As defined by HealthIT.gov, EHRs (electronic health records) are real-time, patient-centered records that make information available “whenever and wherever it is needed.”  EHRs contain information about a patient’s medical history, provide tools to support providers in decision-making, streamline providers’ workflow, and increase the organization and accuracy of information.  EHR refers to data maintained across multiple providers, while an EMR (electronic medical record) represents patient information maintained by a single provider.  EHRs and EMRs are dynamic and complex systems that can create challenges for attorneys in obtaining and reviewing medical records for litigation.

Robin Khanal, Managing Partner of Quintairos, Prieto, Wood & Boyer, P.A., and legal nurse consultant Mindy Houston provided attendees at the recent DRI Senior Living and Long-Term Care Litigation Seminar an informative overview of “Effectively Managing Risks in Electronic Medical Records.”  Case examples illustrated the importance of ensuring all EMR data is captured through discovery requests.  They noted that the EMR is a “hot topic” for attorneys as digital systems have created many challenges that did not exist with paper-based records.  Counsel must consider computer downtime logs, meta-data, clinical decision support tools, and software applications that may be used outside the EMR in addition to the information contained in the patient record.

Health information is protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and Security Rule.  The Privacy Rule establishes who is covered, what information is protected, and how protected health information can be used and disclosed.  The Security Rule further identifies what safeguards must be in place to protect electronic health information.  These safeguards include, but are not limited to, access controls, encryption, decryption keys, and audit trails.  The Federal Rule of Evidence 803(6) addresses the admissibility of EMRs, while state rules vary.  Each healthcare provider can have unique policies and procedures regarding electronic documentation and security safeguards. Therefore, attorneys must request and be familiar with an individual facility’s privacy and security protocols as well as with the varied state rules of discoverability.

Since EMR software varies by vendor, defense counsel should work with each hospital/facility’s information technology department, medical records department, risk management team, clinicians, and, at times, the software vendor when opposing counsel requests medical records.  Audit logs should be reviewed to determine who had access to the medical chart, when the access occurred, and what, if any, changes were made to the record.  It is important to verify that the produced record is consistent with the audit trail, as inconsistencies can occur due to the timing of the request and credentials of the individual pulling the records.

An article published in the Journal of AHIMA (American Health Information Association) also emphasized the importance of collaboration between legal counsel, risk management, compliance, privacy, data integrity, and the health information (medical records) management department when information is requested for an anticipated or pending lawsuit.  Facilities must have e-discovery policies and processes in place that include issuing a legal hold on the records to preserve relevant information and avoid evidence spoilation.  Lack of clear internal policies can result in different versions of the medical record being released based on the timing of pulling the record or the authorized access levels of the individual preparing the records, i.e., the risk management department may have access to a different print queue than the health information department.  Access to different queues can produce records that do not match, creating delays and confusion in the discovery process.

The federal government continues to focus on electronic health information as evidenced by the release of the Federal Health IT Strategic Plan in September 2024.  One goal of the plan, Connect the Health System with Health Data, addresses data sharing, privacy, and security.  This government initiative underscores the need for providers and counsel to be current with technology and regulations relating to electronic medical records.

The Excelas team, with our AHIMA-accredited health information management professionals, supports our clients in managing medical record retrieval.   Our staff is fully versed in state and federal laws associated with protected health information and is experienced with various electronic medical record systems, including, but not limited to Epic, PointClickCare, Optima, and Meditech.  Once records are retrieved, the Excelas team electronically organizes the records, verifies they are complete, and ensures HIPAA compliance.  Records are available through our secure online portal.  Contact Excelas to learn how our record retrieval services can assist your legal team.