A quarterly review of Company and industry news for Medical Mutual member-policyholders.
The Advocate
Legal Issues and the Electronic Medical Record
By Cinde Warmington
When purchasing an electronic medical record system (EMR), most providers focus on the clinical functions and may be surprised by the number of legal issues which arise out of the implementation. The issues differ depending on whether the provider will be participating in a shared medical record or if the system is intended to serve only a single office. The use of a shared system requires the provider to re-evaluate compliance with the HIPAA Privacy and Security Rules. While the use of a shared EMR may greatly enhance the continuity of patient care, it also significantly increases the risk of an improper disclosure of confidential patient information.
Additionally, shared EMRs are often sponsored by and sometimes subsidized by hospitals. These subsidies raise legal issues involving the Stark and anti-kickback statutes. A Stark exception and an anti-kickback safe harbor have been developed to permit hospitals to subsidize the implementation of EMRs; however, as health care attorneys, we have already reviewed such agreements that do not satisfy the specific requirements of the exception or safe harbor.
Even if the EMR is intended to serve only one provider location, there are significant legal concerns. In our practice we have already assisted a number of providers with issues arising from use of the EMR, some of which have resulted in substantial liability.
Far and away, the primary legal issue arising out of the implementation of an EMR relates to the improper access of patient information by employees and others. Oftentimes, this involves an employee who improperly accesses the record of a family member or friend. This may be out of pure curiosity or for a more nefarious purpose such as an effort to obtain information to be used in personal disputes. The records of prominent, well-known individuals in the community are an especially attractive target for the curious. Breaches of this nature trigger a series of legal activities which are both time consuming and costly to providers.
Upon the discovery of a breach, the provider must investigate the scope of the improper use or disclosure, assess the extent of the potential harm to the patient whose information was accessed and take corrective action to mitigate the damage and prevent future occurrences. Disciplinary action must be taken consistent with organizational policies, procedures, contracts and/or medical staff bylaws. If litigation has been initiated, there is an assessment of whether insurance will provide coverage, a costly discovery process and all of the costs of litigation and settlement.
While most breaches are committed by employees, providers must also be ever-vigilant about the threat of attacks from outside the system. In some cases, these attacks are an attempt to obtain patient demographic information, including Social Security numbers that can be used to commit identity theft. Other attacks are intended simply to destroy patient information. This type of breach is more likely to result in the improper access of large numbers of patient records. In responding to such attacks, providers must assess the extent of the improper access, take appropriate corrective action, record the disclosure and make the proper notifications.
The loss of patient information often raises questions about who is responsible for maintaining back-up and restoring lost data. These are issues that should be addressed in the EMR software agreement but often are not. It is essential that the EMR software contract adequately address the contractor’s obligation to update the system in response to regulatory changes and clearly delineate each party’s responsibility for maintaining back-up systems and for restoring data in the event of a loss.
The steps every provider should take when implementing an EMR system include:
- Evaluate the EMR system to be sure it meets your clinical needs and all regulatory requirements. Don’t take the software provider’s word that the program is “HIPAA compliant.”
- Retain counsel experienced in dealing with EMR issues to review the EMR agreement to assess the regulatory and business concerns as well as the allocation of responsibilities.
- Implement appropriate policies and procedures to protect against improper access to patient information and a training and education program for all employees.
- Review and revise as needed employee handbooks, employment contracts and medical staff bylaws to ensure you are able to appropriately administer sanctions in the event of a breach.
- Conduct a comprehensive assessment of your compliance with HIPAA Privacy and Security Rules and any applicable state laws and revise your programs as appropriate to reflect the use of an EMR system. This will likely require a revision of your HIPAA privacy notice and an assessment of the adequacy of your firewalls, back-up programs and your disaster recovery plan.
Cinde Warmington, a partner in Sulloway & Hollis, PLLC’s Health Care section, represents providers in a wide range of business and regulatory matters.