Tempting as it may be, think twice before accessing medical records if you receive a notice of intent to sue or are served with a lawsuit. An electronic health record (EHR) system tracks activities and records the information in metadata—the “data about data”—or in audit logs. This recorded information may include details about the date and time a record was accessed, who accessed it, and in certain circumstances, how long the record was viewed. While this “digital footprint” is largely invisible in day-to-day operations, a lawyer for a patient could have an interest in which records a defendant provider reviewed after learning of a lawsuit, which could then lead to more questions about the reasons the records were viewed. Whether inadvertent or intentional, alteration of a medical record (even to correct an earlier typographical error or misstatement) could have serious negative implications on the defense of a lawsuit. Because there is an obligation of all parties to preserve evidence once they are in reasonable anticipation of litigation, alteration or destruction of a medical record could lead to a claim of attempting to conceal evidence. Such actions can lead to court sanctions and possibly eliminate the protection of statutory damage caps. The burden of disproving an alteration was intentional could, at best, provide an unpleasant distraction from the defense of an otherwise defensible claim.
The take-away here: A record cannot be altered if it is not accessed.
Justin Joy is an attorney with Lewis, Thomason, King, Krieg & Waldrop, P.C. He has a variety of experience in the area of information privacy and cybersecurity including security incident investigation, breach response management, security awareness training, HIPAA policy drafting, and cyber risk consulting. He also provides counsel in healthcare liability defense, telemedicine, and healthcare compliance matters. As Lewis Thomason’s chief privacy officer, Justin promotes an awareness of privacy and security-related issues for the firm. Justin has earned the Certified Information Privacy Professional/United States (CIPP/US) and Certified Information Privacy Technologist (CIPT) credentials through the International Association of Privacy Professionals (IAPP).
We're always just an email or phone call away.contact us