Ten years after the EHR-promoting HITECH Act was passed, many EHRs still struggle with functionality, are not user friendly, don’t “talk to each other”, and even malfunction, according to Fortune and Kaiser Health News. Most of the time, these issues merely result in frustration among physicians and staff. The Fortune/Kaiser article makes clear that EHR problems are resulting in outcomes far worse — including patient injury, permanent disability and even death.
Here are a few horror stories that resulted from EHR software either malfunctioning, being improperly configured, or being misused:
- A 47-year-old woman visited her doctor because she was suffering from excruciating headaches. Her doctor ordered a head scan to check for a brain aneurysm through the EHR. The order for the scan never made it to the lab. The doctor didn’t receive any report and didn’t follow up (would you remember?). Two months later, the patient was taken to the ER where a head scan confirmed she had an aneurysm. She died days later.
- A young man was taken by ambulance to a hospital because of debilitating headaches and fever. Doctors theorized he was suffering from meningitis and ordered a lab test to check the spinal fluid for viruses, including herpes encephalitis, through the EHR. The test was not sent to the lab despite the EHR showing that the order was sent. Because of delays, it required multiple days for the positive herpes encephalitis result to reach the EHR and the doctor. The patient is now in litigation claiming that he suffered irreversible brain damage because of the delay.
- A 12-year-old boy got a cut during gym class and contracted sepsis. The boy was given a panel of tests, which included a blood test that would indicate sepsis. ER doctors discharged him after reviewing lab results in the EHR, not realizing that they were incomplete. (The EHR failed to show that some results were still pending.) The boy later died.
- A 13-year-old girl’s severe dairy allergy was entered into an EHR. The EHR failed to alert the physician that the patient was allergic to the prescribed treatment, a milk-containing probiotic. The girl went into “complete respiratory distress” and suffered a collapsed lung.
Some of these cases involve litigation against the EHR vendors. Settlements are possible, but most EHR vendors have air-tight “hold harmless clauses” in their contracts which protect them from liability. In other cases, providers often can’t blame the EHR vendor because some problems are a result of misconfiguration and/or lack of training, which are the provider’s responsibility.
Security Risk Assessment
Many providers think that HIPAA compliance and the HIPAA Security Risk Assessment are a simple technical and/or compliance exercise relating to just patient confidentiality. But the Security Risk Assessment must also evaluate the risks arising from failures in the integrity and availability of the data in the EHR.
A proper, effective Security Risk Assessment will identify and calculate the risks posed by EHR malfunction, misconfiguration and/or lack of training. Providers must then engage in effective risk management to treat these risks. Eagle’s Security Risk Assessment has, for years, accounted for patient safety risks posed by EHRs.
All risk assessment findings should be shared with the organization’s leadership including the owner(s), top management and/or board of directors. Ultimately, these risks must be evaluated and managed at this level.