November 20, 2017
9 min read

Best practices for mitigating the risks of EMR eDiscovery

You've successfully added to your alerts. You will receive an email when new content is published.

Click Here to Manage Email Alerts

We were unable to process your request. Please try again later. If you continue to have this issue please contact


Electronic medical record systems (EMRs) are the lifeblood of dialysis facilities; they avoid the gaps in documentation that occur with paper records, enhance consistency, and improve facility efficiency. But they can also create vulnerabilities when it comes to litigation and regulatory investigations. This article will cover the potential risks of EMRs in e-discovery and explain what best practices health care facilities can follow to avoid these risks. It also addresses how to mitigate the challenges of data loss or destruction, improper corrections to medical records, inaccurate data entry, and errors that arise during the use of EMRs, among other issues.


As recently as a decade ago, e-discovery was just a glimmer in the eye of many lawyers pursuing health care-related claims. A request for a patient’s medical records was usually satisfied by finding the proper manila folder and firing up a photocopier or a fax machine. No more.

In 2006, the Federal Rules of Civil Procedure acknowledged the advent of e-discovery for the first time. The amendments to Rules 16, 26, 33, and 34 govern the disclosure and production of relevant electronically stored information in federal courts. For example, Rule 26(a)(1) obliges a party to disclose all electronically stored information in its “possession, custody or control” that it “may use to support its claims or defenses.” Rule 26(f) requires a party to devise a discovery plan for how to produce this data.

On the health care front, the Health Information Technology for Economic and Clinical Health (HITECH) Act passed by Congress in 2009 gave patients the right to receive electronic copies of their protected health information (PHI), including metadata that reveal how their medical provider entered, accessed, and revised their records over time. Two years later, the Centers for Medicare and Medicaid Services (CMS) implemented its Electronic Health Record Incentive Programs to encourage providers to transition away from hard-copy records toward the meaningful use of electronic medical record systems (EMRs).

Providers have enjoyed the benefits of EMRs, using them to standardize care, ensure that patient records are complete, and enforce policies, procedures, and care protocols. However, providers are also beginning to recognize that their use of EMRs may have inadvertently pinned a bullseye squarely on their backs.

EMRs are attractive e-discovery targets in litigation matters, including medical malpractice claims, False Claims Act allegations, and HIPAA-related claims, as well as in regulatory agency investigations. They are a treasure trove of information; providers use EMRs to track patient demographics, symptoms, vital signs, medical diagnoses, treatments, progress notes, medications, immunizations, past medical history, laboratory data, care plans, and the like. EMRs are dynamic, offering more insight into a practice than a static paper record ever could. They illustrate the standard of care, demonstrate consistency (or inconsistency) in treatment and policy application, and reflect patient engagement and interaction.

Unfortunately, though, many of the applications that facilities use to create and store these records are incomplete: they are not designed to manage the rigors of e-discovery, or they may lack critical capabilities and controls to reduce your risk. Providers that choose applications without adequate features to track their data entry unwittingly add legal exposure to their portfolio.

The risks of EMRs and how to solve them

The 2006 change incorporating e-discovery in the procedural rules at the federal court level, which has trickled down to many state courts as well, has created new burdens for health care providers, including dialysis facilities and nephrologists. Among these responsibilities are the duties to ensure that their EMRs correctly identify all potentially relevant data and allow for its preservation and collection. Each stage of this process introduces risks, which are outlined below, along with suggested best practices for addressing them.The problem: Incomplete data

Providers have a responsibility to ensure the integrity and authenticity of their patients’ treatment records. This means that all clinicians must make correct, timely entries to patient records. However, with tightened reimbursements and dwindling staff-to-patient ratios, clinicians face an onerous workload, often making contemporaneous documentation burdensome and inconsistent. Their focus is on treating the patient, so documentation often becomes secondary.

The solution

Robust EMRs should manage the consistent entry of data across the varying levels of experience and training of the clinicians, from the most seasoned dialysis nurse to the newest tech. But to get the maximum value from their systems and to avoid improper corrections to patient records and inaccurate data entry, providers must also implement and enforce standards of documentation for end-user data entry. A great tool is software-mediated workflows, which remind—or require—clinicians to document completely and appropriately.

The  problem:  Untimely recordkeeping

Look to the metadata. Metadata, or “data about data,” are the hidden data attributes underlying medical records, such as who created a record, which users accessed a record and when, and what actions users took with regard to each record. Embedded metadata track each change to every version of a record in the system and identify specific users associated with those changes.

Documenting patient care after the fact can damage the credibility of patient records.

In particular, teams must timely record any adverse events, such as a blood pressure crash, an out-of-range measurement, or a shortened treatment. Patient noncompliance must also be promptly noted, including documentation of the recommended course of action and educational pathway for the patient. Failure to accurately and timely document these circumstances and interventions is tantamount to failing to treat the patient at all in the eyes of the court or surveyor. In addition, the absence of metadata raises the presumption that the record may be inaccurate or has been tampered with, which puts facilities at additional risk. Metadata will reveal whether all of this documentation was timely.

The solution

Every EMR vendor captures different metadata. Make sure you choose a software vendor that collects the full metadata you need to establish the veracity of your patient records. The most effective EMRs record complete audit-trail metadata, which can authenticate records, create a chronological record of events, and reveal any telltale late entries or after-the-fact alterations to records. Some systems have a lockout control that prevents modifying records without an administrator override after a certain period.

The audit trail details the date and time of any changes to the medical record, including the person responsible for making the change. The lack of a log may indicate that the provider did not take appropriate action at the appropriate time. Health care providers should monitor the information in their system closely. Using the audit-trail functionality, providers can track the performance of their practitioners and staff, hold them accountable for late entries or other errors, and improve documentation compliance.

Because metadata reveals untimely documentation, facilities must take steps to enforce timely data entry, such as forced progress notes for a late data entry, correction, or time change. Alerts and dashboards can provide a mechanism to identify outliers that require additional action, but they also can remind facilities—or mandate—where they need documentation and provide the ability to audit whether clinicians have addressed each item.

The problem: Unsynchronized records

Facilities that keep some patient data in paper format, some data in their EMRs, and other data in outside systems run the risk of having asynchronous records. Look at your patient’s medical record. How much of it is in your EMR, and how much of it is stored outside your system? Dialysis facilities often receive documents, such as discharge summaries, vascular access studies, and surgical reports, about their patients from other providers. These documents should be kept with the patient’s medical record, yet the path of least resistance is often to file the hard copies rather than scan them, particularly if the EMR makes it difficult to capture and retrieve the information.

Does the patient’s social worker track notes in a different application? Are the patient’s doctor visits tracked on paper or outside of the system? For facilities using an EMR that is not specific to dialysis, does it address all of your clinical needs? If not, are you tracking information in unintended locations, or is it buried in the medical record that is invisible during treatment? Regardless of where the information is documented and stored, judges or surveyors will assume that everyone is aware of relevant clinical information.

The solution

To reduce risk, the patient record must contain all pertinent patient information. Therefore, the EMR must make it easy for staff members to do the right thing: enter all clinical data in the EMR, including scanning documents from other providers.

The problem: Preserving records

The duty to preserve relevant electronically stored information, including patient records, begins as soon as litigation can be reasonably anticipated. That reasonable anticipation might not occur until a lawsuit or regulatory investigation is filed, but in some cases, it can occur well before the initiation of legal action. For example, if a patient or counsel sends a letter threatening legal action or requests medical records to support a legal claim, a reasonable provider would begin preserving information. Reasonable anticipation of litigation may also occur when a serious patient event occurs. Whenever litigation appears possible, providers have a legal obligation to preserve all potentially relevant evidence.

With EMRs, it can be difficult to preserve the sanctity of the original record, as patient records are continuously evolving. It may also be impractical to recreate a copy of the record as it existed at the relevant time. Furthermore, as technology vendors upgrade their systems, allowing them to capture new information and perform different functions, it may be impossible to replicate information that would have been available in the past. This becomes particularly complex as litigation and investigations can span a number of years, during which many software upgrades might occur. Providers cannot realistically retain old versions of their EMRs so they can print out-of-date versions of their records for litigation.

But providers that lose or destroy data after litigation is reasonably anticipated can face dire consequences. Courts can, and do, punish providers that engage in intentional or negligent spoliation, which is the legal term for the loss, alteration, withholding, or destruction of evidence. Sanctions for spoliation may include payment of the other party’s attorneys’ fees and costs, dismissal of defenses or claims, and jury instructions that damage your defense.

The solution

As soon as you anticipate litigation, issue a litigation hold, which is a document informing all document custodians of the nature of the case and the need to retain all information. Regularly issue reminders about the hold to all affected staff members. In addition, be sure to train all personnel ahead of time on appropriate procedures in the event of litigation or a regulatory investigation, and reinforce that training periodically throughout the pendency of the hold. Any after-the-fact data revisions that staff make to cleanse or bolster records will be evident from the metadata.

The problem: Exporting records for data collection and production

Federal Rule of Civil Procedure 34(b)(2)(E)(i) provides that a party responding to a discovery request for electronically stored information “must produce it in a form or forms in which it is ordinarily maintained or in a reasonably usable form or forms.” Opposing counsel may argue that this provision means they are entitled to access the EMR to review records as they are ordinarily maintained. However, this access is typically not feasible, so parties produce records from the system in one of two forms: hard copy or electronic.

EMRs were designed to facilitate health care, not litigation. Therefore, the formatting of patient records often leads to challenges when it comes to production in either form. Hard-copy printouts of patient records satisfy the Federal Rules of Evidence and are admissible. They are also accurate as of the time of printing, which can be a bonus. However, one-dimensional, static screenshots from EMRs often vary in appearance and content from what providers view on the screen, which may render them unusable. Printing this data manually, screen by screen, can become time consuming and costly, and it eliminates parties’ ability to filter and categorize the data.

Alternatively, providers can export patient records in native format to a flash drive or other portable storage media. This approach is also flawed, though, as the person on the receiving end may not have the software required to review the native data.

The solution

Before providing any data to the opposing party or a government agency, negotiate the format for data production with opposing counsel or the surveyor. Attempt, to the extent possible, to narrow the volume and scope of the production as well. Remember that a clinic with a robust EMR is in the best position to know what data is potentially responsive and should suggest a reasonable discovery plan; the other side may have issued a broad discovery request, subpoena, or civil investigative demand not recognizing the extent or burden of the request.

When selecting an EMR provider, look for one that meets EMR certification requirements for interoperability and one that offers data in a format that can be exported, such as via a Continuity of Care Document (CCD) or, optimally, Consolidated-Clinical Document Architecture (C-CDA) output as defined by the Office of the National Coordinator for Health Information Technology 2015 certification.

CCD and C-CDA formats can be viewed in different EMRs. Also, determine whether you might be able to generate a custom report that will satisfy the production request. The EMR you select should be capable of generating custom reports based on user input.


EMRs create many opportunities to improve dialysis providers’ efficacy and raise the standard of patient care. However, unless providers have a robust EMR that captures all relevant data, generated both internally and externally, and that enforces policies to ensure that accurate, complete, and timely records are kept, they can also create innumerable vulnerabilities that opposing counsel and government agencies can exploit in discovery. To avoid creating liability, providers implementing EMRs must begin with the potential end—e-discovery—in mind.


The author would like to thank Kristin P. Walinski, Esq., for her insights on the intersection of electronic medical records and e-discovery.