Submitted: The Two Sides Team March 7, 2013

Electronic medical records are meant to save time and money, but they also can create liability issues for doctors.
March 5 2013

by Alicia Gallegos, via AmedNews

Defense attorney Catherine J. Flynn knows how
electronic medical records can overwhelm — and often change — the course
of a medical liability lawsuit.

In one of her
cases, a New Jersey doctor being sued for medical negligence has been
accused by a plaintiff’s attorney of modifying a patient’s electronic
history. A printing glitch caused the problem, Flynn said, but the
accusation has meant extra time and defense costs. Computer screen shots
were reviewed, more evidence was gathered and additional arguments were
made.

“This has taken a life of its own, and we’ve
done virtually no discovery on the medical aspects of the case,” she
said. “The cost of the e-discovery alone is in excess of $50,000.”

System
breaches. Modification allegations. E-discovery demands. These issues
are becoming common courtroom themes as physicians transition from paper
to EMRs, legal experts say. Not only are EMRs becoming part of medical
negligence lawsuits, they are creating additional liability.

Across
the country, the move from paper to electronically stored health data
is growing. The 2009 federal stimulus package provided federal funds for
the creation of a health information technology infrastructure. Health
professionals can receive up to $44,000 for Medicare or nearly $64,000
for Medicaid by adopting electronic medical records.

Studies
are mixed about how EMRs will impact liability for physicians. A 2010
survey by Conning Research and Consulting, an insurance industry
research firm, found that most insurers believe medical claims will rise
during the move from paper to electronic records. Lawsuits probably
will decrease after an adjustment period, the study said. A report in
the Nov. 18, 2010, issue of The New England Journal of Medicine said doctors should expect a varied landscape of liability risks and benefits as EMR adoption unfolds.

Whatever
the future holds for EMRs, it’s important that doctors reduce their
liability risks during system implementation, legal experts say. Being
aware of potential legal pitfalls prevents doctors from falling victim
to technology intended to do good — not cause hardship.

“It’s
all about the system that’s in place and the integrity of that system,”
Flynn said. “You can only do what the system allows you to do. If you
have a good system in place, then the doctors are protected — even from
themselves.”

The burden of breaches

Data breaches are among the most common
reasons that electronically stored information lands doctors in court,
said Lisa Gallagher, senior director for privacy and security at the
Health Information and Management Systems Society, which advocates
health information technology.

For example, thieves
broke into the Sacramento, Calif., office of hospital system Sutter
Health in October 2011, stealing monitors and a laptop containing the
health information of 4 million people. Patients sued, claiming Sutter
violated the state’s Confidentiality of Medical Information Act. The law
regulates medical data disclosures and negligent storage practices. At
this article’s deadline, an attorney for the plaintiffs had not returned
calls seeking comment.

The Sutter Health data security office was encrypting its computers when the theft occurred, the company said in a statement.

Though
federal law regulates Health Insurance Portability and Accountability
Act violations and subsequent notification rules, state laws vary on
reporting regulations for data breaches. Some state laws cover all
electronic data, while others, such as California’s, are aimed at health
data.

Knowing what your state requires in the event
of a data breach is essential, especially because of potential legal
snares, said Richmond, Va., attorney Jonathan M. Joseph, author of Data Breach Notification Laws: A Fifty State Survey.
For instance, if a New Jersey physician treats a patient from another
state and a breach occurs, the doctor could be subject to notification
rules in the patient’s state as well as his or her own, Joseph said.

Police
investigations during breaches are another challenge. Law enforcement
agencies may ask doctors to delay reporting a breach to patients to not
taint the investigation. Some states allow doctors immunity if they do
not immediately alert patients because of an agency’s request, Joseph
said. But some states do not give doctors a break on notification rules.

“The
problem with that is that many [investigations] may take months, and
you may have to sit and ask yourself, ‘Are people going to be harmed?’”
he said. “You have to think, ‘Should I hold onto the information, or
will I be liable?’”

EMRs and new tort claims

In Oregon, health professionals have won a court victory in a data breach case. Paul v. Providence posed significant questions about how far a medical professional’s responsibility extends after data is stolen.

Some
patients in Oregon sued Providence Health System in 2009 after computer
disks were stolen from a medical office employee’s car. The disks
contained unencrypted records for 365,000 patients. Patients said that
because of the theft, they were exposed to past and future out-of-pocket
losses associated with monitoring credit reports, and expenses
associated with credit damage. A trial court ruled that the plaintiffs
did not have a valid claim under state law. The plaintiffs appealed to
the state’s Supreme Court.

The Oregon Medical Assn.,
and the Litigation Center of the American Medical Association and the
State Medical Societies, expressed concern that if the plaintiffs
prevailed, the decision could create a new claim against doctors.

“Plaintiffs
in this case ask this court to recognize a new common law tort making
health care providers liable in negligence for purely economic losses
and emotional distress damages arising out of the theft of patient
information from health care providers, in the absence of physical
injury,” the Litigation Center said in a brief to the Oregon Supreme
Court. “There are strong policy reasons against the creation of
liability in these circumstances, especially the chilling effect it
could have on the broader use of electronic medical records, which make
this a subject more appropriately addressed in the legislative process.”

The
Oregon Supreme Court on Feb. 24 ruled the plaintiffs could not sue
Providence because the patients failed to show anyone actually viewed or
used their personal information.

“Although
plaintiffs allege that an unknown person stole digital records
containing plaintiffs’ information from defendant employee’s car, they
do not allege that the thief or any third person actually used
plaintiffs’ information in any way that caused financial harm or
emotional distress to them,” the court wrote.

The
court said the plaintiffs’ claim for future financial harm also was
invalid because a “threat” of future physical harm on its own, is not
sufficient to constitute an actionable injury.

The
decision protects health professionals from unwarranted lawsuits, said
Gwen Dayton, legal counsel for the Oregon Medical Assn.

The
Oregon opinion is consistent with other states’ rulings in similar
cases, justices said. However, states such as Maine have allowed
plaintiffs to sue over personal information that is used for identify
theft purposes, thus causing present financial injury.

Encrypting
record systems is key to preventing possible breaches, along with
recognizing any suspicious system activity, Gallagher said. “You want to
be monitoring your network and [putting] technical controls in place,”
she said.

E-discovery is a growing area of concern,
said Joshua R. Cohen, a medical liability attorney and president of the
New York State Medical Defense Bar Assn. While legal requests once
entailed only paper records, attorneys are now seeking every accessible
electronic record, including films, lab reports, emails and phone
records.

“Plaintiffs are trying to use e-discovery as a weapon of mass discovery,” Cohen said.

A 2011 ruling in New York highlights how e-discovery creates a burden for doctors.

During
a lawsuit against St. Luke’s Hospital Roosevelt Center, a debate arose
about whether the plaintiff should be allowed access to screen shots
from a doctor’s computer. Joan Bowman, who sued the hospital for
wrongful death on behalf of her husband, wanted to see a computer
template used to aid physicians in diagnoses. The hospital said the
request was overly broad and oppressive.

But the Supreme Court of the State of New York ordered the release of the screen shots.

“Defendant
doctors testified that they utilized these materials in coming to their
diagnosis,” Judge Alice Schlesinger wrote. “It is not a stretch to
allow counsel to see and understand these materials.”

At this article’s deadline, the hospital’s attorney had not returned messages seeking comment.

The case sets a precedent, said Susan Dennehy, Bowman’s attorney.

“If
others want to see screen shots from records, I think they’ll rely on
this case,” she said. “It was important to see where the template led
you if you put in an inaccurate chief complaint.”

New
Jersey attorney Michael A. Moroney said expenses can rise dramatically
because of massive e-discovery requests. In some cases, practices must
hire outside teams to sift through archived records, said Moroney, who
counsels doctors on the legal challenges of EMRs.

“There’s
a ton of time involved,” he said. “There’s the attorney’s time and then
the medical staff themselves. It means we’re spending tens of thousands
of dollars fighting over stuff before we even get to the merits of the
case.”

Steering clear of legal problems

Flynn has seen more plaintiff attorneys
accusing doctors of modifying electronic records, even when the changes
were made innocently. It’s essential to have a system that does not
allow changes after a certain amount of time, she said. If modifications
are allowed, the systems should show that doctors made efforts to be
transparent.

Login passwords can create liability.
Cohen had a case where a physician provided his login password to a
resident and gave him permission to update a patient’s chart while the
physician was out of town. When a claim arose, it appeared that the
absent doctor updated the record.

“It makes it look
sloppy,” Cohen said. “Before, the [absent] doctor wouldn’t even have
been involved in the lawsuit. Now, it creates a question of fact that we
have to explain.”

Doctors are busy in their daily practice, but making time to take preventive steps now may save them from EMR liability later.

“The
best thing doctors can do is be ahead of the curve,” Moroney said.
“Because when the day comes that you are served with a complaint, one of
the first things the court is going to look at is, ‘How good of a
policy did you have, and could you have prevented this?’”

Share this story