by Dr. J.D. – a physician and plaintiff’s attorney, practicing in the Northeast

There is a lot of good that comes from EHR.

Electronic records allow an unprecedented capacity for continuity of care. Tele-medicine permits consults not just across the country but across the world. Just not having to physically transcribe notes saves time. E-prescribing eliminates calls from pharmacies unable to decipher handwriting. Legibility itself prevents many lawsuits.

In fact, as revealed in a 2008 study in the Archives of Internal Medicine, malpractice payouts correlate inversely with EHR use. The authors cited improved follow-up and legibility among the factors that not only reduced adverse outcomes but also made physicians more defensible if they were sued.

On the other hand, EHR carries new risks as the flip side to every advantageous coin.

Records that are beautifully templated and perfectly legible can also be laden with pages of irrelevant repetitions, creating a noise: signal problem that can mask important changes.

The perfect tracking of who accessed the record and when they did so and what changes were made can lead to serious questions about a physician’s own conduct.

Prompts that are designed to ensure that abnormal results are followed-up on and alerts that can avert adverse medication reactions can actually be ignored in a sea of data.

Prescriptions that can be generated with a single click can lead to serious errors because they are being done with a degree of automaticity that having to refer to a paper chart would have avoided.

Since EHR is now a fact of medical life, it is necessary to understand and avoid the liability risks it creates.

Let’s start with the simple fact that the established laws of medical liability make no allowance for new platforms or the need for increased speed. Your duties are the same as those that applied when all medical reports were hand-written.

In that setting, very ordinary practices take on new shadings.

For example, EHR is time-stamped, while hand-written notes are not unless the doctor chooses to include that information. Time-stamping is also fully discoverable. The common practice of completing notes at the end of the day is therefore now open to challenge – did you actually remember critical facts about the patient so many hours later? The actual amount of time spent on the encounter with the patient can also come back to haunt the doctor if it looks very short and there is an adverse outcome.

EHR also creates a trail of access and modification, a true “digital fingerprint”. Whether you actually looked at the chart when you answered a patient question through a portal or when you renewed a medication is now a recorded event.

This is also why malpractice carriers now advise doctors who have just found out that they are being sued to not immediately review the record and to instead wait for a hard copy from the carrier. They do not want the defendant doctor to be questioned as to whether they actually had doubts about the care they rendered, which a sudden review of the chart would suggest.

Probably the most significant liability pitfall that arises from EHR is one of a “dulling of the senses”.

This can happen when the efficiency of the system begins to be perceived as thoroughness.

For example, many e-prescribing systems do not link the medication alert system with the patient’s lab results. The fact that a system is in place that will signal adverse reactions between drugs can lead to a sense of complacency about checking the patient’s most recent test results before renewing. A developing condition – one that may in fact make the medication now dangerous, such as developing renal dysfunction – can be missed because the “smartness” of the system encouraged human complacency.

Conversely, “alert fatigue” can lead to errors. An EHR system that is generating up to 150 alerts a day about matters ranging from redundancy to suggested follow-up to dosage discrepancies to drug interactions simply starts getting ignored.

Meanwhile, in both of these settings there is discoverable digital proof that the red flag was, in fact, waved.

There is also the very serious problem of “cloning”. The cutting and pasting of notes can lead to original lapses merely being replicated and developing problems being literally “lost in the sauce” of documenting what is now irrelevant.

There is also the problem of being drowned in e-information.

There is simply now an increased expectation that you will actually see and evaluate every scintilla of information that reaches you, and that you will do so quickly. This is far beyond the constructive imputing of knowledge to a physician, as, for example, when results sent out from a lab by mail are deemed as being promptly received by the doctor. This, instead, is information that provably reached the doctor at a specific time and date so that the doctor is held responsible for knowing it from that point on.

…And then there is HIPAA, which explicitly extends the principles of common law confidentiality to electronically-transmitted information.

PHI must be appropriately guarded and new technologies that make information transfer very easy can come into direct conflict with that, sometimes in obvious ways and sometimes in ways that a non-technowonk would never anticipate.

An example of the former is text messaging. You would never leave an unsealed envelope containing patient records for a colleague but have you made sure that your text-message system is encrypted, since you are just as unable to make sure that the recipient end is secure in that setting as well?

An example of the latter is Dropbox, which is not HIPAA-compliant because even though file contents are encrypted file titles are not and those file titles contain PHI. You would recognize that taking files to the hospital cafeteria where anyone glancing at the closed folders can read their titles would be an absolute breach of confidentiality, but picking up the fine distinctions about Dropbox is not nearly as clear.

The liability associated with HIPAA lapses can be significant. A recent high-profile case involved a $100,000 fine paid by a group that had posted patient appointment information on an online calendar that the general public could see and had not set up safeguards of patient privacy or trained its staff.

So, in a world that is no more going to be going back to the paper and pencil in terms of medical records than it is to horse-drawn carts in terms of transportation, what can you do to limit your liability?

First and foremost, do not let your frustration or your worry get the better of you. You do not have to like the transition to EHR, but you can keep it in its proper perspective.

Approach it calmly and assess whether your conduct in a given situation meets essential standards.

1. Select your system to match the needs of your practice.

This should take into account such practical issues as your daily patient volume, whether you practice in a primary care area or are a specialist receiving referrals, and the size of your staff and the degree to which records use is delegated.

In making such a choice, consider risks and benefits. For example, picking a system with auto-populated fields is a great time saver for the average patient but it carries a propensity for not recording needed facts, which is medicolegally risky.

2. Select a system to match your own personal preferences.

For example, as simple a matter as whether a change is recorded as a note at the end of the record or as a new note can make an enormous difference in how fluid your transition to your new system will be.

You should not be pounding the round peg of your accustomed habits into the square hole of your EHR system because that will lead to liability-producing lapses.

3. Do not try to keep a parallel paper “shadow” system going.

The dangerous implications for continuity of care both within your practice and in dealing with referrers are clear when you are using “two sets of books”.

It is not a question of if information will not be properly brought over when needed but when and how often it will occur,.

It is a true danger for your patients and a huge medicolegal risk for you.

A commitment to EHR must be a commitment to a uniform restructuring of how you document, store and transmit information.

4. Tailor your system to meet your practical needs.

For example, if you use a patient portal, stipulate clear restrictions on how long it will usually take for information sent through it to be reviewed, or if your system has medication alerts set those as to relevancy so that, for example, your primarily geriatric practice will not be inundated with alerts based on pregnancy risk.

However, never engage in “e-self help” by disabling elements like alerts or the audit trail function. The plaintiff bar is very savvy as to what a given system will include, and should there be an adverse event that an alert would have addressed you will be asked why you never saw it. Evidence that you eliminated the way that your access to the record is documented will simply look like a cover-up.

5. Bear in mind that electronic information-sharing has changed the scope of what the “official medical record” is for the purpose of discoverability.

Everything that comes in carrying an informational trail of its own is now deemed part of your record.

You therefore need to review what comes in, even if it looks routine, because the fact that you have it is discoverable.

Your personal comments are part of the discoverable record as well. For example, adding in “I have to catch a plane.” to a texted request for stat results can be enough for a plaintiff to leverage into a claim that you did not take the time to evaluate the facts of their case properly if there is a later adverse result.

Therefore, remember to keep your professional barriers up and that even if a contact is done the same way as a friendly message that you are actually creating the medical record just as much as if you were writing in a paper chart.

6. Do not alter the form of data.

For example, an image sent in color should be entered in color. Save e-mails and texted pages as they are – do not paraphrase or excerpt them and then discard the original.

No amount of space that you save is worth a lawsuit or the inability to defend against one.

7. Do not rely on the system to write your note for you.

This is particularly relevant to auto-populated systems that then require the physician to either use a drop-down menu or free-texting to alter the standard “normal” that the system has supplied.

It is essential that you do not try to make the facts conform to the listing, either by discounting a discrepancy from normal so that you can use the auto-populated response or by trying to conform what you did find to the closest choice that the drop-down menu pre-supplies.

The apparently minor issue of today that you exclude to save a bit of time may be the first step in a situation that will end in a lawsuit and your records will look like you never made the finding when, in fact, you did.

Changing to an electronic system does not change the first rule of documenting: If you don’t write it down, it never happened.

In other words, if you would have written something with a pen on paper in the past, you should be free-texting it now.

8. Avoid cutting and pasting.

Many defense attorneys feel so strongly about this that they actually recommend having the function disabled, but it is not necessary to go that far.

What is necessary is that you make sure that your note represents your actual actions in the care of the patient.

You will be liable for any errors or omissions that you “clone” into your own note. For example, it will not help in your defense that you actually knew from your own taking of the history that your patient came from a family with serious cardiovascular risk factors if you have simply copied over someone else’s history note that does not include that fact. You will simply have no proof of what you knew.

Over-documenting by cutting and pasting, creating multi-page notes when a hand-written one would have taken less than two sides of a single sheet is also to be avoided. Not only does it not make you more defensible, it actually makes you look indiscriminate. It makes it more difficult to demonstrate your actual clinical judgment.

Cutting and pasting should be reserved for hard data and for necessary quotes from consultants, and both uses should be coupled to your own discussion of why those facts matter.

9. Do not leave out non-verbal material that you would include in a hand-written chart.

For example, drawing a diagram for a patient is not just good medical practice but also excellent conduct from the point of view of later defensibility, since it shows that you spent time explaining the procedure in a personalized way. Therefore, that diagram should always be scanned into the electronic record.

10. Always keep HIPAA in mind.

This applies to both the Security Rule that relates to electronically-stored/transmitted information and the Privacy Rule that codifies common law confidentiality as to all records.

In this regard, reasonable common-sense steps can give your practice significant protection.

For example:

(i) Make sure that your system is specifically listed as HIPAA-compliant.

(ii) Make sure that you get up-to-date information from your patients as to their contact information.

(iii) Make sure that you get up-to-date information from your patients as to who may permissibly have access to their PHI, and establish an office policy (in writing – so that it can proved) for your staff to consult such lists before any release of PHI.

(iv) Limit staff access to PHI to a need-to-know basis and do not use shared passwords.

(v) Avoid PHI leaving the office on a laptop or handheld device and, if such is necessary, make sure that it is encrypted.

(vi) Make sure that the device that PHI is on is maintained securely, even if the information on it is encrypted. For example, don’t check a device containing PHI in with your luggage when you fly and certainly do not leave it in your car or lend it out to your kids.

(vii) Since you know that it is possible that the patient end of an e-mail communication will not be secure, set up a patient portal system that is password-protected and encrypted instead for your patient communications.

(viii) Keep a record showing that you kept abreast of, and implemented, any corrections or improvements to your system that the vendor provided. This is critical in both preventing inadvertent breaches and in defending yourself if a breach still occurs despite your documented efforts to stay current. Simply put, if a patch is available and you use it properly and are still nevertheless breached, you have a very strong defense, but if you did not apply it and were breached as a result, you will be deemed to have been knowingly operating a vulnerable system and may be liable for substantial damages.

11. Train your staff.

They are your legal agents. You are vicariously liable for their conduct and can also be directly liable for negligent supervision of them.

They must use your system as you want it to be used.

In summary: Advances in medical information technology can make patient care more efficient and far safer but they also carry unique liability risks, risks that increase when the system rather than the user is the driver. Physicians can take commonsense steps to limit this problem.