
Discovering the Forbidden Secrets of Electronic Medical Records

When it comes to medical records, you never get what you ask for. With rare exception, the hospital (or doctor’s office) will send you an incomplete set of medical records, despite your clear request for the “entire” medical records. And an incomplete set of medical records can be a major problem.

Let’s say you make the bad assumption that the hospital has provided the medical records in their entirety. Throughout discovery, you base your preparation upon an incomplete set of medical records and, unbeknownst to you, there are crucial electronic records that were never disclosed. At trial, you discover for the first time an electronic physician’s order that blames your client for failing to have certain testing performed. Unfortunately, at this point, it’s too late to fix the damage.

You need to demand the electronic medical records in the same digital format as they were created and maintained by the hospital. You will face plenty of pushback from the hospitals and doctors, but this is your statutory right under federal law, and you must insist upon compliance.

Here’s the Notice to Produce that we use for electronic medical records:

Our Notice to Produce for Electronic Medical Records

PLEASE TAKE NOTICE, that the undersigned demands, pursuant to the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”)[1], that the defendant:

#1:      Disclose the metadata that exists in all electronic health records (“EHR”) and/or computer-based medical devices for the patient, Joseph Smith (hereinafter referred to as the “patient”), from October 27, 2014 through November 3, 2014.

The metadata shall be produced in electronic format on a compact disc, or via a file sharing service, e.g., Dropbox.

“Metadata” for the purposes of this demand shall include, but is not limited to, the creation and/or storage and/or amendment and/or alteration and/or change and/or deletion of:

  • medical records,
  • administrative records,
  • radiological and diagnostic studies and reports,
  • logs,
  • laboratory results,
  • billing records,
  • e-mails and/or other correspondence and materials received, sent or maintained electronically, and
  • incident reports, medical literature reviewed, quality assurance and/or mortality and morbidity conference records and complaints.

The metadata, or audit trail, shall include the date and time of EHR access, EHR section/tab/function accessed, user name performing the access, user position/role, computer workstation name or other identification, action(s) performed, and any other metadata stored by the defendant’s EHRs.

#2:      Create and implement a “litigation hold” and implement a retention and preservation plan to preserve and prevent the destruction of all electronic data regarding the patient.

#3:      Identify any and all electronic data regarding the patient herein created and/or saved electronically.

#4:      Identify and disclose the name(s) of any and all computer systems and/or programs and/or databases and/or software and/or storage devices, including the specific version utilized to create and/or store electronic data regarding the patient.

#5:      Identify and disclose any and all computer systems utilized to create and/or store electronic data regarding the patient.

#6:      Produce the user manual(s) for any and all computer systems and/or programs and/or databases and/or software and/or storage devices, including the specific version utilized to create and/or store electronic data regarding the patient.[2]

[1] 45 C.F.R. section 164.524, entitled “Access to Certain Information in Electronic Format”, provides that patients, and their legal representatives, must be given access to their own electronic medical records within 30 days of the request. Patients should be able to see the electronic records in the same format that the healthcare providers see when they are making or accessing the patients’ records.

[2] 45 C.F.R. section 164.316(b)(2)(i), entitled, “Security Standards: Organizational Policies and Procedures and Documentation Requirements” requires that medical facilities have specific policies and procedures for the creation and storage of electronic health records.