Electronic Medical Records: What You Don’t See Can Kill You… in Court
By Armand Leone and E. Drew Britcher, New Jersey Law Journal
March 20, 2017
The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted in 2009 to address certain shortcomings in protections for and security of electronic medical records (EMR). For lawyers litigating personal injury claims, HITECH created the right for patients to receive electronic copies of their personally identifiable health information (PIHI) in an electronic format, including metadata which contains information about how the data was entered, accessed and if it was changed. When medical records are needed to prove liability or when the veracity of medical entries is at issue, the EMR provides information that simply does not transfer to the printed form.
The EMR information displayed on a computer screen for a nurse is often different than what is displayed for a physician, and differing by the particular EMR system being used. The forms and dropdowns can differ by user level. Accessible information may differ depending on the user’s authorization credentials. It is this inability to see these other dimensions in the printed copy of the EMR that makes the paper record only “two-dimensional.” In its electronic form, the EMR provides an additional dimension of information creating a “three-dimensional” record that can be viewed from varying user perspectives.
HITECH and EMR Access Requirements
Personally identifiable health information in electronic medical records is protected under The Health Insurance Portability and Accountability Act, 42 U.S.C.A. §1320(d) et seq. (HIPAA). HITECH extends the protections of HIPAA beyond the three original “Covered Entities” (health plans, health-care clearing house and health-care providers) to third parties who come into contact with PIHI. HITECH also provides that “the individual shall have a right to obtain from such covered entity a copy of such
If the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form.
45 C.F.R. 164.524(c)(2)(ii). The express language of HITECH provides a mechanism for attorneys to obtain an electronic copy of a patient’s medical records. If the patient chooses, he may “direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.” 42 U.S.C. §17935(e)(1).
If an individual’s request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual … the individual’s request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information.
45 CFR 164.524(c)(3)(ii). The covered entity must act on a request for access by 30 days after receipt of the request. 45 C.F.R. 164.524(b)(2).
HITECH limits the costs that can be charged to a patient when requesting electronic medical records. The statute provides: “Any fee that the covered entity may impose for providing such individual with a copy of such information … if such copy … is in an electronic form shall not be greater than the entity’s labor costs in responding to the request for the copy.” 42 U.S.C.S. §17935(e)(2). Supporting regulations additionally confirm that covered entities may impose a reasonable, cost-based fee for providing requested medical records but only for the following costs: (1) labor for copying the health information whether in paper or electronic form; (2) supplies for creating the copy if the individual requests that the electronic copy by provided on portable media; (3) postage; and (4) preparing an explanation or summary of the protected health information, if agreed to by the individual. 45 C.F.R. 164.524(c)(4)(i)-(iv). One would expect that the cost for obtaining medical records in electronic form should be less than for paper records, since it requires a less labor, supplies and postage.
The Veterans Health Administration allows patients to go online and download their medical records without charge. Kentucky requires providers to give patients the first copy of their medical records for free. HITECH guidelines suggest a maximum flat fee of $6.50 for electronic copies of records. Injury cases often involve hospital admissions that contain thousands of pages. Although HITECH should allow less expensive copies, these benefits have not been realized. Not only do higher fees increase the cost of litigation but there are concerns in the medical community that higher fees limit patient access to their records and negatively affect care. Changing the current provider charging practices will require a concerted effort including education of medical providers and perhaps legal action to compel compliance.
Metadata Is Important
What makes the electronic form of the medical record important is that it contains patient information and the “metadata,” which characterizes other data in the record. Metadata is used to determine where the information came from, who created it, and who accessed it. Metadata is data created and stored electronically when the medical record is made and describes attributes about the data. It is stored in different places in different forms. Metadata can describe how, when and by whom ESI was collected, created, accessed, modified and how it is formatted. Portions of metadata can be extracted when native files are processed for litigation. Some metadata, such as file dates and sizes, can easily be seen by users; other metadata can be hidden or embedded and unavailable to computer users who are not technically adept. Metadata is not reproduced in full form when a document is printed to paper or electronic image. Obtaining this information requires a specific request for the EMR metadata
There are four types of metadata: application metadata, document metadata, file size metadata and embedded metadata. The two most important types of metadata for attorneys to get are the document and embedded metadata. The document metadata includes information about who accessed the information (user name); what action was taken (view, create, edit or print); the date and time of access; and how long the user was on the system. The embedded metadata contains information about versions and tracks changes to the information in the record. The most important metadata information to request is the audit trail. It shows exactly when entries were made into the computer, who made them and how long was spent with the record open. The audit trail can be printed out or supplied in PDF format. Even without obtaining an electronic copy, a paper copy of the EMR audit trail can provide a lot of information that can be useful in discovery.
Despite the foregoing, many health-care delivery systems and many courts have been resistant to producing or requiring the production of the true digital record. A printed version of the record is fraught with problems, as the printing of the record is often inconsistent and dependent on the individual printing the same. In a recent deposition, where eight attorneys were in attendance, five different versions of the record were possessed, with differing total numbers of pages and differing page numbers. Nevertheless, many attorneys defending hospital systems claim that the record cannot be meaningfully provided digitally because of the “proprietary” nature of the particular EMR system. They argue that without their specific system, the EMR is not viewable.
However, any reputable EMR should have a continuation of care document (CCD) output, so it can be viewed by other providers using different EMR systems. The CCD is an XML-based standard and was recognized in 2008 by the U.S. Secretary of Health and Human Services for this use. It is time that all involved in litigation involving medical records accept that the record must be produced in the format representative of the EMR as used, and that the audit trail be produced without the necessity for motion practice or a showing of a particularized need. The courts have embraced e-filing, it is time for the courts to embrace a requirement that the EMR be fully produced and perhaps the Rules of Court be amended to reflect the same.
Another consequence of allowing access to EMRs is the need to allow the deposition of the health-care provider to be performed at a terminal that can run the record as it was seen and used by the provider and videotaped accordingly. Nurses and other providers have testified at depositions, when a paper record was provided, that they had never seen their record in that format and did not know how to interpret the same. The need for the digital record to be available to them is clear. In addition, the record, as presented in the digital format, includes the ability for the provider to navigate between different “dropdown menus,” which allows them to move to other sections of the record. It also provides algorithms for care and allows for the entry of pre-printed “canned” text to be entered into the record, instead of requiring a provider to enter information, which requires more time. It should be the rule, not the exception, that these depositions occur “at the terminal.”
A basic understanding of the nature of EMR, the provisions of the HITECH Act, and appreciation for the depth of the content of a digital medical record, is now essential for all attorneys involved in medically related litigation. Likewise, a change in the difficulty of getting records in a reproducible digital format needs to occur to streamline this process. Lawyers, medical providers, health-care institutions and the courts all need to adjust to this change in the dynamic of the current EMR world.