Electronic Health Records: Patient Safety and Liability Concerns

Health information technology (HIT) has significantly shaped the landscape of modern healthcare, and electronic health records (EHRs) represent one of the most consequential technological advances in recent decades. EHRs have revolutionized the documentation of patient care. For the majority of healthcare organizations and practitioners, paper records are a relic of the past.

Virtually all hospitals in the United States use EHRs, and almost 90 percent of office-based physicians have adopted these systems.¹

Over the years, the promise of EHR capabilities has been ambitious and perhaps borderline utopian — these systems have been lauded as a way to vastly improve patient safety, efficiency, care coordination, and information sharing. However, the reality of EHRs has been a complex intertwining of incremental improvements, risks, and frustrations. Many benefits have been tempered by negative effects or outcomes. For example:

• Increased access to patient data has resulted in information overload and data dumps.
  
• Enhanced clinical decision support and patient alerts can cause alarm fatigue.
  
• The convenience of electronic prescribing and referrals has been moderated by system glitches and human factors that result in errors or oversights.
  
• The elimination of handwriting illegibility has been offset by printed versions of EHRs that contain coding gibberish or massive amounts of meaningless data.
  
• Efficiencies in billing and coding processes have been negated when poor documentation processes lead to the replication of inaccurate information.

These examples illustrate the figurative seesaw that the healthcare community has experienced with EHR technology. As a result, feelings about EHRs often are mixed, and many providers cite EHR issues as a key contributor to clinician burnout.

In addition to clinical and operational issues, EHRs also have introduced a new dynamic in malpractice liability. Contributing factors in EHR-related litigation include problems with documentation practices, user errors, system issues/design, conversion issues, and training and education. Additionally, cases involving EHR factors were costly and more than half resulted in high-severity outcomes (i.e., permanent disability or death).

This article focuses on a number of areas in which EHR-related risks may occur due to time constraints, inexperience, oversight, system usability, or other factors. Risk strategies also are presented for each area covered, with the hope that they will lay the groundwork for more thorough discussions within healthcare organizations about how to manage risks associated with complex EHR systems.

Implementation/Conversion

Moving from paper records to an EHR system or converting from one EHR system to another is inherently risky because data can be lost or misplaced, workflow processes change, and users require new skills and knowledge.

Implementation/conversion is a multistep process that should involve:

• Organizational needs assessment
• Due diligence review of vendors and products
• Strategic planning
• Ongoing evaluation and adjustment once the system is in place

The Office of the National Coordinator for Health Information Technology (ONC) notes that successful implementation requires a two-phase approach: pre-implementation and implementation.⁴ The first phase focuses heavily on the “big-picture” strategy, including establishing an overall implementation plan, developing governance processes, and designing workflow patterns.

The pre-implementation phase also includes communicating with providers and staff about the new system and the conversion process as well as providing ample training opportunities. Careful evaluation of workflow processes and an open dialogue with staff may help identify potential issues early, so the organization can develop and apply effective solutions.

The second phase involves more detailed evaluation and adjustment, such as tailoring the system to meet the specific needs of the organization, establishing a change-management process, and determining how to transfer information and reconcile legacy data with data in the new system, so as not to misplace important records or overlook critical health information.

The implementation phase also involves providing overall support for the new system and encouraging providers and staff members to adopt the new technology. Workforce cooperation and compliance are critical during the implementation phase. The individuals managing the process should realize that some providers and staff may welcome the new technology, while others might resist the change.

In some instances, provider/staff resistance has led organizations to maintain both paper and electronic systems to meet varying preferences. However, research has shown that hybrid systems decrease efficiency and increase the risk of errors.⁵ Although it might be tempting to try to satisfy everyone, it also can be counterproductive and, ultimately, it does not support a culture of safety or environment of cohesive teamwork.

Strategies for Implementation/Conversion

• Include providers and staff members who will be using the EHR system in initial research and planning activities.
  
• For paper-to-electronic conversions, develop a plan for how your organization will handle paper records once the EHR system is implemented. For example:
  • Will staff members scan paper records into the new system?
  • Will scanned documents be searchable?
  • What are the expectations for providers to reconcile old records with new ones during patient encounters?
    
• For conversions from one EHR system to another, determine the previous vendor’s and new vendor’s roles in information transfer (i.e., contractual obligations and requirements). Consider the following questions:
  • Is any data optimization required prior to conversion?
  • What are the deadlines for data transfer between systems?
  • Will your organization have access to the old system after the conversion; if so, for how long?
    
• Seek provider/staff input on developing policies and workflow processes that align with their needs as well as the functionality of the new system.
  
• Support providers and staff throughout the pre-implementation and implementation phases by (a) including them in the decision-making process, (b) maintaining transparent communication; and (c) establishing firm, yet reasonable expectations related to EHR adoption and use.
  
• Be realistic about the cost (both in external resources and staff time) that it will take to implement the new system.
  
• Provide training and education during pre-implementation and implementation — as well as after the system is in use — to help providers and staff acclimate to the EHR’s interface and functionality, recognize potential process or system problems, and work toward achievable solutions.

For in-depth information about implementing an EHR system and valuable tools to assist in the process, see Section 1 of the ONC’s Health IT Playbook and the American Medical Association’s STEPS Forward™ EHR Transitions module.

Documentation

Accurate and thorough documentation is the backbone of risk management; it provides essential patient information, historical details about the course of patient care, and a record of services provided.

EHRs are intended to streamline the documentation process, while at the same time capturing more information than was previously possible with paper records. Although using an EHR system may result in more substantive patient information, it also can lead to errors due to specific functions of the system, such as copy and paste; structured and standardized content; and metadata and audit trails.

Copy and Paste

The practice of copy and paste is one of the most common and problematic documentation issues associated with EHRs. Both the MPL Association’s and CRICO Strategies’ malpractice analyses cite this practice as a top trend in EHR-related allegations.⁶ Copy and paste — also called cut and paste, cloning, or carrying forward — refers to electronically lifting information from a previous entry in a patient’s record and placing it in the current entry. It also refers to copying information from one patient record to paste into another, such as through the use of boilerplate language.

Automated functions within EHR systems facilitate the cloning of information because of the ease with which users can grab and move content. Practitioners who feel crunched for time may find the copy and paste function enticing because it’s quick and easy.

Despite the convenience, copying and pasting content can lead to the proliferation of incorrect and nonconsequential information throughout the electronic records, which can lead to patient harm if treatment decisions are based on erroneous or old information – or if practitioners are so overwhelmed by “note bloat” that they miss critical information.

Copy and paste also can affect healthcare providers’ credibility, both in litigation and with patients. For example, ECRI’s report Copy/Paste: Prevalence, Problems, and Best Practices relays the story of a physician who, while talking with a comatose patient’s family, stated that the patient had only recently had surgery (within the previous days). In reality, the patient had undergone surgery more than a month prior, but the phrase “postoperative day 2” had been copied and pasted in the progress notes for weeks.⁸

Additionally, the use of copy and paste can have serious corporate compliance implications. When information is cloned from encounter to encounter without careful review, the organization might end up billing for services that did not occur. Even though this type of billing error might be a simple oversight, it could lead to allegations of fraud, which may jeopardize reimbursement from Medicare and other payers.

Copy and paste also can have a negative effect on data integrity. One of the broad goals of EHR systems is to facilitate the electronic exchange of health information and collection and submission of clinical quality measures. Inaccurate data that result from poor practices like copying and pasting may have long-term implications for population health studies, disease tracking, and data mining.⁹

Strategies for Copy and Paste

• As part of documentation policies, establish guidelines for when copy and paste is prohibited and when it may be used with extreme care.
  
• In situations in which copy and paste is allowed, ensure that organizational policy stipulates the need for practitioners to carefully review any information carried forward in records.
  
• Reinforce practitioners’ responsibility for updating/revising copied information as appropriate and electronically signing each record to verify their review and approval of the information.
  
• Include in documentation policies a requirement that providers note the source of any information they copy and paste in records.
  
• Encourage providers to revise copied and pasted material to remove redundancy and extraneous details.
  
• Routinely audit records to check for errors that may have resulted from copying and pasting patient information.
  
• Educate staff about the dangers and consequences of using poor documentation practices and shortcuts, such as misinformed treatment decisions and fraudulent billing.

To learn more, see the Partnership for Health IT Patient Safety’s Health IT Safe Practices: Toolkit for the Safe Use of Copy and Paste.

Structured/Standardized Content

One of the purported benefits of EHRs is structure and standardization, which is accomplished through functions such as data entry fields, check boxes, drop-down menus, auto-fill, and templates. Although these functions can help generate consistent documentation across providers, poor system usability or user errors can present risks. For example, patient safety might be jeopardized if:

• Patient matching or identification issues cause a provider to enter data in the wrong patient record.
  
• The data entry fields don’t match the clinical situation, or the system is unable to account for variations in patient population (e.g., adult vs. pediatric patients).
  
• The system automatically defaults to a selection of “normal.” If all options are not carefully reviewed, the record might indicate a normal value for a condition that was never evaluated.
  
• The auto-fill function populates incorrect information in a field, and the provider accepts the information without review.
  
• The provider selects the wrong template, check box, or menu item, which can easily happen when multiple options are presented and time is scarce.
  
• The provider is unaware of how taking an action within the EHR ultimately affects the physical output of the record.

Undoubtedly, data entry fields, check boxes, drop-down menus, auto-fill, and templates can create efficiencies, but they also can contribute to the domino effect of replicating inaccurate information. An article about EHR liability in For the Defense explains that “if one provider puts in a wrong medication, a wrong diagnosis, or an incorrect medical history, the systems are typically designed to keep repopulating and disseminating the erroneous information. Keep in mind that one wrong entry might not stay in the system of origin, but it might find it way to a separate pharmacy, specialist, or outside primary care system.”¹¹

Further, overreliance on structured/ standardized content can result in records that lack specificity. Without the unique patient narratives that were customary in paper records, it might be difficult to distinguish one patient encounter from the next, creating uncertainty about critical thinking, clinical reasoning, and diagnostic- and treatment-related decision-making.

Strategies for Structured/Standardized Content

• When selecting an EHR system, make sure your organization can tailor it to relevant clinical situations and patient populations. For example, pediatric practices should ensure that EHR systems take into account medication dosing differences for children.
  
• Be aware of whether your system automatically defaults to a normal setting. If so, carefully review the record at each patient encounter to ensure it doesn’t misrepresent clinical information.
  
• Provide a final quality assurance review of all data you enter and boxes you select in the EHR during each patient encounter.
  
• Occasionally print out and review records to ensure information is presented in a logical, accurate format.
  
• In addition to using structured/standardized content, provide patient-specific notes and comments in the record as appropriate and necessary.
  
• If the system has different screen views based on provider type or role, ensure that all providers are aware of those views and what information may or may not be visible to other practitioners.
  

Metadata and Audit Trails

As mentioned previously, EHRs present an opportunity to collect more data than was ever possible with paper records — and not just data that reside within patient records. A distinguishing characteristic of EHRs is their ability to collect metadata, or “data about data.” Metadata leave an audit trail that may show information such as:

• Who accessed a record, when they accessed it, and the machine on which the information was accessed
  
• The date and time that test results were reviewed
  
• The data and time that a record was modified
  
• How long a provider had a record open and how quickly he/she selected various options
  
• How a provider responded to system-generated alerts or advisories

Simply stated, metadata and audit trails provide an electronic footprint that tracks “each access, update, and action performed by each user . . .”¹³ This information can play a pivotal role in malpractice litigation — either by confirming a healthcare provider’s recollection of events or showing discrepancies in a provider’s statements. For example, if a provider says they documented at the point of care, but the EHR audit trail shows that the majority of documentation was entered several weeks later, the discrepancy might cast doubt on the provider’s credibility — even if the documentation is accurate.

For some practitioners, metadata might necessitate a change in workflow. For example, providers who have typically entered some information into patient records prior to the actual patient encounters will need to adjust their processes. Otherwise, metadata might show inconsistencies in the timing of events. Further, providers should be cognizant of following organizational policies related to documentation timeframes and protocols for amending records.

Strategies for Metadata and Audit Trails

• Be aware of, and educate others in your organization about, your state’s e-discovery statutes or rules.
  
• Learn how your EHR system’s metadata function works, and develop documentation policies around that knowledge.
  
• Ensure that providers and staff in your practice are mindful of the type of metadata that the EHR system collects.
  
• Adjust workflow processes as necessary to eliminate inconsistencies in metadata.
  
• Develop guidance for how to appropriately amend or update electronic records. Without a defined policy, changes to a record may raise questions about the validity and integrity of information.
  
• Consider hiring an outside party to perform an annual audit of your EHR system and provide feedback about the quality of documentation, adherence to regulatory standards, and billing/coding compliance.

Alert Fatigue

Perhaps one of the most powerful patient safety capabilities of EHR systems is their potential to analyze patient data, provide clinical decision support, and send providers auditory or visual safety alerts (e.g., reminders that patients are due for screening tests or notifications about possible contraindications, such as dangerous drug—allergy interactions). These tools are valuable, but only when they are appropriately designed and implemented.

Unfortunately, “in the current highly computerized clinical environment, an individual clinician interacts with many different alert-generating devices—meaning that every day, clinicians are on the receiving end of a staggering number of alerts.”¹⁴ Systems that bombard providers with an overabundance of alerts can be frustrating and lead to a phenomenon known as “alert fatigue” in which providers — pressed for time and exhausted by the sheer number of notifications — ignore or override alerts without verifying their clinical significance.

Research suggests that providers often miss, ignore, or do not follow up on safety alerts or notifications.15 Although many of these dismissed notifications do not result in patient harm, alert fatigue has contributed to various adverse outcomes and is considered a patient safety hazard.

Further, when providers are inundated with massive numbers of noncritical or nonrelevant notices (i.e., low-value alerts), the likelihood that important information will be overlooked increases. After receiving a number of unhelpful alerts, a clinician might bypass the next alert based on the assumption that it is another “false alarm” — when, in fact, it might contain critical information.

To complicate matters, not all alerts that are overridden are the result of providers ignoring the system. Many times, alerts are overridden for valid clinical reasons. However, metadata that capture overrides likely will not distinguish between the two. If metadata are used as evidence in a malpractice lawsuit, healthcare providers might have to defend why they overrode alerts.

Addressing alert fatigue requires consideration of the human and systems factors that contribute to the issue “as the problem fundamentally arises from both the technology itself and how busy human beings interact with the technology.”¹⁸

Strategies for Alert Fatigue

• Determine whether your EHR system’s alert function can be tailored for your healthcare organization, your overall patient population, and specific patient characteristics (e.g., patients who are at high risk for potential adverse outcomes due to certain diseases or conditions).
  
• If your organization is in the process of purchasing an EHR system, include questions about the alert capabilities in your initial research and assessment of products. Carefully consider how each product has applied human factors principles to alert design.
  
• Ask your vendor whether the system’s alerts can be classified based on severity or other factors, and make sure the different types of alerts are presented in different ways to help clinicians quickly distinguish each type of alert.
  
• Limit interruptive alerts to only those that are classified as severe.
  
• Determine whether you can turn off or minimize alerts that are clinically nonconsequential to help reduce alert burden.
  
• Provide documentation, including rationale, for deactivating certain types of alerts or overriding clinically significant alerts.

In Summary

EHRs represent both the present and future of health record documentation. With improved design, proper implementation, and careful consideration of how these systems operate, EHRs can provide opportunities to streamline processes, enhance quality of care, and support patient safety efforts.

However, like all types of technology, EHRs aren’t without problems and risks. Changes in workflow, poor system design and usability issues, lack of understanding about these systems and their capabilities, user errors and system glitches, and lack of defined protocols can all lead to process breakdowns and errors.

Awareness of the potential risks that EHRs present can help healthcare organizations, providers, and staff proactively address them through ongoing staff training, workflow evaluation, and development of comprehensive policies and procedures.

Endnotes

1 HealthLeaders Media News. (2016, June 3). Only 4% of hospitals don’t use EHRs. Retrieved from www.healthleadersmedia.com/innovation/only-4-hospitals-dont-use-ehrs; Office of the National Coordinator for Health Information Technology. (2022). National trends in hospital and physician adoption of electronic health records. Health IT Quick Stat #60. Retrieved from www.healthit.gov/data/quickstats/national-trends-hospital-and-physician-adoption-electronic-health-records; Centers for Disease Control and Prevention, National Center for Health Statistics. (2023, November 3 [last reviewed]). Electronic medical records/electronic health records (EMRs/EHRs). Retrieved from www.cdc.gov/nchs/fastats/electronic-medical-records.htm


2 Alobayli, F., O’Connor, S., Holloway, A., & Cresswell, K. (2023). Electronic health record stress and burnout among clinicians in hospital settings: A systematic review. Digital Health, 9, 20552076231220241. doi: https://doi.org/10.1177/20552076231220241


3 Adams, K. (2022, April 19). EHR dissatisfaction linked to increased clinician resignation. Becker’s Health IT. Retrieved from www.beckershospitalreview.com/ehrs/ehr-dissatisfaction-linked-to-increased-clinicianresignation.html


4 MedPro Group cases with electronic health records as a contributing factor, closed 2012–2023.


5 Office of the National Coordinator for Health Information Technology. (2019). Electronic health records (Section 1). In Health IT Playbook. Retrieved from www.healthit.gov/playbook/


6 Mangalmurti, S. S., Murtagh, L., & Mello, M. M. (2010). Medical malpractice liability in the age of electronic health records. The New England Journal of Medicine, 363(21), 2060–2067.


7 CRICO. (2024, May 31). From click to care: Managing copy-and-paste risks in the EHR. Retrieved from www.rmf.harvard.edu/News-and-Blog/Newsletter-Home/News/2024/SPS-May-Documentation-Copy-Paste-Errors


8 ECRI Institute. (2015, October). Copy/paste: Prevalence, problems, and best practices. Retrieved from www.ecri.org/Resources/HIT/HTAIS_Copy_Paste_Report.pdf


9 Broulliard, C. P. (2016, August). Electronic health record liability. For the Defense, 80-86.


10 Pew Charitable Trusts. (2019, June 3). Pew urges agency to prioritize safety in pediatric electronic health records. Retrieved from www.pewtrusts.org/en/research-and-analysis/speeches-and-testimony/2019/06/03/pewurges-agency-to-prioritize-safety-in-pediatric-electronic-health-records


11 Federal Rules of Civil Procedure. (2006, December 1). U.S. Government Printing Office. Retrieved from www.gpo.gov/fdsys/pkg/CPRT-109HPRT31308/pdf/CPRT-109HPRT31308.pdf


12 K&L Gates Electronic Discovery Law. (n.d.). Current listing of states that have enacted e-discovery rules. Retrieved from www.ediscoverylaw.com/state-district-court-rules/


13 Sterling, R. B. (2016, March 25). Hidden malpractice dangers in your EHR. Medscape. Retrieved from www.medscape.com/viewarticle/857727


14 Agency for Healthcare Research and Quality. (2019, September). Patient safety primer: Alert fatigue. Retrieved from https://psnet.ahrq.gov/primer/alert-fatigue


15 Ibid.; Luthra, S. (2016, June 15). Screen flashes and pop-up reminders: ‘Alert fatigue’ spreads through medicine. Kaiser Health News. Retrieved from https://khn.org/news/screen-flashes-and-pop-up-reminders-alert-fatiguespreads-through-medicine/; Jason, C. (2021, April 16). The pros and cons of EHR clinical decision support alerts. TechTarget. Retrieved from www.techtarget.com/searchhealthit/news/366578960/The-Pros-and-Cons-of-EHRClinical-Decision-Support-Alerts


16 Agency for Healthcare Research and Quality, Patient safety primer: Alert fatigue.


17 Ibid.