Obtaining Direct Access to Another Party’s Electronic Health Record

Legal consequences abound at every corner in healthcare. Each month this blog discusses examples of what those consequences can be.


Every judicial decision is sui generis*; Judges make decisions based on what the parties present, applying governing law to those presentations (and findings of fact made by a judge) to reach a decision. One such decision is Borum v. Smith, No. 17-CV-00017-JHM (W.D. Ky. July 14, 2017).

Borum arose from tragic facts. The plaintiff, the administrator of the estate of a decedent, alleged that the decedent attempted to harm herself at the end of a relationship. After initial treatment elsewhere, the decedent came under the care of the defendant doctor, who was employed by the defendant healthcare provider. The doctor prescribed an antidepressant, then doubled the prescription, and scheduled another visit with the decedent for a year later. Three weeks after her last visit with the doctor the decedent committed suicide. The plaintiff alleged that the defendants (the doctor and the provider) “were negligent in failing to closely monitor [the decedent’s] condition notwithstanding a product warning that the medication could increase the risk of suicide in young adults and therefore close supervision was required.”

Unsurprisingly, the provider used an electronic health record (EHR) system. The plaintiff requested a direct inspection of the decedent’s “medical records in electronic format” on the system. The provider opposed the request, arguing that direct inspection would violate the confidentiality provision of a software licensing agreement. The court rejected that argument, concluding that the confidentiality provision did not restrict discovery and that any confidentiality concerns could be satisfied by a protective order. The court also rejected defense arguments that direct inspection could run afoul of the Computer Fraud and Abuse Act, the Copyright Act, and HIPAA. In short, the court allowed direct inspection.

But the plaintiff wanted more. She wanted to:

  1. Create a “test” patient to explore the functionality of the EHR
  2. Use the EHR during depositions to “explore the physician’s uses and understanding” of the EHR

The court rejected (1), finding that to allow the exploration of a test patient would “create new facts not in existence at the time of [the decedent’s] treatment.” The court also rejected (2), finding that allowing the deposition of the defendant doctor about the EHR system itself would be unduly burdensome. Instead, and in addition to allowing direct inspection, the court ordered the provider to give the plaintiff a printout of a complete audit trail.

Discovery-related decisions are discretionary. The parties could seek review of the rulings made in this instance by a United States magistrate judge, but the standard of review would be abuse of discretion—a difficult burden to meet. With this in mind, what might be the teachings, if any, of Borum? Simply put, there are times when a party might secure direct access to another party’s EHR system. However, any such request should be carefully framed to seek access only to what is relevant and subject to discovery.

*sui generis: unique, of its own kind

 

**Editor’s note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as advice.

Ron Hedges, JD, is a former US Magistrate Judge in the District of New Jersey and is a writer, lecturer, and consultant on topics related to electronic information. He is a Senior Counsel with Dentons US LLC. 

Submit a Comment

Your email address will not be published. Required fields are marked *

Share This

Share This

Share this post with your friends!