or unfairness arises.51 Some states' evidentiary rules also accept computerized documents as originals.52

Other states permit reproductions to be admitted as evidence when such copies are made in the regular course of business and satisfy other criteria for trustworthiness.53 The trustworthiness of an automated system refers to the reliability of system hardware and software, the use of proper procedures for creating and storing records, the assurance that entries are made by adequately trained personnel, and the prevention of unauthorized access to the records and of tampering with the system.

Risks Arising from Computer-Based Patient Record Systems

Breaches of Confidentiality and Unauthorized Access

The duty of health care providers to maintain the confidentiality of patient records and to protect them from unauthorized access arises from licensure laws and regulations, specific statutes and regulations with respect to certain patient records (e.g., alcohol and drug abuse patient records, psychiatric records, and records of positive human immunodeficiency virus [HIV] antibody test results), JCAHO standards, Medicare rules, and the common law. In addition, the necessity of keeping records in a manner that makes them admissible as evidence in court requires a provider to protect patient records from unauthorized access.

The legal duties to preserve confidentiality and prevent unauthorized access to patient records are the same with respect to both paper and computer-based records. However, keeping computer-based records confidential and free from unauthorized access poses special challenges, and a failure to do so can have more onerous consequences than may occur in the case of paper records.

The computer's capacity for collecting, storing, and permitting access to large quantities of information often means that more information is collected and stored on computer-based record systems than is collected and stored in paper records. Because of the computer's capacity for mass storage and copying, one breach of a system's security can result in the unauthorized disclosure of extensive information about large numbers of patients. In addition, the computer's capacity to provide health information on large numbers of patients at one time makes computer-based patient


Rules 1001(3) and 1003.


See, e.g., Fla. Stat. Ann. §90.951.


See, e.g., Cal. Evid. Code §§1270-1272.

The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement