AMA News Article Offers Incomplete (and Thus Misleading) Advice on the Legal Risks of EHRs and other Clinical IT

An article was published in the AMA News by Alicia Gallegos, AMA Medical News staff, entitled "Legal risks of Going Paperless." While it is not clear if these are the official views of the AMA leadership, the article is interesting nonetheless.

It should perhaps have been entitled "Some of the Legal Risks of Going Paperless, excluding the ones that make the health IT industry look bad:"

Legal Risks of Going Paperless
AMA News
March 5, 2012

Electronic medical records are meant to save time and money, but they also can create liability issues for doctors.

By Alicia Gallegos, amednews staff.

Defense attorney Catherine J. Flynn knows how electronic medical records can overwhelm — and often change — the course of a medical liability lawsuit.

In one of her cases, a New Jersey doctor being sued for medical negligence has been accused by a plaintiff’s attorney of modifying a patient’s electronic history. A printing glitch caused the problem, Flynn said, but the accusation has meant extra time and defense costs. Computer screen shots were reviewed, more evidence was gathered and additional arguments were made.

“This has taken a life of its own, and we’ve done virtually no discovery on the medical aspects of the case,” she said. “The cost of the e-discovery alone is in excess of $50,000.”

This is a variation on the theme of plaintiff's lawyers being the cause of EHR problems as I wrote at "Plaintiff's Trial Lawyers Are to Blame for EHRs That 'Tattle' on Doctors - And Harm Patients."

System breaches. Modification allegations. E-discovery demands. These issues are becoming common courtroom themes as physicians transition from paper to EMRs, legal experts say. Not only are EMRs becoming part of medical negligence lawsuits, they are creating additional liability.

Missing is the problem that is most important of all: health IT system defects, poor user interfaces, unreliability, data loss, etc. causing or contributing to medical malpractice that results in patient harm or death. (An example that I personally observed and reported to the FDA MAUDE database is here; there are numerous others in this blog.)

Data breaches are among the most common reasons that electronically stored information lands doctors in court, said Lisa Gallagher, senior director for privacy and security at the Health Information and Management Systems Society, which advocates health information technology

Most common perhaps (a big problem unto itself), but not the most clinically significant problem. Yet the AMA article goes on about this issue for many paragraphs; it's the prime focus of the article.

A 2011 ruling in New York highlights how e-discovery creates a burden for doctors.

During a lawsuit against St. Luke’s Hospital Roosevelt Center, a debate arose about whether the plaintiff should be allowed access to screen shots from a doctor’s computer. Joan Bowman, who sued the hospital for wrongful death on behalf of her husband, wanted to see a computer template used to aid physicians in diagnoses. The hospital said the request was overly broad and oppressive.

But the Supreme Court of the State of New York ordered the release of the screen shots.

“Defendant doctors testified that they utilized these materials in coming to their diagnosis,” Judge Alice Schlesinger wrote. “It is not a stretch to allow counsel to see and understand these materials.”

At this article’s deadline, the hospital’s attorney had not returned messages seeking comment.

The case sets a precedent, said Susan Dennehy, Bowman’s attorney.

“If others want to see screen shots from records, I think they’ll rely on this case,” she said. “It was important to see where the template led you if you put in an inaccurate chief complaint.”

Note the "spin" about the "burden for doctors" of eDiscovery. To the pundits and voluntary adopters: you have gotten what you asked for. To the non-pundit clinicians forced to use health IT: I hate to say this, but you've gotten screwed.

The article then offers a laundry list of how to avoid EHR-related liability:

... As the number of electronic medical records increases, so do certain legal risks, medical liability experts say. Common mistakes doctors make with EMRs and how attorneys recommend that physicians reduce their liability risks:

Mistake: EMRs allow users to move quickly through patient records, but cutting and pasting information makes it easy to paste incorrect information.
Recommendation: Refrain from copying and pasting EMR data, and be cautious when moving from one patient’s record to the next.

Mistake: Computer programs can help doctors make a differential diagnosis, but the templates don’t often include every possible symptom and corresponding medical condition.
Recommendation: Doctors should not become overly dependent on electronic diagnosis aids. Electronic systems are no substitute for hands-on diagnosis.

Mistake: Because EMRs allow physicians to move through patient charts much more quickly than paper charts, attorneys are noticing that some doctors are not being thorough when writing notes electronically.
Recommendation: Physicians should keep meticulous electronic notes on each patient and take time to document each chart.

Mistake: Some practices can fail to safeguard electronic patient data.
Recommendation: Practices should encrypt all information on computer devices and have policy that discourages employees from taking portable devices out of the office.

Mistake: A system may not clearly indicate changes to records.
Recommendation: Physicians should install systems that show transparency when modifications are made and/or have a program lockout period where no more modifications can be made to a record.

Mistake: Doctors may fail to follow notification requirements in the event of a data breach.
Recommendation: Be clear on what your state law requires when a data breach occurs, and make sure employees follow the rules immediately.

Mistake: Doctors may destroy or delete electronic records when a lawsuit is possible.
Recommendation: If doctors suspect they are being sued, they must preserve all electronic data related to the patient in question, including emails, phone messages and computer records.

Missing is this, as is well-covered by almost 8 years of posts on this blog, and elsewhere:

Big mistake: Doctors and hospitals buy and implement experimental technology approved by nobody, of uncertain quality to the point of losing or corrupting data, often with glass-tube black-and-white TV user interface modernity. Such technology is "errorgenic", i.e., it promotes "use error", can mislead, and can promote medical errors.
Recommendation: Hold off until the industry has gotten its act together.

Also missing from the AMA News article is the fact that physicians and hospitals use health IT at their own risk, even if the IT is "certified."

This article is clearly pregnant with omissions and spin that reveal a pro-health IT bias.

-- SS

Is ONC Stonewalling on the issue of HIT Certification, Safety and Liability?

At my Feb. 16, 2012 post "Hospitals and Doctors Use Health IT at Their Own Risk - Even if Certified" I wrote that an ONC-ATCB (Authorized Testing and Certification Body) replied to my email inquiry about health IT certification, safety and liability indemnification by stating that:

What was suggested in the email below (freedom from liability for users of the system, etc.) would be out of scope for ONC-ATCB testing based on the given criteria.

[That is, the criteria used in testing here - ed.]

What I did not include in that post was the fact that some months ago, I had emailed ONC directly with the same questions, and then called them on the phone with those questions at about the same time as I inquired of the ATCB.

ONC itself never responded.

There are several possibilities:

• They don't know the answer.
• They don't want to respond.
• They don't care to respond.

Dismissing possibility #1, these civil servants appear to be stonewalling on the issue.

It would be nice to hear ONC itself admit the term "certification" is a gossamer guarantee of health IT safety, efficacy and indemnification of purchasers, implementers and users from potential EHR-related liability.

I am not holding my breath.

-- SS

Addendum:

An ONC representative did get back to me on Feb. 27, but I told them my question had already been answered by ONC ATCB's.

Hospitals and Doctors Use Health IT at Their Own Risk - Even if "Certified"

Due to my observations of confusion about health IT certification [1], and due to vague or incomplete seller language that could be misinterpreted by buyers (perhaps by design), I recently asked several ONC-ATCBs (HHS's Office of the National Coordinator for Health IT-Authorized Testing and Certification Bodies) the following.

I sent this question via email to their "questions" email addresses:

"Is EHR certification by an ATCB a certification of EHR safety, effectiveness, and a legal indemnification, i.e., certifying freedom from liability for EHR use of clinical users or organizations? Or does it signify less than that?"

One ONC-ATCB provided the following in response to my request for information.

From: Trivedi, Amit V (ICSA Labs)
Sent: Thursday, February 16, 2012 11:22 AM
To: Scot Silverstein
Subject: RE: Form submission from: Contact Us

Hello Scot,

Thanks for your email. Certification by an ATCB signifies that the product or system tested has the capabilities to meet specific criteria published by NIST and approved by the Office of the National Coordinator. In this case the criteria are designed to support providers and hospitals achieve "Meaningful Use." A subset of the criteria deal with the security and patient privacy capabilities of the system.

Here is a list of the specific criteria involved in our testing:
http://healthcare.nist.gov/use_testing/effective_requirements.html

In a nutshell, ONC-ATCB Certification deals with testing the capabilities of a system, some of them relate to patient safety, privacy and security functions (audit logging, encryption, emergency access, etc.).

What was suggested in the email below (freedom from liability for users of the system, etc.) would be out of scope for ONC-ATCB testing based on the given criteria. [I.e., certification criteria - ed.] I hope that helps to answer your question.

Thanks,

Amit

Amit Trivedi
Program Manager - Healthcare
ICSA Labs, an Independent Division of Verizon Business

Mar. 5, 2012 Addendum:  I also received a response from another ONC-ATCB, the Drummond Group:

From: Joani Hughes (Drummond Group)
Sent: Monday, March 05, 2012 1:06 PM
To: Scot Silverstein
Subject: RE: EHR certification question

Per our testing team:

It is less than that. It does not address indemnification although a certification could be used as a conditional part of some other form of indemnification function, such as a waiver or TOA, but that is ultimately out of the scope of the certification itself. Certification in this sense is an assurance that the EHR functions in way that could enable an eligible provider or eligible hospital to meet the CMS requirements of Meaningful Use Stage 1. Or to restate it more directly, CMS is expecting eligible providers or eligible hospitals to use their EHR in “meaningful way” quantified by various quantitative measure metrics and eligible providers or eligible hospitals can only be assured they can do this if they obtain a certified EHR technology.

Please let me know if you have any questions.

Thank you,
Joani.

Joani Hughes
Client Services Coordinator
Drummond Group Inc.

These are direct and clear statements.

My question was certainly answered. ONC cerification is not a safety validation, such as in a document from NASA on aerospace software safety certification, "Certification Processes for Safety-Critical and Mission-Critical Aerospace Software" (PDF) which specifies at pg. 6-7:

In order to meet most regulatory guidelines, developers must build a safety case as a means of documenting the safety justification of a system. The safety case is a record of all safety activities associated with a system throughout its life. Items contained in a safety case include the following:

• Description of the system/software
• Evidence of competence of personnel involved in development of safety-critical software and any
safety activity
• Specification of safety requirements
• Results of hazard and risk analysis
• Details of risk reduction techniques employed
• Results of design analysis showing that the system design meets all required safety targets
• Verification and validation strategy
• Results of all verification and validation activities
• Records of safety reviews
• Records of any incidents which occur throughout the life of the system
• Records of all changes to the system and justification of its continued safety

Health IT testing conspicuously lacks attention to most of the aerospace software safety points above. I note that there appears to be no reasonable excuse for such omissions.

IOM has recently studied the issue of HIT safety. IOM states in a Nov. 2011 report that HIT safety and safety testing is unsatisfactory, and has recommended HHS study it as well. IOM recommends HHS annually re-evaluate whether regulation is needed to improve safety, although IOM favors industry self-policing [2].

Thus, buyers and users of even "ONC certified" health IT are not indemnified from liability due to medical errors or problems caused by the health IT.

Sellers who exaggerate the value of certification or imply its meaning is akin to FDA device approval, likewise, could be faulted for making false representations about their products.

It would appear the sellers could potentially be sued for doing so by purchasers/users who themselves get into legal hot water due to EHR defects or other problems.

-- SS

Note:

[1] I believe confusion about EHR "certification" is in part due to the term itself. I raised objections to this term when it was first proposed based on my experience in pharma, suggesting what I felt was the more accurate expression "features qualification" instead.

[2] "Health IT and Patient Safety: Building Safer Systems for Better Care", Institute of Medicine of the National Academies, Nov. 2011, http://www.iom.edu/Reports/2011/Health-IT-and-Patient-Safety-Building-Safer-Systems-for-Better-Care.aspx

Those Goddamn Plaintiff's Trial Lawyers Are to Blame for EHRs That 'Tattle' on Doctors - And Harm Patients

It seems the EHR technophiles are starting to notice one of the side effects of EHR technology: the liabilities EHRs impose on users.

Interestingly, those liabilities are presented below as the fault not of a cavalier industry receiving extraordinary governmental and regulatory accommodation compared to other healthcare sectors that, among other issues, have allowed it to (see hyperlinks for more information):

• Disregard practices of good software engineering, product safety and human factors issues (usability),
  
• Ignore tenets of good information presentation yielding literal reams of 'legible gibberish' masquerading as medical records that confuse attorneys on both sides of the Bar as well as clinicians,
  
• Flout proper conduct of human subjects experimentation e.g. without informed consent,
• Avoid appropriate methodologies for medical device trials (all the while promoting the data these devices generate as 'revolutionizing healthcare'),
• and more as covered on this site and at my Drexel University educational site at this link.
  

Instead, the liabilities are presented as the fault of plaintiff trial lawyers, who need to be disempowered through yet another special accommodation for health IT.

My comments are interspersed in [red italics]:

Feb. 8, 2012
The Wall Street Journal
MarketWatch
Healthcare IT Expert Exposes Hidden Risks of Lawsuits Due to Electronic Health Record

Spokesperson Says Electronic Health Records May Give Crippling Access to Physician's Actions and Increase the Need for Defensive Medicine

[Crippling access to physician's actions? That is an odd combination of terms - ed.]

DELRAY BEACH, Fla., Feb 8, 2012 (GlobeNewswire via COMTEX) -- Since the American Recovery and Reinvestment Act (ARRA) passed in February 2009 and caused a digital tsunami in the healthcare industry, physicians have been scrambling to comply with the requirement to switch to electronic health record systems. (EHRs) While many in the healthcare industry laud the use of EHRs to improve quality of care and analyzing patient outcomes, Dr. Sam Bierstock, founder of Champions In Healthcare, points out significant concerns regarding increased vulnerability to medical legal claims that may result from the use of EHRs without major tort reform that would relieve physicians of an onslaught of malpractice suits.

"EHRs unquestionably have the potential to improve patient safety and the quality of care delivered, but what few people realize is that using an EHR exposes physicians to an Orwellian level of analysis of every single act while doing their job," said Bierstock, who has advocated and pioneered the use and benefits of EHRs for more than 30 years." EHRs, however, can also be audited to examine how long it took them to act after an abnormal lab result came in, if the doctor checked on on-line references before making a clinical decision, what was said in every email and how long the doctor took to respond, and even how long the doctor looked at a screen or scrolled down to read an entire document.

[Why, exactly, this is a bad thing, I do not understand; it seems hypocritical. After all, any data collected that can help improve healthcare has been deemed golden - up to now - ed.]

Physicians are exposing themselves to an unacceptable level of scrutiny and analysis of their use of computers that may serve to encourage malpractice suits.

["Unacceptable level of scrutiny" is largely a code phrase for audit trails and other 'metadata', i.e., automatically generated computer data that shows who accessed or modified a document or other data, when, from where, etc. I ask - access to this data is unacceptable to whom? Injured patients? - ed.]

Meaningful tort reform is essential to getting the maximal benefit from these wonderful systems.

[Wonderful systems, when even the IOM admits we don't know the level of harm they cause, the NIST indicates they are poorly usable, and so forth as here? - ed.]

According to Bierstock, the problem runs even deeper because during his career as an industry consultant with Champions in Healthcare, and as a speaker at healthcare events he has noticed that the vast majority of physicians are still not aware of the complex requirements imposed upon them by the Health Information Technology for Economic and Clinical Health (HITECH) Act even though it has been a law for more than two years.

[I agree with the statement "imposed upon them", but this imposition was largely at the hands of the HIT pundits, the 'Ddulites' (technophiles who ignore technology's downsides, the opposite of 'Luddites', link), and various species of non-medical profiteers - ed.]

"I talk to many physicians who have no idea they can suffer financial, civil and even criminal penalties (i.e. jail) for non-compliance.," said Bierstock. "I have been asked to speak about this topic many times, but beyond HITECH, it's my opinion that similarly, doctors and hospitals don't yet fully realize their medical legal vulnerability associated with the use of EHRs.

[They will learn, fast, with Medical Informatics specialists such as myself on patients' side instead of on the side of the health IT industry - ed.]

This will be the case until there is major tort reform, which has unfortunately been thwarted by the influence of American Trial Attorneys and their associations."

[You see, it's all the fault of the evil Plaintiff's Bar - ed.]

Bierstock noted that in an effort to stimulate physicians and hospitals to install and use EHRs, The American Reinvestment and Recovery Act of 2009 also authorized the Centers for Medicare and Medicaid Services (CMS) to issue guidelines which define what is "Meaningful Use" of an EHR - guidelines which must be met in order for hospitals and doctors to receive financial incentive payments for using EHRs, or be penalized by having Medicare or Medicaid payments reduced for failure to meet the guidelines.

[Unfortunately, they did not formulate guidelines for safety. Thus, as Sharona Hoffman, JD notes in MEANINGFUL USE AND CERTIFICATION OF HEALTH INFORMATION TECHNOLOGY: WHAT ABOUT SAFETY?, "General system safety is a property that is attainable only through rigorous processes for development and evaluation. However, the regulations do not address certification of EHR vendors’ software development processes or even require vendors to analyze and mitigate potential safety hazards. Furthermore, ATCBs will use testing requirements developed by the National Institute of Standards and Technology (NIST) that are apparently intended only to determine whether systems include certain features. Passing such tests is not sufficient to ensure that those features function properly in the long term and under varied operating conditions." - ed.]

Bierstock believes that if physicians are expected to embrace EHRS, they should be allowed to do so in a manner that maximizes the benefits of these systems to the delivery of care and to the benefit of their patients without worrying about giving unlimited ammunition to trial lawyers.

[Perhaps the EHR pundits should have foreseen this eventuality before pushing the current administration to mandate national EHR rollout. It didn't take a rocket scientist to do so - ed.]

"Quite simply, physicians may be in a situation that leaves them vulnerable to litigation and threatens loss of their professional standing and personal assets -- all because an external evaluator [e.g., a trial lawyer, judge or jury -ed.] may not think the physician lived up to arguable standards in the digital age," said Bierstock. "Overall, EHRs are the litigator's proverbial golden goose. They are to malpractice attorneys what the electron microscope is to microbiology."

[In other words, EHRs deserve yet another special accommodation, this time regarding legal Discovery, in addition to the many other special accommodations this industry has received. In fact, EHRs make available only that which they are designed to, and discoverability of that information is a Federal matter under the Federal Rules of Civil Procedure (FRCP) governing e-discovery - "On December 1, 2006 the Federal Rules of Civil Procedure were revised to address numerous e-discovery issues. Rules 16,26,33,34,37 and 45 require attorneys to pay specific attention to electronic discovery issues. E-Discovery practices and strategies need to be reviewed and aligned with the updated rules to ensure compliance." - ed.]

I find requests for additional special accommodations for EHR's over other medical devices and IT in other industries (e.g., airplane black boxes and cockpit recorders that monitor the every move of pilots) to be illustrative of the concept "be careful, you may get what you wish for."

That plaintiff trial lawyers are blamed for quite properly using the Federal Rules of Civil Procedure to assure justice for victims of medical malpractice, including EHR-related medical malpractice, is outrageous.

It seems the pundits might be starting to panic, after realizing the "data utopia" that is going to "revolutionize medicine" has a downside.

-- S. Silverstein, MD

Feb. 14, 2012 Addendum:

It seems the clinical data itself generated by today's health IT - garnered while putting patients at risk and costing many billions of dollars - might not be anywhere near as trustworthy as advertised by the technophiles.

See "It Seems We Are Not The Only Ones Bumping Up Against EHR Data Quality Issues. PCEHR Implications Are Worth Considering" at the Australian Health Information Technology blog by Dr. David More, MB PhD FACHI, and the JAMIA articles he references.

Dr. More observes:

... If ever there was an example of “garbage in, garbage out” in operation this has to be it. There has to be a great deal of care taken as we move from the most simplest data sharing to more complex efforts.

-- SS