Originally published June 2014
Electronic patient records support high quality and safe care by making the personal health information of patients readily available to the healthcare providers who need it.
As the use of eRecords increases, pitfalls and liability issues are emerging. The following 10 tips can help physicians mitigate risk.
Phase-in the rollout
When a new electronic record system is being implemented, it carries a higher risk for errors as the system is unfamiliar to users. A phased rollout with appropriate training is considered best. Everyone using the record system, including physicians, should be trained on the software and use it in a consistent way.
From the onset, physicians will want to clarify ownership of records, custody, access, storage, copying, disposal, and also transferring of records should a physician decide to leave a group practice. A data sharing agreement, which is a requirement in many jurisdictions, will prove beneficial in establishing clear accountabilities. The written agreement generally helps to articulate the role of each user and who has access to the information in the system and to what extent. It also helps clarify who is responsible for maintaining the information in the system.
Have a backup plan
Computers sometimes fail, records can be lost, and liability may follow. Systems should be backed-up regularly and antivirus protection should be used. Vendors should confirm in writing that a backup function is in place and working.
Quality assurance reviews should be conducted periodically to confirm the system is functioning properly and contingency plans should be in place in case of a prolonged system disruption.
Establish good routines early
Physicians should enter information carefully and as soon as possible following the patient encounter. Patient names, identifiers, and the date and time should be double-checked.
Be careful to select carefully from menus. For example, drug names may look or sound the same. Double-check the starting, escalation, maintenance, and tapering dosages.
Respect privacy and confidentiality
Only healthcare professionals included in the delivery of care should have access to a patient's health information and only on a need-to-know basis. To monitor usage, electronic record systems are generally required to have an audit capability to record the details of access and use. While audit requirements vary between jurisdictions, they often include the identity, date, time and duration of access; password protection to an identifiable user; changes or additions to notes; and which documents were viewed and for how long. The software's audit capability should never be disabled for any reason.
To protect patient information, providers should consider the following:
Ensure the system is equipped with robust security features including encryption, passwords, and access controls to protect against unauthorized access.
Never use someone else's password when accessing the patient's record.
Actively log off when tasks are completed. Leaving the system open allows access by another individual under the first provider's user name. Systems should have an automatic log-off if left inactive for a set period of time.
Ensure all trainees have their own login identifications that are distinct and different from supervisors and staff.
Put a policy in place for the "lockbox, masking, or blocking" feature for protected or sequestered records, and for dealing with lockboxed information when the patient requests a transfer of records.
Lost or stolen laptops, office computer systems, CDs, DVDs, memory sticks, portable USB drives, and other mobile devices containing unencrypted copies of patient information represent a significant medico-legal risk and expense. Password protection, although important, does not equal encryption. Some privacy commissioners and medical regulatory authorities (Colleges) have stated that physicians and other custodians must encrypt patient information stored on mobile devices. The CMPA recommends that all devices and systems containing patient health information be encrypted.
Use automatic features with care
For efficiency, computers can be programmed to automatically populate information fields (e.g. past illnesses and medication lists) from one visit to the patient's next visit. While this can be beneficial at times, auto-population can also skew the record of the visit, and introduce some risks.
Such automatic features may potentially compromise the credibility of a physician if the detail of the entry inaccurately indicates what was done at the time. This documentation could be challenged as not representing what actually happened at a particular visit.
Record each individual patient encounter to reflect what actually occurred.
Consider using short free-text notes to describe the clinical encounter and the rationale for decision-making instead of lengthy click-box templates.
Use decision aids correctly
Many electronic record systems have decision-making tools such as clinical practice guidelines, clinical reminders, and automatic pop-ups of recommendations for drug choice. These can include alerts and warnings related to contraindications and potential drug interactions. Some even have tools to help with the formulation of differential diagnoses.
All tools should be carefully chosen to be congruent with reasonable and current standards of practice. They should not be used as a replacement for a physician's own judgment. Physicians should assess each suggestion offered by a tool, taking into consideration the individual circumstances of the case. On the other hand, inappropriately overriding or turning off system prompts and warnings may also negatively impact patient safety and the defence of subsequent medico-legal problems. While the use of these tools is not yet part of the standard of care, if they are not to be used, then this decision should be stated in the facility's administrative policies.
Physicians should also be aware of alert fatigue. It is important to always consider whether the alert information is relevant for a particular patient. The audit function in a system will indicate which alerts were viewed and for how long.
Recommendations, warnings, and alerts that are located away from the centre of the computer screen can be missed. It is often important to enter a clear note indicating the thought process that led to a treatment choice that differs from the one suggested. It may be prudent to inform the patient of the reasons for the decision.
Track tests and referrals
The electronic system should be used to track, action, and file test results. Poor clinical outcomes resulting from missed appointments, failures to follow up, and lost lab tests and diagnostic imaging reports are common causes of patient complaints and legal actions. A robust tracking capability for tests and referrals, including for pending results, is an important consideration in selecting an electronic system.
Make changes properly
Corrections can be made in an electronic record, but must be done properly to avoid the appearance of deliberate falsification. The overwriting of electronic information, even if incorrect, might be misconstrued as improper alteration of the patient record. The audit function will indicate who made any entries or changes and when.
Never change the existing entries after learning of a complaint or action. Correcting an electronic record should be made in a manner that is as consistent as possible with College requirements for paper records. If information is incorrect or incomplete then this needs to be rectified.
If information in a lab report is incorrect, the physician and the lab should work together to correct it. If appropriate, they should also consider how best to improve the system to limit such problems in the future. If others need to be informed of the amendments, the actions taken and responses should be documented.