Vol. 55 No. 4

Trial Magazine

Cures for Barriers to Electronic Health Records

Despite laws that protect patients’ access to their EHR, many encounter challenges when requesting this information. The 21st Century Cures Act offers stronger avenues for obtaining complete records.

Jonathan H. Lomurro, Jennifer L. Keel, Nursine Jackson April 2019

Patients have a right to access their electronic health records (EHR) under federal law.1 That protected right of access, however, is often hindered by practices of those in control of the patient’s personal health information. The Health Insurance Portability and Accountability Act (HIPAA) initially addressed EHR access when it was passed in 1996.2 Then in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was intended to grant patients access to their digital health data.3 But patient access remains frustratingly limited in practice.

Much has changed since HIPAA and the HITECH Act were enacted. A more recent attempt to remedy patients’ limited access to EHR was included in the 21st Century Cures Act, which was signed into law in late 2016. “Information blocking” is so common that it is explicitly defined in the Cures Act as any practice that “is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.”4 In addition to intentionally preventing patients from accessing their health information, the design of EHR systems can also limit access to patient records. Many EHR systems are composed of multiple software applications, generally from different manufacturers, and the different applications often lack necessary interoperability. Information blocking and interoperability failures may not only prevent patients from having access to their records but can also interfere with their medical care, resulting in injury or death, and deny them a legal remedy for injuries sustained through medical errors and negligence.

In one example, a patient was using a beta blocker for years, which had a black-box warning not to abruptly stop the medication. The sudden cessation, particularly in patients with preexisting cardiac disease, can cause numerous possible complications, including severe hypertension. Unfortunately, a resident stopped the medication in preparation for a surgical procedure. The EHR system had a built-in fail-safe warning that would activate if the medication was stopped. The action was noted in the chart, but the data didn’t transfer to the portion of the electronic system relating to medication orders, so the alert was not triggered. This led to the patient suffering a hypertensive crisis that caused a non-focal brain bleed resulting in her death.

While information blocking usually involves the failure of the medical provider to provide the patient full access to his or her personal health information, it also can occur when all the treating medical providers aren’t given complete access. In one example, a patient had an X-ray of his lung to rule out pneumonia at a local hospital. The X-ray demonstrated an infiltrate, which was noted on the radiology report. Instead of electronically sharing the data with the primary care physician, the report was faxed and then scanned into the physician’s electronic system. The image was severely blurred and difficult to read. Because the electronic information was not shared, the primary care doctor was not alerted to the findings. During the patient’s annual checkup the following year, it was revealed that cancer filled most of his lung. He died of lung cancer.

The Changing Face of EHR Systems

Patients should have access to all of their collected information, but determining what information has been collected in each system poses a serious e-discovery obstacle. There are many EHR systems, and not all systems are equal. The demands on a hospital EHR system may be significantly more robust than those imposed by a small private practice physician’s office in which the EHR’s application may be limited to recording office visit notes. In fact, many applications may not even be functional in an actual patient-care environment: The EHR software applications generally are not tested in clinical settings, which places information technology (IT) designers in the difficult position of guessing about unanticipated situations.

For example, in one instance, newly released software lacked options that would allow the nurses to override the system and gain immediate access to urgently needed emergency medications and supplies. Also, in many clinical settings in which EHR systems are newly installed, drop-down menus and auto-population macros lack selections that correspond with data entry needs based on the situations occurring in examination and operating rooms.

So how do you assess each system’s capabilities? An April 2016 report to the U.S. Congress attempted to answer that question by detailing mechanisms to help medical providers compare and select EHR technology products.5 According to the report, there were almost 800 developers of certified health IT and almost 200 health IT developers specifically in the hospital market, with each system having different capabilities.6

Take the Epic EHR system as an example of diverse capabilities: It allows doctors to access patient information, prescription writing, visit notes, and more—including on its smartphone and tablet apps from outside the facility.7 Patients can exchange secure messages, record blood pressure readings to their charts, and schedule appointments through Epic. The system also can record data from glucometers, Fitbits, and other devices such as Apple’s HealthKit and Google Fit.

But despite such capabilities, medical providers routinely say, “our software can’t do that,” in response to specific data requests and requests for audit trails. And unfortunately, those who should know more about an EHR system’s functionality, such as IT personnel who implement the software in the health facility, and even the software support techs, also wrongfully exclaim the same thing regularly.

To assess whether an EHR system has adequate functionality before being marketed, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) established the Health IT Certification Program. The ONC issued its Standards and Certification Criteria Final Rule in 2010,8 which was intended to assure purchasers and other users that an EHR system meets HHS’s technological capability, functionality, and security requirements.9

Every EHR software vendor signs a statement that its software meets the certification criteria before the software is released for clinical use. As a condition of maintaining certification, software providers must submit responses about all certified technology they develop.10 If software is not functional (for example, if alerts for drug incompatibilities issued by the pharmacy are not conveyed to the nurses and physicians caring for the patient), the ONC is the EHR users’ resource for reporting problematic software, allowing problems to be investigated and, hopefully, fixed.11

On March 4, 2019, the ONC released its long-awaited proposed rule to implement the Cures Act’s interoperability, information blocking, and health information technology certification provisions.12 This proposal reflects that the plan is to continue using most of the certification requirements the ONC adopted in its 2015 final rule, with some additions and revisions, which means EHR system minimum standards, as described in the following paragraph, will remain in effect.13 The proposal deletes the remaining references to the 2014 rule.

EHR systems—minimum standards. Information that must be maintained for an EHR system to meet minimum standards is set forth in ASTM E2147-01. If a facility uses EHR, it is required to meet these standards.14 Despite software manufacturers having attested that their software met certification criteria, many facilities and even some EHR software manufacturers or vendors claim that they are not required or are unable to produce some of the required information. To rebut a facility’s false contentions, the attestation statements from the software manufacturer15 and the facility16 can and should be obtained and used as objective rebuttal evidence.

Under ASTM E2147-01, audit logs must record the exact date and time of the access event and the exit event.17 Patients must be uniquely identified to distinguish them and their information from all others.18 The health information system user also must be uniquely identified.19 Any actions—such as additions, deletions, changes, queries, printing, or copying—must be recorded, and any patient data that has been accessed must be identified.20 Patient data should be identified with granularity specific enough to clearly determine whether data has been accessed to allow for the enforcement of federal or state laws regarding special confidentiality protection.21 Specific categories of data content—such as demographics, pharmacy data, test results, vitals, and transcribed notes type—should be individually identified in the audit.22 To identify who accessed what and when, the EHR system must produce an output file that lists activities in common terms or maintains a data dictionary to clarify abbreviations or alpha-numeric codes used to identify audit data recorded.

Attorneys and other patient advocates can check for information on the EHR system that a medical provider uses via the ONC’s Certified Health IT Product List to determine whether the EHR product at issue has certified that it provides audit reports, information on auditable events, and tamper-resistance features.23 This resource will show that a product has certified that it provides authentication and access controls and clinical quality measure data.24

In addition, you can find out whether the developer has certified the application’s ability to allow third parties to view, transmit, and download patient electronic health information.25 These security measures are essential to verify that confidential medical information is protected or that Social Security numbers or insurance information are not conveyed and used by another party.

Audit trails. One of the most important resources for an attorney is the EHR audit trail. EHR system users must be able to create one or more audit reports for every software system being used for a specific time period.26 The reports must be able to include the data specified under ASTM E2147-01, changes to user privileges while the EHR system was in use, and the date and time of actions. The content of audit reports also must be sortable—produced in Excel spreadsheet format, not as PDF documents.

The audit trail is the current-day medical records custodian, but it is more powerful and more detail oriented in its ability to track medical record changes. In Gilbert v. Highland Hospital, a New York trial court reflected on the importance of the audit trail: It “shows the sequence of events related to the use of and access to an individual patient’s EHR. . . . The audit trail cannot be erased and all events related to the access of a patient’s EHR are permanently documented in the audit trail. Providers cannot hide anything they do with the medical record. No one can escape the audit trail.”27

Additionally, attorneys should know that there is an audit of the audit log.28 Computer system instability, power outages, or medical providers improperly switching off auditing controls may result in a temporary suspension of a system’s collection of audit data. If there is any interruption in the collection of audit data, the audit of the audit log should reflect who terminated the audit data collection, why, and for how long.
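The ASTM E2147-01 elements listed above (access and exit time, unique patient and user identifiers, action type, data category and element, and a data dictionary for coded values) and the interruption check described in this paragraph can be applied mechanically to a spreadsheet export of an audit trail. The following is an added example, not code from the article or from any EHR vendor; the column names, action and category codes, and the log lines are constructed for illustration, and a real export will use different names that must be mapped first.

```python
"""Check an EHR audit-trail export against the ASTM E2147-01 elements and
flag interruptions in audit collection. All codes and rows are constructed."""
import csv
import io
from datetime import datetime, timedelta

# Constructed export; a real system's column names will differ.
SAMPLE_EXPORT = """\
access_time,exit_time,patient_id,user_id,action,data_category,data_element
2019-02-01T08:00:00,2019-02-01T08:05:00,P1001,U42,VIEW,PHARM,beta_blocker_order
2019-02-01T08:06:00,2019-02-01T08:07:00,P1001,U42,DEL,PHARM,beta_blocker_order
2019-02-01T08:10:00,,P1001,U42,PRT,NOTES,progress_note_0201
2019-02-01T08:11:00,2019-02-01T08:12:00,,U17,QRY,DEMO,address
2019-02-01T08:12:00,2019-02-01T08:13:00,P1001,U17,AUD_OFF,SYS,audit_collection
2019-02-01T14:30:00,2019-02-01T14:31:00,P1001,U17,AUD_ON,SYS,audit_collection
2019-02-01T14:32:00,2019-02-01T14:33:00,P1001,U17,XX,LAB,cbc_result
"""

# The data dictionary the standard requires for coded audit values (constructed).
ACTION_CODES = {"VIEW": "view", "ADD": "addition", "DEL": "deletion", "CHG": "change",
                "QRY": "query", "PRT": "print", "CPY": "copy",
                "AUD_OFF": "audit collection stopped", "AUD_ON": "audit collection resumed"}
CATEGORY_CODES = {"DEMO": "demographics", "PHARM": "pharmacy", "LAB": "test results",
                  "VITALS": "vitals", "NOTES": "transcribed notes", "SYS": "system"}
REQUIRED = ("access_time", "patient_id", "user_id", "action", "data_category", "data_element")


def parse_time(value):
    return datetime.fromisoformat(value) if value else None


def validate_row(row):
    """Return the ASTM E2147-01 deficiencies found in one audit record."""
    problems = [f"missing {f}" for f in REQUIRED if not row.get(f)]
    if not row.get("exit_time"):
        problems.append("missing exit_time")          # exit event must be timed too
    if row.get("action") and row["action"] not in ACTION_CODES:
        problems.append(f"undefined action code {row['action']!r}")
    if row.get("data_category") and row["data_category"] not in CATEGORY_CODES:
        problems.append(f"undefined category code {row['data_category']!r}")
    return problems


def audit_gaps(rows, max_silence=timedelta(hours=1)):
    """Find interruptions in audit collection: explicit stop/resume pairs and
    silent stretches longer than max_silence. Each is a question for the
    custodian: who stopped collection, why, and for how long."""
    gaps = []
    times = [parse_time(r["access_time"]) for r in rows if r.get("access_time")]
    for earlier, later in zip(times, times[1:]):
        if later - earlier > max_silence:
            gaps.append(("silence", earlier, later))
    stopped = None
    for r in rows:
        if r.get("action") == "AUD_OFF":
            stopped = r
        elif r.get("action") == "AUD_ON" and stopped is not None:
            gaps.append(("disabled", stopped["user_id"], stopped["access_time"], r["access_time"]))
            stopped = None
    return gaps


def review(export_text):
    """Map spreadsheet line number (header is line 1) to its deficiencies,
    and return the list of collection gaps."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    findings = {i + 2: validate_row(r) for i, r in enumerate(rows)}
    return {line: p for line, p in findings.items() if p}, audit_gaps(rows)


if __name__ == "__main__":
    deficiencies, gaps = review(SAMPLE_EXPORT)
    for line, problems in sorted(deficiencies.items()):
        print(f"line {line}: {', '.join(problems)}")
    for gap in gaps:
        print("gap:", gap)
```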

Enforcing Patients’ EHR Rights

When providers or EHR system designs limit access to information, it can be difficult for patients to enforce their legal rights. Enforcement of EHR system requirements should provide patients with access to their “complete health record” as the law requires.29 But despite such requirements, health care providers do not automatically grant access to other facilities or patients.

While information blocking is a well-recognized phenomenon, the burden to gain statutorily defined access continues to fall on patients and their representatives. Plaintiff attorneys must know the statutes and regulations and their cases well enough to specify their needs for access, must properly state those needs in their requests for the audit trails and access logs, and must understand the benefit of that information to the litigation. Many EHR systems have access logs that indicate the different users who accessed the document. An access log is a separate file from the audit trail, which may contain different data such as edits, deletions, or locations.

Your judge and the HHS’s Office for Civil Rights (OCR) can enforce your clients’ right to access health information.30 If an entity withholds personal health information or charges a fee greater than allowed by law to provide that information, the entity has violated HIPAA, and you should report that violation to the OCR.31

If the problem is related to a glitch in software that has been certified to create, preserve, and retrieve the requisite health information, report the issue to the HHS’s ONC.32 Recently, the ONC declared that it was no longer testing EHR systems to verify that they met the certification criteria, and instead, it would allow health IT developers to “self-declare” their product’s conformance to these criteria.33

This self-declaration process has become a sales and marketing tool instead of a security tool. Rather than verifying that software is fully functional before being released on the market, HHS now investigates only after a problem has been reported. Any claim that the certified health information developer or a health care provider engaged in information blocking should be reported to the ONC, and each claim should lead to an investigation.34 The penalties may be up to $1 million per violation;35 however, penalties are not paid to the patient but to the government.

When software has caused or contributed to an injury to a patient, report the issue to the FDA using a Manufacturer and User Facility Device Experience (MAUDE) database report.36 The FDA is responsible for monitoring the safety of medical devices, including software for electronic medical records.

Additionally, HHS’s Office of the Inspector General (OIG) has the authority, along with law enforcement partners, to investigate any conduct that places patient safety at risk and that causes losses to all federal health care programs. A complaint can be filed at the OIG’s hotline operations.37

The Attempt to ‘Cure’ EHR Access

The Cures Act expands on HIPAA and HITECH Act requirements regarding health information access. HIPAA’s Privacy Rule granted individuals the right to access their health information.38 The HITECH Act also provided that people have a right to obtain records in electronic format from entities that maintain such records, required covered entities to respond to records requests within 30 days, and strictly limited fees.39

The Cures Act charges the ONC with improving the flow and exchange of electronic health information, advancing interoperability, prohibiting information blocking, and supporting patient access to their personal health information.40 The act sets forth new goals for patient access to electronic health information and requires that EHR providers certify system usability for patients. Under the act, EHR best practices include providing patients with health information that is private and secure, accurate, verifiable, and easily exchanged.41 Information should be accessible “to that patient and the patient’s designees,”42 and patients have a right to direct a copy of their protected health information to a designated person.43 The patient’s right to access and deference to standards development organizations, such as ASTM, are also reiterated.44

The Cures Act also establishes “interoperability” requirements for health information technology. Systems must enable the secure exchange and use of electronic health information with other health information technology systems without special effort by the user.45 EHR systems must allow for complete access, exchange, and use of all electronically accessible health information.46 The act also directs the ONC to “develop or support a trusted exchange framework, including a common agreement among health information networks nationally” to ensure network-to-network exchange of health information.47

The Cures Act required the U.S. Comptroller General to build on prior Government Accountability Office studies and conduct a review of patient access to their protected health information, including barriers or difficulties.48 Patients generally were unaware that they had a right to challenge providers who deny them access to their medical records. In addition, providers often store the information in multiple electronic record systems or in a mix of paper and electronic records, a practice resulting in patients routinely receiving incomplete records.

The ONC’s March 2019 proposed regulations implementing the Cures Act focus on specific areas of the law, including patient access, information blocking, the new conditions of certification, and the role application programming interfaces will play in the new health information technology landscape created by the act.49 The proposal references support for patients’ “electronic access to their health information at no cost.”50

However, the proposal focuses on the transfer of and integrity of the record through consistent maintenance of audit data. In the past, rules have emphasized keeping EHR secure. With this proposal, the focus is on exporting and sharing health information. The proposal is interesting for what it says and for what it does not. An important note for plaintiff attorneys is that the proposal does not mention ASTM standards and left their audit trail requirements in full force and effect.

With the Cures Act, the harmful impact on patients due to the lack of EHR system-to-system compatibility and the use of information blocking have come into the spotlight. As we await the finalization of regulations implementing Cures Act provisions, it is important now more than ever to ensure EHR access challenges do not impede our clients’ legal rights.


Jonathan H. Lomurro is a partner at Lomurro Law in Freehold, N.J., and can be reached at jlomurro@lomurrolaw.com. Jennifer L. Keel is a partner at Thomas, Keel & Laird in Denver, and can be reached at jkeel@thomaskeel.com. Nursine Jackson is a legal nurse consultant and medical analyst at The Law Offices of Mark R. Bower in New York City, and can be reached at Nursine@gmail.com.


Notes

  1. 45 C.F.R. §164.524 (Westlaw current through Feb. 21, 2019); 42 U.S.C. §17935(e) (Westlaw current through Pub. L. No. 115-281).

  2. Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. §1320d–2 (Westlaw current through P.L. 115-281).

  3. For more on the HITECH Act, see Roger J. Leslie, Clearing the Path to Patients’ Medical Records, Trial 28 (May 2016).

  4. 42 U.S.C. §300jj-52(a)(1) (Westlaw current through Pub. L. No. 115-281).

  5. U.S. Dep’t of Health & Human Servs., Office of the Nat’l Coordinator for Health Info. Tech., Report on the Feasibility of Mechanisms to Assist Providers in Comparing and Selecting Certified EHR Technology Products (April 2016), www.healthit.gov/sites/default/files/macraehrpct_final_4-2016.pdf.

  6. Id. at 9.

  7. America’s Health IT Transformation: Translating the Promise of Electronic Health Records Into Better Care Hearing Before the S. Comm. on Health Educ., Labor and Pensions, 114th Cong. 20 (2015) (prepared statement of Peter DeVault, Director of Interoperability, Epic Systems Corp.).

  8. Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, 75 Fed. Reg. 44,590 (July 28, 2010).

  9. U.S. Dep’t of Health & Human Servs., Office of the Nat’l Coordinator for Health Info. Tech., Certification of Health IT, http://tinyurl.com/y53sqjjt.

  10. 42 U.S.C. §300jj-11(c)(5).

  11. U.S. Dep’t of Health & Human Servs., Office of the Nat’l Coordinator for Health Info. Tech., Health IT Feedback Form, www.healthit.gov/healthitcomplaints.

  12. 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 84 Fed. Reg. 7424 (Mar. 4, 2019), https://tinyurl.com/y5js5rk9.

  13. Id.; see also 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications, 80 Fed. Reg. 62,602 (Oct. 16, 2015).

  14. Standard Specification for Audit and Disclosure Logs for Use in Health Info. Sys., ASTM E2147-01 (reapproved 2013) (incorporated by reference in 45 C.F.R. §170.299 and available for a fee at www.astm.org).

  15. Such documentation is an “approved method to demonstrate conformance” to health IT standards. Office of the Nat’l Coordinator for Health Info. Tech., Certification of Health IT: 2015 Edition Test Method, www.healthit.gov/topic/certification-ehrs/2015-edition-test-method.

  16. Ctrs. for Medicare and Medicaid Servs., Promoting Interoperability (PI) Programs: Registration and Attestation, http://tinyurl.com/cpazbce.

  17. ASTM E2147-01, §7.2 (available for a fee at www.astm.org).

  18. ASTM E2147-01, §7.3.

  19. ASTM E2147-01, §7.4.

  20. ASTM E2147-01, §§7.6, 7.7.

  21. ASTM E2147-01, §7.7.

  22. Id.

  23. Certification of Health IT, supra note 9.

  24. Id.; 45 C.F.R. §170.315(c)-(d).

  25. 45 C.F.R. §170.315(e)(1).

  26. For more on audit trails, see Jennifer L. Keel and Matthew R. Laird, Blazing a Trail, Trial 22 (May 2017); Jennifer L. Keel, Follow the Audit Trail, Trial 28 (May 2014).

  27. 52 Misc. 3d 555, 557 (N.Y. Sup. Ct. 2016) (citing Alice G. Gosfield, Health Law Handbook §10:9 (2011)).

  28. 45 C.F.R. §170.302(s)(3) states that EHR and their modules must have the ability to detect the alteration of audit logs.

  29. See 45 C.F.R. §164.524; The 21st Century Cures Act, 42 U.S.C. §§300jj-19a(b)(2)(D), 300jj-19a(a)(3)(B)(viii).

  30. U.S. Dep’t of Health & Human Servs., Office for Civil Rights, Filing a Complaint (June 16, 2017), https://www.hhs.gov/hipaa/filing-a-complaint/index.html.

  31. To report a HIPAA violation, visit OCR’s “Complaint Portal Assistant” at https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf.

  32. U.S. Dep’t of Health & Human Servs., Office of the Nat’l Coordinator for Health Info. Tech., Health IT Feedback Form, www.healthit.gov/healthitcomplaints.

  33. U.S. Dep’t of Health & Human Servs., Office of the Nat’l Coordinator for Health Info. Tech., Program Guidance 17-04: Self-Declaration Approach for ONC-Approved Test Procedures (Nov. 22, 2017), http://tinyurl.com/y24vjptj.

  34. 42 U.S.C. §300jj-52(b)(1).

  35. 42 U.S.C. §300jj-52(b)(2).

  36. U.S. Food & Drug Admin., MAUDE-Manufacturer and User Facility Device Experience, http://tinyurl.com/zrun8kn.

  37. U.S. Dep’t of Health & Human Servs., Office of Inspector Gen., Non-Employee Complaint, https://forms.oig.hhs.gov/hotlineoperations/complaint.aspx.

  38. 45 C.F.R. §164.524; U.S. Dep’t of Health & Human Servs., Individuals’ Right Under HIPAA to Access their Health Information 45 CFR §164.524, http://tinyurl.com/jhhyk6n.

  39. 45 C.F.R. §164.524(c)(2)(ii); see HIPAA Journal, What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?, http://tinyurl.com/y2zmffru.

  40. Sherri Morgan & Lana Moriarty, 21st Century Cures Act & the HIPAA Access Right, U.S. Dep’t of Health & Human Servs., Office for Civil Rights, http://tinyurl.com/y3srxb5n.

  41. 42 U.S.C. §300jj-19(c)(3)(A)–(D).

  42. 42 U.S.C. §300jj-19(e)(1)(A).

  43. Id.

  44. 42 U.S.C. §300jj-14(c); 45 C.F.R. §164.524.

  45. 42 U.S.C. §300jj(9); Office of the Nat’l Coordinator for Health Info. Tech., Interoperability, www.healthit.gov/topic/interoperability.

  46. 42 U.S.C. §300jj(9).

  47. 42 U.S.C. §300jj-11(c)(9)(A); Office of the Nat’l Coordinator for Health Info. Tech., Trusted Exchange Framework and Common Agreement, http://tinyurl.com/y6o7z95s.

  48. U.S. Gov’t Accountability Office, Report to Congressional Committees, Medical Records: Fees and Challenges Associated With Patients’ Access (May 2018), www.gao.gov/assets/700/691737.pdf.

  49. 84 Fed. Reg. 7424.

  50. Id. at 9.