Legal risks of going paperless
■ Electronic medical records are meant to save time and money, but they also can create liability issues for doctors.
- WITH THIS STORY:
- » How to reduce EMR liability
Defense attorney Catherine J. Flynn knows how electronic medical records can overwhelm — and often change — the course of a medical liability lawsuit.
In one of her cases, a New Jersey doctor being sued for medical negligence has been accused by a plaintiff's attorney of modifying a patient's electronic history. A printing glitch caused the problem, Flynn said, but the accusation has meant extra time and defense costs. Computer screen shots were reviewed, more evidence was gathered and additional arguments were made.
“This has taken a life of its own, and we've done virtually no discovery on the medical aspects of the case,” she said. “The cost of the e-discovery alone is in excess of $50,000.”
System breaches. Modification allegations. E-discovery demands. These issues are becoming common courtroom themes as physicians transition from paper to EMRs, legal experts say. Not only are EMRs becoming part of medical negligence lawsuits, they are creating additional liability.
Across the country, the move from paper to electronically stored health data is growing. The 2009 federal stimulus package provided federal funds for the creation of a health information technology infrastructure. Health professionals can receive up to $44,000 for Medicare or nearly $64,000 for Medicaid by adopting electronic medical records.
Studies are mixed about how EMRs will impact liability for physicians. A 2010 survey by Conning Research and Consulting, an insurance industry research firm, found that most insurers believe medical claims will rise during the move from paper to electronic records. Lawsuits probably will decrease after an adjustment period, the study said. A report in the Nov. 18, 2010, issue of The New England Journal of Medicine said doctors should expect a varied landscape of liability risks and benefits as EMR adoption unfolds.
Whatever the future holds for EMRs, it's important that doctors reduce their liability risks during system implementation, legal experts say. Being aware of potential legal pitfalls prevents doctors from falling victim to technology intended to do good — not cause hardship.
“It's all about the system that's in place and the integrity of that system,” Flynn said. “You can only do what the system allows you to do. If you have a good system in place, then the doctors are protected — even from themselves.”
The burden of breaches
Data breaches are among the most common reasons that electronically stored information lands doctors in court, said Lisa Gallagher, senior director for privacy and security at the Health Information and Management Systems Society, which advocates health information technology.
For example, thieves broke into the Sacramento, Calif., office of hospital system Sutter Health in October 2011, stealing monitors and a laptop containing the health information of 4 million people. Patients sued, claiming Sutter violated the state's Confidentiality of Medical Information Act. The law regulates medical data disclosures and negligent storage practices. At this article's deadline, an attorney for the plaintiffs had not returned calls seeking comment.
The Sutter Health data security office was encrypting its computers when the theft occurred, the company said in a statement.
Though federal law regulates Health Insurance Portability and Accountability Act violations and subsequent notification rules, state laws vary on reporting regulations for data breaches. Some state laws cover all electronic data, while others, such as California's, are aimed at health data.
Knowing what your state requires in the event of a data breach is essential, especially because of potential legal snares, said Richmond, Va., attorney Jonathan M. Joseph, author of Data Breach Notification Laws: A Fifty State Survey. For instance, if a New Jersey physician treats a patient from another state and a breach occurs, the doctor could be subject to notification rules in the patient's state as well as his or her own, Joseph said.
Police investigations during breaches are another challenge. Law enforcement agencies may ask doctors to delay reporting a breach to patients to not taint the investigation. Some states allow doctors immunity if they do not immediately alert patients because of an agency's request, Joseph said. But some states do not give doctors a break on notification rules.
“The problem with that is that many [investigations] may take months, and you may have to sit and ask yourself, 'Are people going to be harmed?'” he said. “You have to think, 'Should I hold onto the information, or will I be liable?'”
EMRs and new tort claims
In Oregon, health professionals have won a court victory in a data breach case. Paul v. Providence posed significant questions about how far a medical professional's responsibility extends after data is stolen.
Some patients in Oregon sued Providence Health System in 2009 after computer disks were stolen from a medical office employee's car. The disks contained unencrypted records for 365,000 patients. Patients said that because of the theft, they were exposed to past and future out-of-pocket losses associated with monitoring credit reports, and expenses associated with credit damage. A trial court ruled that the plaintiffs did not have a valid claim under state law. The plaintiffs appealed to the state's Supreme Court.
The Oregon Medical Assn., and the Litigation Center of the American Medical Association and the State Medical Societies, expressed concern that if the plaintiffs prevailed, the decision could create a new claim against doctors.
“Plaintiffs in this case ask this court to recognize a new common law tort making health care providers liable in negligence for purely economic losses and emotional distress damages arising out of the theft of patient information from health care providers, in the absence of physical injury,” the Litigation Center said in a brief to the Oregon Supreme Court. “There are strong policy reasons against the creation of liability in these circumstances, especially the chilling effect it could have on the broader use of electronic medical records, which make this a subject more appropriately addressed in the legislative process.”
The Oregon Supreme Court on Feb. 24 ruled the plaintiffs could not sue Providence because the patients failed to show anyone actually viewed or used their personal information.
“Although plaintiffs allege that an unknown person stole digital records containing plaintiffs' information from defendant employee's car, they do not allege that the thief or any third person actually used plaintiffs' information in any way that caused financial harm or emotional distress to them,” the court wrote.
The court said the plaintiffs' claim for future financial harm also was invalid because a “threat” of future physical harm on its own, is not sufficient to constitute an actionable injury.
The decision protects health professionals from unwarranted lawsuits, said Gwen Dayton, legal counsel for the Oregon Medical Assn.
The Oregon opinion is consistent with other states' rulings in similar cases, justices said. However, states such as Maine have allowed plaintiffs to sue over personal information that is used for identify theft purposes, thus causing present financial injury.
Encrypting record systems is key to preventing possible breaches, along with recognizing any suspicious system activity, Gallagher said. “You want to be monitoring your network and [putting] technical controls in place,” she said.
E-discovery is a growing area of concern, said Joshua R. Cohen, a medical liability attorney and president of the New York State Medical Defense Bar Assn. While legal requests once entailed only paper records, attorneys are now seeking every accessible electronic record, including films, lab reports, emails and phone records.
“Plaintiffs are trying to use e-discovery as a weapon of mass discovery,” Cohen said.
A 2011 ruling in New York highlights how e-discovery creates a burden for doctors.
During a lawsuit against St. Luke's Hospital Roosevelt Center, a debate arose about whether the plaintiff should be allowed access to screen shots from a doctor's computer. Joan Bowman, who sued the hospital for wrongful death on behalf of her husband, wanted to see a computer template used to aid physicians in diagnoses. The hospital said the request was overly broad and oppressive.
But the Supreme Court of the State of New York ordered the release of the screen shots.
“Defendant doctors testified that they utilized these materials in coming to their diagnosis,” Judge Alice Schlesinger wrote. “It is not a stretch to allow counsel to see and understand these materials.”
At this article's deadline, the hospital's attorney had not returned messages seeking comment.
The case sets a precedent, said Susan Dennehy, Bowman's attorney.
“If others want to see screen shots from records, I think they'll rely on this case,” she said. “It was important to see where the template led you if you put in an inaccurate chief complaint.”
New Jersey attorney Michael A. Moroney said expenses can rise dramatically because of massive e-discovery requests. In some cases, practices must hire outside teams to sift through archived records, said Moroney, who counsels doctors on the legal challenges of EMRs.
“There's a ton of time involved,” he said. “There's the attorney's time and then the medical staff themselves. It means we're spending tens of thousands of dollars fighting over stuff before we even get to the merits of the case.”
Steering clear of legal problems
Flynn has seen more plaintiff attorneys accusing doctors of modifying electronic records, even when the changes were made innocently. It's essential to have a system that does not allow changes after a certain amount of time, she said. If modifications are allowed, the systems should show that doctors made efforts to be transparent.
Login passwords can create liability. Cohen had a case where a physician provided his login password to a resident and gave him permission to update a patient's chart while the physician was out of town. When a claim arose, it appeared that the absent doctor updated the record.
“It makes it look sloppy,” Cohen said. “Before, the [absent] doctor wouldn't even have been involved in the lawsuit. Now, it creates a question of fact that we have to explain.”
Doctors are busy in their daily practice, but making time to take preventive steps now may save them from EMR liability later.
“The best thing doctors can do is be ahead of the curve,” Moroney said. “Because when the day comes that you are served with a complaint, one of the first things the court is going to look at is, 'How good of a policy did you have, and could you have prevented this?'”