Can Technology Get You Sued?

It's hard to deny the obvious upside to healthcare technology. E-prescribing software has all but eradicated errors related to handwriting interpretation, while EHRs are enabling greater continuity of care. Telemedicine has opened the door to virtual house calls for the elderly and chronically ill, and mobile devices like smartphones and laptops are putting patient data into the hands of providers where and when they need it. Indeed, medical technology has revolutionized the delivery of care.

But for all the problems it has helped to solve, it's also created some new ones related to liability risk. "I don't think doctors realize how big of a potential problem this is," says Mark Anderson, chief executive officer of AC Group, a healthcare technology advisory and research firm in Montgomery, Texas, which identified 42 areas in which EHRs are contributing to malpractice lawsuits. "Many of the shortcuts we are using to make the system work faster are resulting in an increased number of malpractice claims."

Electronic prescription software is among them, he says. Physicians who renew prescription refills with a single click, for example, as vendors like to promote, fail to review any new clinical entries made since the initial prescription was written, making them more likely to miss changes that could jeopardize their patients' health. At the same time, the vast majority of e-prescribing software available today does not link patient lab results with its medication alert system, which is designed to alert physicians to potentially harmful reactions to a prescription drug, says Anderson. A lab result that shows high levels of creatintine in the blood, for example, can indicate a decline in kidney function, making a handful of commonly prescribed medications unsafe to use. "There are numerous lawsuits on this issue right now," says Anderson.

E-discovery

EHR time stamps have also proven problematic in the courts. In most cases, each time you update a patient's record, your EHR makes a note of the date and time. Plaintiff's attorneys can demand that data as part of the discovery process in a malpractice case. "Most physicians do not understand the software that is available in their EHR and so they don't necessarily know what can be tracked if a malpractice case arises," says Robert Goodson, a partner with the Washington, D.C.-based law firm Wilson, Elser, Moskowitz, Edelman & Dicker. "We are seeing more and more comprehensive discovery requests made by plaintiff's lawyers to obtain data from EHRs."

Some doctors, he adds, wait until the end of the day to complete their patient notes all at once. "In the past with paper records no one could see when you made an entry in a patient file, but the plaintiff's attorney can now say, 'You see 30 patients a day right? How can you be certain that this is accurate if you recorded the note at the end of the day?'" says Goodson, noting EHRs are not themselves creating the malpractice event, but are contributing to the size of settlements. Likewise, if you update your notes after each exam, the time stamp reveals how long you spent per patient encounter. An abbreviated visit might be called into question on the defense stand.

According to Goodson, all practices using an EHR or considering purchasing one, should ask their vendors to explain the nuances of their software and the various ways it could potentially help or harm their practice.

Cloning

The act of copying information electronically from a prior note or patient visit and pasting it into a new note (known as "cloning") can also land physicians in the legal hot seat. "This may result in irrelevant over-documentation, and the patient may appear to have more or less complex problems since the prior encounter," says David Troxel, medical director of The Doctors Company in Napa, Calif., a medical malpractice insurance company. "By substituting a word processor for the doctor's thoughtful review and analysis, the narrative documentation of daily events and the patient's progress may be lost, thereby compromising the record of the patient's course." The quality of notes and documentation may be further compromised, he says, by the use of automated templates.

Cloning, of course, can also result in record keeping inconsistencies - something plaintiff's attorneys prey upon. One note in a patient's record may allude to a peanut allergy or heart murmur, for example, while the record for a subsequent appointment, in which only part of the patient's record was copied forward, clearly does not. "These are mistakes that would not have been made under the old paper system and plaintiff's attorneys have figured that out," says Anderson. "When you have conflicting data in the chart that gives the plaintiff's attorneys an opportunity to say, 'Why did you sign off on this?'" A 2011 internal survey by AC Group found that 30 percent of the EHR charts they reviewed from 35 different software vendors contained physician notes with conflicting information.

Data, data, everywhere

The sheer volume of e-health information available to physicians these days makes it hard to manage liability exposure, as well. From a malpractice perspective, doctors may be held liable for failure to access or review all patient medical information to which they have reasonable access. That includes the data in their own EHR, hospital charts, consultants' reports, lab and radiology reports, and exams from outside specialists. "There is a public expectation that primary-care physicians should know everything in their patient's medical record, but the reality is that they don't because it's become so complicated to coordinate care with specialists that it's absolutely impossible," says Luke Sato, assistant clinical professor of medicine at Harvard Medical School and chief medical officer for the Controlled Risk Insurance Co. (CRICO) in Cambridge, Mass., the medical malpractice insurance carrier for all Harvard teaching medical institutions. That can lead to a missed diagnosis, he says.

Indeed, the largest percentage of malpractice claims (24 percent) processed by CRICO over the last few years relate to missed and delayed diagnoses, primarily of various forms of cancer. Such claims represent a disproportionate 60 percent to 70 percent of total losses, due to the size of monetary settlements. "The size of these awards is devastating because the severity of the cases is so high," says Sato. "If you miss cancer in a 30- or 40-year-old, the economic damages and impact on their families is huge. The court has great sympathy for that."

Alert fatigue

"Alert fatigue," in which EHR users start to dismiss or override the barrage of warnings that pop up on their computer screen when they order tests or medication, may also be contributing to malpractice claims, says Troxel. The clinical decision support system within most EHRs automatically generates a flag (in some cases up to 150 per day) to notify physicians about redundant tests, potentially harmful drug interactions, dosages, and suggestions for follow-up care. Since they often only pertain to a specialist or a small segment of their patient population, like diabetics or pregnant women, however, overworked providers dismiss many such alerts as irrelevant without bothering to read them.

A 2009 study published in the Archives of Internal Medicine of more than 200,000 alerts generated in ambulatory care by commercial outpatient electronic prescription systems found that clinicians accepted just 9.2 percent of drug interaction safety alerts. Even those representing "high severity" drug interactions were accepted just 10.4 percent of the time. "Use caution when overriding or disabling alerts, warnings, reminders and embedded practice guidelines," warns Troxel, noting practices can increasingly select software that allows them to screen such warnings for relevancy.

Civil penalties

The risks associated with health information technology, however, are not just limited to patient care. Wireless communication presents its own challenges when it comes to safeguarding patient privacy. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires healthcare providers to protect against unauthorized access to or disclosure of all electronically-stored patient health information.

While patients cannot bring private lawsuits, or causes of action, against healthcare providers for HIPAA violations, civil fines from the Health and Human Services department's enforcement arm, the Office for Civil Rights (OCR), can be substantial, says Lori LaSalle, a healthcare attorney with Abrams, Fensterman, Fensterman, Eisman, Greenberg, Formato & Einiger LLP in New York.

Civil penalties for non-compliance range from $100 to $50,000 per violation depending on the degree of negligence, with a calendar year cap of $1.5 million. "Just in the last few months we've seen providers coming in with investigations from OCR and we weren't seeing that before," says LaSalle. "I think we're definitely at the point where there are providers who are being investigated for complaints and they're being fined." (There are also criminal penalties at stake for those who knowingly obtain or disclose individually identifiable health information in violation of the HIPAA privacy rule ranging from $50,000 and a one-year prison term to $250,000 and up to 10 years imprisonment.)

To ensure HIPAA compliance, medical offices need to be sure their technology is encrypted, especially portable devices like tablets, laptops, and cell phones, to prevent access by hackers and unauthorized users, says LaSalle. They should also use password protection - both for their mobile devices in the event of loss or theft and for their EHR to ensure only authorized staff members have access to protected information.

While HIPAA permits the use of e-mail to discuss health issues and treatment with patients, the OCR advises healthcare providers to apply reasonable safeguards to avoid unintentional disclosures. That includes checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending any treatment-related messages. Other suggested safeguards include limiting the amount or type of information disclosed through unencrypted e-mail. "E-mail is a great source of potential HIPAA violations related to who it goes out to and how it gets shared," says Goodson. "It's not unusual for people to use someone else's e-mail address [like another family member's] to send a message, so if you are using e-mail you need to think about HIPAA and look at all the risks versus the benefits to patients."

The American Medical Association further recommends practices retain electronic copies of all e-mail communications with patients, establish a policy that defines the types of transactions (prescription refill, appointment scheduling, etc.) and sensitivity of subject matter (HIV, mental health, etc.) permitted over e-mail, and request that patients put their name and patient identification number in the body of their message.

Text messaging can also lead to HIPAA violations, especially when unencrypted messages are sent between personal cell phones, as when a hospital employee texts a physician to update him about a patient or ask for clarification of medication orders. "Providers need to be aware that when they are communicating on a [smartphone] or via e-mail that those technologies must meet the encryption requirement so the communication cannot be intercepted by an unauthorized party," says LaSalle. Several service providers offer HIPAA compliant encrypted text messaging to healthcare providers via mobile devices.

Physicians should also be wary of using social media networks to communicate with their patients, says Troxel, suggesting practices have a written confidentiality policy for employees that clearly restricts the discussion of patient health information online. While Facebook and Twitter may be useful for doctor-to-doctor consultations, in which no identifying patient information is disclosed, The Doctors Company advises physicians to resist such use with patients as it encourages a more informal tone, which may compel doctors to cross the line between personal and professional communication. Plus, notes LaSalle, social media networks are not secure, so any disclosure of protected health information would violate HIPAA privacy rules.

Healthcare technology is giving doctors the tools they need to better manage patient care, but progress often comes at a short-term cost. As the legal and regulatory framework evolves to protect patient safety without stifling innovation, providers will have to take steps of their own to mitigate liability risk.

"There are people who say EHRs are already making it less risky to deliver care. I agree with that because the alternative is a paper-based system and that's the worst-case scenario," says Sato, noting EHRs will better serve physicians in the coming years as users increasingly weigh in on functionality. "Going forward, I think technology will play a huge role in making healthcare less risky."

In Summary

There is no doubt that technology is moving healthcare forward, but with the rewards comes a bit of risk. Keep the following in mind:

• Many EHRs record the date and time you update patient notes.
• Copying and pasting patient notes from a prior visit can compromise a patient's record.
• The over abundance of e-health information is contributing to missed and delayed diagnoses.
• Portable devices like laptops and smartphones should be password-protected and encrypted.
• Social media is not HIPAA compliant, and thus inappropriate for patient-provider communication.

Shelly K. Schwartz, a freelance writer in Maplewood, N.J., has covered personal finance, technology, and healthcare for more than 17 years. Her work has appeared on CNBC.com, CNNMoney.com, and Bankrate.com. She can be reached via editor@physicianspractice.com.

This article originally appeared in the March 2012 issue of Physicians Practice.