January 2019

EHR Insider: EHRs Pose Malpractice Risk
By Joy Stephenson-Laws
For The Record
Vol. 31 No. 1 P. 30

The use of EHRs in ambulatory and inpatient facilities has become the norm rather than the exception in the health care industry. According to the Centers for Disease Control and Prevention, about 90% of office-based physicians now have an EHR system. More than one-half have a basic system that offers, at a minimum, patient history and demographics, patient problem lists, clinical notes, medication and allergy lists, computerized prescriptions, and laboratory and imaging results.

It is clear that the days of physicians recording patient records by hand and storing them in a color-coded, manual filing system have been relegated to history.

Part of this growth can be attributed to the 2009 HITECH Act, which created an incentive program that encourages health care providers to adopt EHR systems. EHRs held the promise of enhanced patient care, treatment outcomes, and operational efficiencies. The benefits of moving to an EHR have been mostly realized, and few in the health care sector would express a desire to go back to pre-HITECH days.

There is another aspect, however, to EHR adoption that has become more of a significant risk for providers—one that its architects may not have contemplated 10 years ago. It may be a result of the law of unintended consequences, but how a physician uses an EHR is increasingly becoming a factor in both malpractice complaints and as a pseudo defense "witness" in such cases.

This may seem paradoxical, but the reality is that this record-keeping technology in and of itself is neither a liability nor an asset to a provider when it comes to malpractice situations. What does matter, however, is how a physician selects, installs, maintains, and uses the system in day-to-day practice management. All of these can make the difference between winning and losing a malpractice claim or determining whether one is filed in the first place.

There is some evidence that more than 80% of EHR-related malpractice cases involve moderate or severe harm to the patient. Therefore, it seems clear that physicians and other providers currently using or implementing an EHR must take the necessary steps to minimize their inherent risk while maximizing their potential value.

Get It Right From the Start
There are three phases to implementing and using an EHR, each of which poses its own challenges and opportunities for protecting a provider from a malpractice claim. As with many processes and most technology, getting it right from the beginning can help avoid costly mistakes and problems downstream.

There are more than 1,200 vendors in the United States that offer EHR systems. One-half of providers purchasing these systems spend well in excess of $100,000. Despite the numerous options, nearly 70% of providers report not liking the functionality of their EHR. This is noteworthy because providers will be less likely to invest the time and effort required to correctly use new technologies if they view them to be cumbersome.

If a physician is contemplating a new system or an upgrade to an existing system, the best approach is to be honest and clear about the needs of the practice, the skill set of the staff, and the individual comfort level with how the system works. Take the time to research a system that can adapt to an individual practice and not the other way around.

It's also critical to dedicate the resources necessary to install the new system. It will take some time to effectuate a smooth and accurate transition from the original paper and electronic files to the new EHR system. For example, ensure that appropriate checks and balances are in place to allow for the accurate comparison of the original data with the transferred data. How important is this? Considering that upward of 25% of EHR errors can be traced back to software and conversion issues, the potential benefits of getting this right from the beginning should be clear.

Another element that should be considered at the outset is compatibility with existing internal and external information systems. Having an EHR that can't "talk" with other systems defeats the purpose of enhancing patient care and can create new liabilities for the practice.

Training and Security
Given the potential impact and liability of misuse or incorrect use of an EHR, ensuring that all staff have a clear understanding of how to use the system is of paramount importance. This training must include sufficient hands-on practice to minimize the risk of errors once the system goes online.

In addition, the system itself should go through a thorough beta test phase in which all patient data are made available in traditional and digital forms (which is especially critical during a conversion from paper to digital).

Performing these necessary tests can help defend against potential negligence claims for mishandling the transition, patient records, or treatment plans.

Keep in mind that the possibility of lost or stolen laptops or other hardware used to access the EHR as well as cyberattacks are a real threat. State-of-the-art security measures, including encrypted data, cloud-based backup, and strong and unique passwords, can help protect patient records and defend against potential malpractice claims.

Mandatory periodic training and updating of passwords can help keep a practice in compliance with various HIPAA security requirements, which could prove beneficial in malpractice claims. Each user must be assigned a unique password. In addition to increasing security, this will identify which staff members are making which patient entries, a slice of information that could prove beneficial to a physician's defense during any malpractice claims.

Ongoing Use to Avoid User Errors
One benefit of EHR technology is the ability to streamline routine paperwork, thereby saving time that the physician can dedicate to patient care. Unfortunately, many of these time-saving shortcuts can also create increased opportunities for incorrect information to make its way into patient records. ePrescribing errors and a failure to recognize important alerts can impact quality of care and create an electronic paper trail that could be used as part of a malpractice complaint.

The following are the most common user errors:

• Copy and paste: One of the most tempting time savers is copying information from one part of a patient record to another (or even across patients if the information, such as a diagnosis, is identical). The inherent risk, however, is not worth the seconds saved. In fact, 13% of EHR-related malpractice complaints involve copying and pasting. There have been cases, for example, where a physician entered identical progress notes for a patient over several days or weeks, thus making it difficult to accurately determine the patient's health. The best advice is to take the time to enter correct and updated information, and review it before making it part of the record.

• Template and autofill: Another time saver are forms prepopulated with common patient treatment entries or featuring drop-down checklists. The problem with these shortcuts is that inattentive physicians can end up recording generic data rather than unique patient information. Such an error can impact patient care and trigger a malpractice lawsuit. It also brings into question the attending physician's credibility and ability.

As with physical records, physicians must be accurate and timely, and review documentation before it enters the system.

• Ignoring alerts: Most EHR systems feature alerts to warn doctors of potential problems such as dangerous drug interactions and lab results that fall out of the normal, expected range. Alerts also offer educational support for making clinical decisions.

While it may be convenient to ignore, override, or even disable these alerts, savvy physicians will resist the temptation to do so because they are legally responsible for the data they input, receive, and access. In the case of a malpractice suit, a physician could be held liable for disregarding an alert that could have prevented an adverse event.

• Sharing passwords: This goes without saying, but the best policy is to never share passwords—no matter how convenient it may be in the moment. This policy protects both physicians and patients.

The Way Forward
EHR use will continue to increase as will the technology's sophistication, interoperability, and functionality. Eventually it will be easier for EHRs to communicate with each other across platforms, providers, and locations, ensuring that physicians can provide patients with seamless care wherever they may be and whenever they may need it.

Even with all these benefits, physicians cannot overlook the legal risks in using these systems. They must take steps to protect themselves, their practices, and their patients. Most are common sense, requiring little if any investment of time or resources. But doing so can pay strong dividends down the road through increased patient satisfaction, better treatment outcomes, reduced operating and insurance costs, and a lower risk of a malpractice complaint.

— Joy Stephenson-Laws is founding and managing partner of Stephenson, Acquisto, and Colman (www.sacfirm.com). She is a member of the American Bar Association, Consumer Attorneys of Los Angeles, California State Bar Association, US District Court-Central/Eastern, and the Ninth Circuit Court of Appeals.