Positive Outlook - Issue 8.0 - Nov 2014

EHRs Are Full of Legal Risks

Many physicians are so concerned about being sued for malpractice that they routinely order unnecessary tests and procedures to practice defensive medicine. And yet, when it comes to legal risks in using their electronic health records (EHRs), their concern is often nonexistent, experts assert.

Many doctors use their EHRs in nonstandard ways, without considering how this may affect them in a liability suit. Or they gloss over other aspects of using an EHR.

"Every aspect of EHR selection, implementation, and use may be examined in the course of medical malpractice discovery to uncover the source of the incident, or undermine the records that are being presented in defense of the malpractice claim," warns Ronald B. Sterling, CPA, MBA, an EHR expert in Silver Spring, Maryland, and author of Keys to EMR Success.

"Anything could be a malpractice issue," Sterling says, "from the product itself, to the way it was set up, to how you've been using it."

Are your EHR practices setting you up for a rude awakening should a patient sue you for malpractice? Let's take a look.

Who's to Blame if Your EHR Doesn't Work Properly?
Sometimes EHRs don't function properly owing to design flaws or bugs. For example, data you enter into the opening screen may fail to populate the fields of other screens correctly, or authorized software upgrades may alter the presentation of historical data that you've entered, Sterling says.

If problems related to bugs in a faulty product figure into a malpractice suit, who is ultimately responsible for the EHR's performance?

To understand who is liable for an EHR's bugs and flaws, Sterling likes to use the analogy of purchasing a hammer to build a house. You can ask the salesperson for advice on how to use the hammer, he says, but if the house then comes out lopsided, whose fault is that?

"The Health Insurance Portability and Accountability Act (HIPAA) specifically states that the healthcare provider is the covered entity responsible for maintaining the integrity of the patient's medical record -- not the EHR vendor, not the consultant, not the systems integrator," he says.

"A doctor can be held liable because most vendors' contracts essentially say, 'We do not practice medicine; it is up to the physician to make sure this EHR is being used correctly.' Practices must understand what they're using and verify that the system is appropriately set up to document the care they provide."

If you find bugs or flaws, contact the vendor and insist that the glitches be fixed, Sterling advises. Vendors may be more responsive than many doctors assume. And document each attempt to get the vendor to fix buggy software, so that you have a record of trying to remedy the situation.

Look at it from the perspective of a plaintiff attorney. If you didn't know about the flaw, why not? Didn't you sign a contract saying that you understood how the EHR worked? If you did know about the flaw and made no attempt to get it fixed, then, it could be argued, you knowingly jeopardized your patients.

Copying and Pasting Text: Tempting, but Dangerous
Many doctors complain that an EHR slows them down. To regain some of that lost time, they may use shortcuts, such as cutting and pasting lengthy patient histories from one electronic chart to another. How might this affect a malpractice case against you?

Sharona Hoffman, JD, Professor of Law & Bioethics at Case Western Reserve University School of Law in Cleveland, Ohio, and an expert on the potential pitfalls of EHR use in liability suits, says that copying and pasting information from one electronic record to another is among the worst things you can do, clinically as well as legally. "It seems to be happening at a fever pitch today," she laments.

One problem is that incorrect or outdated patient information may be copied from one record to another, which can undermine a malpractice defense. Another is that copied and pasted information can make patient histories so lengthy that it can be difficult for the doctor, or other clinicians, to quickly locate relevant facts.

"You should see the five-page garbage I get from other MDs' EHRs when I request patient records," one doctor told Medscape. "They are nothing but electronic copy-and-paste junk and add nothing to patient care."

In addition, large blocks of text repeatedly copied in the EHR are easily revealed by a plaintiff attorney in the discovery phase of a malpractice suit. It suggests that you were not really engaged in patient care and may cast doubt on anything else you may say in your defense, Hoffman points out.

"Case law establishes that physicians can be held liable for harm that could have been averted had they more carefully studied their patients' medical records," Hoffman wrote in the Berkeley Technology Law Journal. [1] "For example, Short v. United States involved a patient whose doctor failed to diagnose his prostate cancer in time for it to be cured. The court held that under Vermont law, the physician violated the standard of care by failing to review the patient's past visit notes, which would have elucidated the nature of his problem."

For all the problems it can cause, cutting and pasting just isn't worth it, Hoffman contends. Many experts urge doctors to disable the feature.

Passwords Can Be a Problem in Court
Many physicians feel that the security requirements recommended to protect patient records are too onerous. Password sharing is a case in point. Especially in a small practice, where staffers are like family, forcing everyone to use a separate password, and changing passwords at regular intervals, may seem like overkill. Is it a good idea for everyone to use the same password?

The answer is no. Steven Waldren, MD, senior strategist at the American Academy of Family Physicians, recently told Medscape that rather than being under the radar, small physician practices are among the most vulnerable to hackers and identity thieves.[2]

Employees may be unwitting accomplices by using a password-protected EHR computer to download videos or music during lunch or after hours, creating an open door for hackers -- "a rich new environment for cyber criminals to exploit," according to the FBI.[2] You can learn who is doing this if each staffer has a separate password. If everyone uses the same password, lots of luck.

"Disclosure of psychiatric or sexual histories or other sensitive information ... leads to profound embarrassment, ruined careers, or loss of professional and personal opportunities," Sharona Hoffman writes.[1] "These, in turn, can generate litigation against those responsible for security breaches."

Last April, Medscape reported that physicians can expect criminals to increasingly target their EHRs for patient information that they can sell on the black market for $50 per chart.[2] Identity thieves can use patient data to obtain free medical care, including prescription drugs, or open new credit accounts. They also can use pilfered information about a physician to file bogus insurance claims.

HIPAA mandates that you notify affected patients following the discovery of a breach of unsecured protected health information. "If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its Website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside," the law says.[3] If the breach affects more than 500 residents, you must send a press release to appropriate media outlets serving the protected area.

Keep in mind that every entry, correction, or emendation to patient information is recorded in the EHR, as well as the time and date it was made and who made it. If a password registered to you is used by several staffers, it may make it seem as though you changed patient records in ways that you didn't authorize or even know about -- until a plaintiff attorney raises the issue in discovery.

Ignore Clinical Decision Support at Your Peril
Clinical decision support (CDS) -- which includes drug/drug and drug-allergy alerts -- is an EHR's most annoying feature, as many doctors see it. They bridle at a computer telling them how to practice medicine, and the unending stream of alerts, many unnecessary, can be irritating.

As a result, many doctors click through CDS recommendations and alerts with barely a glance, override them, raise the thresholds that trigger alerts to reduce their number, or don't install the CDS module for their EHRs in the first place.

An EHR records how much time you spend reading alerts. If it's virtually nil, and something happens to a patient as a result, you may have a problem in court, Sterling says.

Even if you're a hospital employee and the hospital turns off some drug alerts, a plaintiff attorney may show that one of those alerts might have prevented injury to a client and, in discovery, may ask why such a valuable tool isn't being used, Sharona Hoffman says. You may think, "Not my problem." But think again. Both the hospital and an individual physician may be jointly sued.

Pitfalls of Using an EHR in Nonstandard Ways
Many EHRs are touted as being highly customizable, and many doctors purchase an EHR with the idea of tinkering and tweaking to get it just right for their practices. And most EHRs can indeed be customized -- if you know what you're doing. If you don't, and you get sued, it could harm you in court.

"'Customization' means different things, depending on the product you're using," says Sterling, the EHR consultant. "Some products actually allow me to go in and change the nature of the product so it isn't doing what it was supposed to do as advertised, and/or I use the product in a nonstandard way, so it doesn't do what it's supposed to be doing. If you're not using it in a way that maintains patient information in a reliable way, you could run into a problem."

Say you bypass the way the EHR is designed to have information entered, he offers by way of example. "Instead of checking off a box that says the patient is allergic to penicillin, I put that into a note," he says. "The system's not going to be smart enough to figure out the note to know that the patient's allergic to penicillin. If the patient has a serious emergent problem, and he needs to see me in three months so I can check on the status of the problem, if I type that into the note, it's not something the system will track. It's not something the system will manage, and therefore it's not information that's going to be used."

"If something bad happened, and I were being investigated for a claim of medical professional liability, plaintiff attorneys are going to look at it and say, 'Were you using the system as it was intended?'" Sterling elaborates. "If I say, 'I don't fill out this form that came with the system; I have my own form,' the lawyers will say, 'Oh, really? Well, did you know that your form isn't used by the system to figure out whether you do CDS rules, which can trigger care items? The patient should have had this, or the patient should have had that.'"

"If you don't check the right boxes to trigger those events, they're not going to happen," Sterling continues. "Therefore, the system's not going to inform you that you need to check on this patient's A1c level because he's diabetic or check on that patient's glaucoma because she has an eye pressure problem. If used in a nonstandard way, the system isn't smart enough to figure how to trigger these alerts, and therefore you may not have been staying on top of patient care."

"The problem is not doing the customization," he adds. "The problem is doing the customization so that it works. Everyone sits there and says, 'Oh, it's so easy to do.' But sometimes it's not so easy."

Are EHRs Changing the Standard of Care?
A key malpractice issue is whether EHR use, particularly in conjunction with meeting meaningful use criteria issued by the Centers for Medicare & Medicaid Services (CMS), is changing the standard of care.

"In the meaningful use measures, we have an obligation to check the drug/drug and drug-allergy interaction issues of a patient," Sterling observes. "If we don't check those interactions, or if we use the system in such a way that the interactions are not properly checked, or we don't do anything with those interactions -- well, we now have close to 500,000 physicians in the United States who are doing drug/drug and drug-allergy interaction checking. So the question is: If we have 500,000 physicians in the United States doing this because of meaningful use, did that become a de facto standard of care?"

"We're really talking about two different issues here," Sterling reflects. "One is recognizing the change in standard of care that's being driven by the use of EHRs, and second is using the EHRs in a way that is going to be helpful to meet that standard of care.

"If I use my EHR in a way to meet that standard of care, I'm going to be fine. But if I don't use it in a way to meet that standard of care, then I'm going to open myself up to all kinds of problems -- and in many cases, these are going to be systemic problems," he says.

Whether the minority of doctors who still use paper charts will encounter standard-of-care issues if they get sued remains an open question. However, it is quite possible, experts believe, that a doctor's failure to use an EHR, or his failure to document by hand his review of the same information found in an EHR's CDS alerts and guidelines, could be grounds for a charge of substandard care.

Legal Consequences of Input Errors

Primary care physicians are chronically pressed for time. Studies show that entering information into an EHR takes longer than it did with paper charts.[4] As a result, many doctors feel compelled to enter data into the EHR as speedily as possible, often with the patient in the room. That's how costly mistakes are made.

Sloppy documentation takes many forms. When transferring paper records to the EHR, there may not be a place in the EHR form for every notation in a paper chart. If some information fails to be transferred, a plaintiff attorney may ask, "Did the doctor have the full picture of the patient's condition?" Sterling says. In discovery, if the paper record is still available, it may be compared with the history now in the EHR. If some information was omitted, it casts doubt on how well you could have cared for the patients without playing with a full deck.

Some doctors don't sign their notes, Sterling says, or they check boxes indicating the services performed without providing supporting documentation. As a result, a plaintiff attorney may ask, "Did you actually provide the services in the note to the patient?"

One doctor inadvertently distributed clinical notes that included inappropriate findings, such as test results that had nothing to do with the patient's condition, Sterling recalls. When the note was challenged in discovery, it cast doubt on the accuracy of the entire patient record.

"Greater access to existing diagnostic data and economic pressures to avoid duplicating tests could lead to errors from inappropriate reliance on outdated or inadequate prior testing," Hoffman writes.[1] "Mistakes may also result from data entry errors," she adds. "Clinicians may be faulted for ignoring critical prompts and alerts from decision support features."

Hoffman also points out that the use of autofill technology may exacerbate the problem of EHR inaccuracies by completing template fields when the doctor types in a letter or two. This may speed things along, but the information may be incorrect, and doctors, in their haste, may not check.

Hoffman cites a study of 60 patient records with 1891 notes from the Department of Veterans Affairs' EHR, generally regarded as one of the best.[1] It found that 84% of the notes contained at least one documentation error, and there were an average of 7.8 documentation mistakes per patient. "If such notes are not carefully edited," she writes, "old symptoms, vital signs, or test results can appear to be current, and such mistakes can create new threats to patient safety and liability exposure for clinicians."

Legally risky input errors need not be inadvertent -- just nonstandard. The journal Health Data Management reports that a family practice in Colorado found that its EHR was randomly deleting such words as "not" when the records were printed and shared with other physicians.[5] As it turned out, the clinician entering the note was an old-fashioned typist who put two spaces rather than one after a period -- once a standard practice. The extra space deleted the first word in the next sentence.

Making matters worse, the vendor knew about the problem and kept mum. Had this come out in discovery, it isn't clear who would be at fault: the vendor, the clinician, or both, experts say. But legally murky situations such as this may prompt malpractice insurers to settle a case rather than risk a bad verdict in court.

Turning Patients Into Litigants

Many doctors complain that reviewing and entering information into the EHR means that patients don't get much eye contact during their visits. This depersonalization can have legal consequences.

"Physicians who have fewer minutes to speak with and examine patients may provide lower-quality care," Sharona Hoffman writes.[1] "In addition, patients may resent the doctor's focus on the computer and apparent inattention to them and be more apt to sue if they are dissatisfied with their health outcomes."

"This concern is not theoretical," she adds.[1] "Multiple studies have shown that patients most often decide to sue when they are displeased with the quality of the physician/patient relationship and feel they cannot communicate well with their doctors."

Similarly, communicating with some patients by secure email -- a core objective of meaningful use stage 2 requirements -- can backfire. Even though patients tell surveyors that they like doctors who do secure email,[6] if you don't respond in a timely fashion -- particularly if it's an emergency -- or if the tone of your email is curt and unfriendly, or too friendly and informal, it can leave patients miffed.

"There are concerns with every single EHR feature, with every single capacity, and you need to think through them all and implement responsible stewardship," Hoffman advises. "So if you're going to communicate with patients by email, don't communicate in the same way you would with your best friend, with incomplete sentences and not a lot of thought put into it. Everything requires careful thought."


  1. Hoffman S, Podgurski A. E-health hazards: provider liability and electronic health record systems. Berkeley Technol Law J. 2009. http://btlj.org/data/articles/24_4/1523_Hoffman.pdf Accessed June 4, 2014.

  2. Lowes R. Stolen EHR charts sell for $50 each on black market. Medscape Medical News. April 28, 2014. http://www.medscape.com/viewarticle/824192 Accessed June 4, 2014.

  3. US Department of Health & Human Services. Health information privacy. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/ Accessed June 4, 2014.

  4. Poissant L, Pereira J, Tamblyn R, Kawasumi Y. The impact of electronic health records on time efficiency of physicians and nurses: a systematic review. J Am Med Inform Assoc. 2005;12:505-516.

  5. Gardner E. Why EHRs won't reduce your malpractice premiums. Health Data Management. September 30, 2013. http://www.healthdatamanagement.com/news/why-ehr-will-not-reduce-your-malpractice-premiums-46691-1.html#Login Accessed June 4, 2014.

  6. Beaulieu-Volk D. 3 ways physician-patient email helps practices. Fierce Practice Management. March 26, 2013. http://www.fiercepracticemanagement.com/story/3-ways-practices-benefit-secure-physician-patient-email/2013-03-26 Accessed June 4, 2014.