Skip to main content

Potential pitfalls: Risk management for the EMR

Published Date
Author Laura Hale Brockway

Issues related to documentation are a leading cause of medical liability suits. This article will cover the documentation pitfalls specifically related to electronic medical records (EMRs) and how to avoid them.

Each year, TMLT risk management representatives visited more than 1,500 physicians to help identify liability exposures and suggest methods to reduce risk. The following list is based on their observations and recommendations to physicians using EMRs.

Implement a strict policy regarding passwords and security. Authorized users of an EMR system are given passwords. The system associates the person who enters that password as the author of the entry in the patient's medical record. It is imperative that passwords only be used by the individuals to whom they were assigned.

Staff members should not have access to the physician level of security because that would allow them to add or alter information as if they were the physician. Staff members should have their own passwords and level of security clearance based on their job functions. Again, avoid sharing passwords simply to make the entry of information easier. (TMLT risk management representatives have visited practices where all clinical staff share the physician's password.)

Not all employees need access to the EMR. Some practices limit access to those in direct patient care. Others may allow non-clinical staff to only view (and not enter or edit) information in the EMR. When an employee who had access leaves the practice, delete his or her password immediately.

Ensure patient encounter records are locked. The information entered into the EMR is likely to be more accurate if done immediately after the visit. The date of dictation or date of transcription should be included. The author of each entry must take specific action to verify that the entry is his or hers and that it is accurate. Once a patient encounter entry is completed, the author should sign it and it should be locked in the system. Not all EMRs are set up to perform this task.

If information needs to be added or comments made after the entry has been locked, the new entry should be clearly identified as an addendum with current date, reference to the date being amended, the reason for the late entry, and electronic signature. Anyone who makes changes and addendums should ensure that they are clearly marked as such. Unclear, after-the-fact entries may be viewed as alterations to the medical record, which can compromise the defense of litigation.

Be aware that templates can import old or inaccurate information. Most EMRs have been designed with templates for patient encounters. While these drop-down menus save time, many physicians are not aware that some EMRs re-populate the same data in the templates for each subsequent visit.

For example, a physician sees a patient who has conjunctivitis and this is noted in the "review of systems" section. At the next visit, if the physician does not edit the "review of systems" section, the conjunctivitis is again noted. It will continue to be picked up from the templates, giving the impression that the treatment plan is not working or that the physician is not editing the record.

Conversely, some programs may be set up so that specific complaints default to "resolved" if the physician or the patient does not renew that complaint on the next visit. Notes should be individualized for each patient encounter, and relevant sections reviewed to avoid importing incorrect, redundant, and irrelevant information.

Make sure physician sign off is clear. Another potential weakness identified in some systems — it is not clear to an outside reviewer that the physician signed the record at the end of the visit. While physician signature could most likely be verified somewhere in the system, the note itself needs to be signed. Initiate an electronic signature when documenting patient encounters.

Additionally, some programs do not allow each clinical staff member making entries to authenticate the entry with a signature or initial. It is recommended that each staff member sign or initial all entries in the medical record or that the EMR "audit trail" be adapted to trace staff entries.

Review orders or emails before signing off with electronic signatures. In conjunction with the previous recommendation, signing an order is an affirmation that the order is correct. Auto-authentication techniques that do not require the author to review the entry should be avoided. Do not "universally" click off on a series of orders or emails without reading them. (A closed claim study involving this issue was published in the July-August 2005issue of the Reporter.)

Enable tracking mechanisms. Most software programs include a tracking system to help ensure that patients have completed recommended tests or consultant referrals. However, risk management representatives have visited practices that are not using these systems or have not discovered them. These tracking systems can minimize exposure to allegations of failure to diagnose and can lead to better patient care. Specifically, they can provide ways to:

  • verify that the patient keeps the appointment or completes the test;
  • confirm receipt of the report;
  • prompt a call to the consultant, imaging center, or lab if a report is not received;
  • make sure the physician reviews the report;
  • communicate the results to the patient;
  • arrange for follow up if necessary; and
  • document all these steps with dates and electronic signatures.

It is strongly recommended that physicians employ these tracking systems. Additionally, if you are planning to purchase an EMR, do not buy one without a tracking system.

Establish a system to appropriately capture paper and other external clinical documents. Optimally, all paper documents should be scanned into the electronic record for easy accessibility. These documents could include paper records used before implementing an EMR, diagnostic test results, consultant reports, hospital reports, or records from other physician offices. Additionally, a process should be implemented to ensure that, once scanned, the paper documents are properly stored or destroyed.

Alternatives exist for practices working with systems that have limited memory or scanning capability. Since some patients' previous medical records can be lengthy (hundreds of pages), physicians can review the records, summarize them, and include that information in the patient's history within the EMR. The original paper records will still be available from the previous physician, if copies are ever required. While scanning a patient's entire paper record into the system is preferred, we recognize that this is not always possible. The important step is to develop a policy for capturing patients' previous medical records and follow it consistently.

Prescriptions are not always captured in the EMR. E-prescribing can be very helpful if it saves the information as part of the patient's medical record. If physicians who use EMRs are not e-prescribing, prescriptions should be captured by scanning the paper prescription into the EMR or fully documenting the name, dose, quantity, instructions, and refill amount. Documenting only the name of the medication does not meet the documentation guidelines set by the Texas Medical Board. The same is true when dispensing sample medications to a patient.

Ensure records are backed up reliably. The HIPAA security rule requires that patient data be backed up to ensure it can be retrieved if a hardware failure or other event occurs. The risk management department has received several calls from physicians whose back-ups failed. One physician lost 600 patient records due to a hardware failure. He had been diligently backing up the data on a regular basis and storing copies off-site. However, when the back-up was set to restore, the data was unavailable. The back-up process that he had been following since the set up of the EMR was not adequately capturing the patient data.

Creating a back-up data set is only the first step. The back-up record must be tested regularly to ensure that all appropriate data are being copied, and that data restoration is possible. Testing should occur for all back-up types, including in-house creation on a removable hard drive or for processes that send the information over the Internet for offsite storage. Even if an EMR vendor is providing offsite back up, physicians are advised to confirm that the data is created appropriately.

Make sure the records are complete when providing printed copies. Many physicians using an EMR do not regularly print a patient record, and they may be unaware that clicking the print button on an EMR does not always provide a complete record. A patient or subsequent treating physician could receive an incomplete record as the result of the EMR printing protocols. If the records request came from an attorney, and that attorney received an incomplete record, this could cause the attorney to accept and file a malpractice claim based on incomplete information.

After printing what one assumes to be a complete record, ask these questions:

  1. Does the record show the electronic signature and date the physician signed the progress notes?
  2. Does the record indicate when entries were made by staff, showing their initials or unique identifier?
  3. Does the record show all lab and consult reports with the physician signature and date indicating timely review?
  4. Does the record show all medications prescribed, refills authorized, and samples given (if relevant)?
  5. Are patient consent forms included in the printed record?
  6. Are patient telephone calls included in the printed record?

In some EMRs, all this information is available on the screen but does not show up on the printed record when the general print button is clicked. It may be necessary to go to phone notes, prescription refills, etc. and print them individually to ensure that they are included in the complete record that was requested. Confirming that a complete record is sent is a prudent risk management practice.

When implementing systems to have a patient's paper records scanned, test the print function to make sure it captures everything from the scanned documents. Items often overlooked include documentation of phone calls or requests for medication refills.