Complete list of eDiscovery Questions For Electronic Medical Records

Enigma Forensics are experts in collecting and understanding electronic medical records or the EMR audit trail. Check out this blog to view our list of EMR Discovery Questions.

Electronic Medical Records (EMR) can be tricky! In most cases, during eDiscovery, you get what you ask for and only what you ask for! Every Discovery request involving a healthcare provider has unique aspects that need to be considered.

Enigma Forensics is an established Computer Forensic Expert Witness firm that has been involved in many medical malpractice cases and specializes in interpreting electronic medical records (EMR) audit trail or audit logs. Our staff has extensive experience with numerous EMR applications and can assist you with navigating through the challenges of EMR Audit Trails and/or Audit Logs. Electronic Medical Record a.k.a., EMR audit trail or log is the answer to who knew what when, in essence, it tells the story about what took place during the treatment of that patient.

The following is a list of important questions to file for the demand for eDiscovery for Electronic Medical Records, in a medical malpractice case.

  1. Provide the name of all medical software applications utilized to store [Patient Name]’s Electronic Medical Records (EMR).
  2. For each medical software application that contains [Patient Name]’s EMR, please provide the specific version of the software as well as the name of the company that produces the software during the relevant time period beginning on [beginning date] through the present date.
  3. For each medical software application that contains [Patient Name]’s EMR, please indicate if any of the specified software applications were migrated off to a new platform and what the current status is of [Patient Name]’s EMR on the original system.
  4. For each medical software application that contains [Patient Name]’s EMR, please provide the application administrators that have full access to the stored data and audit trails.
  5. For each medical software application that contains [Patient Name]’s EMR, please provide all user and administrator manuals for each of the medical software applications.
  6. For each application that contains [Health Care Provider Name]’s EMR, please provide the current retention settings for the audit trail for all patient’s EMR. Are the privacy log retention settings sent to a secondary audit log (e.g., Fair Warning)? Is the secondary audit log retention configurable within the systems and/or applications?
  7. For each application that contains [Health Care Provider Name]’s EMR, please provide the earliest date that [Patient Name]’s EMR appears in the application’s audit trail.
  8. Please provide the complete EMR audit trail for [Patient Name] detailing any health care provider’s access, review, modification, printing, faxing, or deletion activities in a comma-delimited format with any and all corresponding native files that may relate to the Electronic Medical Record for [Patient Name] as required by the Health Insurance Portability and Accountability Act § 164.312(a)(1).  Such an audit trail should include the original values and new values for any alteration of the EMR and shall indicate the user making the change and the date and time of the change.
  9. Please provide the data dictionary for each software application containing  [Patient Name]’s EMR.  Such dictionary shall include the username key that maps the real names of individuals to their unique user login account IDs for each medical software application containing any EMR for [Patient Name] as required by the Health Insurance Portability and Accountability Act § 164.312(a)(2)(i). Additionally, any lab test, codes, or other short-form identifiers included in  [Patient Name]’s EMR Chart or EMR audit trail should be provided as part of the data dictionary production.
  10. Please provide any and all original voice transcription recordings that were made by [Health Care Provider Name], or any other staff that related to [Patient Name].
  11. Please provide any other native electronic files or emails that relate to  [Patient Name] in the native format with an index containing the original unmodified metadata for each of the native files or emails produced.
  12. Please provide any DICOM files that were captured as part of [Patient Name]’s treatment by [Health Care Provider].
  13. Please provide electronic records of any outbound faxes and/or other methods of communication that were utilized by [Health Care Provider Name] to [EMR Recipient], in its native form with a corresponding comma file listing containing all available metadata in a delimited format with the corresponding file path to the native file produced for each record.
  14. Please provide the name and title of the person most knowledgeable for the [Health Care Provider Name]’s software/auditing and compliance system. 
  15. What customizations and settings were active at the time when the plaintiff was admitted into the hospital? What privacy-related logging is in place for each such system and/or application? Are privacy log retention settings in place for each such system and/or audit log?

EMR Audit Trails

An electronic medical record (EMR) audit trail is a log file required by HIPAA of all electronic medical record software systems. The EMR audit trail documents all points of access of a patient electronic medical record system including any actions to modify, view, print or amend the record by replacing or adding new data.

Electronic Medical Record (EMR) Audit Trails are key to effective electronic discovery during medical malpractice litigation. Renowned EMR Computer Forensics Expert, Lee Neubecker interviews Insurance Defense Attorney Bill McVisk who usually helps defend hospitals embroiled in medical malpractice litigation. McVisk discusses common areas of confusion during discovery of patient medical records. Neubecker relays some of his past experiences helping plaintiffs uncover important medical records that are often hidden from plaintiffs during discovery. Enigma Forensics has assisted counsel with conducting depositions relating to Electronic Health Records (EHR) and EMR. The two discuss how electronic medical record systems have often made the process of discovery more difficult and confusing to attorneys and litigants.

The transcript of the interview follows:

The transcript of the interview follows:

Lee Neubecker: Hi. I’m here today with Bill McVisk. He’s a patient medical records expert, a litigator. He works with hospitals that are dealing with EMR-related patient medical records and whatnot. I had him on my show today because I want to talk a little bit about electronic medical records. Bill, they said that electronic medical records were going to revolutionize everything and make everything so much better. What’s the reality of what’s happened since we’ve brought about medical records?

Bill McVisk: A lot of EMR has been great. I mean, there’s an ability of doctors to provide records to other people that they couldn’t have done before. There’s the ability, for instance, of a radiologist to look at a film that was taken, and he can be in San Diego, and the patient can be in New York, and it still works. The problems, though, there are some problems. I mean, the biggest problem I see is that anyone who’s ever gone to a doctor’s… the doctors are focused on their computers instead of focusing on the patient. What they’re doing is hitting all sorts of drop-down menus and stuff, and I think we’re losing something from the standpoint of presenting physicians and nurses in malpractice cases. It creates a situation where you don’t really get a sense of exactly what that nurse or doctor is thinking, and so the records just aren’t quite as helpful in medical malpractice cases as they used to be. On the upside, we can read them now, whereas in the past we had to worry about doctors’ handwriting.

Lee Neubecker: Yeah. I know from experience working as a EMR, a patient medical record expert, that discovery can often become challenging. When an attorney is preparing a witness for deposition related to patient medical records, what are some of the things that you look for and care about in that process?

Bill McVisk: Well, the first thing, quite frankly, is to make sure I have the entire record. I can’t tell you how often I’m getting records where I get part of the record, and for some reason, I don’t know if it’s stored on a different server or what, I’m not getting all of the record. I may get all the physician’s part of the record but not the nurse’s part of the record, and obviously, that’s essential. Other problems, like when I’m preparing a witness for a deposition, the big problem is that they’re not used to seeing these records printed out. I mean, in the past, they would look at the chart, it would be exactly the same as the chart they were looking at in the hospital. Now, they are looking at the chart on a computer screen when they’re in the hospital, but when you’re preparing them for a deposition, you’ve got a paper chart, and the paper chart prints out terribly. Every time there’s a slight change of any kind in the record from one minute to the next, the chart prints out the page again and again and again, so there’s all this stuff, and it’s just getting the nurses and the doctors to know where in the chart their entry is going to be makes it a little bit harder.

Lee Neubecker: Yeah. I have experience working with that, and I know that HIPAA requires that every instance of that medical record, pre-editing and post-editing, that that data be preserved and discoverable, but in reality, a lot of the software packages, they only have reports that run the last version, so to get into the true audit trail, you often have to get into the database backend to get access to that information.

Bill McVisk: Well, and I think audit trails are the other aspect of things that makes it a little bit harder in this situation. In the past, we basically, I could give the original medical record to the plaintiff’s attorney to inspect. If somebody had erased something or done something like that, it’d be pretty obvious. I would hopefully know about it before the plaintiff’s attorney would know about it. Then I’d deal with that. But, it may not be obvious now because people can go in, change records, and now, if an audit trail is suddenly showing me, “Oh, my god, somebody was in and did something “to the record,” and it’s two or three weeks after the treatment was over, or, say, two or three hours after a terrible incident occurred, that’s going to make it look concerning. So I think from our standpoint, it’s a matter of making sure healthcare providers are aware of how to do it in a way that isn’t going to look like you’re trying to fake or lie.

Lee Neubecker: And there’s a big difference between accessing a medical record, and editing it.

Bill McVisk: Right.

Lee Neubecker: That’s where sometimes attorneys on both sides become confused about the significance of what’s happening with the patient record.

Bill McVisk: Right. I mean, records get accessed all the time. Maybe it’s to prepare for a deposition. You have to access the record to look at it. Maybe it’s because there’s followup treatment and you need to access the record. That happens all the time, but sometimes, on these audit trails, it’s not always easy. Is this just an access, or is somebody going in and changing something?

Lee Neubecker: And there’s a whole other layer, too. I know from my experience working with many of the packages that the hospitals often use systems that have something known as sticky notes, where they can put comments about a patient. There’s a wide perception that those notes aren’t discoverable. Just because the software doesn’t have a report that will run it, doesn’t mean that if someone like me is coming in, and I get access to the backend database, those comments about the patient and whatnot become apparent. But unfortunately, it’s difficult to get at that data if you don’t know what you’re looking for.

Bill McVisk: And that creates a real problem if you’re defending the hospital, because if I don’t know about these sticky notes in the beginning, first of all, I’m not going to be thinking, “Oh, my goodness.” Then, if you come and discover them, it obviously is going to be, “Oh. I was trying to hide those notes,” or, “The hospital was trying to hide those notes,” which is always the worst thing you can do as a defendant in litigation. And they’re clearly, if there’s something about a patient in those notes, it’s almost never privileged, it is discoverable, and it should be provided immediately.

Lee Neubecker: Also, you know, there’s a tendency I see for the hospitals to try to cover things up. Do you think that there’s some value in bringing in, when you’re defending a hospital, your own forensic expert to dig around and find out what’s really happening?

Bill McVisk: See, I don’t think the hospitals are intentionally trying to cover stuff up. I really don’t think that’s, I’ve almost never seen that happen. There may be, you know, one or two, but in most of these cases, I think the hospitals are trying to find out what the truth is. That being said, the hospital may not be aware that some of these things, because the risk management for the hospital might not be fully aware of all of the situations that are involved in electronic medical records, and yes, at that point, it may be a good idea for me just to have somebody like you go through those records, let me know. Before I produce them to the plaintiff, I would like to know what’s out there.

Lee Neubecker: It would probably be a lot more useful for you to get just a listing of the changes on the record so you’re not looking at the whole document, but maybe here’s a first instance, and then change one, change two, change three, so you can see before text, after text.

Bill McVisk: Sure.

Lee Neubecker: That’s the type of thing that, unfortunately, there’s not canned reports that are in the software that do that. I think that could be by design of the software makers because they don’t want to make it worse for their clients, the hospitals, but it’s certainly possible that it’s just something that was never asked for.

Bill McVisk: That’s quite possible, and I don’t know any of these software makers, but to me, it would be really helpful to know what those are. Of course, that does make it more discoverable, easily discovered by the plaintiff’s attorneys, but on the other hand, I as a defense attorney need to know about it, and if there’s a change that’s improper, I need to know about it right away.

Lee Neubecker: Yeah. What kind of problems can occur when different providers have different EMR systems?

Bill McVisk: Well, that can create problems of a number of ways. Sometimes, the software of one hospital doesn’t communicate with the software of another. There have been situations, for instance, where a physician enters an order for something to happen, and then because of the software problems, it doesn’t get to the provider who’s supposed to do it, and they don’t know that they’re supposed to do it. That creates serious problems for patient care. And similarly, it’s like, if a hospital is discharging a patient to a nursing home, and they want the nursing home to have a certain specific type of care regimen afterward, that can create problems if they don’t communicate well.

Lee Neubecker: Well, thanks a bunch, Bill, for being on the show. I appreciate it.

Bill McVisk: Lee, thanks so much.

Other Medical Related Posts:

Related Links on the Web:

Related Links on the Web:

Computer Forensics in Medical Malpractice

Importance of Computer Forensics in Medical Malpractice Litigation by revealing patient electronic medical records.

Computer Forensics Wins Litigation

Enigma Forensics CEO & President Lee Neubecker interviews James Meyer a personal injury attorney from Ialongo and Meyer. Computer Forensics uncovers answers to important questions such as; what orders may or may not have been entered as a result of that medical test. In this video, Lee and Jim share some of the changes that have ocurred that impact medical malpractice litigation. Tune in to find out how using computer forensics can make or break a case.

The transcript of the video interview follows:

Lee Neubecker: Hi this is Lee Neubecker, I’m here with Jim Meyer from Ialongo and Meyer, and we’re here today talking about patient medical records, specifically electronic medical records. Some of the changes that have happened that impact medical malpractice litigation. So Jim, can you tell me a little bit about EMR and how computer forensics plays a role in cases that you’re litigating, where you’re trying to get a result for your client?

Jim Meyer: Well EMR has changed everything, in regards to medical records. HIPAA is required that the electronic medical records, both be secure and private, that requirement provides that a lot of metadata is collected with every electronic medical record. That metadata itself is very important in… Capturing information about where, when, how and whom, made the medical record, can be crucial in any medical investigation.

Lee Neubecker: Look, can you tell me an example of what type of metadata you might be asking for, and why it would be relevant to the outcome of litigation?

Jim Meyer: Well… The metadata that is most interesting in most cases is, when certain events occurred in a medical record. When a test was ordered, when it was performed, when the results were placed in the patient’s medical record, when the physician saw those results, what orders may or may not have been entered as a result of that medical test. When medication is prescribed, when it’s administered, who administered the medication. Many of these details are now electronically captured, as opposed to being physically noted, as they were in old written medical records. It can make a… Big difference in trying to determine when events occurred in a case.

Lee Neubecker: I know one of the cases I was involved in, I discovered that many of the different default reports that are provided with these medical software packages, don’t necessarily show all available metadata. In fact, what we had to do on one of the cases, we had to work through discovery to try to get the scheme of the database. And then we discovered in once instance that there was something known as a sticky note, that the nurses and physicians could type little comments in, but there was a presumption that would never get printed because it’s not in any of the default reports. So what we actually had to do is find the table that had these notes, and then work to get the data dumped. And as soon as we found that, the case quickly settled, because obviously, the hospitals don’t want everyone knowing what’s going on.

Jim Meyer: That’s a disadvantage that a plaintiff in a case may have. Hospitals often times have entire departments in medical informatics, departments in which they have experts that know the in’s and out’s of the EMR, the metadata collected, often times plaintiffs do not, but they should be aware of the fact that that metadata exists. Extracting it from the record is often times… It is a need for an expert at computer forensics, expert, an IT expert. But it’s important that plaintiffs, and all attorneys, defense attorneys and plaintiffs attorneys realize that that information exists as metadata in these records, it can be obtained. We take great deal of effort to obtain it, but it’s there.

Lee Neubecker: And Jim and I co-authored a paper along with another attorney that appeared in the Illinois State Bar Association on EMR patient medical records, the audit trail and other things impacting HIPPAA and medical malpractice regulations. We’ll put that up here too so that you check that out. Anything else you’d like to add about your practice, Jim?

Jim Meyer: No, we’re happy practicing attorneys in Chicago, Illinois. I would recommend any attorney who is involved in any issue similar to this, to take a look at the article that Lee was kind enough to co-author with me and John Tomes, it really is a lot of information. Detailed information that attorney’s should know.

Lee Neubecker: Great, thank you.

Jim Meyer: You’re welcome.

To Learn More about Computer Forensics and Patient Electronic Medial Records

Read the Illinois State Bar Article co-authored by the interviewed subjects on Patient Medical Records.

Patient Medical Records: Metadata as Evidence in Litigation

ELECTRONIC MEDICAL RECORDS:

Metadata As Evidence in Litigation

By James G. Meyer* Jonathan P. Tomes** and Lee Neubecker***
As published: Vol. 101 #8, August 2013. Copyright by the Illinois State Bar Association www.isba.org

Doctor and hospital records are changing. The paper medical records that we have been familiar with, along with the rest of the “written” world, are becoming electronic —that is, written, maintained, and retrieved as digital data.

Because of many emerging “after entry” benefits, federal and state governments, insurance companies, and medical institutions are heavily promoting the adoption of Electronic Medical Records (“EMR”).[1] For example, the HITECH Act (American Recovery and Reinvestment Act of 2009[2]) includes both incentives and penalties in its calculations to encourage adoption of electronic records, versus continued use of paper records. The Act allows benefits of up to $44K per physician under Medicare or up to $65K over six years under Medicaid for adoption of electronic records. Additionally, Congress decreased Medicare/Medicaid reimbursements to doctors who fail to use electronic medical records by 2015 for covered patients.

This change in medical record keeping and changes in the laws and regulations associated with electronic medical record keeping are creating significant changes in what and how information may become evidence in litigation.

Attorneys who deal with medical records in any type of litigation should be aware of the changes in the following areas:

I. Electronic Medical Records and HIPAA

II. PHI as Electronically Stored Information

III. What is Discoverable: Metadata and Computer Forensics

IV. A Word about Encryption

V. Discoverability and Admissibility of Electronic Medical Records and Metadata

I. ELECTRONIC MEDICAL RECORDS AND HIPAA

Before the advent of electronic medical records, The Illinois Administrative Code itemized the minimum requirements for the content, management, and administration of medical records.[3]

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)[4] sets out a comprehensive set of rules, safeguards, and definitions that are, effectively, applicable to most health care providers that use computers and electronic storage devices to store or transmit patient medical records. Excepted from the statute are institutions that do not transmit billing transmissions to and from Medicare/Medicaid or other health plans, an uncommon circumstance. With the HITECH Act’s incentives to use electronic health records, more and more providers will do so.

What we have understood to be doctor and hospital medical records, HIPAA defines more comprehensively as health information: “any information, whether oral or recorded in any form or medium, that:

i. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

ii. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”[5]

Under HIPAA, Protected Health Information(“PHI’) is “individually identifiable health information” that is:

i. Transmitted by electronic media;

ii. Maintained in electronic media; or

iii. Transmitted or maintained in any other form or medium.”[6]

II. PHI AS ELECTRONICALLY STORED INFORMATION

To understand where and how EMR systems “transmit” and “maintain” PHI, it is helpful to use the terminology of computer experts. From their viewpoint, HIPAA’s PHI is Electronically Stored Information (“ESI”).

ESI is data stored, processed, retrieved or transferred by “Electronic Storage Devices.”[7] Electronic Storage Devices – a subclass of Electronic Media – are commonly known as diskettes, Flash Drives and CD/DVD Disk media. Both Electronic Storage Devices and Electronic Media are capable of containing ESI (thus PHI).

Electronic Storage Devices capable of storing ESI can be classified into two main categories – Non-Volatile Electronic Storage Devices and Volatile Electronic Storage Devices.

Non-Volatile Electronic Storage Devices store data on a more or less permanent basis, but can often be deleted or destroyed. These can be grouped into several categories – Primary Storage Devices, Secondary Storage Devices, Offline Backup/Archival, and “In the Cloud.” Examples of each are:

Primary Storage Devices

(1) Hard Disk Drives

(2) Disk Media

(3) ROM / PROM / EPROM

(4) Solid State Drives (Flash Storage)

(5) SIM Cards

(6) Multi Media Cards (SD, SDHC, SDXC, SDIO, and Others)

(7) Smart Cards, Chip Cards or Integrated Circuit Card

(8) Paper Based Storage (Punch Cards, Bar Codes, Scantron)

Secondary Storage Devices

(1) USB Thumb Drives / Flash Drives

(2) External Hard Disk Drives

(3) Disk Media (Floppy Disk, CD, DVD, Blue Ray)

(4) Radio-Frequency Identification (RFID) Tags

Offline Backup / Archival

(1) Magnetic Tape

(2) Disk Media (Floppy / CD / DVD / Blue Ray)

(3) Bar Code Paper Records

(4) CD / DVD Disk Media

In the Cloud (Utilizes all types of Storage)[8]

Volatile[9] Electronic Storage Devices retain a good deal of ESI for a discrete period of time, e.g. until such time that the Volatile source loses power. The RAM in a computer is an example of Volatile Electronic Storage Devices.

ESI may be transmitted between Electronic Storage Device sources via the internet, extranets, infrared, radio, Wi-Fi, Satellite, Cable, Broadband, cellular, leased lines, barcode, dial-up telephone lines, private networks, connected external devices, and devices that are physically moved from one location to another using magnetic tape, disc, or compact disc media.[10]

A patient’s PHI maintained in any of these Electronic Storage Devices or transmitted by any of these means of electronic transmission are potential sources of discoverable information. Smart phones and PDAs are increasingly used in association with electronic health data. Industry sources estimate that “in 2010, more that 50 percent of physicians were using smartphones or PDAs on a regular basis in clinical decision making.”[11] As an indication of how important mobile devices have become in healthcare, the Healthcare Information and Management Systems Society (“HIMSS”), a leading non-profit industry group, has formed a separate entity, mHIMSS, to focus exclusively on the use of mobile and wireless technologies in healthcare.[12]

III. WHAT IS DISCOVERABLE: METADATA AND COMPUTER FORENSICS

The Department of Health and Human Services (“DHHS”) regulations implementing HIPAA govern PHI with both a Privacy Rule[13] and a Security Rule[14]. As their names imply, the rules require adoption of enumerated standards and safeguards so that covered entities protect a patient’s electronic (and paper) medical records from unauthorized access,[15] tampering, or destruction[16].

Attorneys that have been involved with medical records in litigation since the enactment of HIPAA and the implementation of the DHHS regulations are generally aware that the Privacy Rule enumerates the ways to obtain PHI from health care providers during discovery by the use of written authorization or subpoena.[17]

In addition to delineating how to obtain PHI, HIPAA’s Privacy Rule also requires that covered entities have procedures in place to give individuals an accurate accounting of disclosures of their PHI in cases in which an accounting is required.[18]

HIPAA’s Security Rule requires that a covered entity “ensure the confidentiality, integrity and availability of all electronic PHI the covered entity creates, receives, maintains or transmits”.[19] The standard specifically defines “confidentiality” as “the property that data or information is not made available or disclosed to unauthorized persons or processes” and “integrity” as “the property that data or information have not been altered or destroyed in an unauthorized manner.”[20]

In order to implement the Privacy and Security Rules, HIPAA requires covered entities to use “audit controls,” such as “hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information”[21] and to “implement procedures to regularly review records of information system activity, such as audit logs, access reports and security tracking reports.”[22] The Metadata generated by these audit control systems, about the access and use of a patient’s records and the use and operation of the computer device maintaining or transmitting the records, is typically not part of the formal medical record. But it can often be a gold-mine of important information that would not otherwise be obtainable in discovery.[23]

For example, Metadata in the form of an audit log or audit trail may be helpful with faulty or incomplete memories. An audit trail is a record of who, when, where, how and sometimes why a person used a computer program or accessed a patient’s medical record. Typically, the identity of the user who accesses the patient’s record, the time of access, the terminal or device used for access, the action taken by the user (i.e., viewing the record, changing the record), and the substance of anything added to the record and any changes or corrections made by the user are recorded in the Metadata which can be reproduced in the form of an audit trail or log. In a case known to the authors, a hospital audit trail produced during discovery, showing the “terminal identifier” for an EMR entry (the unique number assigned to each computer terminal in the EMR system) resulted in a nurse changing her testimony when it disclosed she was using a computer terminal in another part of the hospital, and was not with the patient, as she had testified.

Metadata, such as in an audit trail, is captured automatically by the EMR system. As a result, the audit trail should correspond, entry by entry, to the patient’s medical chart or record. If an entry in the audit trail shows data was added, changed or deleted, a corresponding entry should appear in the patient’s chart, and vice versa.

Metadata found in a forensic image of a medical record may be more helpful. A “forensic image” is not simply a copy of the electronic record; it is a bit-for-bit copy of all sectors of the media involved and must be done properly.[24] In a case known to the authors, the analysis of the Metadata on a video disk of a surgical procedure produced during discovery showed that the several of the video clip files in the series of video files that were generated during the procedure were deleted, with the remaining video clips renumbered in an apparent attempt to conceal what transpired during the missing video clips. An analysis of the DICOM video clip embedded Metadata within the contents of each of the DICOM video files revealed the original clip sequence numbers were different for the last few video clips. The file Metadata compared to the DICOM video clip embedded Metadata implied an intentional manipulation of the data in order to alter the events that actually occurred.

IV. A WORD ABOUT DATA ENCRYPTION

Data encryption does not ensure the confidentiality or integrity of PHI. HIPAA’s data encryption standards allow health care providers, health insurance companies and business associates who transmit, store or access protected health information in electronic form to utilize a standardized level of data encryption when encryption is reasonable and appropriate. The Advanced Encryption Standard (AES) is an Federal Information Processing Standards (FIPS) approved cryptographic algorithm used to protect electronic data and is quite prevalent in the healthcare industry to secure data-at-rest, data-in-motion and data-in-transit.[25]

PHI data is vulnerable when actively used and stored in volatile memory. Much of a patient’s information is stored unencrypted in volatile memory when a computer device is actively working with a patient’s record or following the access of a patient’s record until such time that the data is discarded automatically or the computer device shuts off. Anyone with physical or network access to the device or a strong hacker skill set would have a reasonable opportunity to capture the non-encrypted information stored in volatile memory.

Another vulnerable area of risk is when PHI is in transit without the appropriate encryption safeguards. Encrypted ESI using today’s standards is unlikely to be compromised while in a data-at-rest, data-in-motion and data-in-transit state. But, ESI containing PHI is unencrypted at the point of service on a portable or fixed computing device. These devices are sometimes not properly secured with the appropriate physical and network security protections required, providing an opportunity to manipulate the unencrypted data.

V. Discoverability and Admissibility of Electronic Medical Records and Metadata

Illinois Supreme Court Rules make electronic data discoverable. Under Rule 201, “General Discovery Provisions,” discoverable “documents” include “all retrievable information in computer storage.”[26] Rule 214, “Discovery of Documents, Objects, and Tangible Things,” specifically requires production of “all retrievable information in computer storage in printed form.”[27]

Medical records have long been admissible as an exception to the hearsay rule. Before adoption of the Illinois Rules of Evidence (effective January 1, 2011), Illinois Supreme Court Rule 236(b), as amended in 1992, was generally accepted as permitting the admission into evidence of medical and hospital treatment records, in written or computer form, as business records. That rule is silent, however, as to computer generated “data” or “data compilations.” Any confusion in that regard seems resolved in the new Rules of Evidence.

In the first instance, much of the Metadata recorded in an electronic medical record may not be hearsay at all. Rule 801 defines a hearsay “statement” as the oral or written assertion or conduct of a “person.”[28] Automatically imprinted Metadata, is not the assertion or conduct of a person. See, People v. Holowko, 486 N.E.2d 877, 109 Ill. 187 (1985) (recognizing the difference between computer stored information, which may be hearsay, and computer generated information, which is not hearsay). Recorded Metatdata in an EMR system is similar to images recorded on surveillance cameras, which are not hearsay. People v. Tharpe-Williams, 676 N.E. 2d 717, 286 Ill. App. 3d 605 (1997). Because Metadata involves no human input in its creation, other than the actions taken by the user in creating or manipulating the file or record referenced by the Metadata, it is non-hearsay evidence.[29]

To the extent that Metadata does include human input, the new rules provide a hearsay exception for “a memorandum, report, record, or data compilation, in any form, of acts, events, conditions, opinions, or diagnoses” kept as part of a regularly conducted business activity.[30] In addition, the new rules make “writings” and “recordings,” defined to include “numbers . . . set down by . . . magnetic impulse, mechanical or electronic recording, or other form of data compilation,”[31] admissible as “duplicates”[32] or when offered “in the form of a chart, summary, or calculation.”[33]

Although Illinois decisions on the admission of electronic data are not as common as cases in the federal courts, Illinois cases predating the new rules have approved its admission. See, for example, Bachman v. General Motors, 776 N.E.2d 262, 332 Ill.App.3d 760, 267 Ill. Dec. 125 (2002), (approving admission of data retrieved from an automobile crash sensor in a personal injury case).

CONCLUSION

Medical records are in a state of transition from paper records to electronic data. Being aware of the changes to HIPAA, the HITECH Act, the DHHS Privacy Rule and Security Rule, and the capabilities of computer forensics, are necessary in dealing with electronic medical records as evidence.

*James G. Meyer is an attorney who practices in the law firm of Ialongo & Meyer in Chicago.

**Jonathan P. Tomes is an attorney admitted in Illinois, Missouri, Kansas, and Oklahoma who practices in the law firm of Tomes & Dvorak, Chartered, in Overland Park, Kansas, and consults around the country on HIPAA and the HITECH Act. He has also served as an expert witness on HIPAA, medical records, and the Federal Tort Claims Act in cases in Illinois, Washington, DC, and Colorado.

***Lee Neubecker is a computer forensics expert and the principal of Enigma Forensics, a Chicago based computer forensics & expert witness consulting firm.

Notes

[1] We mean “EMR” to include Electronic Medical Records (digital information created, gathered, managed and consulted by clinicians and staff within one health care organization), Electronic Health Records (“EHR”) (digital information that may be operated by clinicians and staff across more than one healthcare organization – sometimes referred to as “interoperability”) and Personal Health Records (“PHR”) (digital information that can be accessed and created by patients themselves). See, http://www.healthit.gov/providers-professionals/faqs/what-difference-between-personal-health-record-electronic-health-record

[2] U.S. Department of Health and Human Services Centers for Medicare & Medicaid Services, 42 C.F.R. Parts 412, 413, 422, et seq., Medicare and Medicaid Programs; Electronic Health Records Incentive Program; Final Rule; Title XIII of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health Act, Subtitle A, Part 2, Subtitle C (hereinafter “HITECH Act”).

[3] 77 Ill. Admin. Code § 250.1510(b)(2).

[4] Public Law 104-191, 110 Stat. 1396 (1996).

[5] 45 C.F.R. §160.103.

[6] Id. (Note that PHI may also consist of paper records and oral communications).

[7] storage media

[8] The National Institute of Standards and Technology (“NIST”) of the U.S. Department of Commerce has defined cloud computing as follows:

Cloud computing has been defined by NIST as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.

Peter Mell, Tim Grance, The NIST Definition of Cloud Computing, Version 15, October 7, 2009 at http://csrc.nist.gov/groups/SNS/cloud-computing. More and more large health care providers are hiring outside hosts to maintain their electronic health records “in the cloud,” using large companies like Google, Microsoft, or Amazon or smaller companies that provide hosting only for medical records.

[9] http://en.wikipedia.org/wiki/Volatile_storage

[10] Id.

[11] Putzer, J. MD, Park, Y, Are Physicians Likely to Adopt Emerging Mobile Technologies? Attitudes and Innovation Factors Affecting Smartphone Use in the Southeastern United States, Perspectives in Health Information Management, Spring 2012. p. 2, at http://www.perspectives.ahima.org/attachments/article/241/ArePhysiciansLikelyTo AdoptEmergingMobileTechnologies_final.pdf (last visited January 14, 2013).

[12] http://www.mhimss.org/about-us (last visited February 25, 2013).

[13] 45 CFR §164.500, Subpart E, Privacy of Individually Identifiable Health Information. (The Privacy Rule applies to both paper and electronic medical records.)

[14] 45 CFR §164.302, Subpart C, Security Standards for Protection of Electronic Protected Health Information.

[15] 45 CFR §164.502 Uses and disclosures of protected health information: general rules.

“(a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.”

[16] 45 CFR §164.306 Security standards: general rules.

“(a) General requirements. Covered entities must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information he covered entity creates, receives, maintains, or transmits.”

[17] See generally, 45 CFR §§ 164.506, 164.508, 164.510, 164.512.

[18] 45 C.F.R. § 164.528.

[19] 45 CFR §164.306(a)(1).

[20] 45 CFR §164.304.

[21] 45 C.F.R. § 164.312 (b) Standard: Audit controls.

[22] 45 C.F.R. § 164.308(a)(1)(D).

[23] See Thomas R. McLean, EMR Metadata Use and E-Discovery, 18 Ann. Of Health Law 75 (2009).

[24] hard drive imaging

[25] http://www.hipaacompliancejournal.com/2011/03/knowing-about-advanced-encryption-standard-aes/

[26] Ill. Sup. Ct. Rule 201 (b)(1).

[27] Ill. Sup. Ct. Rule 214. The Committee Comments to Rule 214 further clarify. “The first paragraph has also been amended to require a party to include in that party’s production response all responsive information in computer storage in printed form. This change is intended to prevent parties producing information from computer storage or computer discs or in any other manner that tends to frustrate the party requesting discovery from being able to access the information produced. Rule 201(b) has also been amended to include in the definition of ‘documents’ all retrievable information in computer storage, so that there can be no question but that a producing party must search its computer storage when responding to a request to produce documents pursuant to this rule.”

[28] Illinois Rule of Evidence 801(a).

[29] See generally, The Sedona Conference Commentary on ESI Evidence & Admissibility 10 (2008).

[30] Illinois Rule of Evidence 803(6) “Records of Regularly Conducted Activity.”

[31] Illinois Rule of Evidence 1001.

[32] Illinois Rule of Evidence 1003.

[33] Illinois Rule of Evidence 1006.

Reprinted with permission of the Illinois Bar Journal,

Vol. 101 #8, August 2013. Copyright by the Illinois State Bar Association www.isba.org

Related Electronic Medical Records Posts: