The Legal Implications of Medical Records in the Digital Age – A Brave New World or “Same Old"?
Updated: Nov 15, 2019
The push for hospitals and medical practices to implement electronic medical records systems (EMRS) went into high gear with the passage of the American Recovery and Reinvestment Act of 2009. Tucked into that Act was The Health Information Technology for Economic and Clinical Health Act, known as the HITECH Act.
The HITECH Act offered financial incentives to health care providers to replace their paper medical records with EMRS, and was intended to achieve three objectives: to stimulate the economy through the economic activities associated with acquiring and implementing EMRS; to reduce health care costs through efficiency gains resulting from the use of EMRS; and to improve the quality of health care through provider access to patients medical records. To help realize those goals, EMRS have been designed to capture data from many encounters over long time periods, and to track and report outcomes and trends, not simply to serve as a replacement repository of events related to the condition and treatment of individual patients.
Lawmakers recognized that the expected increase in digitization of medical records and their sharing across communication networks among covered entities and their business associates could result in dramatically more incidents of unauthorized disclosures of protected health information (PHI), potentially affecting hundreds or thousands of patients in any one incident. The HITECH Act, therefore, included a suite of related provisions addressing the obligations of covered entities and business associates if breaches of patients’ privacy rights occurred, which were then added to the HIPAA rules.
Many in the health care field are under the impression that the laws addressing digital records are different from those affecting paper records. Aside from certain parts of the HIPAA rules, the laws affecting medical records as practitioners have historically understood them are unchanged.
There is no question that EMRS have advantages. Records are easier to read as, for the most part, handwritten notes are a thing of the past. Subspecialty notes are grouped together. With appropriate authentication of users and access controls, confidentiality of records is enhanced. Electronic prompts help assure that medications and care are rendered on time. EMRS can be accessed from more than one location and by more than one person simultaneously, and the entire record is always available. Real-time charting through laptops and mobile devices is possible.
EMRS also have significant disadvantages. Due to the typing function or the use of drop-down menus, often not as much detail is recorded. Similarly, when there is nothing new to record, the temptation not to record anything is hard to resist. Entries can look repetitive – and indeed, they may be, due to the ease of cutting and pasting prior entries. Digital entries do not trigger memory of events as well as personal handwriting. Finally, if access controls are too restrictive, modules containing relevant information will not be available to staff who may be faced with patient situations requiring intervention, especially in acute and long term care settings.
It has been said that 35% - 40% of medical malpractice cases become indefensible because of problems with documentation. If it is not charted, plaintiffs’ lawyers will argue that required care did not happen. Documentation is scrutinized by families and their lawyers. If a case gets to trial, a jury will assume that sloppy documentation means sloppy care. This applies equally to paper and digital records.
There are also statutes that are implicated when charting is insufficient or erroneous. Notice that these laws do not distinguish between paper and digital records.
Under Penal Law Section 175.05, a person is guilty of falsifying a business record in the second degree with the intent to defraud if that person makes or causes a false entry in a business record; fails to make a true entry in a business record in violation of duty to do so; prevents a true entry; causes the omission of a true entry; or alters, erases, obliterates, removes or destroys a true entry in a business record. Medical records are business records.
The Legal Implications of Medical Records in the Digital Age
Public Health Law Section 12 provides for civil penalties up to $2,000 per violation for anyone who violates, disobeys or disregards any term or provision of the Public Health Law. There are numerous sections of the Public Health Law that require practitioners to keep accurate, timely and complete medical records. In addition, a practitioner may be subject to the revocation of his or her license for unprofessional conduct for failing to maintain accurate records reflecting evaluation and treatment of a patient; failing to comply with federal, state, or local law, rules or regulations governing his or her practice; filing a false report; or failing to file or impeding or obstructing the filing of a report required by law.
The biggest reason that EMRS have different legal implications from paper records is that EMRS dramatically change business processes within medical practices, hospitals and nursing homes, and these changes may result in increased legal risks of successful claims of malpractice and criminal and civil liability.
To further efficiencies, many EMRS include checkboxes for “within defined limits”. So long as everyone using the EMRS has the same understanding in each clinical setting of what “defined limits” are, this function poses no problems. However, because of the potential for individual interpretation of that term, the consequences (in terms of patient harm and potential legal liability) of what in hindsight may turn out to be the wrong selection of the checkbox are significant.
Many EMRS also have checkboxes for “Not Relevant” or the equivalent. Users may think these can be ignored, and EMRS that do not require completion of every possible field may allow this. However, a “Not Relevant” selection may turn out to be quite relevant in the overall accuracy and usefulness of the record.
In creating a paper record, a provider is likely to indicate the date and time of the event covered by the record, and the identity of the person who delivered the care or interacted with the patient. EMRS automatically capture the time of an entry and the identity of the person under whose log-in the entry was made. Unless the entry is made contemporaneously with the event by the person who delivered the care, the entry must clearly and carefully record the actual time and date of the event being charted and the caregiver’s identity if that person is not the person making the entry.
Those uncomfortable or impatient with, or unskilled at typing entries into text fields may avoid making entries or keep them extremely short. The loss of extensive narrative in records can result in decreased quality of care. A provider who finds use of the EMRS burdensome and has his/her assistant, who was not present during an event, make the entry about it into the EMRS has arguably committed an act of professional misconduct.
The technology that enables real-time charting may carry some of the biggest risks of EMRS. If the person making the entries is also the provider, the provider may be more focused on navigating the screens and making entries than listening to the patient – or being perceived by the patient as not listening, because the provider is unable to make eye contact with the patient. In a hospital or long term care setting, bedside charting carries the potential of unauthorized disclosure of PHI to nosy visitors. The small screen size of tablets and smart phones may discourage detailed charting and increase the risk of error in entry selections. Also, it is much easier to lose or misplace a small device, significantly increasing the risk of unauthorized disclosure of PHI.
The increasing use of scribes to record the real-time interaction between patients and providers indicates a recognition of the legal risks arising from changes in business process occasioned by EMRS and a means of mitigating those risks. To reduce potential legal liability, managers of medical practices, hospitals and nursing homes that have implemented EMRS need to move beyond training staff in their use and focus more intently on how their business processes have changed as a result.
As always, if you have any questions, please feel free to contact us here or call us at 585.258.2800.