Medical Malpractice – Guide to Electronic Medical Record Discovery
Medical Malpractice – Guide to Electronic Medical Record Discovery stories
  2
  •  
  0
  •   0 comments
Share

garrettdiscover
garrettdiscover Community member
Autoplay OFF   •   a month ago
Ten years ago, the courts were satisfied when the defendants stated there were no audit trails and could only produce a limited patient record. Everyone was satisfied with that answer...

Source: https://www.garrettdiscov...

Medical Malpractice – Guide to Electronic Medical Record Discovery

Ten years ago, the courts were satisfied when the defendants stated there were no audit trails and could only produce a limited patient record. Everyone was satisfied with that answer.

Now the courts have seen the capabilities of the modern day Electronic Medical Record and have ordered everything from virtual site inspections, in-person inspections aided by the EMR vendor,

disclosure of system documentation and forensic audits of systems. Defendants can no longer stand idle or take the position that the data does not exist.

Background on certified Electronic Medical Record (EMR) Systems

In 2011,

the Department of Health and Human Services (DHHS) Centers for Medicare and Medicaid Services (CMS) established the Medicare and Medicaid EHR Incentive Program (now known as

the Promoting Interoperability Program) to encourage clinicians, eligible hospitals, and CAHs to adopt, implement, upgrade (AIU),

and demonstrate meaningful use of Certified Electronic Record Health Technology.

Physicians received $67,250 from the Federal Government and Hospitals received at a minimum $1,200,000 as a base payment for implementing a Certified Electronic Medical Record System.

EMR vendors had to go through rigorous testing and evaluation, as well as attest to the Federal Government that they could meet the program requirements.

The attestation process was governed by DHHS Office of National Coordinator (ONC) and required that an EMR have transaction level auditing (audit trail) and once the vendor met

the requirements their products would be listed on the ONC Certified Health Product List website.

Only a handful of hospitals across the nation serving the Medicare and Medicaid eligible population did not receive funding from the Federal Government.

Did Practitioners and Hospitals attest to the federal government that they were using a Certified Electronic Medical Record System?

Yes.

All practitioners and hospitals that applied for government funding to help pay for all or part of their Electronic Medical Record System attested that their system could meet

the program requirements.

One way the providers of care knew the system could meet the requirements is that the Office of National Coordinator maintained a website of the EMR products that met

the requirements: https://chpl.healthit.gov/#/search.

A provider would simply click on the various models and software and determine if the combination of the vendor's software constituted a certified and complete Electronic Medical Record System.

The ONC system would then generate a number similar to a VIN on a car that was needed to apply for government incentives.

Who maintains the EHR Incentive program applications?

Each state was responsible for creating a website to educate the public and practitioners on the efforts of interoperability.

Additionally, each state administered the Federal Government's EHR incentive program and each state maintains the applications for incentives.

What is an Audit Trail?

An audit trail allows for the tracking of an individual's access to an Electronic Health Record including; any modification, deletion, or additions to the Electronic Health Record.

Among other things, an audit trail must include information documenting who accessed the electronic information and what was done during that access period (45 C.F.R SS 170.210).

Specifically, the audit trail must provide "the date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed,

or deleted; and an indication of which action(s) occurred and by whom must also be recorded" 45 C.F.R SS 170.210.

Audit trails are required to include any modifications made to a patient's medical record, what was changed, what it was changed to, and what it was changed from.

HIPAA Mandates Audit Trails 45 C.F.R SS 164.312(b) & 45 C.F.R SS 170.210(b)

A health care facility must maintain an audit trail of a patient's electronic medical record.

Specifically, the audit trail must provide "the date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed,

or deleted; and an indication of which action(s) occurred and by whom must also be recorded."

HIPPA Audit Trail Requirements ASTM E2147-18

"Audit reports designed for system access provide a precise capability for healthcare providers, organizations, patients, patient representatives,

and advocates to see who has accessed and/or manipulated patient information.

Audit Trail Retention 45 C.F.R. SS 164.316

The audit trail must be available for a minimum of 6 years.

Patients Right to Access the Audit Trail 45 C.F.R SS 164.24

An individual has a right of access to obtain a copy of his/her protected health information.

Individual Access 45 C.F.R SS 164.524(c)(2)(i) & 45 C.F.R SS 164.524(c)(2)(i)

A health care facility must provide the individual with access to protected health information in the form or format requested by the individual.

Protection from Alterations 45 C.F.R. SS164.312(c)(1)

Providers of care must "implement policies and procedures to protect electronic protected health information from improper alteration or destruction."

Medical Providers Must Protect records from alteration 45 C.F.R. SS 170.210(h)

"Because of the significant risk of medical information manipulation in computing environments by authorized and unauthorized users,

the audit report is an important management tool to monitor access and any such manipulation retrospectively.

In addition, the access and disclosure logs become powerful support documents for disciplinary and legal actions."

There are no exemptions from Federal Audit Trail Requirements

The certification criteria are set forth by the Centers for Medicaid and Medicare Services (CMMS) Office of National Coordinator (ONC) and administered by the State Government.

The program provides in most cases for the entire cost of adopting, implementing and upgrading a certified EMR.

As part of the certification requirements, the practice must have in place transaction level auditing.

If a practice is deficient, it would require self-reporting to the Inspector General's Office and would result in a substantial loss,

as the Medicare and Medicaid reimbursement rates are tied to the certification.

Providers of Care and Third-Party Brokers

"Providers of Medical Care," and are thus "Covered Entities" under applicable law 42 U.S.C. 1395x(s), 45 C.F.R. SS170.210(h) (incorporating ASTM Standard E2147-01).

"Providers of Medical Care" would encompass "a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s))" 45 C.F.R SS 160.103. 42 U.S.C.

1395x(s)'s definition of "health care provider" specifically covers (42 U.S.C. 1295x(s)(3) ) "ex.

____diagnostic X-ray tests__ and ____"X-ray, radium, and radioactive isotope therapy, including materials and services of technicians." 42 U.S.C. 1295x(s)(4).

It should also be noted that as a provider of electronic services to the Defendant "Covered Entities,

" most 3rd party vendors of data holders would (at the very least) be deemed a "Business Associate," bound by the same audit trail requirements (HIPAA and the HITECH act. 45 CFR SS 160.103).

Transmission of Health Data requires compliance 45 CFR 160.103

Transmitted "health information" in electronic form (Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:

Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past,

present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present,

or future payment for the provision of health care to an individual (45 C.F.R SS 160.103).

Can the Plaintiff test the credibility of the Defendants EMR?

Under 45 C.F.R SS 164.524(c)(2)(i) a health care facility must provide the individual with access to protected health information in the form or format requested by the individual.

In this case, Plaintiff seeks the following:

General EMR Audit Trail Elements

Audit Trails consist of many data elements:

User ID;

Date of entry;

Time of entry;

Field that was edited;

Whether the entry is a correction to an existing entry;

Value or text entered into the field;

Display time of the entry;

Any notes or annotations entered;

ID of the user making any correction;

Time that the correction was made; and

Iterations of each entry

Are audit trails kept within the Core Medical Record System?

Yes and No. Most EMR's have various audit trails. Some of the most well-known EMR's capture access logs; including, every keystroke made into the system to modifications of patient record data.

Some systems do not have the proper auditing and compliance modules necessary to constitute a certified system; therefore, multiple vendors modules must be combined.

For instance,

in many EMR installations the auditing and compliance module within the core software is not robust and therefore hospitals often purchase products such as FairWarning or P2Sentinel,

which are auditing programs that capture an extreme amount of data regarding who touched what record and for what purpose.

One of the problems I run into often, is that defendants take the position that the auditing information is not part of the patients record.

This defense falls flat as the courts routinely have required the production of these records.

Stories We Think You'll Love 💕

Get The App

App Store
COMMENTS (0)
SHOUTOUTS (0)