ABA Health eSource
September 2008 Volume 5 Number 1

E-Health: Electronic Medical Records And E-Discovery In The Digital Age
by Robin K. Vinson, Smith, Anderson, Blount, Dorsett, Mitchell & Jernigan, LLP, Raleigh, NC

Robin K. VinsonThe advent of personal computers and electronically stored information (ESI) has produced both opportunity and challenge for today's healthcare providers. In a modern world dependent on automated processes, storing and transferring health information in a digital format creates speed and efficiency. At the same time, however, the dependence on ESI may result in frustrations and new liability risks for the unwary. Indeed, a paperless medical office may inundate even the brightest healthcare provider with mounds of information which is everywhere, yet nowhere, at the same time. As discussed in this article, effective electronic medical records management will allow healthcare professionals to succeed in a complex healthcare marketplace, while reducing waste and inefficiency.

In general, ESI includes any information, data or process that can be stored or read in a digital format: e-mail, word processing files, web pages, financial reports created by spreadsheet applications, documents scanned and stored in various formats, audio files, x-rays, MRIs, and photographs and other digital images. 1 Such electronic information is uniquely different from its former paper counterpart in several significant ways. First, electronic documents are created and transferred at a much faster pace than paper documents. Second, electronic documents are harder to dispose of than paper documents, in that the deletion of a file from a desktop does not remove it from the computer's storage devices. Third, unlike paper charts and flat x-ray films, computer information is dynamic and can be reviewed in many ways, and also may be susceptible to change without human intervention, such as a software application that is designed to update files automatically. Finally, electronic data is dependent on its software or data base environment in order for the material to be accessed and used effectively, which can be problematic when technology changes require the movement of data from one software program to another while upgrades are taking place. 2

The New Paradigm

For most physicians and their practices, ESI and it related technology is a constant learning process. Today's digital age requires the physician to learn a completely new language relating to the creation and management of electronic information. While most of us have come to understand concepts like desktops, laptops, PDAs, CPUs, hard drives, memory, and encryption, the world of e-health, electronic medical records, and e-discovery in litigation requires a speaking acquaintance with terms like ghost image, forensic or mirror image, allocated and unallocated space, hash value, metadata, legacy data, orphan records, WORM media, and life-cycle management. 3 With ESI usually accessible and searchable, many providers have developed a false sense of security as to their ability to safeguard and manage effectively the information captured and created on a daily basis. IT vendors have, for years, sold proprietary health information software and network applications 4 which allow both large and small providers to treat their patients efficiently, integrate their processes, and maintain regulatory compliance. In most cases, providers have navigated, albeit awkwardly, the various record retention requirements and regulations in areas involving Medicare, Medicaid, JCAHO, OIG, Stark, and other authorities. 5 To ease the burden of storage, IT professionals have created automatic archival and deletion protocols which, in large measure, operate consistent with health policy and regulatory objectives.

Electronic Medical Records -- Rewards and Challenges

An electronic medical record (EMR) is a medical record in a digital format, that is, a patient record that is created, stored and transmitted electronically. 6 First conceived as a way to reduce medical errors and increase efficiency, the use of EMRs has revolutionized the practice of medicine in less than a generation. EMR technology has been shown to reduce medication errors drastically by eliminating the use of handwritten prescriptions and easier checking for contra-indications and drug interactions. 7 The use of computerized physician orders (from simple email formats to hand-held scanners and bar-coding systems) may reduce medication errors by as much as 85% in certain patient populations. 8 Similarly, although there are substantial upfront costs, automated claims processing has reduced overhead and increased the net payments for many providers, reducing financial strain on busy practitioners in the process. 9 EMR technology has also been shown to facilitate clinical integration and efficiencies across large provider groups, whereby clinical alerts and reminders in computer-based medical records have resulted in significantly faster and more complete adoption of practice guidelines in various areas of disease management. 10

At the same time, with the increased use of EMR technology, there will likely be new and challenging issues for physicians and healthcare attorneys alike. First, liability risks may arise regarding possible violations of the Health Insurance Portability and Accountability Act (HIPAA). 11 For any health care provider who transmits health information in an electronic form, HIPAA defines and limits the circumstances under which an individual's protected health information can be used or disclosed. The existing HIPAA privacy and security rules require physicians to establish safeguards to protect the integrity, confidentiality and availability of electronic protected health information. 12 At the very least, practitioners should establish secure log-on and password procedures to assure authentication, and install adequate firewall software on all devices to avoid contamination. 13

Second, any donor program between hospitals or similar entities and physicians need to meet the safe harbor exceptions in order to avoid anti-kickback and Stark law violations. In 2006, the Centers for Medicaid and Medicare Services and the Office of the Inspector General simultaneously established rules creating an exception to the Physician's Self-Referral Law ("Stark") and a new safe harbor to the Anti-Kickback Statute, whereby donations of technology will not violate the Stark Law and the Anti-Kickback Statute if certain conditions are met. 14 The e-prescribing regulations allow certain limited donations of e-prescribing technology to physicians, which may include hardware, software, and training services necessary to receive and transmit electronic prescription information. The new EMR regulations allow various healthcare institutions to donate EMR systems to physicians and physician group practices, as long as the software is interoperable, the use is left unrestricted, and a written agreement reflects certain required cost--sharing arrangements. 15

Third, new and challenging risks may arise in medical malpractice and liability cases involving EMR programs and electronic protected health information. In many respects, the physician's decision-making process during patient encounters is influenced by the template based software and text written by the EMR vendor, which may not reflect actual custom and practice in a particular jurisdiction. Commentators have suggested that use of EMR systems may, over time, create national standards of care which do not exist at present. 16 In addition, where templates automatically make entries into the patient record without supervision, and automatically update prior records with new information, the patient record could be rendered inaccurate. 17 Further, in cases where the template suggests and assigns claims codes to patient encounters, there exists the possibility of possible false claims issues. 18 Any one of these untoward events could spawn a myriad of additional issues concerning product liability and indemnification claims.

The ability to create and store electronic data and information has resulted in increasing demands by litigants to preserve, retrieve and produce metadata (data showing date, time and manner of use of patient record, for example) and other encrypted information ancillary to the patient EMR information. Whereas presently only a few reported decisions have applied e-discovery principles in medical malpractice cases, there will likely be an increasing emphasis on computer forensics in these cases in the future. Recent amendments to the Federal Rules of Civil Procedure 19 and the procedural rules of many states have adopted rules regarding the management and use of ESI in the litigation arena, and these new rules will likely require litigants to meet and confer early in the litigation process to identify and preserve ESI that may be subject to discovery. 20 Indeed, discovery depositions of IT personnel familiar with EMR systems and the analysis of metadata may become routine in medical liability litigation.

The Future of Health Information Technology

The Bush Administration has called for the nationwide adoption of EMR programs covering the majority of Americans by 2014. To facilitate that effort, on July 23, 2008, a congressional panel approved a major health IT bill which would provide approximately $560 million in loans and grants available to physicians and other health care providers in rural and underserved areas and in small practices over the next five years. 21

The year 2009 may see yet additional congressional funding for incentives to providers adopting EMR systems. 22 As healthcare professionals move toward uniform use of EMRs, and in light of recent e-discovery trends, there will likely be an increasing demand for IT personnel who have both medical and forensic expertise. Likewise, physician groups should expect and demand that their legal counsel be well-versed in the technical jargon of electronically stored information and electronic medical records and their requirements and uses in clinical, compliance and litigation contexts.

*Robin Vinson is a partner in the Raleigh law firm of Smith, Anderson, Blount, Dorsett, Mitchell & Jernigan, LLP, practicing in the areas of corporate, contract and healthcare law and complex corporate, commercial and healthcare litigation. He earned his bachelor's and law degrees from Wake Forest University. He has written and spoken on compliance, record-retention and risk-management issues for physician and provider organizations.

1 Barbara Churchill et al, The Impact of Electronically Stored Information on Corporate Legal and Compliance Management: An IBM Point of View (2006) http://www-03.ibm.com/industries/financialservices/doc/content/resource/business/1824668103.html (last accessed on September 3, 2007).
2 Id. at 26.
3 Douglas Browning, et al, Dictionary of Computer and Internet Terms, Ninth edition, Barrons Educational Series, Inc. (2006).
4 The use of proprietary software may present licensing issues which would be considered in conjunction with the privacy and security issues discussed below.
5 William H. Roach, Jr. and the Aspen Health Law and Compliance Center, Medical Records and the Law, Jones & Bartlett Publishers (2003).
6 The term "electronic medical record" (EMR) has been used almost interchangeably with the term " electronic health record" (EHR), both of which have gained widespread use. Many users use the term EHR to a global concept and EMR to a discrete use. C. Peter, Waegemann. Status Report 2002: Electronic Health Records, Medical Record Institute (2002).
7 Amy Jurevic Sokol, J.D., M.H.A. & Christopher J. Molzen, J. D., The Changing Standard of Care in Medicine: E-Health, Medical Errors, and Technology Add New Obstacles, 23 J. Legal Med. 449, 468 (2002).
8 Charles Safran, M. D., Electronic Medical Records: A Decade of Experience, 285 J.A.M.A. 1766 (2001).
9 Charles Safran, supra, at Note 9.
10 Press Release, AMA Launches Campaign To Cut Waste From Chaotic Insurance Claims Process, American Medical Association ( http://www.ama-assn.org/ama/pub/category/18672.html) (last accessed on September 3, 2007).
11 Public Law 104-191 (August 21, 1996), codified as 29 U.S.C. 1181 et seq.
12 The HIPAA Privacy Rule was effective December 28, 2000 (65 Fed. Reg. 82462). The HIPPA Security Rule was effective as of April 21, 2003 (68 Fed. Reg. 8334).

Id. The general requirements of the HIPAA Security Rule establish that providers must do the following:

(a) Ensure the confidentiality, integrity, and availability of all electronic protected health information.

(b) Protect against anticipated threats to the security or integrity of such information.

(c) Protect against any anticipated uses or disclosures that are not permitted or required.

(d) Ensure compliance by the medical practice.

14 71 Fed. Reg. 45,110 (August 8, 2006) (final anti-kickback safe harbors); 71 Fed. Reg. 45,140 (August 8, 2006) (final Stark exceptions).
15 Interoperable software should be certified by the Certification Commission for Healthcare Information Technology ("CCHIT").
16 Amy Jurevic Sokol, J.D., M.H.A. & Christopher J. Molzen, J. D., The Changing Standard of Care in Medicine: E-Health, Medical Errors, and Technology Add New Obstacles, 23 J. Legal Med. 449, (2002).
17 For example, the automatic updates might change LPN to RN throughout the entire EMR once 'RN' is inputted for a particular nurse, changing the older records without notice.
18 "EMR & E/M: Beware of Software's Potential To Upcode," eClinicalWorks ( http://www.eclinicalworks.com/2006-05-01-pr2.php ) (May 1, 2006) (last accessed on September 3, 2008).
19 See Amendments to Fed.R.Civ.P. 16(b), 26(b)(2), 26(b)(5)(B), 34(b), and 37(f), effective December 1, 2006. Several states have followed the federal judiciary's lead in adopting revised procedural and evidentiary rules to accommodate electronically stored information in the litigation process.
20 Fed.R.Civ.P. 16( b) and 26(b)(2).
21 In 2004, President Bush signed an executive order that created the Office of the National Coordinator for Health Information Technology (ONCHIT) at the Department of Health and Human Services (HHS). Its mission was to implement an interoperable health information technology infrastructure nationwide. One of ONCHIT's mandates was the widespread deployment of EMRs within 10 years. The "Protecting Records, Optimizing Treatment, and Easing Communication through Healthcare Technology Act of 2008" (the 'PRO(TECH)T Act of 2008 ) aims to promote e-health records for all Americans by 2014.
22 Congressman Stark has announced his plan to sponsor a bill that would have a wider menu of incentives, including more funds and tax credits.

The ABA Health eSource is distributed automatically to members of the ABA Health Law Section . Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.