Legal Risks of Going Paperless

Electronic medical records are meant to save time and money, but they also can create liability issues for doctors.


Defense attorney Catherine J. Flynn knows how electronic medical records can overwhelm, and often change, the course of a medical liability lawsuit.

In one of her cases, a New Jersey doctor being sued for medical negligence has been accused by a plaintiff’s attorney of modifying a patient’s electronic history. A printing glitch caused the problem, Flynn said, but the accusation has meant extra time and defense costs. Computer screen shots were reviewed, more evidence was gathered and additional arguments were made.

“This has taken a life of its own, and we’ve done virtually no discovery on the medical aspects of the case,” she said. “The cost of the e-discovery alone is in excess of $50,000.”

System breaches. Modification allegations. E-discovery demands. These issues are becoming common courtroom themes as physicians transition from paper to EMRs, legal experts say. Not only are EMRs becoming part of medical negligence lawsuits, they are creating additional liability.

Across the country, the move from paper to electronically stored health data is growing. The 2009 federal stimulus package provided federal funds for the creation of a health information technology infrastructure. Health professionals can receive up to $44,000 for Medicare or nearly $64,000 for Medicaid by adopting electronic medical records.

Studies are mixed about how EMRs will impact liability for physicians. A 2010 survey by Conning Research and Consulting, an insurance industry research firm, found that most insurers believe medical claims will rise during the move from paper to electronic records. Lawsuits probably will decrease after an adjustment period, the study said. A report in the Nov. 18, 2010, issue of The New England Journal of Medicine said doctors should expect a varied landscape of liability risks and benefits as EMR adoption unfolds.

Whatever the future holds for EMRs, it’s important that doctors reduce their liability risks during system implementation, legal experts say. Being aware of potential legal pitfalls prevents doctors from falling victim to technology intended to do good — not cause hardship.

“It’s all about the system that’s in place and the integrity of that system,” Flynn said. “You can only do what the system allows you to do. If you have a good system in place, then the doctors are protected — even from themselves.”

The Burden of Breaches

Data breaches are among the most common reasons that electronically stored information lands doctors in court, said Lisa Gallagher, senior director for privacy and security at the Health Information and Management Systems Society, which advocates health information technology.

For example, thieves broke into the Sacramento, Calif., office of hospital system Sutter Health in October 2011, stealing monitors and a laptop containing the health information of 4 million people. Patients sued, claiming Sutter violated the state’s Confidentiality of Medical Information Act. The law regulates medical data disclosures and negligent storage practices. At this article’s deadline, an attorney for the plaintiffs had not returned calls seeking comment.

Sutter Health's data security office was in the process of encrypting its computers when the theft occurred, the company said in a statement.

Federal law, through HIPAA and its breach notification rule, sets a baseline for handling violations and notifying patients, but state laws vary on when and how data breaches must be reported. Some state laws cover all electronic personal data, while others, such as California's, are aimed specifically at health data.

Knowing what your state requires in the event of a data breach is essential, especially because of potential legal snares, said Richmond, Va., attorney Jonathan M. Joseph, author of Data Breach Notification Laws: A Fifty State Survey. For instance, if a New Jersey physician treats a patient from another state and a breach occurs, the doctor could be subject to notification rules in the patient’s state as well as his or her own, Joseph said.

Police investigations during breaches are another challenge. Law enforcement agencies may ask doctors to delay reporting a breach to patients to not taint the investigation. Some states allow doctors immunity if they do not immediately alert patients because of an agency’s request, Joseph said. But some states do not give doctors a break on notification rules.

“The problem with that is that many [investigations] may take months, and you may have to sit and ask yourself, ‘Are people going to be harmed?’” he said. “You have to think, ‘Should I hold onto the information, or will I be liable?’”

EMRs and New Tort Claims

In Oregon, health professionals have won a court victory in a data breach case. Paul v. Providence posed significant questions about how far a medical professional's responsibility extends after data is stolen.

Some patients in Oregon sued Providence Health System in 2009 after computer disks were stolen from a medical office employee’s car. The disks contained unencrypted records for 365,000 patients. Patients said that because of the theft, they were exposed to past and future out-of-pocket losses associated with monitoring credit reports, and expenses associated with credit damage. A trial court ruled that the plaintiffs did not have a valid claim under state law. The plaintiffs appealed to the state’s Supreme Court.

The Oregon Medical Assn. and the Litigation Center of the American Medical Association and the State Medical Societies expressed concern that if the plaintiffs prevailed, the decision could create a new claim against doctors.

“Plaintiffs in this case ask this court to recognize a new common law tort making health care providers liable in negligence for purely economic losses and emotional distress damages arising out of the theft of patient information from health care providers, in the absence of physical injury,” the Litigation Center said in a brief to the Oregon Supreme Court. “There are strong policy reasons against the creation of liability in these circumstances, especially the chilling effect it could have on the broader use of electronic medical records, which make this a subject more appropriately addressed in the legislative process.”

The Oregon Supreme Court on Feb. 24 ruled the plaintiffs could not sue Providence because the patients failed to show anyone actually viewed or used their personal information.

“Although plaintiffs allege that an unknown person stole digital records containing plaintiffs’ information from defendant employee’s car, they do not allege that the thief or any third person actually used plaintiffs’ information in any way that caused financial harm or emotional distress to them,” the court wrote.

The court said the plaintiffs' claim for future financial harm also was invalid because a "threat" of future physical harm, on its own, is not sufficient to constitute an actionable injury.

The decision protects health professionals from unwarranted lawsuits, said Gwen Dayton, legal counsel for the Oregon Medical Assn.

The Oregon opinion is consistent with other states' rulings in similar cases, justices said. However, states such as Maine have allowed plaintiffs to sue when stolen personal information was actually used for identity theft, thus causing present financial injury.

Encrypting record systems is key to preventing possible breaches, along with recognizing any suspicious system activity, Gallagher said. “You want to be monitoring your network and [putting] technical controls in place,” she said.

E-discovery Demands

E-discovery is a growing area of concern, said Joshua R. Cohen, a medical liability attorney and president of the New York State Medical Defense Bar Assn. While legal requests once entailed only paper records, attorneys are now seeking every accessible electronic record, including films, lab reports, emails and phone records.

“Plaintiffs are trying to use e-discovery as a weapon of mass discovery,” Cohen said.

A 2011 ruling in New York highlights how e-discovery creates a burden for doctors.

During a lawsuit against St. Luke’s Hospital Roosevelt Center, a debate arose about whether the plaintiff should be allowed access to screen shots from a doctor’s computer. Joan Bowman, who sued the hospital for wrongful death on behalf of her husband, wanted to see a computer template used to aid physicians in diagnoses. The hospital said the request was overly broad and oppressive.

But the Supreme Court of the State of New York ordered the release of the screen shots.

“Defendant doctors testified that they utilized these materials in coming to their diagnosis,” Judge Alice Schlesinger wrote. “It is not a stretch to allow counsel to see and understand these materials.”

At this article’s deadline, the hospital’s attorney had not returned messages seeking comment.

The case sets a precedent, said Susan Dennehy, Bowman’s attorney.

“If others want to see screen shots from records, I think they’ll rely on this case,” she said. “It was important to see where the template led you if you put in an inaccurate chief complaint.”

New Jersey attorney Michael A. Moroney said expenses can rise dramatically because of massive e-discovery requests. In some cases, practices must hire outside teams to sift through archived records, said Moroney, who counsels doctors on the legal challenges of EMRs.

“There’s a ton of time involved,” he said. “There’s the attorney’s time and then the medical staff themselves. It means we’re spending tens of thousands of dollars fighting over stuff before we even get to the merits of the case.”

Steering Clear of Legal Problems

Flynn has seen more plaintiff attorneys accusing doctors of modifying electronic records, even when the changes were made innocently. It’s essential to have a system that does not allow changes after a certain amount of time, she said. If modifications are allowed, the systems should show that doctors made efforts to be transparent.

Shared login credentials can create liability. Cohen had a case where a physician gave his login password to a resident, with permission to update a patient's chart while the physician was out of town. When a claim arose, the record showed the absent doctor as the one who had updated it.

“It makes it look sloppy,” Cohen said. “Before, the [absent] doctor wouldn’t even have been involved in the lawsuit. Now, it creates a question of fact that we have to explain.”
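The two problems Flynn and Cohen describe, a silent after-the-fact edit and an absent physician's credentials used by someone else, are both properties of how the record system stores changes. What follows is an added illustration written for this page, not code from the article or from any EMR product: a chart history that only ever appends. Each entry carries the authenticated user who made it plus an optional "on behalf of" delegation, every entry is hash-chained to the previous one so that altering, removing or reordering a stored entry is detectable, corrections are allowed only inside a lock window, and later changes must go in as dated addenda that leave the original text as displayed. The class and method names, the 24-hour lock window and the sample chart text are all assumptions for the example.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional

LOCK_WINDOW = timedelta(hours=24)  # assumption: a signed note freezes 24 hours after signing
GENESIS = "0" * 64                 # prev_hash of the very first entry

class LockedError(Exception): """Edit attempted on a note whose lock window has passed."""

@dataclass(frozen=True)
class Entry:
    seq: int
    patient_id: str
    kind: str                    # "note", "correction" or "addendum"
    target: Optional[int]        # seq of the note being corrected/annotated, if any
    author: str                  # authenticated user who actually made the entry
    on_behalf_of: Optional[str]  # supervising clinician when acting by delegation
    text: str
    signed_at: str               # ISO 8601 timestamp, UTC
    prev_hash: str               # digest of the previous entry (hash chain)
    digest: str                  # SHA-256 over every field above

def _digest(fields: dict) -> str:
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

class ChartHistory:
    def __init__(self) -> None:
        self.entries: List[Entry] = []   # append-only; nothing is ever overwritten

    def _append(self, now: datetime, **fields) -> Entry:
        prev = self.entries[-1].digest if self.entries else GENESIS
        body = dict(seq=len(self.entries), signed_at=now.isoformat(), prev_hash=prev, **fields)
        entry = Entry(digest=_digest(body), **body)
        self.entries.append(entry)
        return entry

    def sign_note(self, patient_id, author, text, now, on_behalf_of=None) -> Entry:
        return self._append(now, patient_id=patient_id, kind="note", target=None,
                            author=author, on_behalf_of=on_behalf_of, text=text)

    def correct(self, target, author, text, now, on_behalf_of=None) -> Entry:
        """Supersede a note's displayed text; allowed only inside the lock window."""
        original = self.entries[target]
        if now - datetime.fromisoformat(original.signed_at) > LOCK_WINDOW:
            raise LockedError(f"entry {target} is locked; file an addendum instead")
        return self._append(now, patient_id=original.patient_id, kind="correction",
                            target=target, author=author, on_behalf_of=on_behalf_of, text=text)

    def addendum(self, target, author, text, now, on_behalf_of=None) -> Entry:
        """Late entry: the original stays as displayed; the addendum is attached and dated."""
        original = self.entries[target]
        return self._append(now, patient_id=original.patient_id, kind="addendum",
                            target=target, author=author, on_behalf_of=on_behalf_of, text=text)

    def current_text(self, seq: int) -> str:
        text = self.entries[seq].text
        for e in self.entries:                 # the latest in-window correction wins
            if e.kind == "correction" and e.target == seq:
                text = e.text
        return text

    def verify(self) -> bool:
        """Recompute the chain; an altered, removed or reordered entry breaks it."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in asdict(e).items() if k != "digest"}
            if e.seq != i or e.prev_hash != prev or _digest(body) != e.digest:
                return False
            prev = e.digest
        return True

def demo() -> dict:
    # Constructed scenario: resident corrects under delegation, a two-day-late edit is refused.
    t0 = datetime(2012, 3, 1, 9, 0, tzinfo=timezone.utc)
    h = ChartHistory()
    note = h.sign_note("MRN-1001", "dr_smith", "Chest pain, r/o ACS. EKG ordered.", t0)
    h.correct(note.seq, "res_jones", "Chest pain, r/o ACS. EKG and troponin ordered.",
              t0 + timedelta(hours=2), on_behalf_of="dr_smith")
    try:
        h.correct(note.seq, "dr_smith", "rewritten two days later", t0 + timedelta(days=2))
        late_edit_blocked = False
    except LockedError:
        late_edit_blocked = True
    h.addendum(note.seq, "dr_smith", "Late entry: troponin negative at 6 h.", t0 + timedelta(days=2))
    tampered = ChartHistory()          # simulate someone editing the stored original in place
    tampered.entries = [replace(e, text="No cardiac workup indicated.") if e.seq == 0 else e
                        for e in h.entries]
    return {
        "current_text": h.current_text(note.seq),
        "trail": [(e.kind, e.author, e.on_behalf_of) for e in h.entries],
        "late_edit_blocked": late_edit_blocked,
        "chain_intact": h.verify(),
        "tamper_detected": not tampered.verify(),
    }
```

The trail answers the question a plaintiff's attorney will ask: who touched the note, when, and under whose authority. The resident appears as the author and the physician as the delegating clinician, so the physician is never shown doing work while out of town, and the original note is still there for comparison. The hash chain only makes alteration detectable; a production system would also anchor the chain head somewhere the application cannot rewrite (a write-once log or a signed daily digest), which this example leaves as an exercise.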

Doctors are busy in their daily practice, but making time to take preventive steps now may save them from EMR liability later.

“The best thing doctors can do is be ahead of the curve,” Moroney said. “Because when the day comes that you are served with a complaint, one of the first things the court is going to look at is, ‘How good of a policy did you have, and could you have prevented this?’”



Peace of Mind: Keeping Medical Records Safe

By Kim Holmes and Barry Fonarow

How secure are your patients' data? Storing patient health records electronically may be an efficient solution to the antiquated paper filing system of the past, but despite the many upside perks (including financial incentives from the government to adopt electronic health records), a failure in your system that results in breached data may come at a hefty price.

As a psychologist, you understand that maintaining confidentiality between patient and therapist is core to your ability to practice. Suffering a data breach could not only cost you time and resources but could cost your professional reputation.

While federal and state definitions vary, a data breach generally occurs when sensitive protected health information (PHI), including mental health records, or personally identifiable information (PII) is accessed, used or disclosed without authorization, whether intentionally or by accident.

According to a recent U.S. Department of Health and Human Services report, roughly 7.9 million people’s medical records have been exposed in 30,750 cases of health care-related data breaches since 2009 — a trend that is expected to continue.

The U.S. Congress first addressed individual health privacy in 1996 when it enacted the Health Insurance Portability and Accountability Act (HIPAA), whose Privacy and Security Rules set a national standard for protecting individually identifiable health information, including electronic records. The issue was revisited in 2009 with the signing into law of the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act (the federal stimulus package). HITECH amended HIPAA and gave it "teeth" for the first time, in the form of substantially higher civil monetary penalties and a breach notification requirement.

HIPAA, as amended by HITECH, now provides for civil penalties in tiers based on culpability, from $100 to $50,000 per violation, capped at $1.5 million per calendar year for all violations of an identical provision. Whether and to what extent penalties are levied is a discretionary judgment by the government: an organization's preparedness to prevent a data breach and its timely, appropriate response to one are factors the federal government weighs in deciding whether and how much to assess.

In addition to lost and/or stolen laptops and other portable electronic devices, one of the largest causes of health care-related data breaches is employee negligence. For instance, in 2010 NewYork-Presbyterian Hospital at Columbia University Medical Center reported a data breach which resulted in 6,800 patients’ PHI, including 10 social security numbers, being accidentally posted on the internet by an employee.

Additionally, allowing third party vendors and service providers access to information adds another layer of exposure that is often overlooked when identifying cyber security weak spots. From 2010 to 2011, PHI belonging to 20,000 patients who visited the emergency room at Stanford Hospital in Palo Alto, Calif., remained publicly accessible on an online homework help site following an incident involving the hospital's third party billing contractor.

In the event that a cyber-related data breach occurs, there are often far-reaching repercussions including reputational harm and financial burdens due to potential fines and penalties and civil and class action lawsuits. There may also be expenses related to privacy notification, credit monitoring, health records resolution services, crisis management and forensic investigation.

The first step to protecting against a cyber-related data breach is through education. Learn about the federal and state laws that could apply to your organization and understand the reporting and notification requirements that may apply in the event of a data breach. Utilizing best practices both in advance of and at the point of discovering a data breach may also position your organization to be viewed more favorably by a federal or state reviewing authority post breach.

With most health care organizations only allocating 2 percent to 3 percent of their IT budgets to cyber security, an all-inclusive plan will probably be a distant reality at first for most practices. However, being caught unaware and unprepared when a breach occurs could have catastrophic consequences that an organization may not be able to weather. Therefore, in addition to consulting with a trusted advisor such as a specialized privacy/data breach attorney or risk management consultant, following these few simple guidelines may help reduce the impact of a cyber-related data breach:

  • All portable/mobile electronic devices (laptops, phones, USB drives, backup media) should be protected with full-disk or device-level encryption, so that a lost or stolen device does not expose readable records.
  • When outsourcing work, do your due diligence by researching the third party vendor or service provider’s data breach policies, whether and to what extent they have errors and omissions liability and/or cyber liability insurance in place, and seek to put in place a written indemnification agreement with all vendors and service providers.
  • Draft an internal incident response plan for data breaches and make it part of your organization’s culture. A clear plan outlining how to respond to a data breach within your internal organizational structure should help reduce the time between when a breach occurs and when it is appropriately responded to – all of which may place your organization in a more favorable light with an after-the-fact government audit or review of the data breach.
  • Consider the purchase of a cyber liability insurance policy to help weather the financial burden of the “when” not “if” of a data breach occurring.

Complete peace of mind concerning the subject of data breaches and cyber security is not something most organizations can enjoy these days. But, you may be more confident regarding the safeguarding of your patients’ protected health information against a data breach if you have put an appropriate response plan in place to help mitigate the potentially devastating financial and reputational impact a data breach can bring upon your organization.



8 Breach Prevention Tips

By Howard Anderson

What can be learned from the more than 390 major breaches affecting more than 19 million individuals that have been reported as a result of the federal HIPAA breach notification rule? Plenty, breach prevention experts say.

Here are eight key breach-prevention insights from information security thought-leaders:

1. Don’t Forget Risk Assessments

The details of the biggest breaches last year “make it painfully clear that inadequate, if any, HIPAA security risk analysis took place prior to the breaches,” says Dan Berger, CEO at Redspin. “A comprehensive security risk assessment would have identified where PHI [protected health information] is stored, who has access to it and how it’s utilized in the normal workflow. The analysis would then investigate whether sufficient controls are in place.”

Because so many huge breaches have involved the loss or theft of mobile devices and media containing unencrypted PHI, Berger concludes that risk assessments were either not conducted or they failed to pinpoint that vulnerability. He urges organizations to conduct comprehensive assessments that take into account external and internal infrastructure, web applications and wireless security and lead to a mobile device policy and in-depth employee training.
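The first output of the risk assessment Berger describes is an inventory of where PHI actually sits, and on most networks that includes file shares and desktops nobody considered part of "the EMR". The following is an added example for this page, not code from Redspin or from the article: a small identifier scanner that walks a directory tree, flags files containing SSN-, MRN- and date-of-birth-shaped strings, and groups the hits per file so the assessor has a starting table. The MRN format, the sample file contents and the function names are assumptions; the sample "files" are constructed in memory so the block runs offline, while scan_directory does the same over a real path.

```python
import os
import re
from typing import Dict, List, Tuple

# Identifier patterns that mark a file as a PHI location in this (assumed) environment.
# The MRN format is an assumption; every organisation's differs. The SSN pattern rejects
# area 000/666/9xx, group 00 and serial 0000, which cuts the most common false positives.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{4,8}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

# Constructed sample "files" (path -> contents) standing in for a file-share walk.
SAMPLE_FILES: Dict[str, str] = {
    "shared/billing/claims_2011.csv": "MRN-100234,John Q. Public,123-45-6789,DOB: 04/12/1961\n",
    "home/jdoe/Desktop/notes.txt": "reminder: call MRN-200987 about results\n",
    "it/inventory.txt": "laptop SN 9Z-44A assigned to radiology\n",
    "shared/hr/payroll.csv": "employee,ssn\nA. Clerk,321-54-9876\n",
}

Hit = Tuple[str, str, int]   # (path, identifier kind, number of matches)


def scan_text(path: str, text: str) -> List[Hit]:
    """One hit per identifier kind present in the text, with its match count."""
    return [(path, kind, len(rx.findall(text)))
            for kind, rx in PATTERNS.items() if rx.search(text)]


def scan_files(files: Dict[str, str]) -> List[Hit]:
    return [hit for path, text in files.items() for hit in scan_text(path, text)]


def scan_directory(root: str) -> List[Hit]:
    """Walk a real tree; unreadable files are skipped rather than aborting the scan."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    files[path] = fh.read()
            except OSError:
                continue
    return scan_files(files)


def inventory(hits: List[Hit]) -> Dict[str, Dict[str, int]]:
    """Group hits per file: the 'where does PHI live' table for the risk assessment."""
    table: Dict[str, Dict[str, int]] = {}
    for path, kind, count in hits:
        table.setdefault(path, {})[kind] = count
    return table
```

On the constructed sample the inventory lists the billing export, a personal desktop note and the HR payroll file, and ignores the IT asset list. The payroll hit is the useful caveat: a pattern scanner finds identifiers, not PHI as such, so an analyst still has to classify each location (payroll SSNs are employee PII, not patient data) and decide whether it should be encrypted, moved or deleted.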

2. Encrypt Mobile Devices, Media

“Even though encryption is what’s referred to as an addressable standard in the HIPAA security rule – which means it’s not actually mandated in all cases – I don’t see any reason why information shouldn’t be encrypted in all cases on portable media and devices,” says Robert Belfort, partner at the law firm Manatt, Phelps & Phillips LLP. “That’s one step that organizations can take that can address a very significant share of the types of breaches that are occurring.”

In addition to making better use of encryption, organizations should consider limiting or banning patient data storage on mobile devices, many experts advise. For example, David Szabo, partner at the law firm Edwards Wildman Palmer LLP, says organizations should “reassess their policies about how much information employees really need to take off the premises. … The whole issue of portable devices is one that organizations really need to look at hard.”

3. Beef Up Training

“People have to be trained to understand the policies of the organization, and they have to be trained about common-sense safeguards that they can follow to avoid breaches or the misuse of information,” Szabo stresses.

Timothy McCrystal, partner at the law firm Ropes & Gray, points out that the Department of Health and Human Services‘ Office for Civil Rights has stressed the importance of ongoing training in its resolution agreements with organizations that have experienced a breach.

“I have participated in discussions with OCR on a resolution agreement, and that was a particular point of focus – that the organization not just have policies and procedures, but that employees and others had been trained on them, understood them and were actually implementing them in their day-to-day responsibilities.”

4. Conduct Internal Audits

In addition to training, an important step toward addressing internal breach threats is to conduct audits of records access, Belfort says.

“The belief that audit logs are being monitored and that there is a high risk that if you access a record improperly you will be caught through some sort of audit trail review can have a very important impact on behavior within an organization,” he notes.
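Belfort's point only holds if someone actually reviews the access log, and at any real volume that review has to be automated first. The following is an added example written for this page, not code from the article or from any EMR vendor: a pass over a constructed CSV access export that applies three rules a practitioner would start with, access to a patient the user has no treatment relationship with, every emergency ("break-glass") override, and one user touching many distinct patients in a short window. The care-team roster, the log format, the user and patient identifiers, the action names and the burst thresholds are all assumptions for the example.

```python
import csv
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List, Set, Tuple

# Constructed roster: which users currently have a treatment relationship with each patient.
# In a real system this would be derived from encounter/assignment tables (assumption).
CARE_TEAM: Dict[str, Set[str]] = {
    "MRN-1001": {"dr_smith", "nurse_kim"},
    "MRN-1002": {"dr_smith", "nurse_kim"},
    "MRN-1007": {"dr_patel"},
    "MRN-2044": {"dr_nguyen"},
}

# Constructed access-log export in an assumed CSV layout (not real data).
ACCESS_LOG = """\
ts,user,patient_id,action
2012-03-01T08:02:10,nurse_kim,MRN-1001,view
2012-03-01T08:05:42,nurse_kim,MRN-1002,update
2012-03-01T08:30:00,dr_smith,MRN-1001,view
2012-03-01T10:15:03,nurse_kim,MRN-1007,view
2012-03-01T11:40:22,dr_patel,MRN-2044,break_glass
2012-03-01T12:14:09,clerk_lee,MRN-5001,view
2012-03-01T12:14:31,clerk_lee,MRN-5002,view
2012-03-01T12:15:02,clerk_lee,MRN-5003,view
2012-03-01T12:15:40,clerk_lee,MRN-5004,view
2012-03-01T12:16:11,clerk_lee,MRN-5005,view
"""

BURST_WINDOW = timedelta(minutes=10)   # assumed tuning values; adjust per role in practice
BURST_THRESHOLD = 5                    # distinct patients per user inside the window

Finding = Tuple[str, str, str, datetime]   # (rule, user, detail, timestamp)


def parse_log(text: str) -> List[dict]:
    rows = [dict(r) for r in csv.DictReader(StringIO(text))]
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return sorted(rows, key=lambda r: r["ts"])


def audit(rows: List[dict], care_team: Dict[str, Set[str]]) -> List[Finding]:
    findings: List[Finding] = []
    recent: Dict[str, deque] = defaultdict(deque)   # user -> (ts, patient) within window
    for r in rows:
        user, pid, ts, action = r["user"], r["patient_id"], r["ts"], r["action"]
        if action == "break_glass":
            # an emergency override is permitted, but every use is queued for human review
            findings.append(("break_glass_review", user, pid, ts))
        elif user not in care_team.get(pid, set()):
            findings.append(("no_treatment_relationship", user, pid, ts))
        q = recent[user]
        q.append((ts, pid))
        while ts - q[0][0] > BURST_WINDOW:   # drop accesses that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= BURST_THRESHOLD:
            findings.append(("bulk_lookup", user, f"{len(distinct)} patients in {BURST_WINDOW}", ts))
            q.clear()   # report each burst once, not on every further access
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(rule for rule, *_ in findings))


if __name__ == "__main__":
    found = audit(parse_log(ACCESS_LOG), CARE_TEAM)
    for rule, user, detail, ts in found:
        print(f"{ts.isoformat()} {rule:26} {user:10} {detail}")
    print(summarize(found))
```

On the sample log the nurse's single look at a patient outside her assignment, the physician's break-glass access and the clerk's five-patient sweep all surface, while routine care-team access stays quiet. The relationship rule is the one that needs the most care in practice: roles such as coding, pharmacy and lab legitimately touch charts without appearing on a care team, so the roster feeding this check has to model those workflows or the reviewers will drown in false positives and stop reading, which defeats the deterrent effect Belfort describes.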

5. Monitor Business Associates

About 22 percent of major breaches, including many of the largest incidents, have involved business associates. As a result, it’s essential to work with vendor partners to ensure they’re taking adequate breach prevention steps.

McCrystal says it’s important to ask business associates probing questions before signing a contract. Those questions should include inquiries about the companies’ privacy and security policies, use of encryption and reliance on subcontractors.

Healthcare organizations “should actually implement an audit from time to time” to ensure business associates are adequately addressing security, McCrystal adds. “Some of our clients, when contracting with business associates, have conducted audits of their privacy and security practices in advance of entering into a contract.”

6. Limit Data Storage

Fred Cate, a law professor at Indiana University, says the recent breach affecting 24 million customers of an Internet retailer raises an important question for security professionals in all industries: “Are you collecting and storing more data than you need? Because if you are, you’re taking on more risks than you need to face.”

In the incident, a hacker gained access to an unencrypted central database containing a wealth of customer information. In the healthcare arena, numerous major breaches have stemmed from massive unencrypted databases stored on laptops or backup tapes.

Ozzie Fonseca, senior director at Experian Data Breach Resolution, notes that about half of 500 organizations across all U.S. industries that have experienced a breach said in a recent survey that they subsequently took steps to limit personal data collected and limit sharing of the data with third parties. About 42 percent limited the amount of personal data stored.

“Collecting and storing unnecessary information is never a good idea,” Fonseca says.

7. Don’t Forget About Paper Records

Szabo points out that federal authorities fined Massachusetts General Hospital $1 million after an employee left paper medical records on a subway train. “We shouldn’t get too wrapped up in just thinking about computers and technical things – paper records can also be at risk simply because of the errors and omissions of employees,” he says.

8. Address Other Potential Vulnerabilities

Last May the HHS Office of the Inspector General issued a report based, in part, on audits of seven hospitals. Those audits, McCrystal notes, identified numerous technical vulnerabilities. “Five of the hospitals had wireless access vulnerabilities, including ineffective encryption, rogue wireless access points, no firewall separating wireless networks from internal wired networks … and no authentication requirements for entering wireless networks,” McCrystal says.

All of the hospitals had some access control vulnerabilities, including, for example, inadequate password settings and a lack of automatic log-off of inactive computers, he adds.

Some hospitals had certain audit log functions disabled. Others had not installed critical security patches, were running outdated anti-virus signatures or operating systems no longer supported by the manufacturer, and allowed unrestricted Internet access for hospital users.

McCrystal advises hospitals to use the report to guide a self-audit to help identify vulnerabilities and reduce the risk of breaches – as well as help prepare for this year’s HIPAA compliance audits.

