Legal risks of going paperless caption here. Brooklyn pinterest officia photo booth occaecat truffaut. Polaroid pickled marfa voluptate, authentic 8-bit cliche. Illustration by Daniel Krall / www.danielkrall.com
Legal risks of going paperless
■ Electronic medical records are meant to save time and money, but they also can create liability issues for doctors
By Marvin Q. Neice, SaxoTech Online Systems Specialist amednews correspondent — Posted July 10, 2012
Defense attorney Catherine J. Flynn knows how electronic medical records can overwhelm — and often change — the course of a medical liability lawsuit.In one of her cases, a New Jersey doctor being sued for medical negligence has been accused by a plaintiff's attorney of modifying a patient's electronic history. A printing glitch caused the problem, Flynn said, but the accusation has meant extra time and defense costs. Computer screen shots were reviewed, more evidence was gathered and additional arguments were made.“This has taken a life of its own, and we've done virtually no discovery on the medical aspects of the case,” she said. “The cost of the e-discovery alone is in excess of $50,000.”System breaches. Modification allegations. E-discovery demands. These issues are becoming common courtroom themes as physicians transition from paper to EMRs, legal experts say. Not only are EMRs becoming part of medical negligence lawsuits, they are creating additional liability.Across the country, the move from paper to electronically stored health data is growing. The 2009 federal stimulus package provided federal funds for the creation of a health information technology infrastructure. Health professionals can receive up to $44,000 for Medicare or nearly $64,000 for Medicaid by adopting electronic medical records.Studies are mixed about how EMRs will impact liability for physicians. A 2010 survey by Conning Research and Consulting, an insurance industry research firm, found that most insurers believe medical claims will rise during the move from paper to electronic records. Lawsuits probably will decrease after an adjustment period, the study said. A report in the Nov. 18, 2010, issue of The New England Journal of Medicine said doctors should expect a varied landscape of liability risks and benefits as EMR adoption unfolds.Whatever the future holds for EMRs, it's important that doctors reduce their liability risks during system implementation, legal experts say. Being aware of potential legal pitfalls prevents doctors from falling victim to technology intended to do good — not cause hardship.“It's all about the system that's in place and the integrity of that system,” Flynn said. “You can only do what the system allows you to do. If you have a good system in place, then the doctors are protected — even from themselves.”
The burden of breaches
Data breaches are among the most common reasons that electronically stored information lands doctors in court, said Lisa Gallagher, senior director for privacy and security at the Health Information and Management Systems Society, which advocates health information technology.For example, thieves broke into the Sacramento, Calif., office of hospital system Sutter Health in October 2011, stealing monitors and a laptop containing the health information of 4 million people. Patients sued, claiming Sutter violated the state's Confidentiality of Medical Information Act. The law regulates medical data disclosures and negligent storage practices. At this article's deadline, an attorney for the plaintiffs had not returned calls seeking comment.The Sutter Health data security office was encrypting its computers when the theft occurred, the company said in a statement.Though federal law regulates Health Insurance Portability and Accountability Act violations and subsequent notification rules, state laws vary on reporting regulations for data breaches. Some state laws cover all electronic data, while others, such as California's, are aimed at health data.Knowing what your state requires in the event of a data breach is essential, especially because of potential legal snares, said Richmond, Va., attorney Jonathan M. Joseph, author of Data Breach Notification Laws: A Fifty State Survey. For instance, if a New Jersey physician treats a patient from another state and a breach occurs, the doctor could be subject to notification rules in the patient's state as well as his or her own, Joseph said.Police investigations during breaches are another challenge. Law enforcement agencies may ask doctors to delay reporting a breach to patients to not taint the investigation. Some states allow doctors immunity if they do not immediately alert patients because of an agency's request, Joseph said. But some states do not give doctors a break on notification rules.“The problem with that is that many [investigations] may take months, and you may have to sit and ask yourself, ‘Are people going to be harmed?'” he said. “You have to think, ‘Should I hold onto the information, or will I be liable?'”
EMRs and new tort claims
In Oregon, health professionals have won a court victory in a data breach case. Paul v. Providence posed significant questions about how far a medical professional's responsibility extends after data is stolen.Some patients in Oregon sued Providence Health System in 2009 after computer disks were stolen from a medical office employee’s car. The disks contained unencrypted records for 365,000 patients. Patients said that because of the theft, they were exposed to past and future out-of-pocket losses associated with monitoring credit reports, and expenses associated with credit damage. A trial court ruled that the plaintiffs did not have a valid claim under state law. The plaintiffs appealed to the state’s Supreme Court.
Back to top
Copyright © 2012 American Medical Association. All rights reserved.