Date post: 13-Jul-2020

HEALTH LAW SECTION | Vol. 64 | June 2015 | VIRGINIA LAWYER 21

www.vsb.org

Electronic Health Records: New Challenges in the Electronic Age
by Molly E. Trant and Jeremy A. Ball

illustration by Madonna Dersch

The widespread adoption and use of electronic health records (EHR) continues to transform the health-care industry in the United States. According to The Office of the National Coordinator for Health Information Technology (ONC), an EHR is a digitalization of a patient’s medical charts and records. Ideally, this electronic record may then be shared among providers, collecting information and data about the patient along the way, resulting in a comprehensive patient medical history that is widely and readily available when needed.1 Since the enactment of the Health Information Technology for Economic and Clinical Health Act of 2009 (the HITECH Act), the health-care industry has worked to adapt to an ever-changing landscape addressing information sharing, privacy and security concerns, and litigation discovery in the electronic age.

Meaningful Use and Data Sharing Initiatives

The HITECH Act, operating in tandem with the Public Health Services Act that it amended, grants the Secretary of Health and Human Services (HHS) relatively broad authority and discretion to adopt standards, implementation specifications, and certification criteria.2 Among the initiatives contemplated was the widespread adoption and implementation of EHR. At the time of passage, “only 20 percent of doctors and 10 percent of hospitals used even basic electronic health records,” claimed Kathleen Sebelius, Secretary of Health.3 Partly as a result of the HITECH Act, the goal of encouraging EHR adoption has been substantially achieved, with 94 percent of hospitals using a certified EHR system.4

The shift to EHR was initially supposed to take place in three stages, spanning several years.5 To accomplish that timeline, the HITECH Act created a series of staged incentives and financial penalties (estimated to cost roughly $30 billion) to usher physicians into compliance by 2015. Under these incentive programs, providers who demonstrate “meaningful use” of EHR can earn annual incentive payments. The term “meaningful use” may be understood as a compilation of defined goals and objectives that demonstrate a shift from paper recording to electronic recording. For example, if a particular electronic record includes sixteen menu options, a provider may have to meet eleven core requirements and then five of ten further options to substantiate meaningful use.6 To illustrate, under Stage 1 of the Center for Medicare and Medicaid Services’ (CMS) meaningful use incentive program, one core requirement is prescribing medication through a computerized provider order entry system for 30 percent of patients.7

While this carrot-and-stick approach made sense in theory, the HITECH Act failed to account for the possibility that various EHR systems might fail to achieve (for a variety of reasons) a level of technical interoperability necessary to satisfy certain meaningful use criteria.8 The challenge of obtaining true interoperability of EHR systems has had the greatest impact on those providers faithfully following the timeline set forth under HITECH, and who are now hoping to complete Stage 3’s information sharing requirements.9 To do so, however, a provider must: 1) send an electronic summary for 50 percent of TOC (Transitions of Care) and referrals; 2) receive an electronic summary for 40 percent of TOC and referrals; and 3) perform med/allergy/problem reconciliation for 80 percent of TOC and referrals.10 Satisfaction of these criteria can be accomplished only with EHR systems that are truly interoperable.

According to the Healthcare Information and Management Systems Society, interoperability is the “ability of different information technology systems and software applications to communicate, exchange data, and use the information that has been exchanged.”11 Ideally, practitioners, hospitals, laboratories, pharmacies, and patients could all access and use EHR across organizational boundaries, and regardless of the software application or vendor utilized, to enhance the delivery of patient care.12 This ideal, however, is still far from reality. The trouble has less to do with identifying the problem than with solving it. At the federal level, a committee composed of representatives from The Office of the National Coordinator, CMS, and other stakeholders has struggled to promulgate workable rules governing interoperability.13 These proposed rules, in their many versions,14 have most often relied on a system of carrots over sticks, in the hope of luring physicians and health-care providers to adopt cross-platform EHR sharing. More recent regulations promulgated pursuant to the Medicare Access and CHIP Reauthorization Act of 2015 require health-care providers, as part of the meaningful use program, to attest that they have not taken steps that would result in limitations on the interoperability of their EHR.

Even if government efforts are successful in promoting comprehensive EHR sharing, significant policy concerns remain. Chief among them is the worry that the seamless sharing of information will facilitate access to private health information not just for providers and patients, but also for outsiders with nefarious intentions or motives. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)15 is intended to protect against this concern. Fundamentally, however, the massive amount of personal health information stored in EHR systems, including the related information sharing platforms, equates to a greater risk of large-scale disclosure and potentially more damage to patients if EHR security is compromised.

In addition to privacy concerns, widespread sharing of EHR raises a number of unexpected clinical and business concerns. For example, some now worry that physicians may have access to too much information for treatment purposes, unnecessarily complicating the process of diagnosing and treating routine ailments. Conversely, others worry that EHR vendors and institutional providers may be intentionally blocking the free exchange of health information to further their own business interests. In response to these concerns, ONC recently issued a report to Congress on the practice of health information blocking, including suggestions for a comprehensive response strategy.16 Part of the challenge lies with EHR vendors, who have had mixed reactions to the federally mandated move towards data sharing. Several EHR vendors formed a trade group, CommonWell Health Alliance, to allow their customers to share electronic records, while other large EHR vendors such as EPIC have been reluctant to join any trade groups, asserting that their customers have not expressed an interest in being part of a national data sharing organization.17 In the coming years, both the ONC and Congress will need to implement further rules and regulations to prevent information-blocking practices and encourage EHR interoperability while allowing providers and vendors to maintain their autonomy and market presence.

Privacy and Security Concerns

In addition to the challenges of data sharing, the transition of patient records from hardcopy files to EHR systems has raised new and complex challenges with respect to patient privacy. Whereas the security of physical records could often be managed effectively by storing records in locked rooms or cabinets and by limiting access, the electronic data files that comprise EHR systems are much more difficult to control. Modern EHR systems attempt to control access by using usernames and passwords, but such authentication measures are inherently at risk for loss, theft, or misuse. In addition, the nature of EHR data files themselves results in an increased risk of improper disclosure. Because EHR data files are stored in digital media, they often may be copied (with or without authority) to mobile storage devices, such as computer hard drives, flash drives, or DVDs, the loss or theft of which can be catastrophic from a privacy and security perspective. Unfortunately, stories of massive breaches of electronic data systems containing patient health information have become somewhat commonplace, with Anthem Inc.’s recent disclosure of tens of millions of patient records as just one.18

In the face of these increased risks, the law continues to place tremendous emphasis on the privacy and security of patient health information. For example, the Virginia General Assembly has tasked the State Health Commissioner with ensuring that patient privacy is an overriding goal of licensure and enforcement efforts related to medical care facilities.19 Virginia state law further protects the privacy of health records through the Virginia Patient Health Records Privacy Act,20 and the Virginia Department of Health Professions enforces rules of patient privacy through its licensing authority of individual practitioners.21

Among those laws governing the privacy and security of EHR, HIPAA is the starting point. Together, the HIPAA Privacy Rule and Security Rule protect the use, disclosure, and security of personal health information, which includes individually identifiable health information held or transported by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.22 The HIPAA Security Rule establishes minimum security standards for protecting electronic personal health information, including that found in EHR.23 But implementing the HIPAA Security Rule in the context of EHR is far from simple.

The term EHR, when used broadly, includes information or data beyond that traditionally stored in a patient’s health record, and frequently includes information existing in multiple data sources.24 For example, electronic records containing personal health information may be found in a provider’s primary EHR system (i.e., the electronic medical record), billing system, e-mail or messaging exchange servers, or even personal mobile devices carried by practitioners. A provider may also have access to, and acquire personal health information from, electronic data reporting systems operated by laboratories or diagnostic imaging centers, or a health information exchange open to other providers. In sum, “an EHR system consists of a plethora of integrated component information systems and technologies,”25 all or part of which may include electronic personal health information subject to the HIPAA Security Rule. As the variety of electronic data systems containing personal health information continues to proliferate, providers and their attorneys must be increasingly vigilant to the requirements of the HIPAA Security Rule.

Discovery of EMR During Litigation

The unique nature of EHR also presents practical and legal challenges in the context of litigation discovery. Most obvious are the privacy and security concerns, and in particular compliance with HIPAA and analogous state laws, the burden of which falls primarily on the recipient of a discovery request. Second, discovery requests seeking patient health information often seek records or information found in a variety of sources including the EHR, but also including other sources that fall outside the patient’s “medical record” as traditionally conceived. Identifying and gathering the requested information from a variety of sources, some electronic, some paper, and some more nebulous, e.g., information accessible from a health information exchange or stored in the “cloud,” can be difficult. And finally, the design of EHR data systems often does not lend itself to production in a traditional hardcopy format. EHR systems are designed primarily to store patient health information and display it for use on a screen, not to format and print that data for production in response to a subpoena.

Prior to the advent of EHR, responding to a subpoena for a patient’s health record was relatively straightforward. Assuming the health-care provider maintained all records related to the care of patients in a system of hardcopy files, which was the norm, responding to a subpoena required little more than photocopying the file. Even today, Virginia state law conceives of health record storage and production through this document-centric view, permitting a provider to charge a reasonable fee for production of health records which “shall not exceed $0.50 per page for up to 50 pages and $0.25 a page thereafter . . . .”26

The reality, however, is that EHR data systems are frequently not organized or easily reproducible as a comprehensive set of printed documents. Rather, EHR systems store data that may be displayed on a screen in a variety of formats depending on the needs of the provider. In addition, EHR systems often store data that is not intended for routine display to the end user, such as metadata identifying who accessed or viewed the records, who entered data to the record and when it was entered, and whether (or when) an authorized user responded to an alert or pop-up messages. The ability of EHR systems to store more data at a lower cost, in combination with the recent emphasis on evidence-based medical decision making, has also resulted in a massive increase in the amount of patient information stored by providers. Collectively, these factors can make it extremely difficult (and costly) for providers to identify all of the electronic patient information that may be responsive to a broadly worded subpoena, and to produce that information in a paper format that may have never been contemplated by those who designed the underlying software.

Conclusion

In a perfect world, widespread implementation of EHR would result in better medical decision making by providers and better care for patients. The jury is still out on whether EHR has, or ever will, accomplish that goal at a reasonable cost. The potential benefit of making more health information available to more people brings many challenges, including those discussed in this article. In the coming years, health-care providers and others in the industry will continue to wrestle with the fundamental questions raised by EHR: What information is needed? Who needs access to that information? How can the privacy and security of the information be reliably safeguarded? And, of course, how much money should, or can, be spent to achieve EHR’s promise of better health care?

Endnotes:

1 HealthIt.gov, What is an electronic health record (EHR)? http://www.healthit.gov/providers-professionals/faqs/what-electronic-health-record-ehr, last visited June 1, 2015.

2 See Public Health Safety Act § 3004(b)(3), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf.

3 Robert Pear, Standards Issued for Electronic Health Records, (July 13, 2010), http://www.nytimes.com/2010/07/14/health/policy/14health.html?_r=2&hpw, last visited June 1, 2015.

4 Dustin Charles, Meghan Gabriel & Michael F. Furukawa, ONC Data Brief No. 16, Adoption of Electronic Health Record Systems among U.S. Non-federal Acute Care Hospitals: 2008-2013, available at http://www.healthit.gov/sites/default/files/oncdatabrief16.pdf.

5 HealthIt.gov, Meaningful Use Regulations, http://www.healthit.gov/policy-researchers-implementers/meaningful-use-regulations, last visited June 1, 2015.

6 CMS.gov, “2014 Definition Stage 1 of Meaningful Use,” available at http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Meaningful_Use.html.

7 Eligible Professional Attestation Worksheet for Stage 1 of the Medicare Electronic Health Record (EHR) Incentive Program, available at http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/EP_Attestation_Stage1Worksheet_2014Edition.pdf.

8 http://cnsnews.com/news/article/barbara-hollingsworth/under-draft-bill-authorized-users-would-get-complete-access.

9 HealthIt.gov, Work Product of the HITPC Meaningful Use Workgroup – Meaningful Use Stage 3 Recommendation, available at http://www.healthit.gov/FACAS/sites/faca/files/hitpc_muwg_stage3_recs_2014_03_11.pdf.

10 John Halamka, The good, the bad and the ugly of Stage 3 MU, http://www.healthcareitnews.com/news/good-bad-ugly-stage-3-mu?page=0, last visited June 1, 2015.

11 Daniel R. Verdon, ONC’s plan to solve the EHR interoperability puzzle, http://medicaleconomics.modernmedicine.com/medical-economics/news/onc-s-plan-solve-ehr-interoperability-puzzle?page=full, last visited June 1, 2015.

12 Id.

13 2015 Edition Health Information Technology (Health IT) Certification Criteria, 80 Fed. Reg. 16804 (proposed March 30, 2015) (to be codified at 45 C.F.R. pt 170).

14 For a summary, see 2015 Edition Health Information Technology (Health IT) Certification Criteria, pages 18-22, available at https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-06612.pdf.

15 5 C.F.R. Part 160 and Subparts A and C of Part 164.

16 The Office of the National Coordinator for Health Information Technology (ONC), Report on Health Information Blocking (April 2015), available at http://www.healthit.gov/sites/default/files/reports/info_blocking_040915.pdf.

17 See Laura Landro, “Electronic Medical Records Get a Boost,” available at http://www.wsj.com/articles/electronic-medical-records-get-a-boost-1424145649.

18 See Byron Acohido, “Breathtaking Anthem Breach Puts Millions at Risk for Identity Theft,” available at http://thirdcertainty.com/news-analysis/breathtaking-anthem-breach-puts-80-million-risk-identity-theft/.

19 Virginia Code Ann. § 32.1-19(C) (emphasis added).

20 Virginia Code Ann. § 32.1-127.1:01, et seq.

21 See, e.g., 18 VAC 90-20-300(A)(2) (defining unprofessional conduct for licensed nurses to include any violation of the Virginia Health Records Privacy Act).

22 See 42 C.F.R. Part 160.

23 See, e.g., The Office of the National Coordinator for Health Information Technology, Guide to Privacy and Security of Electronic Health Information (April 2015).

24 See AHIMA, Fundamentals of the Legal Health Record and Designated Record Set, Journal of AHIMA 83, no. 2 (Feb. 2011).

25 AHIMA e-HIM Work Group on the Legal Health Record, “Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes,” Journal of AHIMA 76, no. 8 (Sept. 2005).

26 Virginia Code Ann. § 8.01-413.


Molly E. Trant is a senior corporate counsel for Riverside Health System. She works closely with her business colleagues at Riverside Health System to provide legal advice on general health-care and regulatory matters, corporate governance, and transactional matters.

Jeremy A. Ball is a director in McCandlish Holton PC’s Health Care Practice Group. He represents health systems, hospitals, nursing facilities, physician practice groups, ancillary health care providers, and managed care health insurance plans in a variety of transactional, regulatory, and reimbursement matters.

