Electronic Medical Records: Changing Medical Malpractice Litigation

Digital Discovery has invaded the medical malpractice field

“By computerizing health records, we can avoid dangerous medical mistakes, reduce costs, and improve care.” – President George W. Bush, State of the Union Address (Jan. 20, 2004)

“We will make sure that every doctor’s office and hospital in this country is using cutting edge technology and electronic medical records so that we can cut red tape, prevent medical mistakes, and help save billions of dollars each year.” - President Barack H. Obama, Radio Address (Dec 6, 2008)

Something both major political parties agreed upon has led to disagreement in the field of medical malpractice. While the contentious discussions on mandatory technological competence for lawyers echo in our ears, technological advances have been thrust into the practice of medical malpractice, and practitioners have had to work with them. A lawyer’s ability to adapt and accept will separate and define their success; in litigation, ignorance is not bliss.

When the Health Information Technology for Economic and Clinical Health Act (HITECH), within the larger American Recovery and Reinvestment Act of 2009 (ARRA), and the Patient Protection and Affordable Care Act (PPACA) were placed into effect, the field of medical malpractice was destined to change. And with the change, the scope of discovery in medical malpractice vastly expanded. The reason for the expansion was the Act’s established goal for “utilization of a certified electronic health record for each person in the United States by 2014.” 42 USC 300jj-11(c)(3)(A)(ii). In order to accomplish its goal, the government provided an EHR incentive program for clinicians and hospitals which demonstrated meaningful use of electronic health records. With incentives and penalties driving conversion, almost all hospitals and most private practitioners have switched their practices over to electronically stored health records.

Foreseeing the risks associated with such a fast implementation of EHR in the country and a need for protection of these new electronic records, the Department of Health and Human Services (HHS) promulgated the privacy and security rules under HIPAA, the Health Insurance Portability and Accountability Act. 67 Fed. Reg. 53,182 (Aug. 14, 2002), 68 Fed. Reg. 8333, 8334 (to be codified at 45 C.F.R. 160, 162, 164; finalized in 45 C.F.R. 160, 162, 164 (2003)). The rules created standards to address how health information may be used and protected. One of their purposes was to ensure that medical records could not be altered without detection; “protect the security and privacy of individual identifiable health information (‘IIHI’).” Smith v. American Home Prod. Corp, 372 N.J.Super. 105 (N.J. Super. App. Div. 2003).

The HIPAA Security Rule requires regular monitoring of system activity, including audit logs and access reports, by IT personnel or compliance officers on at least a quarterly basis. 45 CFR 160, 162, 164; 45 CFR 164.308(a)(1)(ii)(C); 45 CFR 164.312(b). Additionally, the HIPAA Security Rule requires every covered entity or business associate to use standard “audit controls” through implementation of “hardware, software, and/or procedural mechanisms to record and examine system activity in information systems that contain or use electronic protected health information.” 45 CFR 164.312(b).

The entities are required to “implement policies and procedures to protect electronic protected health information from improper alteration or destruction” and implement “[m]echanism[s] to authenticate electronic protected health information… to corroborate that electronic health information has not been altered or destroyed in an unauthorized manner.” 45 CFR 164.312(c)(1) and (2). In addition to authenticating the records, they were required to implement procedures to authenticate the person or entity seeking access. 45 CFR 164.312(d).

Similar to the federal HITECH Act, in the State’s HIT Operational Plan, part of New Jersey’s Vision Statement was to “envision a New Jersey HIT environment by 2014 where: All NJ consumers have a secure electronic health record that includes all health related information and services.” State HIT Operational Plan of August 13, 2010 containing December 2010 Updates, Section 1.0 Executive Summary, p. 7 of 167. “All patients will have access to a secure, electronic and portable health record.” New Jersey Plan for Health Information Technology, October 16, 2009, at p. 7. In quick terms, a patient can travel with all of their records and, therefore, theoretically, have better care in the future. A familiar standardization of medical information and portability can be witnessed by use of SNOMED-CT, the systematic nomenclature of medicine and clinical terms, DICOM, the digital imaging and communications in medicine standard for films (x-rays, MRI, CT-Scans, etc.), and HL7, the health level 7 international standards. Due to the enforcement requirements, a health law attorney may be the best friend a medical malpractice attorney can have. And a corporate attorney can tell you the benefits and horrors regarding delving into the complex world of e-discovery.

So what does this mean for the medical malpractice attorney? Do they have to become versed in health law and corporate discovery? It means different things for the plaintiff attorneys and the defense attorneys.

Since a patient’s medical history, record, test results, and films have become easily transferrable through electronic and portability requirements, a plaintiff attorney must know what exists, what to request, when to request it, and how to request it. The New Jersey Bill of Rights for hospital patients states that every person admitted to a general hospital shall have the right to access all records pertaining to the patient’s treatment and to receive a copy thereof. N.J.S.A. 26:2H-12.8. The New Jersey Patient Rights states that a patient shall have prompt access to, and can obtain a copy of, the information contained in the patient’s record. N.J.A.C. 8:43G-4.1(24), (25). But if a practitioner wishes to know what was truly done with regard to their client, they should not limit their requests to a copy of the record; they should seek all the electronic data associated with the care.

Under our New Jersey Court Rules, R. 4:18-1(a), any party may serve on any other party a request to produce documents (including…electronically stored information and any other data stored in any medium from which information can be obtained). The Rule is limited only by subpart (b), under which the requestor must set forth the items to be inspected, describe each item and category with reasonable particularity, and specify the form or forms in which it is to be produced. It is almost impossible to describe that which you cannot comprehend or even know exists.

The plaintiff attorney, therefore, must be as specific as possible and base the request on information derived from HIPAA, HITECH, NJ HIT, and other statutes. Further, they should utilize the facility’s policies, procedures, and data map to learn what the health system contains and who maintains it. Sometimes the true evidence is contained in a software module extension program and not within the main electronic health record system. And if the requestor fails to ask for it in its native format or a useable electronic format, they will be provided a limited printed version.

A practitioner, in the medical malpractice field, can give examples of how the printed record significantly differs from the electronic version of the same. A fluid interface doesn’t translate to static paper. Many times, the item provided is a printout or shell of the record and void of the audit data. Since our Rules state that when requesting electronically stored information, the requestor may specify the form or forms in which the information is to be produced, it falls on the plaintiff’s attorney to understand different file types. See R. 4:18-1(b)(1).

Problematic for the defense attorney is how to answer the request. What sounds fairly simple may become extremely complex after a conversation with the physician-client, who usually is not very savvy with computers or technology. And there is a real danger for the defense attorney and their client based on their response or lack of a response. A lawyer cannot hide under the claim that the hospital representative swears that it is the entire record. Their failure to provide requested documents subjects them to sanctions, under R. 4:23-1, or the dismissal of their answer, under R. 4:23-5. Further, “the so-called spoliation inference [] comes into play where a litigant is made aware of the… concealment of evidence during the underlying litigation.” Rosenblit v. Zimmerman, 166 N.J. 391 (N.J. 2001).

By failing to provide documents specifically requested in discovery, the attorney can put their clients at risk for an amendment to the complaint for counts of Fraudulent Concealment of Medical Records. The elements can be met by the request and failed response: 1) defendant had a legal obligation to disclose evidence in connection with an existing litigation, 2) the evidence was material to the litigation, 3) plaintiff could not reasonably obtain access from another source, 4) the defendant intentionally withheld the evidence with purpose to disrupt the litigation, and 5) that plaintiff was damaged in the underlying action by having to rely on an incomplete record. See Model Jury Charge 5.50I. To summarize, plaintiff requested it, defendant didn’t provide it, plaintiff couldn’t get it from elsewhere, it was intentionally not provided, and plaintiff had to at least pay to file a motion because of it. “Such conduct cannot go undeterred and unpunished and those aggrieved by it should be made whole with compensatory damages and, if the elements of the Punitive Damage Act, N.J.S.A. 2A:15-5.12, are met, punitive damages for intentional wrongdoing.” Rosenblit v. Zimmerman, 166 N.J. 391 (N.J. 2001). The difficult proof will be element number 4. However, it is not necessary for the plaintiff to prove this by direct evidence. As all litigators know, a fact may be proved by both direct evidence and circumstantial evidence, and the jury will make the call. Newmark-Shortino v. Buna, 48 A.3d 401 (N.J. Super. 2012).

Defendants frequently fail to adequately respond to the specific requests and fail to advise their counsel of the technical aspects of their systems, especially when the request is for the audit trail and audit logs in their native format. Clearly the information is relevant because it addresses the exact subject of the litigation. As for the audit trail and log, it contains evidence of who did what, when, and from where. These are all critical elements of a case; the audit trail may confirm or contradict testimony and/or the record.

It is hard for the physician or hospital to claim ignorance of audits and standardization when the requirements are federally mandated and EHR policies and procedures are required. Since an audit trail is created by automated monitoring software that contemporaneously records the manipulation of a patient’s EMR as it occurs, information is recorded every time a user views, edits, prints, deletes, downloads, exports, or otherwise manipulates any part of a patient’s EMR. And federal and state law require these audit controls. 45 C.F.R. 164.312.
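As an added illustration (not from the original article and not any EHR vendor's code), the sketch below shows why a native-format audit trail is reviewable evidence: each entry records who, what, when and from where, entries are hash-chained so an altered or removed entry is detectable, and a reviewer can list the edits made after a chosen cutoff. The field names, the chaining scheme and the sample events are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # assumed starting value for the chain

def entry_hash(prev_hash, entry):
    """Hash an entry together with the hash of the entry before it."""
    body = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def build_trail(events):
    """Append-only trail: each record is bound to its predecessor."""
    trail, prev = [], GENESIS
    for event in events:
        prev = entry_hash(prev, event)
        trail.append({"entry": event, "hash": prev})
    return trail

def first_broken_link(trail):
    """Index of the first record that no longer verifies, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        if entry_hash(prev, rec["entry"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None

def edits_after(trail, cutoff_iso):
    """Entries that changed the record after the cutoff (e.g. discharge)."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    return [r["entry"] for r in trail
            if r["entry"]["action"] in {"edit", "delete"}
            and datetime.fromisoformat(r["entry"]["when"]) > cutoff]

# Constructed sample events (hypothetical users, workstations and dates).
SAMPLE_EVENTS = [
    {"who": "nurse_a", "action": "view", "when": "2015-03-01T08:05:00",
     "where": "ws-12", "item": "vitals"},
    {"who": "dr_b", "action": "edit", "when": "2015-03-01T09:30:00",
     "where": "ws-03", "item": "progress_note"},
    {"who": "dr_b", "action": "print", "when": "2015-03-02T10:00:00",
     "where": "ws-03", "item": "progress_note"},
    {"who": "dr_b", "action": "edit", "when": "2015-04-20T22:15:00",
     "where": "remote-vpn", "item": "progress_note"},
]

if __name__ == "__main__":
    trail = build_trail(SAMPLE_EVENTS)
    print("first broken link:", first_broken_link(trail))
    print("late edits:", edits_after(trail, "2015-03-03T00:00:00"))
```

A chain like this only shows that the stored entries are internally consistent; detecting removal of the newest entries requires keeping the latest hash somewhere the record custodian cannot rewrite.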

HIPAA required that the Secretary adopt Security Standards for health information which shall take into account the technical capabilities of record systems used to maintain health information and the value of audit trails in computerized record systems. 42 USCA 1320d-2(d)(1). It required each person who maintains health information to maintain administrative, technical, and physical safeguards to ensure the integrity and confidentiality of the information. 42 USCA 1320d-2(d)(2). Pursuant to the Secretary’s authority, the provisions of 45 CFR 164 et seq. were adopted. 45 C.F.R. 164.102.

Audit controls include implementing hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. 45 C.F.R. 164.312(b). This follows with the requirement of verifying integrity of the record by implementing policies and procedures to protect health information from improper alteration or destruction. 45 C.F.R. 164.312(c). The entity must document the policies and procedures for the required specifications. 45 C.F.R. 164.316. To assist in understanding the standards, the subchapter of Health Information Technology’s Part named Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology was adopted. 45 C.F.R. 170.

The field is changing. There are those that will adapt and those that will not. It is an exciting time for both sides of the field. No longer are we holding paper records to the light and searching for erasure marks. We now just comb through an audit trail to see the edits to the record. In the modern world of medical malpractice litigation, ignorance is not an excuse that can be claimed by the physician, the defense attorney, or the plaintiff’s counsel.