Electronic Health Records Workgroup: February 2007 Meeting Materials

MEMORANDUM

TO: American Health Information Community Electronic Health Records Workgroup

FROM: Melissa M. Goldstein, Michael L. Kidney, Mark F. Tatelbaum, and Bruce S. Wolff

SUBJECT: Follow-up to Legal/Regulatory panel at Workgroup’s January 11, 2007 meeting

DATE: 2/21/07

At the request of the Electronic Health Records Workgroup, the members of the January 11, 2007 Legal/Regulatory panel (Michael L. Kidney, Mark F. Tatelbaum, and Bruce S. Wolff, moderated by Melissa M. Goldstein) submit the following responses to follow-up questions posed by members of the Workgroup.

Dr. Bell:

1. The Certification Commission for HIT (CCHIT) certifies ambulatory EHRs to criteria for functionality, interoperability, and security. Would use of a Certified EHR decrease liability as criteria for security, clinical decision support, aggregation functionality, etc. become part of the process?

Mark F. Tatelbaum: I think having an EHR certification process is useful to develop baseline requirements of the system. Recommending that systems be able to easily identify types of information I think would allow providers to more easily determine and access the information they believe they need to address the medical condition for which they are involved. I'm not sure this will address however the questions about how the EHR is used and how substantial information is incorporated and used by providers, if at all. While in the paper world, I believe providers often consider 3d party information unreliable and repeat exams and tests (for valid reasons, with regard to testing methods and deviations of error, etc. . . ), I believe the electronic world makes much more information readily available and that society may have a created an unrealistic expectation that this information is considered, even though it may be irrelevant and unreasonable to do so. Ultimately, I think this is a standard of care issue and I think it might be helpful for the Committee to articulate that not all information included in an EHR is necessarily relevant or appropriate for a particular provider to review or consider in his/her care and treatment of the patient.

Michael L. Kidney: I agree with Mark. I believe that a Certified EHR would tend to decrease potential liability. Enhanced functionality and standardization can assist physicians in readily obtaining the information they need. Also, potential adverse outcomes can be reduced if health care providers can easily input and extract the relevant EHRs, which should be a benefit of functionality, standardization, and interoperability. At the same time, it would be important to offer guidance as to how the EHR should be utilized. Potential tort liability will be reduced if the Committee can articulate some sort of guidelines that offer guidance as to how EHRs should be utilized, e.g., which sections of the EHR should be reviewed by a physician treating a new patient?

Bruce S. Wolff: I also concur. To the extent a certified EHR system can provide the physician, through decision-support, summarization or some other mechanism, with some guidance as to what information in the patient’s record should be reviewed, and how far back, when a patient presents with certain symptoms, it would go a very long way to dealing with the liability problem faced with “but, it was in the EHR system, why didn’t the physician look and realize X from this old test, etc., etc.” In the absence of more precise clinical guidance on this issue, certification of the EHR system with appropriate and peer-reviewed prompts in this regard should help contain liability exposure. I continue, however, to be concerned during the transition period with what requirements will pertain when/while there are robust electronic systems, but paper records predating the system remain to be examined can a certified EHR system help point the physician to which of the paper records as well ought to be pulled or reviewed in full text format in the file?

2. Is there shared liability for problems with EHR use when the EHR is part of a large integrated system to which each MD has his or her own access with respect to Wolff’s number 1: There are no real legal barriers, only perceived increased liability.

Mark F. Tatelbaum: I don't follow the question.

Michael L. Kidney: I am not sure I follow the last part of the question, but in response to the first part of the question, it is unlikely that an individual MD would have liability for the design of an EHR system, whereas an individual MD could have liability arising from failure to input or review EHR records.

Bruce S. Wolff: I’m not sure I understand it either, but do agree with Michael’s comment. Assuming the question might relate to something like faulty information entered into the system outside of the individual physician’s control but then acted upon by him/her when dealing with a patient (i.e., not a design problem but one generated by the integrated system’s operation), there should be no greater liability for the physician than that which he/she faces today in receiving faulty information from a lab, specialist, colleague, etc. On the other hand, the integrated system that operates the EHR would have exposure for delivering faulty information to the physician that he/she acted upon reasonably believing it to be reliable.

3. Today’s Clinical Decision Support systems are intrusive and frequently more annoying than helpful. Is liability increased if a physician turns them off? And in a related question, many physicians purchase EHRs but do not use all of the modules or functions, at least not early in the process of implementation. Would there be increased liability if a suit is filed (justifiable or not) and the physician does not use all of the functionality available to him or her?

Mark F. Tatelbaum: What is meant by Clinical Decision Support systems? With respect to possible liability for not using all the modules, I think this may be able to be addressed by the certification process, which could presumably define the steps/standards in implementing an EHR. This could be somewhat akin to the HIPAA privacy and security regulations, which give some broad standards and require justifications and determinations for using or not. The process could be that entities that implement EHRs have policies and procedures in place that best suit their practices and meet the baseline standards and if they do so will be afforded immunity from suit. I believe this could be comparable to the immunity afforded under the Health Care Quality Improvement Act for peer review professional review activities and possibly could address the increased tort exposure and encourage the use of EHRs.

Michael L. Kidney: I agree with Mark. Also, I would note that the cases imposing liability on physicians for a failure to review medical records generally only do so for "available" records. A plaintiff may argue by analogy that turning off available modules or functions is tantamount to not reviewing available records. This is another reason why I think it is so important to develop Certified EHRs, as well as guidelines in reviewing and updating them. See Comments to Dr. Bell’s Question 1 above.

Bruce S. Wolff: I agree, though I think I feel more strongly that in the absence of an institutional process/rationale to transition to full use, there needs to be a justification (other than “annoyance”) for why certain functionalities, modules, decision-support mechanisms are not being utilized. Failure to use what is available is akin to turning away from information that could be vitally important. Especially if the justification for spending federal and other monies to promote EHR deployment and use is to facilitate/accelerate the use of best clinical practices, I have a hard time believing it is appropriate for physicians to turn off the decision support capabilities and then claim immunity for not having cared for a patient in accordance with best available clinical guidelines……

John Houston:

The two questions/comments that I have are as a follow-up to Mr. Wolff’s point #2(a):

(Perceived concern regarding liability from having unsolicited information presented in large quantities. What could be missed? For what am I held accountable? Comment: It is assumed that more information leads to better decisions and better care. The remedy for the concern is assuring that it is presented in a user friendly and relevant format in the EHR.)

1. Regardless of how it is presented, there is a real chance that physicians will be overloaded with information. Either a physician will need to spend an exorbitant amount of time reviewing information (resulting in lost productivity). Or, standards of care will need to be established that take into consider the volume of information.

Mark F. Tatelbaum: I agree. See my comments above regarding immunity.

Michael L. Kidney: I agree. I think it is important to develop guidelines for reviewing and updating EHRs. See Comments to Dr. Bell’s Question 1 above.

Bruce S. Wolff: Again, I would echo Mark’s and Michael’s comments and concur that one way to address this concern would be through the EHR certification process, absent other/better ideas.

2. In my health system, physicians are raising concerns due to the introduction of new imaging systems that capture substantially more information. Certain imaging studies are larger than 5GB in size. The question that is being asked is what information needs to be maintained? Can I discard part of the image file that is not relevant to the reason that the study was ordered? What if that discarded information is relevant in the future for unrelated reasons? Additionally, what if non-relevant information, if reviewed, would have uncovered an issue - other than the reason why the study was ordered?

Mark F. Tatelbaum: I agree with this concern. Ultimately, I think standards will need to be developed with respect to expectations. I think it comes down to what a reasonable provider in those circumstances would do. This would get into delay of diagnosis allegations presumably. The question will be what should the provider have done with the vast amount of information and is he/she required to look further than what he/she ordered the test for. I'd argue not. However, if the information is obvious and apparent in what he/she is looking at for his/her purpose, then he/she very well might be held responsible.

Michael L. Kidney: I agree that standards should be developed to develop this issue. I cannot recall seeing any cases imposing liability for a failure to retain medical records, but I have not specifically researched this issue. But I think this would be a worthwhile issue to research.

Bruce S. Wolff: I agree with the concern and believe it is warranted from a potential future liability perspective and that some research would be helpful but also believe that a retention protocol built into a certified EHR could be of substantial help here to all concerned.

I think that information overload is a real issue and is something that needs to be investigated.

Mark F. Tatelbaum: I agree. See my comments above in response to Dr. Bell's questions. I'd be happy to try and work through these issues further if the Committee would like.

Michael L. Kidney: I agree again. See comments above.

Bruce S. Wolff: Me too and addressed, in part, above.

John Tooker:

One additional question re: unsolicited information. Is there practice liability for unsolicited but important information sent and thought to be acted upon when, in fact the information was sent but not received, such as caught in a spam filter? Is there a legal obligation from the sender to confirm receipt and from the recipient, acknowledgement that the information was received? Practices are not only recipients of information; they will be sending information to others.

Mark F. Tatelbaum: I don't believe that unsolicited important information that is caught up in a spam filter will create significant liability. Spam filters are necessary and in fact may be required by other regulations. If the information is so important and not solicited or otherwise obtained, I believe that the provider will face exposure for that issue directly in that he/she should have sought it. I don't believe there is a legal obligation per se to confirm receipt, but defer to Michael on specific case law. Depending on the circumstances under which information is transmitted and a response is sought, there may be an obligation to follow-up if nothing is received. I think this comes down to what a reasonably prudent person would do in the circumstances.

Michael L. Kidney: I agree with Mark. I doubt that there would be significant liability for information caught in spam filters, but the issue has never arisen in one of my cases, so I have not specifically researched it.

Bruce S. Wolff: I am also in agreement with Mark’s articulation if the information was important enough to be asked for, or should have been asked for in dealing with a particular patient, follow up would be necessary regardless of whether the information was caught up in a spam filter or otherwise detained, lost or misdirected. This issue should be seen no differently than today in a paper environment people forget to send things, they are misdirected/misaddressed, the mail is lost, etc., etc. Same issue, just a different medium; same result hopefully.

Pam Pure

1. Physician customers tell us that they are very concerned about increasing liability associated with introducing or incorporating patient medical information into their EHR systems. I believe liability fears are a significant source of resistance to broad adoption of electronic medical records. While I agree that the improved documentation that generally results from implementing an EHR reduces medical liability by producing amore complete record of what is known at the time of clinical decision making, the perception of increased liability is a barrier that must be overcome. With the current focus on interoperable EHRs and Personal Health Records, I think it would be helpful to provide more specific guidance around current precedent regarding two scenarios: The physician acts upon data made available to him by a patient through use of a Personal Health Record or provided from another physicians EHR. The information is later determined to be inaccurate or incomplete. What is the extent of his/her liability? What should the standard of practice to verify/validate such information before incorporating that information in his/her medical decisions?

Mark F. Tatelbaum: I think this is similar to the current environment. Was the physician reasonable in relying upon the information provided, or should he/she have sought additional information? I think this is left to the judgment of the provider given the facts and circumstances presented.

Michael L. Kidney: I agree. I think it is unlikely that liability will be imposed on a physician for reliance on inaccurate information, at least in the absence of indicia that the medical record was inaccurate.

Bruce S. Wolff: I agree that this should not be perceived as any different a problem from that faced today by physicians who receive medical records from colleagues, or lists of meds (generally incomplete) from patients, etc. Questions should be, (i) was the physician acting reasonably in relying on what was presented to him/her, and (ii) was there anything seen in the physician’s own examination/record that was contrary to the information received from outside or that should have reasonably led him/her to investigate further.

2. The physician disregards data provided to him through an external PHR or another provider's EHR because he/she doubts its reliability. The information may have led him/her to pursue a different clinical course of treatment. What is the extent of liability? Again, what is the standard of practice that should be followed regarding information from third parties--including the patient?

Mark F. Tatelbaum: I think the issue is similar to the first question. How reasonable is the provider in believing the information was unreliable? If the type of information is needed, did the provider try to seek it again in a more reliable manner? The question here I think will be whether the provider was reasonable in disregarding the information and taking the actions he or she took.

Michael L. Kidney: As long as the conscious disregard of the purportedly inaccurate medical record was not negligent, liability should be limited. Also, an interesting question is whether the standard of care would require that the physician perform some sort of follow-up inquiry before disregarding a medical record.

Bruce S. Wolff: I agree. Again, though, I want to return to the old refrain: this issue is already dealt with in today’s paper practice all the time; the actions/reactions of the physician should be the same yes, it may happen more often in an EHR world, but the physician’s actions/reactions should still be the same.

3. How does this compare to a physician's current liability for actions based on lab or eprescribing information provided by third parties which are later determined to be inaccurate? Where does the liability rest? Is there clear guidance that is suggested by the existence of such cases?

Mark F. Tatelbaum: I think it depends on the type of information. I believe a physician is entitled to rely on lab results received from a third party. If they are so out of line with other indicators, I think the physician needs to try and take that into account and perhaps reorder the labs. If the labs are mistaken and the physician relied upon them to the patient's detriment, I believe and would argue that the physician acted appropriately under the circumstances and the lab is liable.

Michael L. Kidney: I agree again. A physician should be entitled to rely on a lab record in the absence of indicia of unreliability.

Bruce S. Wolff: I’m on the same page.

Obviously, physicians are also concerned over the productivity impact on their practice if they have to incur new costs associated with validating new sources of data. Current reimbursement models make such costs impractical. Is this a topic that this work group would like to take up?

Bruce S. Wolff: My only comment here is that I don’t think any of us are arguing, or even suggesting, that there is a greater degree of likelihood or legal requirement that elements of data from a third-party be independently validated by the recipient, except where there is some reason/indication that it would be reasonably prudent to do so in a particular instance.