This very important two part series appeared last week.
Story posted: May 19, 2008 - 5:59 am EDT
Part one of a two-part series
Issues surrounding the law and medical records always have converged, but the advent of powerful electronic health-record systems in healthcare have added whole new levels of complexity to that relationship.
“I don’t want to sound alarmist, but this is an extraordinarily significant change in the litigation landscape,” says Kevin Yankowsky, a partner in the Houston office of law firm Fulbright & Jaworski, where he handles healthcare litigation representing both plaintiffs and defendants.
Some key problem areas:
- EHRs are infinitely more complex than paper records. They document not only what was done but also, to a far greater degree, what could have been done but wasn’t. One example is a drug alert fired off by a computerized physician order-entry system that was either complied with or overridden.
- EHR systems can store data about the systems themselves. This so-called metadata includes information on when an electronic record was entered and viewed, by whom, for how long and how often, potentially creating a detailed audit trail that can be used both for legal defense and offense.
- Vendors of EHR systems have not fully adapted their products to this new legal framework, while users of the systems, most specifically healthcare providers, are also playing catch-up in adopting health-record management policies to match the new systems healthcare organizations are installing or have installed.
- Finally, the legal landscape, as Yankowsky and others note, is shifting rapidly, with the tectonics driven in large part by changes in legal guidelines about electronically stored information that are followed by the federal court system but will likely influence similar rules for legal discovery and records production at the state level as well.
“At a very minimum,” Yankowsky says, “it is imperative that healthcare providers start looking at it and making decisions on what they want to do.”
To try and address these problems and give the healthcare industry a battle plan to address them, members of a work group of the Health Level 7 standards development organization met in Phoenix earlier this month. Their aim was to tweak a format that, if followed by adopters of EHR systems, would help their legal health records stand up better in court.
Part 2 followed:
Story posted: May 20, 2008 - 5:59 am EDT
Part two of a series (access part one here)
The newly proposed HL7 profile "identifies the key infrastructure functions that support management of electronic health records for business and evidentiary purposes," Michelle Dougherty, director of practice leadership for the Chicago-based American Health Information Management Association and a co-facilitator for the legal e-health-record work group, says.
For example, the HL7 guidelines note that legal-record functionality criteria overlap with privacy and security requirements under the Health Insurance Portability and Accountability Act of 1996 as well as state laws. According to the HL7 criteria, a legal EHR system must ensure that the identity of users has been verified and access to the system is under a set of specified controls, that information coming into the system via data exchange is coming from a trusted source and that any change made by a clinician has a recorded attestation.
"If your authentication is weak, then someone on the stand (in court) can say, 'That wasn't me,' " Dougherty says. Another problem area with legal e-health records is EHR system vendors, which have not given the concept of a legal record much priority, according to several sources contacted for this story.
Dougherty says, with an attempt at diplomacy, that some IT vendors have not yet fully come to grips with the needs for outputs that can be used in a legal setting.
"It wasn't a major focus for vendors because they were focused on clinical care," she says. "From AHIMA's opinion, as we looked at (vendors') systems, it was a little bit all over the map. There were some core functions in place. Some were stronger than others. 'There was a lot of variability' would be a good way to say it. And purchasers weren't making it a priority."
But, Dougherty says, as more and more healthcare systems have adopted EHRs, "some of those early adopters raised flags saying we have problems. We can't get this (record) out to take to court."
Auditing changes to a computerized record is a key concern.
"You want to have a policy of how you amend a record," she says. In the paper world, "there were these business rules. You don't want a record thrown out on a technicality because it had Wite-Out on it"; so you use permanent ink. Similarly, with an EHR, "You don't want it thrown out because a system allows a record to be overwritten."
One key to defending an electronic record is the metadata, the stuff of audit trails, loosely defined as "data about data," Dougherty says. Laying down guidelines for the acquisition, storage and reporting of metadata is one of the issues the work group had to address.
"It's information that tells you who created a record and when it was modified," she says. "That's what you're reading in case law in the courts, that metadata creates some security and validity. When you don't have that metadata, the courts make some assumptions you don't want them to make. You can't defend yourself.
"If you look at it from a pure record standpoint, that audit report becomes a key component to assure validity," Dougherty says.
Very much more here:
I think it would be fair to say that this issue has slipped relatively under the radar. An exception to that generality is the work the openEHR Foundation (previously the Good Electronic Health Record) did, and continue to do, to address the evidentiary requirements of EHRs. All of the issues raised in these two excellent articles have been certainly discussed and addressed in the openEHR work – although the importance of a range of metadata may not have been emphasised in the way it is in the present articles.
A key point to note is that the problem becomes even more difficult and complex when one starts to consider sharing EHR records and even more problematically when one considered sharing of partial or summary records. Issues around which record has precedence and so on then arise.
Careful reading of both articles is commended to all interested readers. It would be interesting to understand just how NEHTA has addressed these issues I must say! We don’t seem to know as their work has never been made public other than in very high level presentations. That needs to change, and soon, in my view.