Legal consequences abound at every corner in healthcare. Each month this blog discusses examples of what those consequences can be.
In my last post of 2015 I tried to predict what types of challenges health information management (HIM) professionals might have to deal with in 2016 and beyond. One prediction involved technological innovation, as I surmised that we could “expect to see more and more ‘apps’ being offered which create, store, and transmit protected health information (PHI) about an individual to, for example, insurers and healthcare providers.”
That future is already fast approaching on the horizon, as illustrated by two recent articles in FierceHealthcare. The first made note of the “change in how patients interact with their data” that is taking place, and how companies like Apple appear to be “getting in on the health record boom” as mobile health technology continues to evolve. The other described messaging app services for doctors, noting that the addition of encryption abilities for this technology “bodes well for the technology’s future as a healthcare tool and for protecting the privacy of its user base.”
But what issues might these and other apps pose? Let’s consider a few potential issues related to a hypothetical app on a mobile device (smart phone) that allows an individual to record and transmit symptoms to a physician and a hospital with which the physician is associated.
- How do the transmissions “fit” into the electronic health record (EHR) for the individual maintained by the physician and/or the practice group and the hospital? This is not a simple question. I have previously explored the topic in other posts in this blog, including “What do You Mean by ‘Electronic Health Record’” and “Revisiting What Might Constitute the Electronic Health Record.” What happens, for example, if a staff member’s typical practice is to note what he deems important from the transmission in a physical chart and then “discard” the electronic transmission? What is the record? Might the definition of “designated record set” in 45 CFR 164.50(1) set a standard that would be recognized by, for example, accrediting bodies, regulators, and courts?
- Assume that the individual suffers some adverse event and commences litigation. What steps should the physician and the hospital take, if any, to preserve the transmissions, the EHR, or the physical chart once they become aware of the litigation? Who decides when to issue a legal hold notice? When should the notice issue and to whom should it be sent? Who should monitor compliance with the notice? These questions bear on the avoidance of sanctions should any relevant electronically stored information (ESI) be “lost.” See my previous post titled “A Primer on Avoiding Sanctions for the Loss of Electronically Stored Information.”
- How do the transmissions relate to the individual’s duty to preserve? At some point he reasonably contemplated litigation before it was actually commenced. His duty to preserve arose at that point, whenever it was. How does he go about preserving whatever transmissions exist when the duty to preserve arose?
- One final scenario: One of the articles I quoted above spoke of encryption. Let’s work that in to the hypothetical: Assume that the individual transmitted his symptomology on a daily basis but that, until a transmission was made, it was stored on whatever device on which the app had been. Then assume that the individual stopped making any transmissions when he decided that the physician or the hospital had done something wrong. The individual passed away three months after litigation commenced and the executor of his estate continued the litigation. The defendants (the physician and the hospital) demanded production of the stored but un-transmitted symptomology. The executor has the device but, when she tried to access the information that was demanded, she discovered that the content of the device is encrypted. She has no knowledge of the password and the manufacturer says that it cannot “break” the encryption? Now what happens?
These are only a few of the questions that could arise on a recurring basis. Note that I have not even touched issues related to HIPAA compliance, information governance, or production and use of the transmissions during discovery or at trial. Moreover, although this post focuses on the loss of ESI under the Federal Rules of Civil Procedure, most litigation in the United States takes place in state courts—and the States have their own rules about spoliation. These and even more issues might be topics for another day.
The author would like to thank Ken Withers and Kim Reich for their comments.
**Editor’s note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as advice.