Electronic health record (EHR) software benefits are many: Complete and legible records, safety alerts for clinical decision support, and remote access. These benefits enhance patient safety and improve quality of care, which should decrease the frequency of professional liability claims. Medical innovations, however, often bring new risks, so physicians must keep potential harm to patients in mind and manage potential EHR liability risks proactively.
EHR adoption rates are high, with more practices moving towards certified EHR technology, and for good reason. EHRs can share information electronically with hospitals, laboratories, clinics, medical offices, and other providers. EHR adoption or selection is an important business decision and a major planning process. Opinions differ about how to make the selection in the planning phase.
Some medical practices develop selection criteria during their planning process. Others select an EHR system first and then plan to support it. Most practices identify their main objectives, select an EHR system that best supports them, and then complete their planning.
Certain planning steps in a certain sequence have been helpful in many EHR adoptions:
- Set a spending budget in an affordable range to see whether an EHR system is a feasible investment.
- Investigate available features to know what EHRs can provide to customize a system for exact needs.
- Draft a request for information or proposals to let vendors know EHR system requirements for the practice.
- Review each response to the request and select a few which most closely match practice-specific requirements. Interview each respondent and make a final selection.
- Install the new system and start implementation and staff training.
After establishing objectives, the organization should consider several factors in comparative shopping for EHR products:
- Whether and how the software can accomplish principal practice objectives. Test software performance with specific needs and provide the vendor with scenarios to customize the product performance demonstration.
- Start-up pricing for hardware, software, maintenance, upgrade, installment payments, lab and pharmacy interfaces, and a health information exchange connection.
- Data migration strategy for roles, responsibilities, and costs.
- Server options, whether client server, application service provider, or software as a service/cloud-based
- Ability to integrate with other existing software and planned software purchases
- Privacy, security, and back-up capabilities
- Vendor stability or EHR market presence in region
- Costs of personal legal counsel compared to open sources
One way to appraise EHR software is to consider the servers that store the data:
- Physician-Hosted. The physician’s own servers store the EHR data. The physician purchases the hardware and software and is responsible for system maintenance, security, and backup.
- Remotely-Hosted. In this system, the EHR data storage is on servers of another entity responsible for maintenance, security, and data backup. There are three types of remotely-hosted EHR systems:
  - Subsidized. A related entity, sometimes a hospital, subsidizes the EHR financing. Typically the system uses the subsidizing entity’s servers, so the physician does not control the data.
  - Dedicated. The physician does not store the EHR data, which are on the vendor-dedicated servers. Although the physician does not control data storage, the data are on servers in specifically-known locations.
  - Cloud. In this system, the vendor, not the physician, stores the EHR data on the Internet. Such vendors provide software as a service that the physician accesses from the vendor website. Vendors who offer online software tend to move the data frequently, so the physician may not know where the data actually are other than somewhere on the Internet. The physician has no control over the data.
EHR Contractual Matters
After gaining some familiarity with EHR systems, physicians should consider how contract terms and conditions may affect clinical practice:
- Ownership. Who owns the data? Clear and complete documentation supports patient care and demonstrates responsible medical practice during patient treatment. Therefore, physicians should establish clear ownership of patient medical records at the beginning of any EHR vendor relationship. Otherwise, the result may be harmful to patients whose records are not readily available for continued treatment, disability claims, or other purposes. Moreover, physicians defending themselves against medical malpractice claims are at a disadvantage in the absence of relevant medical records.
- Operational Considerations. System failures can affect patient care and expose physicians to medical malpractice liability. Drug interaction alerts, while useful, may depend on outdated information that could cause patients harm. Under the learned intermediary legal theory, physicians, not vendors, have the duty to identify system defects and errors that could be harmful. System failure may prevent physicians from responding quickly and effectively to recover data when needed most.
- Termination Issues. Physicians should plan for conservation of their EHR data if the vendor becomes unavailable or the service contract lapses or terminates. The EHR system should be compatible with other practice support systems in the event of vendor unavailability. Physicians need to understand exactly where their EHR data storage will be during and after the contract period with the vendor, who will have access to the data, and for what purposes.
- Confidentiality and Security. EHR systems should have safeguards for confidentiality, security, and integrity. Physicians should choose vendors compliant with state law, the federal Health Insurance Portability and Accountability Act (HIPAA), and federal Health Information Technology for Economic and Clinical Health Act requirements. Physicians covered by HIPAA should have formal business associate agreements with their vendors.
Potential Liability Risks
After settling contractual issues with vendors, physicians should consider the practical uses of the system and how to incorporate it into their practices. For improvements in clinical care and patient safety, technological components must be relevant and appropriate. For example, too many alerts, especially those that seem irrelevant, eventually may cause users to disregard them and perhaps commit medical errors.
Inappropriate or unauthorized access to EHR data carries considerable risk of liability for loss of patient confidentiality, and portable devices are particularly vulnerable to loss, theft, and misuse. Employee training can prevent improper access. Physicians should install effective hardware and software security protections, such as an automatic lock-out after a period of disuse.
This overview of EHR implementation, system features, and professional liability concerns is general, and there may be additional business management and legal liability issues to consider on an organization-by-organization basis. Health care providers should seek legal advice from personal counsel after considering the information presented in this article.