As one delves deeply into the details of electronic health records, technical standards, privacy compliance and vendor contracts, what starts to emerge is more a picture of legal defense than one of a system focused on patient care.
And it almost has to be that way, considering the myriad federal, state and local mandates regarding data security and information exchange, as well as the new regulations for meaningful use, standards and privacy.
Under the Health Information Technology for Economic and Clinical Health (HITECH) Act in the 2009 stimulus law, updates to the Health Information Portability and Accountability Act (HIPAA) require that providers and their business associates focus on defending information disclosures against privacy risks, then documenting how they do it. Organizations that want to be eligible for EHR incentive payments under meaningful use will have to account for how they achieve those criteria. And doctors and hospitals will have to make sure their contracts with vendors spell out in writing exactly what those EHR systems should be doing to facilitate information exchange and protect privacy.
It adds up to a rigorous defense system, in case anything goes wrong with the EHRs, a data breach occurs, or a patient is harmed during care. Health information technology has changed the legal landscape for hospitals, not just clinical care, according to Mike Slovis, counsel with Cunningham Meyer & Vedrine in Chicago. “It’s taken the focus away from the medicine and put it on the electronic record,” he said.
Slovis spoke during the 2010 Legal EHR Summit, hosted by the American Health Information Management Association. The two-day conference explored the legal issues surrounding health IT, electronic records, and the ways providers and their legal teams are managing the new requirements. He is working on a malpractice case with NorthShore University HealthSystem in Evanston, Ill., where a patient sued following a two-month hospital stay during which he lost the use of his arms and legs.
The suit has been ongoing for more than a year, and most of its arguments and complications have focused on what information the electronic record contains, how to retrieve it and which way to format it; as well as on following the audit trails to see who accessed the information, and when. In addition, as information was added to the record, older versions of the data were saved over, which also creates complications in the courtroom when an attorney is trying to explain the patient’s history, Slovis said.
With all the different screens viewed by doctors, nurses and other medical staff when they cared for the patient, printing out the entire record filled four boxes with paper, Slovis said. In addition, other methods of trying to view the EHR have led to more questions about how data is presented in an electronic chart and how to interpret it. It’s a struggle for the patient’s lawyers too, who must try to understand all the nuances of the electronic record, he added. “It’s really hard for them to determine if there’s negligence or not.”
It’s not just providers being called on to defend electronic systems. Vendors also can be summoned to explain the technology, said Teresa Bunsen, chief privacy officer and senior director of health information record services for NorthShore. Questions about source codes, the product platform and definitions embedded in the EHR have come up in this case, too. “It’s gotten that technical in order to answer some of their questions,” she said.
When it comes to malpractice defense, juries are interested in hearing the narrative of a patient event: They want to know what happened, when and why, according to Patricia King, associate general counsel for Swedish Covenant Hospital in Chicago, who also spoke during the summit. “If the medical record doesn’t present a clear case, defense counsel might not be able to do that.”