America's health care landscape is changing dramatically and there are various aspects of risk management that physician practices and hospitals must be aware of as 2013 wraps up and we enter 2014.
Three noteworthy drivers of potential lawsuits against physicians include mobile/smartphones, electronic health records (EHRs) and the emerging trend of prescription drug overdose.
The advent of mobile health care technology and its integration with EHRs raises new issues for patient safety and medical professional liability claims.
Mobile devices are changing the way consumers access their health information. Remote monitoring devices are being used to transmit information. However, the standards of medical care do not change no matter what the medium in which physicians and their patients choose to interact.
Privacy, security and integrity are ethical standards that should be applied to all aspects of a physician's practice. The HIPAA Security Rule establishes a national set of security standards for the confidentiality, integrity, and availability of electronic protected health information.
In deciding whether to use mobile devices, consider how these devices will affect the risks to health information (such as a breach of data to the public), and how to protect and secure health information against data breaches. Conducting a risk analysis will help identify risks and determine what safeguards, policies and procedures are needed. A mobile device risk management strategy should include performing a risk analysis periodically, whenever a new mobile device is introduced, when a device is lost or stolen, or when there is suspicion that health information has been compromised.
A mobile risk management strategy would include:
• Understand how the user plans to use mobile devices and applications
• Identify potential unauthorized access to sensitive data (passed over the network in the clear, stored unencrypted on the device, backed up to an uncontrolled system)
• Assess the impact to the business of lost devices and other threats
• Establish policies and procedures to protect the business: strong passwords, data encryption, antivirus protection
• Implement manageable procedural and technical controls, and monitor their effectiveness
When you use a mobile device in your practice to access an organization’s internal network or system, it is your responsibility to follow that network or system owner’s policies and procedures.
Questions you should be considering when using a mobile device to access an EHR:
• What is the policy of the organization?
• Can I use my personally owned mobile device?
• Is there a Virtual Private Network (VPN) that allows me to access, receive or transmit personal health information securely?
• Is health information backed up to a secure server?
• Who is the organization’s privacy officer and security officer?
• Am I required to enable remote wiping and/or remote disabling of the mobile device?
To further assist you in this area, the U.S. Department of Health and Human Services has provided "Your Mobile Device and Health Information Privacy and Security," tips and information to help protect and secure the health information patients entrust to physicians when using mobile devices, covering:
• Lost mobile device
• Stolen mobile device
• Downloaded virus
• Shared mobile device
• Unsecured Wi-Fi network
Ways physicians can protect the privacy and confidentiality of their patients:
• Use an alphanumeric password
• Use the device’s encryption capabilities
• Enable remote wiping and/or remote disabling
• Disable file sharing applications
• Install a personal firewall
• Regularly update security software
• Verify that mobile applications will perform only functions you approve of before downloading them
• Limit unauthorized users’ access
• Do not send or receive health information when connected to a public Wi-Fi network
• Delete personal health information before discarding or reusing the mobile device
• Delete all information from a rental car’s Bluetooth phone system when returning the vehicle
A breach of confidentiality in any of these ways may pose serious consequences for both the practice and the employee. The patient may have valid cause to bring a breach of confidentiality lawsuit against the practice. In addition, under both state and federal laws, the medical office personnel can be fined, individually, for hundreds of thousands of dollars for a violation of a patient's privacy rights. They may also face jail time.
When a mobile device containing patient information or a patient medical record is stolen, the law requires patient notification if the patient identifying information was unencrypted. Patient identifying information includes a patient's name, Social Security number, passport number, driver's license number, and credit card number or PIN. HIPAA requires that any breach of information, including lost or stolen information, be listed on your log of disclosures.
Failure to notify the patient can lead to the following situations:
• Medical identity theft of your patient's information.
• Loss of your patient's trust.
• Loss of reputation.
Your letter to the patient should include:
• A brief description of what occurred.
• Which branch of law enforcement is involved in the investigation.
• Attempts being made to reconstruct the record.
• Recommendations and phone numbers for reporting and placing fraud alerts on their consumer reports. Several consumer fraud agencies are: Equifax, Experian and TransUnion.
The Office of Civil Rights and the Office of the National Coordinator for Health Information Technology have collaborated to provide tips and information related to the protection and security of health information on mobile devices. Their website offers:
• Printed material, videos and downloadable materials such as posters and staff reminders
• Guidance through the risk assessment process leading to policy development.
In an article titled "Patients trust physicians most to protect personal data," writer Pamela Lewis Dolan states physicians should be prepared for a dramatic increase in the number of patients using mobile devices to monitor and track their health. Mobile devices will become an integrated part of patient treatment plans.
There is a growing demand for patient engagement as health care moves toward shared decision-making. As physicians migrate to EHRs and patient portals, firewalls and antivirus software should be assessed as part of the process. It is also important to establish a system that continually updates and monitors electronic security needs.
Firewalls and antivirus software can help protect your computer system from hackers and viruses; encryption is also important. Correspondence through e-mail or the internet containing protected health information (PHI) sent through common internet providers should be encrypted. Encryption matters because, if encrypted data is stolen, the organization is exempt from fines under HIPAA.
Medical offices considering or already using a cloud-based service for data storage, retrieval and patient access have specific safeguards that need to be addressed in a Business Associate Agreement (BAA).
HIPAA requires that a business associate implement safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of PHI, and ensure that any subcontractor (e.g., cloud service, data line service) engaged by the business associate in this process agrees to implement similar safeguards.
• The business associate must review and modify security measures on an ongoing basis to ensure the continued provision of reasonable and appropriate protection of PHI.
• If a business associate appoints a subcontractor (e.g., data line service, cloud service) to perform a function or service that involves use or disclosure of PHI, the business associate is obligated to enter into a BAA with the subcontractor; the same applies when a subcontractor subcontracts to another.
• If a breach of PHI occurs at the subcontractor stage, the subcontractor must notify the business associate, which then must notify the covered entity (medical office / service). The covered entity must then notify the affected individuals (patients, insurance companies, etc.), unless it has delegated such responsibilities to a business associate.
• Business associates are now separately and directly liable for compliance with and violations of HIPAA privacy, security and breach notification rules. Penalties for HIPAA noncompliance are up to $1.5 million per violation.
In Stage 2 of the meaningful use program physicians are required to engage with their patients. In building a patient engagement strategy the portal should allow:
1. Patient Registration (demographic data) — Office required forms
2. Appointment Functions — Look-up, Request, Confirm
3. Billing Activities — Review Status, Statements, Payments
4. Patient Services — Request refills, Exchange e-messages, Exchange e-visits
5. Patient Records — Access Information, results, referrals
6. Gather Information — Patient and family history, present illness, reporting requirements
Introducing an EHR system into a medical practice enables physicians and their staff to provide more efficient care by making patient information more accessible. It also presents some risk exposure in these areas:
1. Confidentiality of protected patient information (Drug History/HIV/Psychiatric Records)
2. Prescription errors
3. Metadata files save all information
4. Tracking of laboratory and diagnostic testing
5. HIPAA and PHI
An example of how metadata surfaces: a physician receives a request from a patient's attorney for a copy of the EHR. The physician reviews the medical record and finds that a progress note contains inaccurate information. The physician then deletes the visit and retypes the progress note incorporating the now known information. At the lawsuit, the plaintiff produces two versions of the record, showing that it was changed. How? The physician had earlier sent a copy of the original progress note to the specialist the patient was referred to.
Hidden content in your EMR documents can pose serious risks in legal proceedings. All EMR/EHR systems save every keystroke in "background" metadata files. Altering the medical record after signing off is discoverable. The plaintiff's attorney can subpoena the records and gain access to all documents, whether hard copy or electronic, and can use experts to identify discrepancies in the metadata files. Your credibility and/or defensibility may be at risk if changes are not made properly.
Never delete or change the original record. Simply add a new note (addendum) with today’s date/time, and place the new information in this addendum.
When documenting patient encounters, physicians are encouraged to review their notes prior to signing. If there is a need to correct, modify or change the record, identify the note, enter the new data, and/or refer to the specific encounter, if necessary. When you discover an error or need to make a late entry after you have signed the record, create an addendum in the EMR that refers to the specific encounter.
In the hospital setting, the procedure for adding or deleting in the medical record remains the same. Physicians are encouraged to create an addendum, indicating changes. Never alter the medical record, even if the system allows you to do so.
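The correction practice described in the preceding paragraphs (never alter a signed note; add a dated addendum that refers to the encounter) can be modeled as an append-only record with a hash chain. The following Python is an added example, not code from the article or from any EHR product; the `Chart` and `Entry` classes, the encounter id and the sample note text are all constructed for illustration. It shows why the addendum route keeps the chart consistent and why the "delete the visit and retype the note" route is detectable: the original note is left intact, the addendum carries its own timestamp and encounter reference, and an in-place rewrite breaks the integrity check in the same way an expert comparing metadata would find a discrepancy.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone


@dataclass(frozen=True)
class Entry:
    """One signed line in the chart. Entries are immutable once created."""
    seq: int
    kind: str            # "note" (original progress note) or "addendum"
    encounter_id: str    # the visit this entry documents or amends
    author: str
    text: str
    signed_at: str       # ISO-8601 UTC timestamp of signing
    prev_hash: str       # entry_hash of the preceding entry, "" for the first
    entry_hash: str      # SHA-256 over all the fields above


def _hash_fields(seq, kind, encounter_id, author, text, signed_at, prev_hash) -> str:
    payload = json.dumps([seq, kind, encounter_id, author, text, signed_at, prev_hash])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class Chart:
    """Append-only chart for one patient (hypothetical class, for illustration)."""

    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def _append(self, kind: str, encounter_id: str, author: str, text: str,
                signed_at: str | None) -> Entry:
        seq = len(self.entries)
        prev_hash = self.entries[-1].entry_hash if self.entries else ""
        signed_at = signed_at or _now()
        digest = _hash_fields(seq, kind, encounter_id, author, text, signed_at, prev_hash)
        entry = Entry(seq, kind, encounter_id, author, text, signed_at, prev_hash, digest)
        self.entries.append(entry)
        return entry

    def _has_note(self, encounter_id: str) -> bool:
        return any(e.kind == "note" and e.encounter_id == encounter_id for e in self.entries)

    def sign_note(self, encounter_id, author, text, signed_at=None) -> Entry:
        """Sign the original progress note for a visit (one per encounter)."""
        if self._has_note(encounter_id):
            raise ValueError(f"encounter {encounter_id} already has a signed note")
        return self._append("note", encounter_id, author, text, signed_at)

    def add_addendum(self, encounter_id, author, text, signed_at=None) -> Entry:
        """The only sanctioned way to correct a signed note: a new, dated entry
        that refers to the encounter it amends. The original is left intact."""
        if not self._has_note(encounter_id):
            raise KeyError(f"no signed note for encounter {encounter_id}")
        return self._append("addendum", encounter_id, author, text, signed_at)

    def history(self, encounter_id: str) -> list[Entry]:
        """Original note followed by every addendum, in signing order."""
        return [e for e in self.entries if e.encounter_id == encounter_id]

    def verify(self) -> bool:
        """Recompute the hash chain. False means a signed entry was altered,
        removed or reordered after the fact."""
        prev = ""
        for seq, e in enumerate(self.entries):
            if e.seq != seq or e.prev_hash != prev:
                return False
            expected = _hash_fields(seq, e.kind, e.encounter_id, e.author, e.text,
                                    e.signed_at, e.prev_hash)
            if expected != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def edit_in_place(chart: Chart, seq: int, new_text: str) -> None:
    """Simulates the 'delete the visit and retype the note' mistake from the
    article: overwrite a signed entry's text. verify() then fails, which is the
    discrepancy a reviewer comparing copies of the record would find."""
    chart.entries[seq] = replace(chart.entries[seq], text=new_text)


def demo() -> tuple[int, bool, bool]:
    """Returns (entries for the visit, chain intact after addendum, chain intact after in-place edit)."""
    chart = Chart()
    # Constructed sample data: one visit, one signed note.
    chart.sign_note("enc-2013-11-04", "Dr. Example", "Patient reports no allergies.",
                    signed_at="2013-11-04T16:02:00+00:00")
    # Correct way: the original stays; the correction is a dated addendum.
    chart.add_addendum("enc-2013-11-04", "Dr. Example",
                       "Addendum: patient later reported a penicillin allergy.",
                       signed_at="2013-11-20T09:15:00+00:00")
    entries_for_visit = len(chart.history("enc-2013-11-04"))
    intact_after_addendum = chart.verify()
    # Wrong way: silently rewrite the signed note.
    edit_in_place(chart, 0, "Patient reports penicillin allergy.")
    return entries_for_visit, intact_after_addendum, chart.verify()


if __name__ == "__main__":
    print(demo())  # (2, True, False)
```

The addendum path leaves two entries for the visit and the chain verifies; the in-place rewrite leaves the same number of entries but the recomputed hash no longer matches, so the alteration is evident to anyone who holds an earlier copy of the chart, exactly the situation the article describes with the copy sent to the specialist.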
Hospitals have struggled with the demand of physicians wanting to use their mobile devices to access the hospital’s EHR system. Hospitals have made it clear that if their systems can’t be used securely by a mobile phone then no access is granted.
Recent federal data show that drug overdose deaths have increased dramatically, with most fatalities stemming from “prescription” medications. The overdose death rate has more than tripled since 1990. In 2010, 74% of pharmaceutical-related overdoses were unintentional, 17% were suicides and 8% were undetermined.
Questions arise when a patient suffers an injury resulting from a prescribed medication such as whether the medication was needed, whether a proper history and physical examination was conducted, or whether the physician properly documented the encounter. Failure in any of these areas opens the physician to liability.
Nationwide, the U.S. Drug Enforcement Administration (DEA), along with state and local agencies, is aggressively prosecuting individuals who prescribe opioids illegally and those who operate "pill mills." In some cases, doctors, physicians’ assistants, nurse practitioners, medical clinics and pharmacies have been compelled to surrender their federal licenses to dispense controlled substances.
In more serious cases, health care providers have had to forfeit their medical licenses to state medical or pharmacy boards. There have been raids on medical offices and clinics in which law enforcement authorities believe providers are writing excessive or unnecessary prescriptions.
What should you do if a law enforcement officer shows up at your practice?
• Request identification
• Ask to see a written request, demand or subpoena
• You have the right to consult with your legal counsel
What are you doing to prevent prescription drug abuse overall in your practice? What sort of risks are you explaining to your patients about opioids specifically? What are you doing to reduce the use of prescription drugs that are typically abused like opioids? Such efforts would include taking steps to avoid over-prescription of drugs such as opioids.
To keep a close eye on this emerging phenomenon, the following risk management guidance is suggested for doctors who prescribe narcotics:
• Have a policy regarding the number of prescription refills provided before requiring return visits.
• Maintain current medication and prescription refill lists.
• Develop an informed consent on the use of opioid analgesics for the treatment of chronic pain, to include side effects and risks.
• Review the patient’s medication list at each visit.
• Ask the patient to take the medication as instructed, and assess periodically to determine the benefits of opioid therapy and whether the dosage should be adjusted.
• Inform the patient that operating dangerous machinery could put lives in jeopardy.
• Obtain permission to communicate directly with other health care providers.
• Request a Patient Activity Report from the Controlled Substance Utilization Review and Evaluation System, if you suspect that the patient may be obtaining prescription medications from another source.
• Refer patients who are requesting frequent refills of Schedule II through IV narcotics to pain management specialists.
• Discharge a patient from your practice who does not comply with your medical advice regarding medication and refills.
The Substance Abuse and Mental Health Services Administration released its Opioid Overdose Toolkit: Information for Prescribers. This guide offers tips on safe prescribing and preventing opioid overdose. This toolkit is the latest iteration of federal government advice on safe opioid prescribing.
Find out if your practice already closely tracks and adheres to what is recommended by reading this document. If not, you may find some things to incorporate into your assessment and prescribing protocol. If a physician comes under investigation for prescribing practices, they will be way ahead of the curve if they can show concretely that they have followed, and are following, the most advanced recommendations and advice on how to safely prescribe and treat.
The Federation of State Medical Boards (FSMB) represents 70 medical and osteopathic boards. An area in which the FSMB supports its member medical boards is through policy analysis and development. In July 2013, the “Model Policy on the Use of Opioid Analgesics in the Treatment of Chronic Pain” was developed. Nearly 30 states have adopted all or part of the Guidelines/Policy for their own policies on issues pertinent to medical regulation.
The Model Policy reflects progress made in the medical community’s understanding of pain management. It also gives guidance and encourages consistency among state medical boards in addressing trends in medical practice and regulation by:
• Recognizing the inadequate management of pain and barriers to appropriate treatment;
• Emphasizing the dual obligation of government to develop a system that prevents abuse, trafficking and diversion of controlled substances while ensuring their availability for legitimate medical purposes;
• Revising definitions of addiction, chronic pain and physical dependence to reflect current consensus and expertise in the medical community; and
• Updating criteria for evaluating the appropriate management of pain.
State-level prescription monitoring programs are available in most states. They are a powerful tool that clinicians can use to identify prescription-drug shoppers.
The drivers of prescription drug overdose are increased opioid prescribing, specific providers accounting for most of the inappropriate prescribing, and high-risk patients who engage in abuse and drug diversion; combating the epidemic means addressing each of these.
Diana Douglas is vice president of Risk Management & Patient Safety Department at the Cooperative of American Physicians, Inc. (CAP) and has been with CAP for nearly 25 years. She earned a BS in Health Sciences from California State University, a degree in vocational nursing from Los Angeles Trade Technical College and is a Certified Professional in Healthcare Risk Management (CPHRM). Allan Ridings is a Senior Risk Management and Patient Safety Specialist for CAP. Allan has more than 25 years of experience in risk management and health care operations.