E-Discovery is a complex issue that can impact psychiatrists who may encounter civil or criminal matters. Before advising on best practices related to electronic records and electronic communication, such as email and cell phones, e-discovery needs to be defined. To put into lay and not legal terms, e-discovery means that whatever documentation in the electronic health record, in your email system, texts on your cell phone, telephone calls, e-prescriptions, entries into the patient portal (should you use one), or any other means of communication with your patients via electronic systems are discoverable by a plaintiff’s attorney in case of a lawsuit.¹

Consider a non-medical case involving e-discovery: when there was a question regarding communication between an NFL quarterback and the equipment manager on the deflation of a football, the NFL Commissioner sought to obtain the cell phone of the NFL quarterback to view his text messages. What became problematic for the NFL quarterback was when he discarded that cell phone for an upgraded model, the act made the NFL Commissioner think that the quarterback was destroying evidence, also called “spoliation.” Spoliation of evidence is a term often used during the process of discovery.  Spoliation happens when a document or information that is required as part of discovery is destroyed, lost, or altered significantly.  If a psychiatrist negligently or intentionally withholds or destroys relevant information, it may appear that the physician has “something to hide.” A jury is typically instructed that they may assume that the evidence, which was altered or damaged (spoiled), would have damaged the psychiatrist’s case.

The end result of the non-clinical situation, if you recall, was a four-game suspension for that quarterback.

What does this example mean to you? It means that discovery requests for electronic documents raise legal and operational issues that are not typically encountered with requests for paper records. Discovery of electronically stored information (ESI) can be burdensome and expensive.

Electronically Stored Information [ESI]

Electronically stored information is any information created, stored or used with digital technology. This includes, but is not limited to, word-processing files, e-mail and text messages, including attachments, voicemail, information accessed via the internet, including social networking sites, information stored on cell phones, information stored on computers, computer systems, thumb drives, flash drives, CDs, tapes, and other digital media.²

Generally, plaintiff’s attorneys request printed copies of the electronic medical record and copies in “native format.” The native file is the source file – the actual electronic record or file—not a printout or conversion to a different format such as PDF.  For instance, when you create a document in Microsoft’s PowerPoint, the native format is a PPTX file; creating a document in Microsoft Word creates a DOCX file, etc. However, when sending records in the native format, you should be careful to send only copies of the original file to ensure that the record is not altered inadvertently.

Metadata

Plaintiff’s attorneys often request the “metadata,” which is data about data in electronic format. These are audit trails which include individual practitioner log-on and log-off times, what was reviewed and for how long, what changes or additions were made, if any, and when the changes or additions were made. It goes without saying that psychiatrists should never document events before they actually occur. All entries and interactions with any electronic medical record, email, texts, and other electronic communication are both time-tracked and discoverable. It is important to discuss the issue with the attorney representing you during the legal proceeding. However, in general, psychiatrists should only review patient records for patients under their care and treatment. If asked to consult on a patient’s treatment or medications, be sure to document that you are reviewing the record as part of a consultation.

Metadata can be used to authenticate the electronic health record, for example, to verify that an EHR was modified at the time of the office visit and not later. Typically, this should bolster the psychiatrist’s ability to rely upon the electronic medical record when defending against a medical malpractice claim. However, if the record was modified at an inappropriate time, the metadata can raise questions about falsification of records, even in the absence of actual wrongdoing.

You need to be prepared to respond properly and in a timely fashion to discovery requests for business records and patient information, whether in paper format or ESI such as email, word processing, databases, webpages, magnetic and optical disk data, flash drive data, cloud storage, and mobile data. It is best practice to proactively examine ESI, including metadata. Protocols need to be developed to identify, gather, preserve, recover, and produce non-privileged ESI. However, it is important and prudent to obtain advice on what to provide prior to doing so.

BEST PRACTICES

Informed Consent

Ensure that you obtain informed consent for the use of electronic communication, including:

• Emails, texts, and patient portals should not be used for emergent needs but rather for routine communication;
• Communication via emails, texts, and patient portals will be retained as part of the medical record;
• Emails and patient portals should be encrypted; and
• Awareness of the relative risks of using unencrypted email or texts to communicate sensitive information, such as the potential for interception by a third party; having the email read by a person with whom the patient has shared their email login and password; accessing private email on a public computer, such as in a library or on a shared computer at work.³

Electronic Medical Record

Electronic health records (EHRs) have introduced new functionality in the ways that healthcare information is documented, produced, defended, evaluated, and billed. Complete medical records might include a combination of handwritten medical notes scanned as “PDFs” into the patient’s file, information manually or electronically entered directly into the EHR, and data electronically transferred from another electronic system, such as the lab. Psychotherapy notes, however, need to be kept separate in the medical record system with limited and authorized access.

As with paper charts, altering documentation, in an effort to paint yourself in a better light, may be considered fraudulent documentation and may not be covered by your professional liability insurance policy. In addition, the changes are discoverable: all the entries remain in the record, whether the initial documentation or any changes made with the evidence of when the changes were made and who made them. Every change in the electronic health record needs a reason for the change and this should be documented when a change is made.

A “late entry” should not be dated as with the original note or date the patient was seen but rather the actual date and time when the entry was made, which may be the default time and date and should not be changed back. Some systems automatically assign the date to an entry. Others allow authorized users to change the entry date to the date of the visit or service. Some systems allow providers to make undated amendments without noting the change of an original entry. If there is no date and time on the original entry or subsequent amendments, documentation to support services provided may be in question. Additionally, if providers cannot determine the order of events, it can affect the quality of patient care.⁴

To correct an error made in a medical record, do not attempt to delete the original entry. Indicate in the medical record the reason for the correction, such as “entry in wrong chart,” and then make the necessary changes with the identity of the individual making the correction, the date created, and the electronic signature of the individual making the change.

It is hard to defend a case when it is evident that the EHR documentation was revised after the psychiatrist received a claim or suit.

Pop-Up Reminders and Alerts

EHR pop-up notices are intended to help physicians by providing timely reminders and alerts, such as drug-drug contraindications or drug-food interactions. It is critical for psychiatrists to ensure that the reminders are relevant, helpful, and are not distracting. Alerts may have “low” to “high” severity, with most systems using reminders of interactions or problems that may present a true (severe) risk to the patient.

In addition to setting alert sensitivity, some systems allow psychiatrists to enter override alerts, such as “alert not significant” or “patient is already taking drug with no adverse reactions,” which appear for specific patients or under specific circumstances. The key is to filter the alarms so you receive what is significant, read, and document an override. For physicians who have adjusted their EHR settings so that fewer alerts appear, those pop-ups receive greater attention.

Remember that the metadata will show if the clinical decision support alerts and prompts were followed or overridden and if there are notations, why the alerts were overridden.

Email Communication

We all communicate via email on a daily basis. You may also do so within your practice. Email should be used cautiously with copies of the email communication retained with the medical record.

Develop and comply with criteria for email communication, such as scheduling appointments and/or requests for medication refills. Email communication should not be used to provide care and treatment, as you do not know whether it is your patient or someone else on the other end of that email. In addition, if a patient is having an adverse reaction or side effect, you are not able to have a dialog to evaluate the severity.

Establish through informed consent, reviewed and signed by the patient, that email is not to be used in emergent situations, the frequency when email will be checked (such as during business hours), how email should be used and not used, and that the patient is aware that email is subject to hacking. Also, consider an email automatic response that indicates the frequency when email will be checked and if there is an emergency to proceed to the nearest emergency room or call 911.

Text Messages

Use text messages to and from patients sparingly, if at all. Your messages can be read by anyone, forwarded to anyone and become permanent. Often they are unauthenticated or unverified that they have gone to the right person. In fact, there is no guarantee that the information is being sent or received by the patient. Text messages should be used as appointment reminders and/or medication reminders but should not be used to provide care and treatment. No matter how informal the communication may be, texts should be printed off and scanned into the patient’s medical record.

While a text message cannot be encrypted, there are third party vendors that offer “HIPAA-compliant” text messaging services, which address the Person or Entity Authentication and the Transmission Security standards of the Security Rule.⁵

If you are using your personal cell phone, iPad or other personal device, that device may need to be provided to plaintiff’s counsel to track the messages including when and if responses or actions were taken. The risk of personal information being accessible is another reason why personal devices should not be used for professional communication.

Patient Portals

Security and privacy of patient information, especially via electronic means, continue to be top concerns in healthcare, including psychiatry. While you may encourage patient engagement, it is critical that the sharing and transmitting of information online is secure and accessible only by the patient. As noted, informed consent should emphasize the need to protect the patient and that only the individual patient should enter and view information.

Requests for Electronic Communication

Should you receive a request for your electronic communication, notify your professional liability   carrier before releasing any information. Absolutely do not throw away the cell phone or try to remove messages from any of your devices because you may be accused of spoliation. Be aware that messages are retrievable on your electronic systems, including your hard drive, cell phone, email system, or patient portal.

Review the materials requested with your legal counsel. As a rule of thumb, unless the native format and audits are requested, they should not be provided.

Special Considerations for Treating Minors

E-discovery is the responsibility of all parties for the careful handling of a variety of sensitive information, including confidential personal information. With ESI discovery, the responsibilities need to be emphasized because ESI is easily produced and disseminated and unauthorized access or disclosure could compromise the minor patient’s privacy, security, and in certain situations, safety. Reasonable and appropriate measures should be taken to secure ESI against unauthorized access or disclosure for all behavioral health patients, but especially the minor child. State laws vary considerably on the age of consent to behavioral health or substance use treatment. Prior to releasing information to any party, psychiatrists should consider consultation with a legal professional. If there are concerns regarding the potential unauthorized access to the ESI of a minor patient, the psychiatrist, through his legal counsel, should seek a protective order from the court addressing the management of the particular ESI at issue. The psychiatrist, and the party who is producing the ESI, has the responsibility to raise the issue if he/she has any concerns about any ESI discovery.

Conclusion

We live in a digital world with access to multiple electronic devices at our fingertips. Use of electronic communication comes with a caution that everything written, viewed, changed, modified, added, deleted or any other action in the electronic world and especially the electronic record system is discoverable. Additionally, documentation, in any format, should reflect professionalism and concern for patient privacy and security of the patient’s PHI, no matter how informal the communication may appear.

Resources

• American Health Information Management Association. (2013, August). Integrity of the Healthcare Record: Best Practices for EHR Documentation (2013 Update). http://library.ahima.org/ doc?oid=300257
• American Psychiatric Association. Resources: Choosing the Right EHR. https://www.psychiatry.org/psychiatrists/practice/practice-management/health-information-technology/resources-choosing-the-right-ehr
• American Psychiatric Association. Psychiatric News {July 19, 2017). Are Today’s EHR Alerts Putting Clinicians, Patients at Risk? http://psychnews.psychiatryonline.org/doi/full/10.1176/appi.pn.2017.5b23
• American Psychiatric Association. Email and Text Messaging (SMS) https://www.psychiatry.org/psychiatrists/practice/practice-management/hipaa/hipaa-and-hit-primer/e-mail-and-texting
• Health IT website: https://www.healthit.gov/
• U.S. Department of Health and Human Services. (October 16, 2015). 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications; Final Rule (45 C.F.R. §170.210(e)(1)(i), (h); p. 62745). https://www.gpo.gov/fdsys/pkg/FR-2015-10-16/pdf/2015-25597.pdf
• Vigoda, Michael M. E-Record, e-Liability: Addressing Medico-Legal Issues in Electronic Records. Journal of AHIMA 79, 10 (October 2008): 48-52.