published anonymously. All questions are reviewed by the editors and are selected based upon interest, timeliness, and pertinence, as determined by the editors. There is no guarantee a submitted question will be published or answered. Questions that are not intended for publication by the authors should state this in the e-mail. Published questions are edited and may be shortened.