The previous issue of Risk Review was dedicated to the basics of electronic health records (EHR) and other safety-enhancing technologies. In addition to establishing the differences between electronic health records and electronic medical records (EMR), as well as defining a host of other related terms and concepts, the articles in that issue explored the benefits and risks of these technologies and recounted the success story of at least one physician’s experience in implementing EHRs.
This article delves more deeply into what EHRs (or EMRs) must be able to accomplish in order to be considered “legal.” For the purposes of this article, to be “legal,” an EHR or EMR must comply with the stipulations for business records on computers (which apply to any kind of electronic record compiled during the “ordinary course of business”). This does not mean that failure to comply makes an electronic record “illegal.” However, as indicated in some of the examples in this article, noncompliance could subject physicians having such records to increased legal risk, including even fraud allegations – see the “Billing and Clinical Systems Integrity” section (page 2).
What Constitutes a “Legal” Electronic Health or Medical Record?
The American Health Information Management Association’s (AHIMA), which is dedicated to improving the standards for electronic health and medical records states on page 64A in its practice brief, Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes; AHIMA; Chicago (2005):
The legal health record is the documentation of healthcare services provided to an individual during any aspect of healthcare delivery in any type of healthcare organization. It is consumer-or patient-centric. The legal health record contains individually identifiable data, stored on any medium, and collected and directly used in documenting healthcare or health status.
Legal health records are records of care in any health-related setting used by healthcare professionals while providing patient care service or for administrative, business, or payment purposes. Some types of documentation that comprise the legal health record may physically exist in separate and multiple paper-based or electronic or computer-based databases.
There are three key functional requirements which EHRs and EMRs must meet to be legal: authentication, systems interaction and privacy/security protection. Use of systems failing to meet these functional requirements may result not only in greater malpractice liability, but also leaves its users vulnerable to claims of fraud and violations of privacy, security and confidentiality according to HIPAA Rules.
Authentication Functional Requirement
This refers to an EHR or EMR’s ability to demonstrate that the information is accurate and unaltered. In most systems, this function is handled in the background. Records of alterations, deletions or additions to a record are considered to be supportive data which the user can, if needed, inspect for purposes of validation. This “data about data” is often referred to as “metadata.” The ability to properly show late entries in an EHR or EMR is another important functional requirement to authenticate. Although some older systems show all of the “before and after” versions of changes in a single version, some newer systems do just the opposite, showing only one version and giving few, if any, indications that an alteration took place or what exactly the prior version stated.
To identify previous versions may require the very skills which could permit undetectable alterations of the records, thereby further compromising their integrity, credibility and authenticity. This could lead to suspicions of electronic “cover-ups” in the context of medical litigation cases, further complicating their defense, even when there may be no strong claims for negligence.
These variations and their legal implications for users demonstrate why every user must have a basic understanding of how the EHR or EMR system works, and, more importantly, meticulous instructions regarding how the system is to be used correctly. Behind every EHR or EMR implementation there must be medical records policies and procedures that form the crosswalk from documentation compliance rules to system use rules. This will help ensure that all users routinely and habitually generate and use documentation systems in a manner that, since compliant with existing rules, regulations, and practice standards, serves all the intended uses of a legal medical record (How to Evaluate Electronic Health Record (EHR) Systems; Trites, Gelzer; pp. 2-3; AHIMA; Chicago,2008).