An Attorney’s Guide to Understanding Medical Records in the Digital Age

Obtaining Medical Records

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal mandate establishing national criteria to safeguard sensitive patient health information from being revealed without the patient’s approval or awareness. The legislation also allows patients to inspect and obtain a copy of their medical files and request corrections to their medical records.

The ability of counsel to obtain a patient’s medical records under HIPAA will depend on whether the attorney represents the patient or is defense counsel in a lawsuit. Plaintiff’s counsel merely has to use an authorization signed by the client that complies with HIPAA’s requirements and appropriate state laws. Defense counsel, however, has a much tougher row to hoe. Health care providers may request a subpoena or court order from defense counsel before allowing access to specific medical information. While a subpoena cannot be ignored, covered entities are cautioned not to produce protected health information (PHI) without safeguarding a patient’s privacy and confidentiality. The consequences of responding improperly to a subpoena can be even more significant than disregarding the subpoena altogether. HIPAA and its regulations impose stiff monetary penalties and possible criminal charges for unlawful disclosure of PHI. A vital component of the legislation is that a covered entity may disclose only the “minimum necessary” information to comply with the request for medical data.

Electronic Medical Records Practice Tips

Anyone who has worked with electronic medical records knows they are not without problems. Not only are significant costs involved in converting to and maintaining this electronic format, but privacy and security concerns are also presented. For instance, it is foreseeable that about 150 people will have access to a patient’s chart during a hospitalization. A vast number of these individuals are authorized to examine the record as a part of the patient’s treatment, but “there is a paucity of laws that regulate who these people are, what information they may access, and what they can do and not do with the patient’s information once they have viewed it.” (Samuel D. Hodge Jr. & Joanne Callhoun, Understanding Medical Records in the Twenty-First Century, 22 Barry L. Rev. 272, 275 (2017).)

Electronic medical records create distinctive challenges not faced with paper records. One would expect the electronic medical file to contain the same materials as in a patient’s paper file. However, that is not always the case. Some elements of the digital file will be combined, and other sections will not be printed. Equally as important, the patient’s paper chart may not have been converted in the first place, and some of the previous files may be missing. Therefore, counsel would be best served when requesting records to demand that all paper records and electronic files be produced. Counsel should also ask for the PHI disclosure log, a HIPAA-mandated accounting of where, when, what, and to whom a medical record has been provided.

Counsel needs to understand “metadata” in evaluating a patient’s digital chart. This term is defined as “‘secondary information,’ not apparent on the face of the document ‘that describes an electronic document’s characteristics, origins, and usage.’” (Gilbert v. Highland Hosp., 52 Misc. 3d 555, 556 (N.Y. Sup. Ct. Monroe Cnty. 2016).) Metadata encompasses important information such as audit trails, pop-up warnings, and “preliminary questions and checkboxes.” (J. Stanley McQuade, 1 Med. Info. Sys. for Lawyers § 1:18.60 (2d ed. Aug. 2021).) A computer printout of the digital file is unlike the electronic version viewed on a computer and may not include the metadata. This excluded information may be relevant to counsel’s investigation of a claim, so understanding what metadata reveals is important.

It is simple to alter a digital record without leaving any obvious signs that the document has been changed. HIPAA compels all those who employ a computerized system to maintain an audit trail listing all electronic entries and every access to the chart. For instance, an audit trail lists who opened a file, when that access was accomplished, and what actions were performed. The audit trail is important to review if there is any consideration that a chart may have been altered. However, it is not routinely produced when a patient’s file is requested because it is not considered a “patient record.” Instead, counsel must explicitly demand it, and the court will review the legitimacy of the request (if challenged) based on a showing of good cause.

A second form of metadata is a “pop-up” screen or alert to help health care providers with tasks such as medication dosing, dangerous drug incompatibility, and meeting core measures. Pop-up warnings are provided to better patient care, eliminate mistakes and unfavorable outcomes, and increase efficiency. In the event of a medication error or adverse event, counsel should discover what pop-up alerts were utilized with a particular software system and request a printout of what prompts were issued and whether they were reviewed or ignored by the physician.

Developments in Obtaining Medical Records

Patients’ ability to obtain their medical records was radically altered in 2016 with the passage of the 21st Century Cures Act (Cures Act), which prohibits “information blocking” by health care providers. This term means any practice that is “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” (Alexander Dworkowitz, Provider Obligations for Patient Portals under the 21st Century Cures Act, Health Affs. Forefront (May 16, 2022).) The Cures Act and its regulations provide unprecedented opportunities for patients to gain access to previously private health records information. One measure that health care providers have implemented is the creation of patient portal websites. These portals “share clinical information with their patients” that can be accessed through patient portals. (21st Century Cures Act, Legal Info. Inst.) Most permit access to specific health information and allow patients to complete specific undertakings, such as the making of an appointment and prescription requests. This online ability is bolstered by the HIPAA Privacy Rule, which gives patients the legal right to obtain copies of their medical records. Patient portals are an easy way for counsel to obtain a copy of a client’s medical records. The client can be asked to access their portals and print out the records. This information can then be forwarded to counsel.

ABA TORT TRIAL AND INSURANCE PRACTICE SECTION

This article is an abridged and edited version of one that originally appeared on page 65 of Tort Trial & Insurance Practice Law Journal, Winter 2023 (58:1).

For more information or to obtain a copy of the periodical in which the full article appears, please call the ABA Service Center at 800/285-2221.

WEBSITE: americanbar.org/tips.

ABOUT: TIPS is the only national professional group to unite plaintiff, defense, and insurance and corporate counsel to advance the civil justice system.

PERIODICALS: The Brief, quarterly magazine; Tort Trial & Insurance Practice Law Journal, quarterly electronic law review; TortSource, quarterly electronic newsletter; e-TIPS news, monthly electronic newsletter.

CLE AND OTHER PROGRAMS: More than 15 CLE programs each year, plus numerous hot-topic webinars relevant to your practice area.

RECENT BOOKS: For a complete listing, visit ambar.org/tipspubs.

TO JOIN TIPS TODAY: Please go to ambar.org/tipsmembership.

Download the PDF of this article