Health care providers, policymakers, patients, and payers share the vision of a health care system powered by information technology. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 authorizes grants and incentives totaling an estimated $14 billion to $27 billion to promote "meaningful use" of electronic health records (EHRs) by providers. In the excitement over health information technology, some of the potential risks associated with it have received less attention, such as the possible effects of this technology on medical malpractice liability. Yet even now, the potential for EHRs to ameliorate some sources of stress related to liability while reinforcing others is apparent.
We explore the implications for malpractice liability of four core functionalities of EHR systems: documentation of clinical findings, recording of test and imaging results, computerized provider-order entry, and clinical-decision support. We also discuss the ramifications of secure messaging capabilities integrated into EHR systems and the overall effects that may occur as comprehensive EHR systems become standard. Our analysis is based on a review of the limited available literature on the liability implications of EHRs and a much larger body of literature on the effects of EHRs on quality of care and the role of clinical practice guidelines in malpractice litigation.
The legal implications of EHRs extend beyond changes in malpractice liability. Other important consequences include potential liability under privacy and confidentiality laws, disputes over ownership of health data, and heightened vulnerability to Medicare or Medicaid fraud claims as a result of improved information on the match between services rendered and services billed. Because others have covered such concerns well, we confine our analysis to malpractice issues.
MAJOR EHR FUNCTIONALITIES AND THEIR PREVALENCE
An array of electronic information systems is used in health care today. "Basic" EHR systems facilitate electronic access to clinical information such as patient demographic characteristics, patient encounters, and laboratory and imaging results, with some systems permitting clinicians' notes. Basic EHR systems also permit computerized provider-order entry of medications, and many systems that include computerized provider-order entry check orders against patient information to flag potential drug interactions, allergic reactions, and errors.
"Comprehensive" EHR systems include these functionalities as well as more extensive capabilities for computerized provider-order entry (such as entry of laboratory test orders and nursing orders) and clinical-decision support. Clinical-decision support may include information about relevant clinical practice guidelines, clinical reminders, and guidance and safety alerts with respect to drug doses. Sophisticated systems scan patient data to provide individualized clinical recommendations.
In 2008, a total of 11% of nonfederal U.S. hospitals had implemented basic EHR systems, and less than 2% had implemented comprehensive systems in at least one clinical unit. A much larger proportion of hospitals had implemented or begun implementation of key EHR functionalities; for example, 56% had implemented or initiated implementation of electronic systems for entry of physicians' notes, and 52% had implemented or initiated implementation of clinical-decision support systems involving practice guidelines. Among physicians whose primary practice setting was not a hospital, 21% had a basic system and 6% had a comprehensive system in 2009.11
The future of EHRs lies in greater linkages to external systems. Many EHR systems provide electronic communication among providers within the same organization; others also allow secure messaging between providers and patients. These patient–provider communications vary from routine requests to refill prescriptions to reports of symptoms requiring prompt assessment. In some instances, systems maintained by different organizations share information about patients through "health information exchange" networks (HIEs). Although currently these networks are rare, they are likely to become more common owing to the federal government's recent commitment to help states fund the development of HIEs.
The liability implications of EHRs are likely to vary over the life cycle of the adoption of these systems. We begin by examining the period of initial transition to EHRs, during which predictable implementation snags may heighten providers' liability risk. After this initial period, EHRs have the potential to reduce injuries and malpractice claims but will also create opportunities for error and will alter the context for proving and defending malpractice claims with the use of electronic information. Finally, the long-term effects of widespread adoption of EHRs include potential shifts in the legal standard of care that may not favor providers.
MEDICOLEGAL RISKS DURING IMPLEMENTATION OF EHRS
Implementing new information systems may initially elevate, rather than decrease, providers' malpractice risk. As with any new technology, the risk of error increases during the "implementation chasm," as providers move from a familiar system to a new one. Several studies have documented increases in computer-related errors, and in one case an increase in mortality, shortly after implementation of computerized provider-order entry systems.
Medical errors and adverse events may result from individual mistakes in using EHRs (e.g., incorrectly entering information into the electronic record) or systemwide EHR failures or "bugs" that create problems in care processes (e.g., "crashes" that prevent access to crucial information). The interface between paper and electronic records may also create documentation gaps or other problems that affect clinical care. As an illustration of such risks, one recent study showed a higher rate of failure to inform patients of abnormal test results in outpatient practices in which a hybrid of paper and electronic records was used than in practices in which paper or electronic records alone were used. Effective training and tailoring of new systems to existing technology can minimize the incidence of such errors, and organizations that have sufficient resources can monitor problems after implementation and adjust systems to minimize the persistence of errors. However, these measures may not prevent errors entirely, and system failures may recur long after implementation, leaving clinicians to "practice blind" until functioning is restored.
At least one legal case suggests that providers have a duty to minimize such risks during the transition period. A federal court held that a hospital that switched from a paper to an electronic system for delivering test results had a duty to "implement a reasonable procedure during the transition phase" to ensure the timely delivery of test results to physicians. The court did not elaborate on what elements are sufficient to constitute a reasonable procedure, but it found that the hospital had met its duty by establishing a protocol for the period before all physicians had completed training on the new system that required radiologists to inform the requesting physician of abnormal results by telephone and that included a procedure whereby the results were automatically printed in two locations.
LIABILITY RISKS AND BENEFITS AS HEALTH INFORMATION TECHNOLOGY SYSTEMS MATURE
After the initial implementation stage, it is unclear whether the use of EHRs is likely to increase or decrease malpractice liability overall. EHRs have frequently been touted for their potential to reduce liability, with some malpractice insurers offering discounts to providers who make the switch from paper records to EHRs.23 One recent study showed that physicians who used EHRs reported a lower number of paid malpractice claims than did those who did not use EHRs, although the association did not persist in multivariate analysis. However, EHR systems also create new legal risks.
Effects on Care Processes
EHRs hold considerable promise for preventing harmful medical errors and associated malpractice claims.25 They promote complete documentation and timely access to patient information, facilitating sound clinical decision making. The use of electronic intermediaries may decrease transcription errors, improve communication among providers, and limit the duplication of tests. Clinical-decision support systems may offer a safety net by reminding harried providers of clinical guidelines and catching errors before they cause harm. Empirical evidence suggests that comprehensive EHR systems can improve adherence to clinical guidelines and reduce rates of medication errors. EHR users overwhelmingly report improvement in the quality of care they provide. On the other hand, despite experts' optimism, there is currently no evidence that the use of EHRs reduces diagnostic errors.30,31
Although computerized provider-order entry systems can decrease some kinds of medication ordering errors, they may create vulnerability to new kinds of errors. For example, discontinuities between information systems may cause prescribed medications to be automatically and unexpectedly canceled. Poorly designed systems that default to a potentially dangerous drug dose by failing to consider clinical changes such as renal or hepatic failure can lead to harmful ordering errors if physicians fail to recalculate the dose. Fuller access to electronic patient information may tempt providers to rely on previously recorded patient histories, test results, and clinical findings rather than collect new information. Although this may reduce duplication of effort and expenditures, it may perpetuate errors and omissions from earlier encounters. Overreliance on the copying and pasting function of many documentation systems can also perpetuate earlier mistakes. Secure messaging systems and other electronic communications also have both liability risks and liability benefits. Offering medical advice without conducting a physical examination or taking a history increases the risk of an erroneous diagnostic or treatment decision. Moreover, courts have held that telephone communications between a physician and a patient can be sufficient to establish the physician–patient relationship necessary for malpractice liability. The same is likely to be true for electronic communications. Once such a relationship is established, failing to respond to patient e-mails within a reasonable period of time could constitute a violation of the standard of care. In addition, e-mail may create a written record of negligent advice. It may even constitute negligence to e-mail advice to a patient rather than examine him or her in person. Alternatively, messaging systems may help prevent medical errors and adverse events by allowing patients to easily vocalize clinically significant concerns that they do not believe warrant an office visit.
Messaging systems also affect liability risk by shaping patients' perceptions of their physician. E-mails that are responded to slowly, are answered with boilerplate language from staff members, or are otherwise unresponsive to patients' concerns are likely to provoke ire and dissatisfaction. Conversely, highly responsive physicians may strengthen their relationships with patients. This may have medicolegal benefits, since research has linked a propensity to sue with patients' satisfaction with their physician and the physician's communication skills.
To assist providers, the American Medical Association (AMA) and the American Medical Informatics Association have established ethics policies and guidelines on the use of electronic communications in clinical practice. The AMA policy states that physicians should not use electronic communications to establish physician–patient relationships - only to supplement "other, more personal, encounters." Both sets of guidelines recommend that physicians develop their own guidelines for such matters as the appropriate use of and turnaround time for e-mails. The AMA guidelines further suggest establishing a protocol for terminating e-mail relationships with patients who repeatedly violate the rules. Before initiating an e-mail relationship, providers should notify patients of their guidelines and obtain informed consent for the use of electronic communications.
Effects on the Litigation Process
In addition to affecting the risk of a lawsuit, implementation of EHRs may affect the course of malpractice litigation by increasing the availability of documentation with which to defend or prove a malpractice claim. Unlike telephone conversations, e-mail creates a written record. To the extent that the use of EHRs facilitates the entry of more extensive notes, it too may bolster the written record. Finally, EHRs record all electronic transactions, from the input of orders to time stamps of clinical activity, although they vary in their ability to produce reports of these data on demand. This information, called metadata, provides a permanent electronic footprint that can be used to track physician activity. Under federal law, metadata are discoverable in civil trials, which means that defendants must surrender them to a plaintiff's lawyers on request. State law, which governs most malpractice litigation, varies as to the discoverability and permissibility of metadata.
In some malpractice cases, the documentation within EHRs may establish a provider's culpability, whereas in others it may help mount a defense. For instance, in one case, a patient with a catastrophic operative outcome sued his surgeon for negligence. Electronic data monitors from the operating room showed that there were more than 90 minutes of gaps in the anesthesia record. The legal inquiry turned to the anesthesiologist. A deeper examination of the electronic record uncovered further discrepancies. Though it was unclear whether errors were made in patient treatment, the collective weight of the discrepancies became difficult to defend in court, and the anesthesiologist settled the case.
Metadata can be used to authenticate the EHR - for example, to verify that an EHR was modified at the time of treatment rather than later.44 Typically, this should bolster the defendant's ability to rely on the EHR when defending against a malpractice claim. However, if the record was modified at an inappropriate time, metadata can raise questions about falsification of records, even in the absence of actual wrongdoing. In the aforementioned case, metadata revealed that the anesthesiologist wrote his postoperative note minutes after the operation began. This appearance of impropriety probably helped the plaintiff secure a settlement. The hospital later discovered that its anesthesiologists commonly recorded standard notes, such as their presence at the patient's emergence from anesthesia, during less hectic parts of the procedure.43,45 Whereas in the pre-electronic age such a practice posed little risk of liability, the availability of metadata changes the game.
LONG-TERM EFFECTS ON THE STANDARD OF CARE
To prove medical malpractice, a plaintiff must establish the applicable standard of care and prove that the defendant caused injury by falling short of that standard. As the use of EHRs spreads, it may reshape medical liability by altering the way in which courts determine the standard of care and by changing the standard of care itself.
Clinical-decision support systems may help drive this transformation. In a malpractice suit, each side presents expert testimony to define the applicable standard of care. Expert witnesses may rely solely on their own judgment and experience or invoke external evidence of the standard of care, such as clinical practice guidelines. Courts have permitted this use of practice guidelines and would probably also admit clinical-decision support systems as evidence of the standard of care, if an expert attests that they reflected reasonable and customary care. A physician's departure from the clinical-decision support protocols could then be used as evidence of negligence.
Like practice guidelines, clinical-decision support protocols could establish a more accurate definition of the standard of care than would emerge from the clash of expert opinions alone. However, they have limited ability to anticipate the myriad clinical scenarios that physicians encounter. Physicians routinely override even relatively simple clinical-decision support protocols, such as drug-allergy alerts, for clinically appropriate reasons.
Overriding a system default that arguably represents the standard of care creates an electronic record that physicians may need to justify in court. For example, in some clinical-decision support systems, simultaneous use of clopidogrel and aspirin requires physicians to overrule safety protocols protecting against excessive anticoagulation, even though the simultaneous use of the two drugs is generally indicated for patients with myocardial infarction. In the rare case in which a hemorrhage develops in a patient, a deliberate suspension of safety protocols could resonate poorly with juries. Overreliance by courts and juries on recommendations embedded in clinical-decision support systems could result in increased and sometimes inappropriate liability when providers depart from clinical-decision support protocols. Some, but not all, EHR systems prompt clinicians to document their reasons for overriding clinically significant alerts.
The growth of HIEs and the subsequent accessibility of external medical records may also substantively change the standard of care. Without HIEs, a provider has limited ability to examine a patient's records from another provider. Perhaps recognizing this, at least two courts have declined to impose a legal duty to obtain and review prior medical records. HIEs provide easy access to this information, possibly increasing the liability risk for providers who fail to take advantage of that access. It is unclear whether courts would require physicians to routinely perform comprehensive reviews of external EHRs, but in cases in which a patient mentions a relevant piece of his or her medical history and the provider fails to review an easily accessible external EHR, liability could well result.
This prospect reflects a deeper concern about health information technology: will the practice environment evolve along with the information environment to allow physicians to make use of the available information resources? The time constraints of typical office visits, for example, may hinder a thorough examination of voluminous EHRs. Under such constraints, key information may be missed in a sea of new electronic data, much of which is of dubious clinical significance. The legal standard of care in malpractice cases is meant to reflect reasonable care, but what appears to be reasonable may differ from the perspective of a layperson, who is convinced of the easy accessibility of electronic information, and the physician, who has the challenge of examining both the patient and his electronic dossier in a 15-minute visit.
Finally, as the use of EHRs grows, failure to adopt an EHR system may constitute a deviation from the standard of care. The standard of care is usually defined by reference to what is customary among physicians in the same specialty in similar settings. Once a critical mass of providers adopts EHRs, others may need to follow. If EHRs do indeed improve quality of care, many legal scholars would applaud this development, since it exemplifies the ability of tort law to spur providers to practice more safely. This "deterrence" notion, however, assumes that the cost–benefit ratio of technology is reasonable, so that injuries are prevented at an efficient cost. Empirical evidence evaluating this assumption is mixed.
Providers can expect a varied and shifting landscape of medical liability risks and benefits as the adoption of EHRs unfolds. Whether these developments improve the performance of the medical liability system remains to be seen. Electronic documentation is likely to bolster the accuracy of courts in determining liability by enhancing the evidence available to evaluate claims. Less clear at this early stage is whether EHRs will lead courts to recognize changes in the legal standard of care - and if so, whether these changes are socially desirable. It is also unknown how the law may evolve to allocate liability fairly among individual clinicians, EHR developers, and provider organizations that select and implement EHR systems. Liability that arises primarily because of poorly designed EHR systems arguably should rest with those in control of system architecture and implementation, not end users. However, in many cases, suboptimal design may set the stage for user errors, complicating the assignment of fault. In addition, some contracts between provider organizations and EHR developers reportedly include provisions protecting the developer from liability arising from the use of the EHR system.
Health care professionals and provider organizations can actively manage EHR-associated risks. First, they can decline to sign contractual provisions that immunize the system developer. Second, they can select systems that are designed to minimize the risk of user error or misuse and maximize the ease of record retrieval. This requires that organizations invest effort early to ensure that the EHR system is customized to the practice patterns of their clinical staff - for example, ensuring that clinical-decision support alerts and medication-dose defaults are sensible.
Third, organizations that adopt EHRs can ensure that clinicians receive thorough training, including education about organizational expectations regarding the use of the system. Hospitals can monitor the use of the system after implementation for obvious problems. Physicians, for their part, must be willing to climb the learning curve. Understanding how using EHRs may help protect them from liability, and how misuse or nonuse may increase liability risk, should motivate them to do so.
Fourth, organizations can ensure that practice conditions are such that the use of the new technology can be maximized. Identification of appropriate practice conditions will require organizations to work closely with their care teams to identify existing barriers to the optimal use of EHRs, whether these involve the length of office visits, the placement of computer terminals, problems accessing external records, or other factors. Fifth, managing patients' expectations about secure messaging and accessing of EHRs is pivotal. Finally, when physicians serve as experts in malpractice litigation, they can educate liability insurers and courts about the limitations of clinical-decision support systems and the appropriateness of departures from them in certain situations.
In evaluating whether to invest in EHR technologies, provider organizations must weigh the substantial up-front cost and possible risks against the potentially sizeable, but uncertain, long-run benefits. The malpractice implications of EHRs should be included in future discussions of risks and benefits. Although there is currently little research quantifying the risks and benefits with respect to liability, we are optimistic that they will ultimately weigh in favor of the implementation of EHRs. Regardless, it is likely that EHRs are here to stay. As the use of EHRs becomes commonplace, the legal standard of care will evolve, and latecomers to the EHR table may be called to account.
Supported in part by an Investigator Award in Health Policy Research from the Robert Wood Johnson Foundation, Princeton, NJ (to Dr. Mello).
Disclosure forms provided by the authors are available with the full text of this article at NEJM.org.
We thank Ashish Jha for comments on an early draft of the manuscript.
From the Department of Medicine, New York University Medical Center, New York (S.S.M.); and the Department of Health Policy and Management, Harvard School of Public Health, Boston (L.M., M.M.M.).
Address reprint requests to Dr. Mello at the Department of Health Policy and Management, Harvard School of Public Health, 677 Huntington Ave., Boston, MA 02115, or at firstname.lastname@example.org.