Appendix B
Legal Aspects of Computer-based Patient Records and Record Systems

Adele A. Waller

Computer-based patient records and record systems may bring into play laws of many kinds. For example, system hardware may be patented and system software copyrighted. If a computer-based patient record system fails and the failure results in harm to a patient, tort liability can result to the vendor or to the provider using the system, or to both. Tort liability can also arise if a system is not protected from unauthorized access and breaches of patient confidence result or records are destroyed or altered. A computer hacker gaining unauthorized access to a computerized patient record system faces possible criminal liability. Various privacy laws limit permitted disclosure or redisclosure of information stored in computer-based patient record systems.

Other laws must also be taken into account. Licensure laws applicable to health care providers, as well as reimbursement and insurance laws, all impinge on computer-based patient records, as do public health laws that require reporting of vital statistics and of various injuries and diseases. Contract law and the Uniform Commercial Code come into play in contracts for computer-based record systems. The availability of specific performance as a remedy for a vendor's breach of contract is a question that


The author is an attorney in the Health Law Department of the law firm of Gardner, Carton & Douglas, in Chicago. She gratefully acknowledges the assistance of her colleagues Deborah K. Fulton and Bernadette M. Broccolo with the computer science and computer law aspects of this paper.




requires resort to doctrines of equitable remedies. A hardware or software vendor's insolvency raises issues under federal bankruptcy law. Finally, interaction of computer-based record systems with artificial intelligence systems can also raise issues concerning medical device laws and, to the extent that nonphysicians are able to diagnose and treat patients without physician involvement using these systems, physician licensure laws.

Because of the plethora of laws that apply to computer-based patient records and record systems, one paper cannot encompass a full discussion of the application of these laws to the computer-based record. What follows, therefore, is a summary discussion of the key legal issues raised by computer-based patient records and record systems: regulatory and accreditation issues, evidentiary issues, patient privacy and record access concerns, record ownership questions, legal risks specific to computer-based patient record systems, and computer contracting issues.

State Licensure Laws

Computer-based patient records utilized by an institutional health care provider must meet the requirements of relevant state licensure laws, or the institution may face licensure sanctions. The statutes and regulations governing licensure of hospitals, nursing homes, health maintenance organizations, ambulatory surgical treatment centers, and other institutional providers generally contain specific standards and requirements concerning the creation, authentication, retention, and storage of patient records, as well as limitations on the media permissible for their creation and storage. Additional requirements typically found in state licensure statutes and regulations relate to confidentiality, record content, accuracy, completeness, timeliness, and accessibility.

Hospital Licensure Laws as Barriers to Full Automation

State hospital licensure laws still pose barriers to full automation of the patient record. State-to-state variances in medical records requirements and obsolete and ambiguous or conflicting laws and regulations pose obstacles to the full development of computer-based patient record systems.1 Although some state regulators may permit computerization of patient records in ways that technically are not permitted by state regulations, a health care institution

1   State licensure requirements have lagged far behind the development of technology and have been criticized for so lagging for 20 years or more. See, e.g., Eric W. Springer, Automated Medical Records and the Law (Pittsburgh, Pa.: Health Law Center, 1971).

investing in an automated patient data system is making too big an investment to risk learning later that the system does not meet state licensure requirements. Some states expressly permit use of computers in the creation, authentication, and retention of patient records.2 Others state their medical records requirements for hospitals generally, impliedly permitting computer-based patient records, or explicitly address use of computers only for one function, such as authentication, but not for other patient record functions.3 Even so, the wide variance from state to state in hospital licensure requirements for medical records may make it difficult to develop patient record systems that comply with hospital licensure laws in all 50 states.

State-to-state variances make it expensive to determine if a record system (or set of system specifications) complies with hospital licensure requirements in all states. They also leave open the possibility that inconsistencies between the requirements of two or more states could make it impossible for a system to meet all states' licensure requirements. Failure by a vendor to establish a patient record system's compliance with one (or more) state's licensure requirements may adversely affect the system's marketability in such states. Assuming that hospitals include compliance with legal requirements in their feasibility analysis of computer-based patient information systems, the lack of national uniformity in the medical records requirements of state licensure laws and regulations applicable to institutional health care providers may be expected to retard development and marketing of new computer-based patient record systems. In addition, state-to-state variations in requirements regarding the content of hospital medical records may make it difficult to develop standard formats for computer-based patient records that can be used nationally.

Hospital licensure laws and regulations in many states still assume a paper patient record and at best leave the legal status of computer-based

2   410 Ind. Admin. Code §15-1-9(1) (1988); Mo. Code of State Regulations, 19 C.S.R.§30-20-.021(3)(D) (1990); Oreg. Admin. Rule §333-505-050 (1989); Neb. Regulations and Standards for Hospitals §003.04 (1979); Pa. Rules and Regulations for Hospitals §115.25 (1987). In the regulations of these states, however, there is little reflection of any systematic examination of the special problems and challenges posed by automated patient records. Even Oregon, which of all the states has most systematically amended its regulations to be consistent with automated records systems, has done little more than adapt regulations from the era of paper records to permit automated patient records.

3   22 Calif. Admin. Code §70751; Conn. Pub. Health Code, ch. 4, §19-13-03(d); 77 Ill. Admin. Code §250.1510 (1990); Lic. Stds. for Hospitals, N.J.A.C. 8:43G:-15.2; R.I. Rules and Regulations for Licensing of Hospitals §25.0 (1989); S.D. Admin. Rules §44:04:09:04 (1989); Tex. Hospital Licensing Stds. §1-22-1.4 (1985); Utah Admin. Code §R432-100-7.405 (1989); Rules and Regulations for the Lic. of Hospitals in Virginia §208.0 (1982); Wisc. Admin. Code, ch. HSS 124 Hospitals, §124.14 (1988).

patient records used by hospitals under a cloud.4 Other state laws and regulations appear to permit some forms of automation but not others, or the use of automation for some but not all medical record functions.5 Oklahoma requires that all orders and medications be written in ink, a requirement that is incompatible with a fully automated medical record system. Oklahoma also prohibits substituting a signature stamp for the physician's signature, apparently requiring handwritten authentication of medical records, with the exception of records of diagnostic examinations, for which computer signatures are authorized.6 South Carolina also requires orders to be "written in ink and signed," but permits use of a signature stamp with appropriate controls.7 Iowa requires medical records to be "written" and "signed" by the attending physician.8 North Carolina requires that records be "written" for all patients admitted to a hospital.9 If a medical record must be signed in ink, the paper record—even if it is generated on a computer—becomes the original record, and many of the efficiencies of automated storage and retrieval of records cannot be realized.

Other states restrict permissible medical record storage media to the original or microfilm.10 Such a restriction is incompatible with storage of records on

4   See, e.g., the rules of states that, as of the time research was completed for this paper, still required that clinical reports or clinical information be filed in or with the medical record or that records of both inpatient and outpatient treatment be filed in one folder: Ariz. Rules, Regulations and Standards for the Licensing and Regulation of Health Care Institutions §R9-10-221 (1982); Rules, Regulations and Min. Stds. for Hospitals in Idaho, IDAPA §16.02.1360.10.a; Regulations for the Licensure of General and Specialty Hospitals in the State of Maine, ch. XII (1972); Min. Stds. for Operation of Miss. Hospitals §1704.4 (1990); N.Mex. Regulations Governing General and Special Hospitals §700.B.4.f (1989); Lic. Rules for General Hospitals in North Dakota, N.D.A.C. §33-07-01-16.6.a (1990); Lic. Stds. for Hospitals and Related Institutions in the State of Oklahoma §13.5-A (1989); 64 W. Va. Legisl. Rules §10.3 (1987); Wisc. Admin. Code, ch. HSS 124 Hospitals, §124.14 (1988).

5   See, e.g., Mo. Code of State Regulations, 19 C.S.R. §30-20.021(3)(D) (1990); Utah Admin. Code §R432-100-7.406 (1989); Hospital Rules and Regulations, Wash. Admin. Code. § 248-18-440 (1989).

6   Licensure Standards for Hospitals and Related Institutions, State of Oklahoma §13.1-B(4) and 13.9-D (1989).

7   S.C. Standards for Licensing Hospitals and Institutional General Infirmaries §601.6 (1990).

8   Iowa Admin. Code §641.51.5 (1988).

9   Rules and Statutes Applying to the Licensing of Hospitals in North Carolina, Subchapter 3c, §.1400 (1988). See also 77 Ill. Admin. Code § 250.350(a), which requires that all orders for medication and treatment be written except in emergencies. On the basis of this requirement, the Illinois Department of Public Health strongly discourages fully computerized medical records in hospitals.

10   See, e.g., Colo. General Hospitals, ch. IV, §4.2 (1982); Conn. Pub. Health Code, ch. 4, §19-13-03(d) (1989); 410 Ind. Admin. Code §15-1-9(2)(b)(1) (1988); Regulations for the Licensure of General and Specialty Hospitals in the State of Maine, ch. XII (1972); Min. Stds. for Operation of Miss. Hospitals §1702 (1990); Mo. Code of State Regulations, 19 C.S.R. §30-20.021(3)(D) (1990); Operational Rules and Regulations for Health Facilities, Nev. Admin. Code §449.379 (1988); N.Mex. Regulations Governing General and Special Hospitals §700.B.1.b (1989); S.C. Standards for Licensing Hospitals and Institutional General Infirmaries §601.6 (1990); Tenn. Hospitals Rules and Regulations § 1200-8-4-.03(f) (1986); Wisc. Admin. Code, ch. HSS 124 Hospitals, §124.14 (1988). Tennessee has recently amended its statute to permit storage of medical records on "non-erasable optical and electronic imaging technology." See Tenn. Code Ann. § 68-11-306(b) (1991).

computer disks, magnetic tape, or optical disks—that is, unless the records were both originally created and authenticated by computer and are permanently retained on the original medium (which may be difficult or infeasible, depending on the medium's durability).

A serious legal barrier to full realization of the potential of computer-based patient records is the confusion and lack of clarity in some states' standards when they are applied to computer-based medical records. It is not always clear whether regulations requiring that records be kept in ink or "type" (or in ink or "typewritten") permit creation of medical records electronically or with the use of lasers, although a provision permitting authentication of records by computer key, such as that found in Colorado's rules, implies that patient records may be created on a computer.11 Similarly, it is unclear whether a requirement that medical records be recorded in ink, typewritten, or recorded electronically permits recording by lasers on optical disks.12 The regulations of some states require that medical records be "signed" but are silent on whether the substitution of a computer key or code for a physician's signature is permitted.13 This silence cannot be interpreted as

11   See, e.g., Rules of Alabama State Bd. of Hlth., Div. of Lic. and Cert., Hospitals, §420-5-7.07(f) (1988); Rules and Regulations for Hospitals and Related Institutions in Arkansas §0601(C) (1988); Colo. General Hospitals, ch.IV, §4.4 (1982); Tenn. Hospitals Rules and Regulations §1200-8-4-.03 (1986); Vermont Lic. Stds. for the Construction, Maintenance and Operations of Hospitals §3-946 (1954); 64 W. Va. Legisl. Rules §10.3 (1987).

12   Mo. Code of State Regulations, 19 C.S.R. §30-20.021(3)(D) (1990).

13   See, e.g., Ariz. Rules, Regulations and Standards for the Lic. and Regulation of Health Care Institutions §R9-10-221 (1982); Conn. Pub. Health Code, ch. 4, §19-13-03(d) (1989); Ga. Rules and Regulations for Hospitals §290-5-6-.11 (1977); Rules, Regulations and Min. Stds. for Hospitals in Idaho, IDAPA §16.02.1360.13; Iowa Admin. Code §641.51.5 (1988); Ky. 902 KAR 20:016 (1989); Min. Stds. for Operation of Miss. Hospitals §1704.4 (1990); Nev. Operational Rules and Regulations for Health Facilities §449.379; N.Mex. Regulations Governing General and Special Hospitals §700; Lic. Rules for General Hospitals in North Dakota, N.D.A.C. §33-07-01-16.9 (1990); Lic. Stds. for Hospitals and Related Institutions in the State of Oklahoma §13.5-A (1989); S.C. Standards for Licensing Hospitals and Institutional General Infirmaries §601 (1990); Tenn. Hospitals Rules and Regulations §1200-8-4-.03 (1986); Vermont Lic. Stds. for the Construction, Maintenance and Operations of Hospitals §3-946 (1954); 64 W. Va. Legisl. Rules §10.3 (1987); Wisc. Admin. Code, ch. HSS 124 Hospitals, §124.14 (1988); Wy. Stds., Rules and Regulations for Hospitals and Related Facilities §7 (1979).

necessarily permitting authentication of records by computer key or code. In addition, many states require that each patient's record contain a "signed" consent form or evidence of informed consent.14 It is not clear whether paper files of consent forms must be maintained or whether it is permissible for patients and patient representatives to authenticate consent on a computer by use of a computer key or code unique to each patient.

State requirements that medical records (or "original" medical records) be retained in the hospital or on the hospital's premises, except under defined circumstances, mean that use of outside computer services for hospital medical records may constitute a technical violation of the hospital licensure requirements in some states.15 Indiana's regulations, although containing a provision that a computerized record shall be considered the same as a written record, also require that medical records be filed in a safe, accessible manner in the hospital and be kept on the nursing unit during the patient's hospitalization. These two requirements leave the status of outside computer services for Indiana hospitals unclear.16

Other State Licensure Laws

State licensure laws and regulations applicable to a variety of other health care providers—both institutional and individual—typically contain provisions concerning patient records or patient information and confidences, or both.

State laws and regulations with respect to licensure of institutional providers other than hospitals contain many of the same types of patient record requirements and raise many of the same issues raised by hospital licensure laws and regulations. Licensure laws and regulations for such providers may pose even greater barriers to fully computer-based patient records because,

14   See, e.g., N.J. Lic. Stds. for Hospitals, N.J.A.C. 8:43G-15.2(d)(1) (1990).

15   Rules and Regulations for Hospitals and Related Institutions in Arkansas §0601(V) (1988); Conn. Pub. Health Code, ch. 4, §19-13-03(d)(6) (1989); 410 Ind. Admin. Code §15-1-9(2) (1988); Iowa Admin. Code §641.51.5(1) (1988); Ky. 902 K.A.R. §20:016 (1989); Regulations for the Licensure of General and Specialty Hospitals in the State of Maine, ch. XII (1972); Min. Stds. for Operation of Miss. Hospitals §1701.4 (1990); N.J. Lic. Stds. for Hospitals, N.J.A.C. 8:43G-15.2(h) (1990); N.Mex. Regulations Governing General and Special Hospitals §700.B.1.b (1989); Rules and Statutes Applying to the Licensing of Hospitals in North Carolina, Subchapter 3c, §.1403(d) (1988); Licensure Standards for Hospitals and Related Institutions, State of Oklahoma §13.2-C (1989); Pa. Rules and Regulations for Hospitals §115.28 (1987); S.C. Standards for Licensing Hospitals and Institutional General Infirmaries §601.4 (1990); Tenn. Hospitals Rules and Regulations §1200-8-4-.03(b)(1) (1986); 64 W. Va. Legisl. Rules §10.3.1(a) (1987); Wisc. Admin. Code, ch. HSS 124 Hospitals, §124.14(2) (1988).

16   410 Ind. Admin. Code §15-1-9 (1988).

even more than hospital licensure laws and regulations, they may be keyed to a paper record. For example, Illinois' long-term care facility licensure regulations require that (1) resident records be written in ink or typed and (2) all physician orders, plans of treatment, Medicare and Medicaid certifications and recertification statements, and similar documents have the original written signature of the physician. Use of a rubber stamp signature, with or without initials, is not permitted. In addition, resident records must contain a "physician's order sheet," a "medication sheet," and "treatment sheets," implying that a manual record must be maintained.17

State licensure requirements for nonhospital institutional providers exhibit the same lack of national uniformity in standards for patient records exhibited by state hospital licensure requirements. In addition, similar concerns regarding obsolete and ambiguous laws and regulations arise in state licensure requirements for institutional providers other than hospitals.

State laws and regulations applicable to physicians, nurses, and other individuals licensed to provide health care typically contain an express or implied obligation of confidentiality with respect to patient confidences and, in some statutes or regulations, with respect to patient records. Willful or negligent breaches of confidentiality may constitute grounds for professional discipline.18 The canons of ethics of a profession may be incorporated into a state's licensure requirements, usually by a provision in a licensing act that makes "unprofessional conduct" grounds for professional discipline.19 The 1989 publication Current Opinions of the Council on Ethical and Judicial Affairs of the American Medical Association contains detailed guidelines on computerized patient databases.20 These may be impliedly incorporated into the statutes and regulations governing licensure of physicians in some states.

Medicare Regulations

To participate in the Medicare program, a provider must meet the applicable Medicare conditions of participation. The conditions of participation for hospitals include requirements for medical records but do not include

17   77 Ill. Admin. Code §300.1810 (1985).

18   See, e.g., 111 Ill. Ann. Stat. ¶4400-22.30 (Smith-Hurd 1990 Supplementary Pamphlet).

19   See, e.g., 52 Oreg. Rev. Stat. §677.188 (1989); Utah Code Ann. §58-12-35 (1990).

20   American Medical Association (AMA), Chicago, Illinois. Although it may not be practical to implement all of the AMA's guidelines, it should be recognized that these guidelines are some of the most detailed, ethically sensitive standards for computerized patient databases that have been developed to date.

any express restriction on permissible media for creating and storing medical records.21 Medical records may be authenticated by signature, written initials, or computer entry.22 Thus, the conditions of a hospital's participation in the Medicare program pose no barrier to the use of computer-based patient records.

The Medicare conditions of participation for long-term care facilities do not expressly restrict the media for creation and storage of the records.23 However, they require each individual who completes a portion of the assessment to "sign" the assessment.24 In addition, these conditions of participation require that, at each visit to a resident, the physician supervising the resident's medical care must "write, sign and date progress notes" and "sign all orders."25 It is not clear whether these conditions of participation permit a fully automated record because it is not clear whether authentication by computer code or key provides the required signature and whether a progress note made on a computer fulfills the requirement that a physician must write the note.26

The Health Care Financing Administration (HCFA) permits physician certifications of medical necessity to be executed by computer or transmitted to a hospital by facsimile machines. A provider seeking permission for its physicians to attest to medical necessity on a computer or by facsimile must be able to demonstrate to its intermediary that its system contains adequate safeguards of accuracy and confidentiality and meets certain other standards.27

21   42 C.F.R. §482.24.

22   C.F.R. §482.24(c)(1)(ii).

23   42 C.F.R. §483.75(n).

24   42 C.F.R. §483.20(c)(2).

25   42 C.F.R. §483.40(b).

26   Apparently, the Health Care Financing Administration (HCFA) believes that these conditions of participation would permit a fully automated record because HCFA is discussing with nursing home operators the possibility of requiring that nursing homes computerize resident assessment records to comply with the provision of the Omnibus Budget Reconciliation Act of 1987 requiring maintenance of a uniform, minimum data set on residents' conditions. See Paula Eubanks, "Homes Doubt They Can Computerize per HCFA's Request," Hospitals 64, no. 23 (1990):56.

27   See the HCFA Medicare Hospital Manual Transmittal No. 567 (July 1989). The provider's request must explain (1) the provider's physician identification system, (2) system safeguards to ensure confidentiality, (3) how data are displayed for physician review before electronic attestation, (4) how physician identity is determined upon certification and stored in the provider's system, (5) how the system records a system-generated date and time of entry at the point of attestation, (6) system backup procedures for prolonged downtime, and (7) how the physician verifies that attestations executed through the system have been correctly recorded. HCFA permits use of physician access systems that employ an alphanumeric identifier or biometric identification of physicians.

Hospital Accreditation Requirements

Technically, the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) is a voluntary organization, and JCAHO accreditation is voluntary. JCAHO accreditation standards, however, are incorporated in some state hospital licensure laws, at least in part,28 and a hospital is deemed to meet certain Medicare conditions of participation if it holds JCAHO accreditation.29

Although JCAHO accreditation standards do not explicitly address required media for record keeping and storage, they assume that a hospital may participate in an automated medical record data processing system. JCAHO standards permit authentication of medical records by computer key. The JCAHO requires that all medical records be accurate, accessible, authenticated, organized, confidential, secure, current, legible, and complete.30 A computer-based medical record system can meet JCAHO standards if the system is properly designed and maintained and if medical records are otherwise properly completed.

Patient Rights Issues

Right of Privacy

The Federal Privacy Act and similar acts in many states provide assurance that patient records held by the federal government and governments of states that have enacted privacy legislation will not be disclosed to third parties without the patient's consent, except under defined circumstances.31 However, privacy of patient records in other states and in the private sector is governed by a crazy quilt of statutory, regulatory, and common-law rules and is often inadequately protected.32

Growing demands for information contained in patient records pose an ever-increasing threat to patient privacy. Such demands come not only

28   See, e.g., the following regulations, which incorporate JCAHO standards for medical records into state hospital licensure requirements: N.H. Code of Admin. Rules, Part He-P802 (1986); R.I. Rules and Regulations for Licensing of Hospitals §25.7; Rules and Regs. for the Licensure of Hospitals in Virginia §208.5 (1982).

29   42 U.S.C. §1395bb.

30   Joint Commission on Accreditation of Healthcare Organizations, "Medical Record Services (MR)," Accreditation Manual for Hospitals (Chicago: 1990).

31   5 U.S.C. §552a.

32   The threats to patient privacy posed by increased use of computers for health records were detailed by Alan F. Westin in Computers, Health Records and Citizen Rights (Washington, D.C: U.S. Government Printing Office, 1976).

from peer review bodies, third-party payers (both governmental and non-governmental), outside billing and computer services, and government, but from employers, insurers, and others who use health care information for non-health care purposes. When information from patient records is disclosed by a provider—whether with or without the patient's consent—it is extremely difficult to control redisclosure of the information effectively, even though confidentiality agreements and notices are still advisable. Furthermore, when patient records are computerized, they can easily be transmitted across state lines, limiting the ability of any one state to protect the privacy of its citizens.

To the extent that patients and providers are aware that computer-based patient records increase the threat to patient privacy, they may be unwilling to provide or record complete information in the patient record, particularly with regard to sensitive matters, such as abortions, AIDS (acquired immune deficiency syndrome), psychiatric problems, and drug or alcohol abuse. Thus, the lack of adequate, uniform, national protection of patient privacy with respect to patient records may hinder full development of computer-based patient record systems. The Uniform Health-Care Information Act skillfully addresses issues of confidentiality and release of patient information.33 Only Montana, however, has enacted this act into law.34

Right of Access to Health Records

Most states expressly allow a patient or a patient's authorized representative to inspect and copy the patient's hospital records.35 Rights of access to health records maintained by physicians and other individual health care providers may not always be clear. Before records become available, the person seeking access typically must request such access in writing from the provider and pay reasonable clerical costs. A few states grant patients the right to review their hospital records only after discharge.36

Many states permit providers to refuse to grant a patient's request for disclosure where psychiatric records are involved and where release of the information would be detrimental to the patient's mental health or general

33   National Conference of Commissioners on Uniform State Laws, Uniform Laws Annual, vol. 9, part 1 (St. Paul, Minn.: West Publishing Co., 1988), p. 475.

34   M.C.A. §50-16-501, et seq.

35   See, e.g., Ala. Stat. §18.23.065.

36   See, e.g., Fla. Stat. Ann. §395.017(1); Ill. Ann. Stat., ch. 110, §8-2001.

health, or where a third party could be endangered by the release.37 However, in such states, a provider may be required to deliver copies of the record to the patient's representative or attorney. Several statutes contain special provisions concerning a patient's access to particular portions of his or her record, such as X-rays.38 Still other states allow a provider to prepare a summary of the patient's record for inspection and copying rather than allowing the patient access to the entire record.39 In the absence of statute or regulation, some courts have recognized a provider's common-law duty to allow a patient limited access to his or her records.40

Where patient records become part of insurers' or other databases, the patient may not even know that the record exists and may have no way to enforce a right of access, even if such exists. In addition, even if the patient gains access to the record, he or she may have no legally enforceable right to correct inaccurate information contained in it.

The Uniform Health-Care Information Act addresses access issues, as well as issues of confidentiality and information disclosure.41 As noted earlier, however, only Montana has adopted this legislation to date.42 Issues of access to databases maintained by insurers, correction of data maintained on individuals by insurance companies, and limitations on redisclosure of such information are addressed in the Insurance Information and Privacy Protection Model Act developed by the National Association of Insurance Commissioners (NAIC). To date, at least 13 states have adopted some version of this model act as law.43

37   See, e.g., Fla. Stat. Ann. §395.017(1); Okla. Stat. Ann., ch. 76, §19A; Cal. Health & Safety Code Ann. §1795.14(b); Colo. Rev. Stat. §25-1-801; Hawaii Rev. Stat. Ann. §622-57; Maine Rev. Stat. Ann. §1711; Minn. Stat. Ann. §144.335.

38   See, e.g., Cal. Health & Safety Code Ann. §1795.12(c) and (e).

39   See, e.g., Cal. Health & Safety Code Ann. §1795.20(a); Minn. Stat. Ann §144.335.

40   See, e.g., Cannell v. Medical and Surgical Clinic, 21 Ill. App. 3d 383, 315 N.E. 2d 278 (1974); Matter of Weiss, 208 Misc. 1010, 147 N.Y.S. 2d 455 (N.Y. Spec. Term. 1955); Hutchins v. Texas Rehab. Comm., 544 S.W. 2d 802 (Tex. Civ. Ct. App. 1976).

41   9 Uniform Laws Ann., Part 1 (West 1988), p. 475.

42   M.C.A. §50-16-501, et seq.

43   The NAIC model act is a good beginning but does not go far enough in protecting individuals whose health records are disclosed to insurance companies. One Kansas court, for example, found that transmission of health information concerning the plaintiff to the Medical Information Bureau did not invade the plaintiff's privacy (Senogles v. Security Benefit Life Insurance Co., 217 Kan. 438, 536 P. 2d 1358 [1975]). The Medical Information Bureau is a nonprofit association formed to conduct a confidential exchange of information between its more than 700 insurance company members, which pool information on underwriting decisions and the health status of individual insureds.

or unfairness arises.51 Some states' evidentiary rules also accept computerized documents as originals.52 Other states permit reproductions to be admitted as evidence when such copies are made in the regular course of business and satisfy other criteria for trustworthiness.53 The trustworthiness of an automated system refers to the reliability of system hardware and software, the use of proper procedures for creating and storing records, the assurance that entries are made by adequately trained personnel, and the prevention of unauthorized access to the records and of tampering with the system.

Risks Arising from Computer-Based Patient Record Systems

Breaches of Confidentiality and Unauthorized Access

The duty of health care providers to maintain the confidentiality of patient records and to protect them from unauthorized access arises from licensure laws and regulations, specific statutes and regulations with respect to certain patient records (e.g., alcohol and drug abuse patient records, psychiatric records, and records of positive human immunodeficiency virus [HIV] antibody test results), JCAHO standards, Medicare rules, and the common law. In addition, the necessity of keeping records in a manner that makes them admissible as evidence in court requires a provider to protect patient records from unauthorized access.

The legal duties to preserve confidentiality and prevent unauthorized access to patient records are the same with respect to both paper and computer-based records. However, keeping computer-based records confidential and free from unauthorized access poses special challenges, and a failure to do so can have more onerous consequences than may occur in the case of paper records. The computer's capacity for collecting, storing, and permitting access to large quantities of information often means that more information is collected and stored on computer-based record systems than is collected and stored in paper records. Because of the computer's capacity for mass storage and copying, one breach of a system's security can result in the unauthorized disclosure of extensive information about large numbers of patients. In addition, the computer's capacity to provide health information on large numbers of patients at one time makes computer-based patient

51   Rules 1001(3) and 1003.
52   See, e.g., Fla. Stat. Ann. §90.951.
53   See, e.g., Cal. Evid. Code §§1270-1272.

record systems an even more tempting target than paper records. As the medical information included in patient records becomes more sophisticated (e.g., genetic information), this temptation will only increase. Mass disclosure of patient information could result in catastrophic liability for a provider; it could also result in licensure sanctions or statutory penalties.

Theories under which providers may be held liable for breaches of confidentiality include both statutory and common-law theories. Common-law theories under which providers may be held liable for breaches of confidentiality include invasion of privacy, betrayal of professional secrets, breach of contract, slander, and negligent or intentional infliction of emotional distress. Statutes such as the federal statute concerning confidentiality of drug and alcohol abuse patient records provide penalties for breaches.

Security mechanisms and procedures can provide some level of protection to computer-based patient records against unauthorized access by users both inside and outside a provider organization. Yet even the most sophisticated security measures will not provide fail-safe protection of patient records, particularly in decentralized systems. In fact, one of the biggest threats to the security of computer-based patient records comes from the trend toward networked systems. Security measures that are both adequate and affordable and that do not interfere with efficient patient care currently do not exist for such systems.

A computer-based patient record system should include a security system that, as far as is practicable, permits only authorized users to access patient records and permits authorized users to access only those portions of the records that are relevant to their particular functions. The system should also ensure that access to each record is tracked by the system and monitored as a deterrent to unauthorized review of records.

Access to sensitive records or portions of records should be sharply limited; this kind of access should also be tracked by the system and carefully monitored by the provider. Such records include HIV-antibody test results, records of drug and alcohol abuse patients, psychiatric records, and records of celebrity patients. With AIDS patients, the main and more easily accessible portion of the record can include a notation to use body fluid precautions without identifying the patient as having AIDS, hepatitis, or some other disease transmissible by body fluids. HIV-antibody test results can either be omitted from the automated system or stored in a restricted portion of the record. To the extent that sensitive records are not stored on the system, however, the advantages of a totally automated system cannot be realized.

A provider with a computer-based patient record system that uses passwords, access codes, and key cards should have and strictly enforce policies against disclosing or sharing such means of access. Alternatively, a provider could use a system that identifies users biometrically through voice-prints,

thumbprints, or other unique individual features; however, the sophisticated technology required for this kind of system may still be prohibitively expensive for many health care providers.

In a hospital, policies against sharing passwords, access codes, and key cards should apply to the medical staff as well as to employees. Violation of these policies should be grounds for discipline, up to and including termination of employment or revocation of medical staff membership. When employment or medical staff membership ends, computer access should terminate immediately. Hospital medical staff members should be asked to sign confidentiality statements acknowledging that passwords, access codes, and key cards are for personal use only. Physicians should be held liable for any entries to a record made by nurses or assistants using the physician's password. To discourage password and access code sharing, an individual should be available 24 hours a day to assist authorized users who forget their access codes and persons with a legitimate need for one-time record access. An institution should also develop a mechanism for overriding the computer security system in the event of an emergency.

The use of computer networking, computer facilities owned or operated by others, or computer sharing could result in unauthorized access to computer-based records and breaches of confidentiality. In addition, outside computer consultants and technicians (including service personnel and vendor representatives) who obtain access to a computer-based patient record system conceivably could access records in an unauthorized manner or breach confidentiality. Thus, a provider should enter into confidentiality agreements with all outsiders who may have access to medical records and should have appropriate hardware and software security. To protect against mass access and extraction of information from a computer-based patient record system, the system should include special security measures against programs that permit mass copying of records at one time or that have the potential to access or alter large numbers of records at one time.

Current computer security technology cannot provide perfect security for computer-based patient record systems. The security mechanisms available for decentralized systems and computer networks provide much less protection than those available for mainframe systems. Given current technology, the need for security generally must be balanced with the need of health care professionals and hospital staff for easy, immediate access to patient records. Currently feasible security measures are particularly inadequate for networked systems and probably cannot protect providers that install computer-based record systems from substantial exposure to liability. To the extent that providers are aware of this exposure, they may be deterred from using computer-based patient record systems.
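The controls this section recommends (access limited to the record portions relevant to a user's function, every access tracked, sensitive portions sharply limited, an emergency override, immediate termination of access, and safeguards against mass reading of records) are sketched below as an added Python example that is not part of the original paper. The role names, section names, user names, and the threshold of three distinct patients are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed mapping of roles to the record sections their function requires.
ROLE_SECTIONS = {
    "physician": {"demographics", "clinical_notes", "lab_results", "hiv_test"},
    "nurse": {"demographics", "clinical_notes", "lab_results"},
    "billing_clerk": {"demographics"},
}
SENSITIVE_SECTIONS = {"hiv_test", "psychiatric", "substance_abuse"}
BULK_THRESHOLD = 3  # assumed: distinct patients per user per review window


@dataclass
class AuditEvent:
    user: str
    patient_id: str
    section: str
    allowed: bool
    sensitive: bool
    override: bool


@dataclass
class RecordGate:
    active_users: dict  # user -> role; deleting an entry ends access at once
    log: list = field(default_factory=list)

    def request(self, user, patient_id, section, emergency=False):
        """Decide one access request and log it, whether granted or denied."""
        role = self.active_users.get(user)
        permitted = role is not None and section in ROLE_SECTIONS.get(role, set())
        # Emergency override: an active user may exceed the role's scope,
        # but the event is marked so that it is always reviewed afterwards.
        override = emergency and role is not None and not permitted
        allowed = permitted or override
        self.log.append(AuditEvent(user, patient_id, section, allowed,
                                   section in SENSITIVE_SECTIONS, override))
        return allowed

    def review(self):
        """Return (kind, user, detail) findings for follow-up by the provider."""
        findings = []
        patients_by_user = defaultdict(set)
        for e in self.log:
            detail = f"{e.patient_id}/{e.section}"
            if not e.allowed:
                findings.append(("denied", e.user, detail))
                continue
            patients_by_user[e.user].add(e.patient_id)
            if e.override:
                findings.append(("override", e.user, detail))
            elif e.sensitive:
                findings.append(("sensitive", e.user, detail))
        # Mass access: one user touching many different patients' records.
        for user, patients in sorted(patients_by_user.items()):
            if len(patients) >= BULK_THRESHOLD:
                findings.append(("bulk", user, f"{len(patients)} patients"))
        return findings


def demo():
    """Run constructed sample requests and return the review findings."""
    gate = RecordGate({"dr_lee": "physician", "rn_ortiz": "nurse",
                       "clerk_kim": "billing_clerk"})
    gate.request("rn_ortiz", "P1", "lab_results")              # routine, in scope
    gate.request("rn_ortiz", "P1", "hiv_test")                 # outside nurse scope
    gate.request("dr_lee", "P1", "hiv_test")                   # allowed but sensitive
    gate.request("rn_ortiz", "P2", "hiv_test", emergency=True)  # override
    for pid in ("P1", "P2", "P3", "P4"):                       # many patients, one user
        gate.request("clerk_kim", pid, "demographics")
    del gate.active_users["dr_lee"]                            # staff membership ends
    gate.request("dr_lee", "P1", "clinical_notes")             # now refused
    return gate.review()


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```
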

Computer Viruses and Other Computer Sabotage

Computer viruses and other forms of computer sabotage pose real threats to the integrity of computer-based patient record systems. Viruses or other forms of sabotage can result in the alteration or destruction of data or the creation of false data on the system; they can also cause the system to slow down or crash or otherwise make patient records inaccessible, either temporarily or permanently.

Sabotage can be carried out by both insiders and outsiders and by both authorized and unauthorized system users. Health care providers cannot discount the possibility of sabotage by disgruntled employees. In fact, the biggest threat to system integrity and patient record confidentiality comes from employees and other insiders.

The risk of viruses or other sabotage from the outside can be substantially reduced by eliminating all networking and electronic data sharing with outside computers and by not using any disk from an outside source. Such isolation of a system is generally infeasible, however, and would rule out hospital-physician office linkages and other networking for which there may be important clinical or research reasons. Antivirus software can aid in blocking or detecting viruses and other sabotage.

Software vendors have been known to sabotage a system when payment has been withheld for a system's failure to meet contractual standards. Therefore, a system purchaser or lessor should consider insisting that vendors indemnify the purchaser against all damage and losses resulting from keylocks, viruses, worms, bombs, and the like inserted into software by the vendor or its agents, and from other computer sabotage by the vendor or its agents.

Providers using computer-based record systems have a legal obligation to take security measures that are reasonable, at least by current standards. Currently available security technology for networked patient record systems is insufficient to give providers total assurance that the confidentiality of their records will not be breached or that the integrity of patient records on the system cannot be destroyed. One catastrophic incident involving a computer-based patient record system could set the legal status of computer-based record systems back decades. Therefore, development of improved security technology is of utmost importance.

Potential for Inaccessibility

Medicare, the JCAHO, and most state hospital licensure laws require that medical records for current hospital patients be readily accessible and stored in a way that permits prompt retrieval of information. Keeping computer-based patient records available means minimizing system downtime and having adequate backup mechanisms.

In addition to its potential for hindering patient care, which may result in negligence liability, excessive patient record system downtime may also create regulatory violations or JCAHO accreditation deficiencies.

The following precautions can help protect against inaccessibility of computer-based patient records: properly maintaining hardware and thoroughly debugging and maintaining system software; ascertaining other users' experience with system downtime and their ability to bring a system back up quickly prior to contracting for purchase or lease of a system; including performance standards in any lease or contract with a vendor, as well as guarantees of reliability and of ongoing maintenance support; taking adequate precautions against sabotage of the system; and having adequate backup and emergency capability.

Questions of Durability

Medical records must be durable for a number of reasons: to meet state licensure requirements, to comply with Medicare rules, to preserve a record of patient encounters for use as evidence in malpractice and other lawsuits, to permit future treatment of the patient or future notification to patients who have received treatment that creates health risks for them or their descendants, and, in some cases, to support research. Some states require hospitals to retain medical records for 25 years.54 A researcher or research institution may need to preserve medical records for as long as 75 years.

Changes in technology that cause patient record systems to become obsolete before the need for records stored on the systems has ended can mean that old and new systems do not interface. Another potential risk is that unproven new technology may lack durability. For example, the long-term durability of optical disks has not yet been proven.

Copying patient records from an old system to a new system raises special concerns. Reliable evidence of the chain of copying must be preserved so that the copied records can be admitted as evidence in court. The provider must also ensure that copied records comply with a state's hospital and other institutional licensure requirements as to the media in which patient records can be retained.

54   Conn. Public Health Code §19-13-D3(e)(6); Nev. Operational Rules and Regulations for Health Facilities §449.379-2 (1988); Lic. Rules for General Hospitals in N. Dakota §33-07-01-16.3 (1990).

Accuracy Issues

Errors in computer-based patient records can result from faulty software or equipment or from human error. A patient record system should be free from significant errors in computer hardware and software. Laboratory equipment and other machines providing input to a computer-based patient record system should also be free from such errors. Mechanisms for minimizing human error, such as reviews of input for accuracy, are also advisable. When corrections are made, they should be logged on the system as suggested in the previous section concerning evidentiary issues. If clinical observations are recorded using bar coding or other programmed codes, there should be a mechanism in place for visual confirmation or other verification of the codes entered into the computer.

Selected Legal Issues in Computer Contracting

Leases and acquisitions of computers may involve some or all of the following: hardware, operating, and application software licenses; installation, testing, and implementation services; and postinstallation maintenance and support services for both operating and application software and equipment. Use of multiple agreements to address these interrelated components of computer system acquisitions creates the risk of conflict among the agreements and may confuse even more the issues of what law applies to these agreements. Unless multiple agreements cannot be avoided (e.g., different vendors for the hardware/operating software and application software), a single agreement is preferable.

Because of the hybrid nature of contracts for computer systems, it is not always clear what law governs issues of contract interpretation, the rights of the parties, procedures for resolving disputes, and so forth. If a court characterizes a transaction as a sale of goods, the Uniform Commercial Code will apply. However, computer system acquisitions involve both goods and services and often involve licenses rather than sales of software (to which the Uniform Commercial Code may or may not apply).

An inaccurate product definition in a contract for a computer-based patient record system or a product definition that is not sufficiently detailed can result in delivery of a system that does not function properly as a patient record system or in a contract that does not require the vendor to deliver a system that has certain important features or the capability to perform crucial patient record functions. It is common for system vendors to "puff" the capabilities of their products in their marketing materials and in their proposals to health care providers or to promise software or features that are still on the vendor's drawing board. Although some contracting strategies help to minimize

puffery and vaporware, no currently available mechanism provides complete protection against such practices.

In addition, software licenses may present problems. If a software license is not sufficiently broad in scope or duration, a provider can find itself paying unexpected additional license fees to maintain its system. An insufficiently broad license could also leave a provider without rights to use software that is crucial to the functioning of its patient record system.

Access to the source code for software is essential to a health care provider's ability to support and maintain patient record application software. Therefore, the provider should attempt to obtain a copy of the source code, either as part of the initial license grant or in the event that the vendor breaches its support obligations or decides to discontinue supporting the software. Bankruptcy, particularly among small vendors, may make it more difficult, or even impossible, to obtain the source code from a software escrow or in the event the vendor discontinues its software support.

If software licensed or sold in connection with a patient record system infringes the intellectual property rights of another, the consequences to the provider that acquires the system can be severe—both in terms of liability and loss of the right to use the software. Therefore, vendors should be required to warrant that they own the software being licensed or have the right to sublicense it. In addition, the vendor should agree to indemnify the provider and hold it harmless against claims by third parties asserting that the software or the provider's use of the software, or both, infringes on their proprietary rights.

Of course, none of the legal remedies available to a health care provider for a patient record system vendor's breach of contract is as desirable as the vendor's performance of the acquisition agreement. Therefore, it is important to structure payment schedules and conditions to payment in such a way as to give the vendor incentives to perform the agreement. The vendor should be required to warrant that the record system will meet key performance standards, such as system response time, capacity, and batch-processing capabilities.

The use of such software mechanisms as viruses and keylocks to enforce a purchaser's obligation to pay for software is becoming increasingly common, particularly among smaller vendors. Because the law in this area is still unclear, the provider should insist on a warranty in the acquisition agreement that the software does not and will never contain such mechanisms. The provider should also obtain indemnification for resulting losses and damage if such mechanisms are ever used in the acquired software.

Contractual limitations on the vendor's liability should be avoided because they may leave a provider without recourse to the vendor when a patient record system fails to function or malfunctions. Such limitations on liability include limitation on the dollar amount of damages, exclusion of liability for consequential damages, limitation of

liability for a provider's use of a system, and limitation of remedies to special remedies (e.g., termination and refund rights).

For health care providers who use shared computing services for a patient record system, patient record confidentiality is of special concern because the computing service receives copies of (and possibly maintains the originals of) the provider's patient records. The contract should require the computing services vendor to maintain strict confidentiality and to give the provider all necessary access to patient records (including but not limited to returning the data in usable form to the provider when the relationship ends). In addition, the contract should require the vendor to cooperate with the provider to prevent discovery of data by third-party litigants when disclosure is not legally required.

Overcoming Legal Barriers to Computer-Based Patient Records and Record Systems

Adoption of Uniform National Licensure Standards and Health Information Laws

Uniform national standards should be developed for patient records maintained by health care institutions. Such requirements could be enacted at the federal or state level; however, given that regulation of health care providers falls within classic state police powers, development of uniform state licensure standards for patient records would be preferable to enactment of federal requirements. The chief disadvantage of achieving national uniformity through uniform state laws is that enacting such laws may be a lengthy process or may never actually occur. In addition, state legislatures may adopt amendments to the uniform act before enacting it as legislation. Nevertheless, the success of other uniform state legislation (e.g., the Uniform Commercial Code) suggests that such legislation could be developed and enacted by all 50 states. If enacted, these uniform state licensure standards for medical records should be applicable to all institutional health care providers that are required to maintain patient records.

The problems arising from obsolete and ambiguous state licensure standards for medical records could be resolved by the development and enactment of uniform state licensure standards expressly applicable to computer-based records and record systems. These standards should be clearly stated with respect to automated creation, authentication, storage, and retention of patient records, but should not be so detailed as to inhibit future improvements in technology.

In order to protect the confidentiality of health records and to provide patients rights of access to their health records and the right to include corrections to information in health records, all states should adopt uniform

health care information legislation such as the Uniform Health-Care Information Act. Adoption of such legislation should make patients more willing to disclose sensitive information related to their health status and to have that information recorded in their health records. If such uniform legislation were in place, health care providers presumably would have less concern about unauthorized disclosure and misuse of sensitive patient information and should, therefore, be less hesitant to record sensitive patient information in a computer-based patient record.

If legislation were passed obligating third parties to whom patient information is disclosed to protect the confidentiality of such information, abuse of patient information and invasions of patient privacy should decrease. In addition, if health care information laws were uniform across all states, the applicable law would be clear and uniform, regardless of whether patient data were stored in the same state in which patients were located. Adoption by all states of uniform health care information legislation such as the Uniform Health-Care Information Act would provide predictable access by patients to their health records and would ensure their being able to correct (or at least protest) inaccuracies contained in such records.

Overcoming Special Legal Risks Related to Computer-based Patient Records

Most of the special legal risks connected with computer-based patient records that are enumerated in this paper can best be reduced by development of new and better computer technology, including software specifically designed to reduce these risks. The greatest legal risk from computer-based patient record keeping comes from unauthorized access to record systems and from computer viruses and other sabotage, particularly in cases in which computer networks are used and there is telephone access to the patient information system. Research efforts should be directed toward developing affordable computer security technology that can adequately protect patient records without severely reducing system user friendliness.

The following would also help to reduce the potential legal risks associated with computer-based systems:

Technological advances that make computer-based record systems more reliable and development of enhanced backup capabilities would decrease the legal risks, as well as the risks to patients, that arise when computer-based records become inaccessible.

Development of new storage media or technology that increases and ensures the long-term durability of records stored on optical disks and other currently available media would decrease the risks arising from the uncertain or inadequate durability of current computer-based patient records.

More reliable equipment and software for computer-based patient record systems and better mechanisms for checking and correcting human input errors would help to reduce the risks that arise from inaccurate computer-based patient records.

Conclusion

The promise offered by fully computer-based patient records for improving the quality of patient care and advancing medical knowledge through research is enormous. Therefore, concerted efforts should be made to overcome legal and technological barriers that stand in the way of full development of computer-based records and record systems.

In the future, with increasing use and development of artificial intelligence systems, computer-based patient records may be expected to become interactive, providing diagnostic assistance and even treatment recommendations. An interactive patient record promises improved quality of care, but the interaction of such "smart" systems with computer-based patient records will also raise a host of legal and policy issues that are beyond the scope of this paper. Among them will be allocation of responsibility (and liability) for errors in the artificial intelligence system, whether caused by faulty hardware, faulty software, or error in the system's medical rules. The more advanced such systems become, the more questions they will generate about the practice of medicine and whether nonphysicians can use these systems to diagnose and treat patients without physician involvement. In addition, systems that can diagnose or treat patients without intervening professional involvement may be classified and regulated as medical devices under food and drug laws. Finally, these "smart" systems can be expected to lead to a redefinition of the physician's role, as they begin to perform functions that formerly only a physician could perform.
