Legal Issues Surrounding Electronic Medical Records

                 Legal Issues Surrounding Electronic Medical Records

                                                  Dr KS Dhillon LLM

What is electronic medical record (EMR)?

Traditionally medical records have been paper based. The hospitals have been collecting handwritten patient medical data and storing it securely as per the legal requirement of handling and storing patients confidential medical data.
Over the last couple of decades there has been a push to record, process, store and transfer health information electronically. This electronically recorded, processed and stored medical data is known as electronic medical records (EMRs). The electronic application not only helps in recording clinical data, X-rays and laboratory findings but also helps in making decisions, making request for medication from the pharmacy and placing and receiving orders regarding patient care [1]. The EMR system would require the use of a computer system with the necessary software along with a network.
The touted benefits of the EMR include improvement in quality of patient care, decrease in health care costs, reduction in storage space requirements and easy of searching the patients records. Electronic data can be more easily retrieved and modified and updated thereby increasing efficiency. By using appropriate templates the doctors can safe time and make less mistakes [1].
Some believe that these electronic systems which are faster than the paper system can save time, lives, and money [1].
Despite the touted benefits of the EMR the transition from paper to electronic recording has been very slow. In the USA the Healthcare Information and Management Systems Society (HIMSS) has planned the implementation and use of the EMR system in 7 stages. As of 2013 EMR implementation was in stage 2 and stage 3. In stage 6, about 100 % of the hospitals were expected to be covered. Stage 7, would see the building of the regional and national network that would integrate all the EMR systems in the country [1]. In the US as of 2013 only 25.5% of the hospitals had a comprehensive EMR.
In Malaysia, the Ministry of Health, in 2001 claimed that Hospital Selayang was the first hospital in the world to have a comprehensive ICT paperless system using the Total Hospital Information System (THIS)[2].
The capital cost of equipping a hospital with THIS is about 80 to 100 million ringgit in Malaysia and this constitutes almost 40% of the total development cost of a 800-1000 beds hospital. So far the Malaysian government has spent more than 600 million Ringgit for the project and this does not
include operation and maintenance cost of the system [2]. As of 2015 only 21 out of 138 public hospitals (15%) had implemented either the Total Hospital Information System (THIS), the Intermediate Hospital Information System (IHIS) or Basic Hospital Information System (BHIS).
Though firewalls and encryption do permit safer and secure transfer of health information, confidentiality of patient information and other legal risks remains a concern.

Legal Risks of EMRs

The legal system relies on precedent and is slow to adopt new technologies such as EMRs. Hence it can offer little help in the navigation from paper-based to electronic record [3]. Though EMRs may be able to solve problems of missing clinical information that was seen with paper records, there is no legal precedent addressing the responsibility of clinicians reviewing the large amount of clinical information available in the integrated EMRS. Many find it difficult to review the complete electronic record within a reasonable timeframe [3].
Furthermore EMRs introduce several more liabilities. Large amounts of perfectly legible data can be stored in EMRs which makes it easily discoverable, unlike incomplete or illegible handwritten records which are not easily discoverable. Hence the EMR data can be a liability to the doctor and the health provider.
EMRs can store extremely huge amount of data which can lead to information overload resulting in the doctor overlooking key information in the system. This again can be a new form of liability. In this mountain of information, doctors can miss critical information which can affect treatment decision which would make doctors and the hospital liable for negligence [3].
With EMRs the doctors legal responsibility and accountability increases. The electronic records will identify the person who reviewed or failed to review key information such abnormal findings recorded in the EMR. Failure to identify and address important abnormal findings can lead to legal challenges. With paper records it is not always possible to tell who accessed the records. Lapses in management of the patient can easily be detected with EMRs[3].
There are some document related issues with EMRs which can introduce new liabilities. Some EMRs contain progress note documentation templates which allow test results to be automatically imported. This automatically imported test and clinical findings may not be within the clinical preview of the the person inadvertently importing the information and signing the note electronically and this may introduce new liabilities [3]. Notes that are copied and pasted may contain lots of information that appear similar and display information that is no longer correct.

Ethical issues with EMRs

Data in EMRs can more easily be accessed by many individuals as compared to data in paper records. Data in paper records can also be accessed by others but it is difficult to track who accessed the paper records. Since more people have access to electronic data the potential for privacy breach increases. When many people have access to electronic data the question of ownership of data also arises. Who actually owns this protected health information?[3]
In the past ‘several electronic health records (EHR) vendors (eg, Cerner, GE, and Allscripts [formerly Eclipsys]) have sold deidentified copies of their patient databases to pharmaceutical companies, medical device makers, and health services researchers’ [3]. Although the data is deidentified, it is not difficult to reidentified the data using publically available external data sources[3].
There are EHR user guidelines but what happens when unauthorized personnel access the the data and also what happens when unintentional or unavoidable violation of the guidelines take place? An example would be when a person who is logged in has to rush off for an emergency and someone standing by accesses the data. These situations raise complex ethical and legal issues[3].
This electronic data-driven approach in medicine has a long way to go. There are many unaddressed issues to be sorted out. Who will ‘oversee the data aggregation, verification and validation, and analysis; who will have data access; who will make the final data interpretations; and assuming that everyone agrees they are correct, who will adjudicate the ethical disagreements that inevitably surface when data are used to inform new health care policies’ [3]. There is a dire need for ‘nonpartisan, multidisciplinary, expert review-panels composed of clinicians, statisticians, informaticians, ethicists, and patient advocates’ to sit together and address these issues rather than pushing half baked electronic systems done the throat of unwilling users.
The goal of providing higher quality, lower-cost health care through widespread EHR remains elusive.

Risk for medical malpractice claims

Doctors are at an increased risk of medical malpractice claims when the EMR is being implemented and in the initially phase these EMRs can be a thorn in physicians' side.The transition period from a familiar to unfamiliar system introduces risk of error. The impact of the EMRs on the medical malpractice claims, however, is still unclear [4].
When there is malpractice litigation, EMRs can provide clear, complete, organized and legible data and documentation that can prove a malpractice claim. Pre-trial discovery from the EMRs can increase the chances of prosecutors finding some evidence of wrongdoing among an entire team of providers [4].
When there are errors in the accuracy of the clinical content in the EMR or the the manner of presentation of clinical data is poor, the EMR vendor cannot be held liable and the malpractice risk for physician increases. Invariable there will be various limitations related to liability of the EMR vendor in the EMR contract [4]. Another issue that is likely to crop up is, what happens to the old medical records whenever the system is upgraded? Will the complete old records be maintained or only certain screenshots will be maintained due cost constraints.

Likelihood of medical errors

Estimates in the USA show that adverse drug events (ADEs) will injure or kill 770,000 people in hospitals every year [5]. The most common cause of these ADEs is prescribing errors [6]. Computerized physician order entry (CPOE) systems built into the EMRs are expected to reduce prescribing errors and save hundreds of billions in annual costs. However, many believe that too much dependence on an EMR will result in small mistakes quickly turning into medical errors [4].
Koppel et al [7] published a study in 2005 which identified and quantified  the role of CPOE in facilitating prescription error risks. They found that the CPOE systems facilitated 22 different types of medication error risks, which included pharmacy inventory displays being mistaken for ‘dosage guidelines, inflexible ordering formats that generated wrong orders, and CPOE display screens that prevented a coherent view of the patient's medications’[4].  They study also revealed that 75 percent of clinical staff surveyed said that they encountered these error risks weekly or sometimes more often.
Doctors overreliance on functions such as cut and paste can perpetuate mistakes while leaving a trail of errors which are less likely to be discovered and corrected [8]. The cut and paste function also raises issues regarding ownership of the records when a legal investigation is carried out. There are also issues of risk of bugs, viruses or other technological inefficiencies with EMRs which was not there with paper records [8]. An accidental click of the mouse can be dangerous and harmful in some circumstances.

Breaches, theft and unauthorized access to protected health information

Way back in 1996 the US Congress recognized that advances in electronic technology could erode the privacy of health information and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was passed to improve the efficiency and effectiveness of the health care system. HIPAA provisions mandated Federal privacy protections for individually identifiable health information [9]. The Department of Health and Human Safety USA posts all data breaches on a public website. In 2009 there were 2.4 million patients affected by health data breach and in 2010, 5.4 million patients were affected. The most common cause of breaches was theft of patient data. Human error, loss of records and intentional unauthorized access to protected information were the other causes of breaches [4].
The Department of Health & Human Services (HSS) does not take HIPAA violations lightly. In 2011, a computer was stolen from the administrative office of California based Sutter Health which potentially exposed the private data of about 4 million patients. The Department of HHS and the Office for Civil Rights issued a civil money penalty of $4.3 million against Largo, Md.-based Cignet Health for the HIPAA violation. Two days later, HHS and the Office for Civil Rights announced that Massachusetts General Hospital in Boston had agreed to pay $1 million to settle potential HIPAA violations [4].
In Malaysia we have the Personal Data Protection Act 2010 which protects the patients physical and mental health data. Section 9 of the Act (Security Principle) makes the data user responsible for taking practical steps to ‘protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction’ [10]. The Act requires protection of the place of storage and the equipment where the data is stored. Measures have to be taken to ensure the reliability, integrity and competence of personnel having access to the personal data; and measures have to be  taken to ensure the secure transfer of the personal data [10].
It is not known if the Personal Data Protection Act 2010 will have the bite of HIPAA or it will remain all bark and no bite as was the case with the HIPAA in its early days.
Hospitals would have to have comprehensive policies and procedures in place and their staff have to be trained to comply with the policies and procedure to prevent breaches, theft and unauthorized access to protected health information. Impermissible use or disclosure of protected patient information should be thoroughly investigated and appropriate remedial action taken. Accurate documentation related to the incident and the investigation should be retained.

What healthcare leaders need to do?

The physicians and other health care workers in the hospital have to be well-informed about compliance and legal risks of the EMRs. The training process is not always easy. Initiatives in EMR education are important to make sure that the doctors and staff do not take legal risks out of ignorance [4].
It can be difficult to train doctors to use the new software because they are usually ‘trained to autonomously practice medicine’ and change is difficult for them. One on one personalised training in a private environment is often most useful and productive. In the one to one environment the doctor can think about and discuss the impact of the software on their workflow [4]. The cooperation between the hospital IT department and the doctors must be enhanced and promoted by the health care leaders.

References

1. PeterChris Okpala.  The Electronic Medical Record (EMR). Journal of Applied Medical Sciences. 2013; 2 (2): 79-85.
2. Roshidi Hassan et al. Implementation of Total Hospital Information System (THIS) In Malaysian Public Hospitals: Challenges and Future Prospects. International Journal of Business and Social Research (IJBSR). 2012;2 (2): 33-41.
3. Perritt HH. Law and the Information Superhighway. 2nd ed. Somerset, NJ: Aspen Publishers; 2009.
4. Molly Gamble. 5 Legal Issues Surrounding Electronic Medical Records. 2012. at https://www.beckershospitalreview.com/legal-regulatory-issues/5-legal-issues-surrounding-electronic-medical-records.html accessed on 28/4/2018.
5. Lesar TS, Lomaestro BM, Pohl H. Medication prescribing errors in a teaching hospital: a 9-year experience.  Arch Intern Med. 1997;157:1569-1576.
6. Leape L, Bates D, Cullen D.  et al.  System analysis of adverse drug events.  JAMA. 1995;274:35-43.
7. Koppel R, Metlay JP, Cohen A, et al. Role of Computerized Physician Order Entry Systems in Facilitating Medication Errors. JAMA. 2005;293(10):1197–1203. doi:10.1001/jama.293.10.1197.
8. Mangalmurti SS, Murtagh L, Mello MM. Medical Malpractice Liability in the Age of Electronic Health Records. N Engl J Med 2010;363(21) 2060-2067. 
9. HIPAA for Professionals; Health Information Privacy; U.S. Department of Health & Human Services at https://www.hhs.gov/hipaa/for-professionals/index.html accessed on 1/5/2018.
10. LAWS OF MALAYSIA ACT 709, PERSONAL DATA PROTECTION ACT 2010 at http://www.pdp.gov.my/images/LAWS_OF_MALAYSIA_PDPA.pdf accessed on 1/5/2018.