Leaving an open electronic health record unattended can increase the risk of a HIPAA violation.


Published 12/1/2014
Patrick M. Palmer, MD

Electronic Health Records: The Unintended Consequences

The electronic health record (EHR) market is huge and is here to stay, having been embraced by most physicians, insurers, government agencies, and hospital systems. The EHR industry generated $24 billion in global revenues in 2013 and has an anticipated growth rate of 10 percent per year through 2015. Recent studies show that 78 percent of physicians’ offices had adopted some form of EHR by 2013, and 83 percent of physicians use EHRs in their practices, in part due to the “carrot-and-stick” approach adopted by many stakeholders.

The Centers for Medicare & Medicaid Services (CMS), for example, provides a financial “carrot” to practices that meet the recently released Stage 2 Meaningful Use Criteria. These include 17 core objectives covering e-prescribing, encrypted patient emails, a secure patient portal, the recording of smoking status, and more. Physicians who can document interoperability between systems, data sharing, data transfer, and electronic communications with patients can receive up to $43,723 in incentive payments.

EHRs have many advantages beyond these financial incentives. They offer the promise of “complete documentation,” structured data, and the potential for patient risk stratification. The robust data storage offers the potential to improve medical documentation and decision-making.

But we cannot forget the “stick” in this “carrot-and-stick” approach. Beginning next year, stiff penalties for EHR noncompliance will go into effect. Penalties start at 1 percent of Medicare payments per year and can reach a maximum of 5 percent.

According to a 2008 article in the Harvard Journal of Law and Technology, “The benefits of EHR systems will outweigh their risks only if these systems are developed and maintained with rigorous adherence to the best software engineering and medical informatics practices and if the various EHR systems can easily share information with each other.”

The EHR challenges
Successfully tailoring an EHR system to a practice may be costly. EHR systems are expensive ($20,000 to $50,000 per physician to implement and maintain). Additional costs include periodic vendor maintenance and the need for additional support personnel and possibly scribes. Storage costs and courier fees can increase office overhead. EHR implementation is time-consuming and a productivity drain, as physicians and staff face a steep learning curve with the technology.

Many systems cannot communicate with one another (lack of intuitive interface), making it more difficult to achieve Stage 2 Meaningful Use financial benefits.

Even when properly used, EHRs have the potential to increase medical errors and medical liability. Cloned (cut-and-paste) records must be avoided because they can lead to an insurance audit and raise red flags for payers and attorneys. Faulty templates can promote “garbage-in, garbage-out” documentation. Excessively speedy documentation can lead to errors. Unsecured EHR formats increase the potential for HIPAA compliance risks. Finally, there is the need for continuous and more robust firewall security.

Cyber attacks and data theft of EHRs are increasing. Data theft can be costly, and stolen medical data is far more valuable, and its loss far more damaging, than stolen credit card data. This can lead to stolen medical identities, fraudulent healthcare claims, and potential HIPAA violations for failure to ensure adequate security.

EHRs also have the potential to damage the traditional doctor-patient relationship. Patients who have privacy or security concerns may withhold information from the physician. Physicians who are more focused on completing the EHR than on listening to the patient may be seen as impersonal, leading to patient dissatisfaction and possible complaints to regulatory agencies and medical boards.

Liability risks
According to Thomas B. Fleeter, MD, chair of the AAOS Medical Liability Committee, EHRs pose significant liability potential. These risks include HIPAA violations due to unauthorized data releases; juxtaposition errors, as in selecting the wrong patient; illusory communication; and technical difficulties. Poor intuitive interfaces, irrelevant templates, and unintelligible data can be problematic. “Lost” abnormal-result prompts, time-stamped issues, and medication ordering risks are additional considerations.

EHR design problems can be a plaintiff’s playground. Plaintiffs’ attorneys now routinely use EHR weaknesses against hospitals and physicians to challenge standard-of-care issues. Attorneys can take advantage of physician overload, exploiting warnings, errors, and overrides. In several cases, physicians have been found liable for failing to meet the standard of care because they ignored or overrode warnings in the computerized record about abnormal findings such as lab, imaging, or drug interactions.

According to CRICO—the patient safety and medical malpractice insurer for the Harvard medical community—the most frequent examples of harm to patients caused by EHRs include incorrect data entry by staff, cut-and-paste data entry, inadequate updating, and computer crashes resulting in data loss and access problems. The Economic Cycle Research Institute, a Pennsylvania-based nonprofit institute that analyzes patient safety issues, believes that “EHR hazards are the most important patient-safety concern for 2014.”

Oversight lacking
One of the objectives of the American Recovery and Reinvestment Act of 2009 was to accelerate the implementation of EHRs in the United States. Although the use of EHRs has increased substantially since 2009, unique user- and system-specific vulnerabilities continue to limit reliability and source accuracy.

The five largest EHR providers are also major contributors to political campaigns. EHR vendors are exempt from federally mandated error reporting; instead, voluntary reporting is simply encouraged. No central database for error reporting exists, and the U.S. Food and Drug Administration has no plans to require EHR error reporting. Some EHR providers prohibit their customers from discussing unsafe processes.

EHR risks have emerged as some patient deaths have been blamed on these systems. Drug-prescribing errors have occurred. Physicians and nurses complain about the complexity of EHRs. Human error is common. The fundamental operational functions of EHR systems can vary, and some legal opinions have indicated a potential impeachability of EHRs on the basis of “unreliability and untrustworthiness.”

Problematic and imprecise use as well as dysfunctional EHR operations may ultimately result in legal challenges to source accuracy. As outlined in the Federal Rules of Evidence, any system (EHR) must demonstrate the ability to produce accurate results and avoid the implications of a lack of trust. Legal evidentiary challenges may result if the appearances of the EHR seem to differ from the facts of the case. This can result in a diminished confidence in the reliability of the medical record.

The jury’s still out
Do the benefits of EHRs outweigh the potential risks? Although the full benefits of EHRs have yet to be realized, they include the following:

  • improved quality and convenience of patient care
  • increased patient participation in care
  • improved accuracy of diagnoses and health outcomes
  • improved care coordination
  • increased practice efficiencies and cost savings

However, the risks are also substantial. With EHRs, the potential for medical errors increases, and, hence, provider liability also increases. The reliability and trustworthiness of the EHR can be challenged. The potential exists for physician overload with EHR system complexity. Neither federal mandates for EHR error reporting nor a federal EHR error data registry exists. The potential for EHR-related patient injury is real.

Patrick M. Palmer, MD, is a member of the AAOS Medical Liability Committee and the AAOS Board of Councilors.

Editor’s note: Articles labeled Orthopaedic Risk Manager (ORM) are presented by the Medical Liability Committee under the direction of Robert R. Slater Jr, MD, ORM editor. Articles are provided for general information and are not legal advice; for legal advice, consult a qualified professional. Email your comments to feedback-orm@aaos.org or contact this issue’s contributors directly.


References

  1. Electronic Health Records survey, 2014.
  2. Medscape EHR Report, 2014.
  3. Hoffman S, Podgurski A: Finding a Cure: The Case for Regulation and Oversight of Electronic Health Record Systems (2008). Case Legal Studies Research Paper No. 08-13; Harvard Journal of Law and Technology, Vol. 22, No. 1, 2008.
  4. Controlled Risk Insurance Company, Harvard Malpractice Insurance Group.
  5. Assenture Research, 2014.
  6. Federal Rule of Evidence 803(6)(E).
  7. Drury B, Gelzer R, Trite P, Paul GL: Electronic Health Records Systems: Testing the Limits of Digital Record’s Reliability and Trust. Ave Maria Law Review, 2014.