Developments in EHR
EHR systems, which contain patients’ medical data and information, are not only used in healthcare delivery but are also relevant to litigation and subject to ESI discovery under amendments that were passed in 2006. As the adoption of EHR systems in hospitals and other healthcare sectors increases, providers and legal counsel must be aware of the advances in EHR technology, gain a better understanding of the information they can acquire and retrieve from EHR systems, and prepare e-discovery provisioning requirements [8]. The development of techniques in EHR systems would facilitate e-discovery. In addition, healthcare providers naturally have a wide choice as to how engaged their medical practice will be with EHR technology and which EHR system will be used [8]. With national benchmarks to measure EHR systems in terms of certification and meaningful use, the quality of the system outcomes as well as the functionalities associated with e-discovery requests need to be guaranteed. Furthermore, particular EHR technologies, for instance metadata search algorithms, are necessary to facilitate the review process for e-discovery use. Healthcare providers and legal counsel might not be technology experts in EHR development; however, knowing where relevant ESI exists and how to preserve such information to satisfy e-discovery obligations is a necessary requirement.
Techniques in EHR systems to facilitate e-discovery
Advanced techniques in EHR systems are needed to facilitate the e-discovery process; otherwise e-discovery will be inefficient and costly, placing a heavy burden on the stakeholders involved. For instance, the 2006 amendments have expanded the use of a “legal hold” for preservation of paper documents as well as ESI documents. At the time when a healthcare organization receives a notice of litigation, it should suspend its routine document retention and destruction policy to ensure the preservation of all forms of relevant information and avoid sanctions for ESI spoliation [9]. There is a documented lack of efficient technology in EHR systems to establish a legal hold on patients’ records, and it is costly to put a legal hold on one particular patient in EHR systems [10]. Further, legal counsel sometimes do not have sufficient knowledge of the techniques for acquiring valuable data from EHR systems. This calls for education about the functions of EHR systems.
Information sharing and data interoperability
There is an increasing need to build a national health information infrastructure (NHII) that connects users, manages healthcare knowledge, and provides functions for information sharing among different EHR systems. There are three main reasons why the NHII is required [11]. First, professionals and researchers face substantial growth in, and much more complex, health data about patients as they encounter more types of illnesses while diagnostic capabilities simultaneously improve. Second, the data standardization achieved by the NHII will facilitate data manipulation so that costs and turnaround times are reduced. Last but not least, a platform is needed to ensure that the benefits of cutting-edge technology and methods diffuse to the different stakeholders in the healthcare domain. For instance, large datasets are needed to acquire knowledge regarding the molecular underpinnings of disease through intensive computing capabilities. Such datasets can be one feature of the NHII. In order to build an NHII that connects participants in healthcare, a series of agreements on the standardization of technology, data, processes and rules needs to be reached as well. The quantity and quality of data to support decision-making in healthcare delivery are important for implementation of a complete NHII [8]. Each of these issues is critical for system-related education.
Data interoperability, the ability of two or more EHR systems to exchange and share information, is key to NHII implementation. This feature is also indicated in the “meaningful use” stage 1 requirements, such that key patient data can be exported to a common format. Currently two formats have been developed, Continuity of Care Records (CCR) and Continuity of Care Documents (CCD), but neither of them has been used to export a patient’s entire EHR record, since abbreviations and terminology vary among practices [12]. In order to facilitate e-discovery, first, the format used by the export feature must be able to provide a complete record of a patient for production during discovery. In addition, the EHR data should be viewable by a lawyer in a layout similar to that viewed by medical professionals since “A party must produce documents as they are kept in the usual course of business...” Finally, the feature must be able to export the specific data required for production so that the lawyer is able to produce only relevant data for discovery purposes [12].
Metrics for EHR systems quality control
Without appropriate mechanisms and metrics to control the quality of the diverse EHR systems on the market, healthcare organizations are at risk of investing large amounts in poorly designed systems which may not improve outcomes. Therefore, developing national benchmarks to measure not only the technology but also the systems in terms of certification, meaningful use, implementation specification, etc. is mandatory [13,14].
Here, it is also worth noticing the difference between certification and meaningful use on EHR systems [15]. Certification of EHR systems ensures that the particular system meets functionality standards. In June 2010, the Office of the National Coordinator for Health Information Technology (ONC) defined the temporary criteria for testing and certifying EHRS functionality [16]. Subsequently in January 2011, ONC issued the final rule on a Permanent Certification Program for Health Information Technology, for functional testing requirement, cases and tools. Meaningful use implies “providers need to show they’re using certified EHR technology in ways that can be measured significantly in quality and in quantity”, corresponding to quality of the adoption of EHR systems [17]. Identification of these issues is important for educational programs.
Clinical practice guidelines to optimize EHR system use
Clinical practice guidelines (CPGs) assist in decisions about special circumstances in healthcare. CPGs in terms of diagnostic and treatment practices have been developed by professional societies over a long time period. The standard of care is a key to successful defense in medical malpractice litigation since it reveals whether the defendant “proceed[ed] with the reasonable caution that a prudent man would have exercised under such circumstances” [13]. Compliance with well-established CPGs, similar to expert testimony, can be utilized as proof that the defendant met the standard of care, “at least as evidence of a practice that is accepted by a respectable minority”. However, at this early stage of EHR system development and adoption, few authoritative CPGs exist regarding the design and use of EHR systems, and even fewer in the litigation context [13]. Any educational program related to e-discovery in health needs to include such CPGs.
Audit trails / metadata search techniques
Audit trails are the records about “who did what and when” in order to meet requirements on “system integrity, recoverability, auditing, and requirements”. Effective audit trails on EHR systems should keep all relevant system input and output not only for the purpose of system validation and problem diagnosis, but also to understand how EHR systems are operating. The audit trails can then serve as unbiased evidence of medical practice for potential litigation use [13].
A key component of the functioning of audit trails is metadata, which is generated to track how an electronic document has been manipulated. Metadata has been viewed as non-hearsay evidence by the courts because it can be considered to have integrity: it is automatically generated without human intervention [10]. Metadata can also be used as a tool to reveal what documents have actually been created, reviewed, modified and deleted. Federal courts have held that when an electronic document is discoverable, it is to be produced “in native format…with their metadata intact” [10]. E-discovery with metadata would generate a huge amount of ESI. This calls for effective search techniques and strategies to facilitate the review process [13]. Therefore, search techniques for metadata and an understanding of metadata need to be covered in e-discovery courses.
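A metadata search over an audit trail, as an added example that is not from the original article: it records “who did what and when”, then pulls out modifications and deletions made after a litigation notice. The hash chaining used to make the trail checkable is an assumption of this sketch, and all events, names and dates are constructed.

```python
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64

def entry_hash(event, prev_hash):
    """SHA-256 over the previous hash plus the canonical JSON of this event."""
    body = json.dumps(event, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def build_trail(events):
    """Chain system-generated events so a later edit to any entry is detectable."""
    trail, prev = [], GENESIS
    for ev in events:
        prev = entry_hash(ev, prev)
        trail.append({"event": dict(ev), "hash": prev})
    return trail

def verify_trail(trail):
    """Return the index of the first entry that fails verification, else None."""
    prev = GENESIS
    for i, item in enumerate(trail):
        if entry_hash(item["event"], prev) != item["hash"]:
            return i
        prev = item["hash"]
    return None

def search(trail, patient=None, actions=None, since=None):
    """Metadata search by patient, action type and earliest timestamp."""
    hits = []
    for item in trail:
        ev = item["event"]
        if patient and ev["patient"] != patient:
            continue
        if actions and ev["action"] not in actions:
            continue
        if since and datetime.fromisoformat(ev["when"]) < since:
            continue
        hits.append(ev)
    return hits

# Constructed sample events (who, what, which document, when).
SAMPLE_EVENTS = [
    {"who": "dr_a", "action": "create", "patient": "P-001", "doc": "note-1", "when": "2011-03-01T09:00:00"},
    {"who": "nurse_b", "action": "review", "patient": "P-001", "doc": "note-1", "when": "2011-03-02T10:30:00"},
    {"who": "dr_c", "action": "create", "patient": "P-002", "doc": "note-7", "when": "2011-03-05T08:15:00"},
    {"who": "dr_a", "action": "modify", "patient": "P-001", "doc": "note-1", "when": "2011-04-12T17:45:00"},
    {"who": "clerk_d", "action": "delete", "patient": "P-001", "doc": "lab-3", "when": "2011-04-13T11:05:00"},
]
NOTICE_DATE = datetime(2011, 4, 1)  # constructed litigation-notice date

def changes_after_notice(trail, patient):
    """Modifications and deletions on a patient's documents after the notice."""
    return search(trail, patient=patient, actions={"modify", "delete"}, since=NOTICE_DATE)

if __name__ == "__main__":
    trail = build_trail(SAMPLE_EVENTS)
    print("first bad entry:", verify_trail(trail))
    for ev in changes_after_notice(trail, "P-001"):
        print(ev["when"], ev["who"], ev["action"], ev["doc"])
```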
Advances in health 2.0
Health 2.0 has been defined as the phenomenon in which Web 2.0 technologies provide members of the health community (health professionals, health consumers, and health science students) with new and innovative ways to create, disseminate, and share information both individually and collaboratively. It is a new concept of health care that employs social software and other Web-based tools to promote collaboration between patients, their caregivers, medical professionals, and other stakeholders in health care to create a better, more knowledgeable and cost-effective environment for better well-being [18]. Health 2.0 is the use of a set of Web tools (blogs, podcasts, wikis, etc.) in health care by doctors, patients, and scientists. For example, websites like PatientsLikeMe [19] use knowledge from users in the social media network to personalize health care and promote health education [20].
One key difference between traditional models of medicine and Health 2.0 is the knowledge of patient records and related control. In traditional models, patients’ records could only be kept and accessed by medical professionals; while in newer models patients obtain more control and deeper insight into their own information. Web 2.0/technology, patients, professionals, social networking, health information/content, collaboration, and change of health care are the topics closely related to the definition of Health 2.0 [18].
Therefore, any curriculum for Health 2.0 should also include, for instance: 1) the stakeholders involved, e.g. patients/consumers, professionals/caregivers, and biomedical researchers; 2) the emerging methods and technology, e.g. Web 2.0 and virtual-reality tools; 3) the change in the relationship between stakeholders, such as the improved collaboration and communication between professionals and patients; and 4) the impact on the development of the health care system, such as improvement in the safety, efficiency and quality of the old system. In addition, inaccurate online information is another concern in Health 2.0. Although research has found that online information is often accurate or can be corrected rapidly, many practitioners believe “the consequences could be disastrous for any inexperienced trainee following the advice” [21]. The use of Health 2.0 raises a challenge for healthcare organizations in serving e-discovery requests. Since the information in Health 2.0 associated with privacy, ethical, and ownership issues is within the scope of discovery as well, failing to preserve relevant information because usage and electronic data management policies and techniques are out of date could lead to potential sanctions. It is important that students are exposed to each one of these, since these could drive e-discovery lawsuits.
E-discovery policy and strategy
Policies and processes for electronic records management
Electronic health records are composed of many types of information within the boundary of the health organization, e.g. email, text messages, and even legacy information systems [22]. Health Information Management and IT professionals need to work together to determine storage, retention, and destruction schedules for organizational documents as well as for digital information, to avoid potential sanctions resulting from failure to preserve relevant documents in e-discovery cases.
For instance, the updated policies and processes should indicate where and in what type of format the electronic health records should be stored, how often to maintain such records, and when to destroy them. Updated policies and processes for electronic medical records are required for healthcare organizations to comply with federal and state requirements and to facilitate e-discovery.
Economics of cost
Recently, courts have started to limit ESI discovery based on cost-benefit analysis. Under the Discovery Scope and Limits in Rule 26 of the Federal Rules of Civil Procedure, ESI discovery could be limited if “the burden or expense of the proposed discovery outweighs its likely benefit, considering the needs of the case, the amount in controversy, the parties’ resources, the importance of the issue at stake in the litigation, and the importance of the proposed discovery in resolving the issues”. For example, in Lorraine v. Markel American Insurance Co., Judge Grimm denied the parties’ competing motions for summary judgment by opining that “it makes little sense to go to all the bother and expense to get electronic information only to have it excluded from evidence or rejected from consideration during summary judgment because the proponent cannot lay a sufficient foundation to get it admitted” [23]. Therefore, it is important for students to understand how organizations should establish a means for determining the actual costs of producing ESI, and for detecting whether this production would be overly burdensome, in which case such ESI would be out of the scope of discovery [10].
Legal hold policies to handle preservation of relevant documents
Legal hold indicates that a party “must suspend its routine document retention/destruction policy” to ensure the preservation of relevant documents, including ESI, once the party receives a notice of litigation [24]. In order to comply with the preservation obligation, in addition to appropriate techniques, healthcare organizations need to understand the legal hold policy that governs this process, e.g. the instructions and corresponding workflow that keep the regular retention/destruction policy from executing automatically. These issues would fit into an understanding of both law and workflow systems.
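How a legal hold can gate an automatic destruction job, as an added example that is not from the original article: records past their retention period are destroyed unless an active hold covers the patient, and they become eligible again once the hold is released. The retention schedule, record types, matter name and dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Record:
    doc_id: str
    patient: str
    kind: str            # e.g. "email", "text_message", "chart"
    last_activity: date

@dataclass
class LegalHold:
    matter: str
    patient: str
    notice_date: date
    released: Optional[date] = None

    def covers(self, rec, today):
        """A hold applies from the notice date until it is released."""
        active = today >= self.notice_date and (self.released is None or today < self.released)
        return active and rec.patient == self.patient

# Constructed retention schedule, in days per record type.
RETENTION_DAYS = {"email": 365, "text_message": 180, "chart": 3650}

def run_destruction_job(records, holds, today):
    """Return (destroy, preserved): doc ids to delete, and doc id -> holding matter."""
    destroy, preserved = [], {}
    for rec in records:
        expired = today - rec.last_activity > timedelta(days=RETENTION_DAYS[rec.kind])
        if not expired:
            continue  # still inside the routine retention period
        hold = next((h for h in holds if h.covers(rec, today)), None)
        if hold:
            preserved[rec.doc_id] = hold.matter  # routine destruction suspended
        else:
            destroy.append(rec.doc_id)
    return destroy, preserved

# Constructed sample records.
SAMPLE_RECORDS = [
    Record("e1", "P-001", "email", date(2010, 6, 1)),
    Record("e2", "P-002", "email", date(2010, 6, 1)),
    Record("t1", "P-001", "text_message", date(2011, 12, 1)),
    Record("c1", "P-002", "chart", date(2005, 1, 1)),
]

if __name__ == "__main__":
    hold = LegalHold("M-1", "P-001", notice_date=date(2011, 11, 1))
    print(run_destruction_job(SAMPLE_RECORDS, [hold], date(2012, 1, 15)))
```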
Security and privacy issues
Information privacy and data confidentiality
For an information system in any area and domain, security is of crucial concern. Further, information privacy is one key issue that has a serious influence on the adoption of EHR systems, since all of the patients’ healthcare information is stored, shared and communicated among different EHR systems and healthcare sectors. Any privacy breach or abuse of data may undermine the intention to use EHR systems in spite of their numerous benefits. Privacy issues have not been addressed sufficiently at either the technical or the business process level; e.g., in a nationwide survey conducted in February 2005 by Harris Interactive of Rochester, N.Y., 70 percent of people were somewhat or very concerned that personal medical information would be leaked due to weak data security [25].
Data is the primary resource in EHR systems, so its confidentiality is significant for information privacy. Personal information obtained in the physician-patient relationship should not be revealed to others unless the patient understands and consents to disclosure [26]. The trend of data sharing among EHR systems and healthcare organizations is inevitable; as a result, innovative management techniques and policies on data confidentiality should be taught to keep pace.
Access controls and policies for EHR
While maintaining information privacy matters, obtaining patients’ healthcare information on demand from EHR systems is critical as well for caregivers such as hospitals and doctors. There is a trade-off between accessibility of patients’ information and privacy concerns, especially when some EHR systems are based on web services, which make the information easier to access while at the same time giving rise to potential privacy issues. Therefore, the challenge is to develop access control policies that provide the required protection of privacy while keeping the flexibility to accommodate authorized users, so that only a given set of users can access a certain level of patient information [27], e.g. which portions of a patient’s record can be accessed by whom for a specific period of time. In general, attribute-based access control (ABAC) and role-based access control (RBAC) are the two main approaches to controlling access to EHR systems [28,29]. ABAC divides the system into subcomponents, and for each subcomponent the access policy is stored as an attribute of the data, while RBAC constructs a hierarchy of roles that can be assigned to each user, so that privileges are authorized for each role instead of for each user. Both approaches have their own benefits and shortcomings. Thus an understanding of existing access control methods and policies that ensure both flexibility and security is urgent for any student of e-discovery.
Management of patient consent
As we mentioned earlier, without the patient’s awareness of and consent to disclosure, private information in EHR systems should not be revealed to others; thus the consent of the patient plays a vital role. Individual patients should know and understand the contents of their records through effective notification and truly informed consent for disclosure, which also implies that the particular patient is fully informed of his/her medical status and gives voluntary agreement to permit access to their healthcare information [26]. Failure to truly inform the patient of disclosure, e.g. by using implied consent, would lead to ethical issues.
Patients either implicitly or explicitly consent to information disclosure according to different consent models. For example, two types of consent models are considered: General Consent with Specific Denials and General Denial with Specific Consent [30]. Obviously the latter can maintain information at a high level of confidentiality, while at the same time it might hinder the workflow of healthcare providers. Therefore, an understanding is needed of effective consent and control mechanisms that can give patients control over their own healthcare information without impeding the regular healthcare delivery process.
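An access decision that combines the role hierarchy and data-attached, time-limited grants from the access control section with the two consent models named above, as an added example that is not from the original article. The roles, record sections, users and dates are constructed, and requiring both an access path and patient consent is an assumption of this sketch.

```python
from datetime import datetime

# RBAC: constructed role hierarchy; each role inherits its parents' privileges.
ROLE_PARENTS = {"attending": ["physician"], "physician": ["clinician"],
                "nurse": ["clinician"], "clinician": []}
ROLE_SECTIONS = {"clinician": {"demographics"},
                 "physician": {"medications", "lab_results"},
                 "attending": {"psychiatric_notes"}}

def role_sections(role):
    """Sections a role may read, including those inherited from parent roles."""
    sections = set(ROLE_SECTIONS.get(role, ()))
    for parent in ROLE_PARENTS.get(role, ()):
        sections |= role_sections(parent)
    return sections

# ABAC as the text describes it: the policy is stored as an attribute of the data.
# Constructed record with a time-limited grant and the patient's consent model.
RECORD = {
    "patient": "P-001",
    "consent": {"model": "general_denial",  # or "general_consent"
                "exceptions": {("dr_a", "psychiatric_notes"),
                               ("dr_a", "medications"),
                               ("consult_x", "lab_results")}},
    "grants": {"lab_results": [{"user": "consult_x",
                                "start": datetime(2012, 3, 1),
                                "end": datetime(2012, 3, 8)}]},
}

def consent_allows(consent, user, section):
    """general_consent: exceptions are denials. general_denial: they are consents."""
    listed = (user, section) in consent["exceptions"]
    return not listed if consent["model"] == "general_consent" else listed

def decide(record, user, role, section, now):
    """Return (allowed, reason) for one read request on one record section."""
    by_role = section in role_sections(role)
    by_grant = any(g["user"] == user and g["start"] <= now < g["end"]
                   for g in record["grants"].get(section, []))
    if not (by_role or by_grant):
        return False, "no role privilege or data-attached grant"
    if not consent_allows(record["consent"], user, section):
        return False, "patient consent not given"
    return True, ("role" if by_role else "time-limited grant")

if __name__ == "__main__":
    now = datetime(2012, 3, 5)
    print(decide(RECORD, "dr_a", "attending", "psychiatric_notes", now))
    print(decide(RECORD, "consult_x", "clinician", "lab_results", now))
```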
HITECH and HIPAA privacy and security rules
Significant modifications have been made to the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. For instance, substantial incentives and grants are provided in the HITECH Act for the adoption of EHR systems and information exchange to improve both the quality and efficiency of healthcare. On the other hand, for the HIPAA Privacy and Security Rules, mandatory federal security breach reporting requirements and criminal and civil penalties for noncompliance are established [31,32]. These extensions and enforcements are aimed at continually improving the effect of the HITECH and HIPAA rules, clearly an important area of knowledge for the student.