An Overview of the Risks and Risk Management Advice


Choosing An EHR System

Risk Management Issue: To ensure physicians are able to meet the obligations to maintain records in a confidential and secure manner, physicians need to understand exactly where their EHR data will be stored (during and after the contract period with the vendor), who will have access to the data, and for what purpose.

Risk Management Tips:

  • Ensure the applicable issues addressed above are resolved adequately in the vendor contract.
  • Understand applicable state law requirements for EHRs.
  • Understand the HIPAA regulations, particularly the Security Rule and Privacy Rule.
  • Covered providers under HIPAA should have a Business Associate Agreement with the vendor; noncovered providers should have a similar confidentiality agreement.
  • Understand the specific eligibility requirements for governmental funding assistance under the Recovery Act.
  • Approach “click and agree” online agreements with caution. Make sure you understand what you are agreeing to before accepting the terms by simply a point and click.
  • Seek legal advice to facilitate compliance and for review of contracts with vendors.

Resources To Review Prior To Signing

  • AMA (Home >> Physician Resources >> Solutions Managing Your Practice >> Health Information Technology)
  • APA (Home >> Psychiatric Practice >> Quality Improvement >> Electronic Health Records)
  • AAFP (American Academy of Family Physicians): Center for Health IT at the AAFP
  • AAN (American Academy of Neurology): (Home >> Practice >> Health Information Technology >> Electronic Health Records)
  • The Joint Commission Sentinel Event Alert 42 Safely implementing health information and converging technologies

Operating An EHR System

Risk Management Issues:

  • To gain improvements in clinical care and patient safety, the various technology components have to be used.
  • To be used, the various technology components, such as clinical decision support features, have to be relevant to physicians.
  • The vast amount of metadata created in an EHR could be used against the physician defendant.
  • Information created by an EHR has to be accurate and useful.
  • The confidentiality, security, and integrity of the patients’ electronic records have to be maintained.

Risk Management Tips:

  • Utilize appropriate clinical decision support tools, including alerts, guidelines, tracking, and reminder functions.
  • If you choose to override or ignore an alert or reminder, document briefly the clinical justification.
  • Avoid cutting and pasting.
  • Ensure appropriate, applicable templates; understand the automatic populating features and default language.
  • Ensure appropriate data input and retrieval.
  • Periodically print out a patient record and evaluate for adequacy. Would another clinician (such as a subsequent provider or an expert witness) be able to understand what happened in treatment and why?
  • Understand metadata – and the fact that the user’s every key stroke will be tracked and recorded.
  • Ensure appropriate security protections on hardware (including portable devices) and software; an example is an automatic lock-out after a specified period of inactivity.
  • Ensure compliance with federal and state confidentiality law, including confidentiality agreements with those third parties accessing your EHR.
  • Prevent inappropriate access and disclosure; appropriate employee training is key.