Risk Pearls: July 2017

By Justin Joy, JD, CIPP
July, 2017

Tempting as it may be, think twice before accessing medical records if you receive a notice of intent to sue or are served with a lawsuit. An electronic health record (EHR) system tracks activities and records the information in metadata—the “data about data”—or in audit logs. This recorded information may include details about the date and time a record was accessed, who accessed it, and in certain circumstances, how long the record was viewed. While this “digital footprint” is largely invisible in day-to-day operations, a lawyer for a patient could have an interest in which records a defendant provider reviewed after learning of a lawsuit, which could then lead to more questions about the reasons the records were viewed. Whether inadvertent or intentional, alteration of a medical record (even to correct an earlier typographical error or misstatement) could have serious negative implications on the defense of a lawsuit. Because there is an obligation of all parties to preserve evidence once they are in reasonable anticipation of litigation, alteration or destruction of a medical record could lead to a claim of attempting to conceal evidence. Such actions can lead to court sanctions and possibly eliminate the protection of statutory damage caps.  The burden of disproving an alteration was intentional could, at best, provide an unpleasant distraction from the defense of an otherwise defensible claim.

The take-away here: A record cannot be altered if it is not accessed. 


Justin Joy, JD, CIPP

About the Author

Justin Joy is an attorney with Lewis, Thomason, King, Krieg & Waldrop, P.C. He has a variety of experience in the area of information privacy and cybersecurity including security incident investigation, security awareness and policy drafting, cyber risk management including insurance policy coverage consultation and breach response management. He also provides counsel  in healthcare liability defense and healthcare compliance matters. As Lewis Thomason's chief privacy officer, Justin promotes an awareness of privacy and security-related issues for the firm. Justin has earned the Certified Information Privacy Professional/United States (CIPP/US) credential through the International Association of Privacy Professionals (IAPP).


The contents of The Sentinel are intended for educational/informational purposes only and do not constitute legal advice. Policyholders are urged to consult with their personal attorney for legal advice, as specific legal requirements may vary from state to state and/or change over time.