What do you do if you get an administrative or court subpoena to produce “all” medical records on one or more patients? Are you sure that your electronic medical records can even create a true “legal” chart? With everything recorded chronologically? How would you know if something was left out? And if you get an administrative or court subpoena for “all” medical records, what does that mean? What about access logs and metadata? It’s there on the system. Is that part of “all”? These are not just academic questions. Almost everyone has switched to electronic health records now. Also called electronic medical records, of course. These were forced onto the medical community by law. Specifically, the American Recovery and Reinvestment Act of 2009, which stated that all public and private health care providers and other eligible professionals (EP) were required to adopt and demonstrate “meaningful use” of electronic medical records (EMR) by January 1, 2014, in order to maintain their existing payments through Medicaid and Medicare. The definition of “meaningful use” was defined by The Health Information Technology for Economic and Clinical Health Act, abbreviated the HITECH Act, which was enacted under Title XIII of the American Recovery and Reinvestment Act of 2009. In 2008 a survey by DesRoches et al. of 4,484 physicians found that 83 percent of them had no EHR, though 16 percent had bought one that they didn’t use. I was a physician using an EHR in private practice at that time, an early adapter if you will, and I can address the issue of nonuse. I was better off than the average physician. Having a bachelor’s degree in computer science with a certificate in scientific engineering and also serving as an Air Force officer in U.S. Space Command with command and control of nuclear weapons. Needless to say my training helped me type like a madman with fairly good accuracy. No one likes it when you misspell something programming an ICBM. And since early childhood, I have loved computers and technology in general. I wanted my office to look like the bridge of the USS Enterprise. Sadly, that was not easy. These systems were almost universally designed by programmers with little or no input by actual physicians or medical staff. But the software being generated for medical use was not just harder to use than a Strategic Air Command Digital Information Network terminal, but it also failed to carry out its basic function. It did not make a good medical record. I searched through several programs until I found one that had been designed by a former software engineer from India who was now a doctor in the U.S. He had also searched for a good program and, when he couldn’t find one, wrote his own. It was better than anything else I could find but still. It wasn’t perfect. The entire purpose of EHRs was to go paperless, but we quickly realized that instead of keeping one paper chart, we now had to keep two systems, one paper and one digital. When a lab test or drug screen came back on paper, there was no way to integrate them into the chart. Oh, you could make a note saying, “UDS reviewed and…” etc., but where do you put the paper record? What if there was a legal action? Would that note be enough? Or would you need the hard copy? This may seem like an academic question, but I assure you it is not. A decade later, the answer to this question would help destroy my practice. And if you’re not careful, it can destroy yours today. As scanners became faster and computer memories and storage capacities increased, scanning these hard copies into the EHRs database became possible. This makes it much easier to access the records, no more hunting for paper files, but it still left us with the problem of what to do with the hard copy. Do you destroy it? What if your database fails and the backup is incomplete? So the paper records started going into banker’s boxes after scanning and to be stored away. Now, we have three sets of records, paper, scanned database, and digital records. But, as everything was scanned or imported into the electronic record, I was confident that we had a good system. This was not a problem until the state medical board asked me for some records to review. I hit the “print entire chart” button and handed it over. Then my license was suspended. The board said they had no drug screens, signed patient contracts, or prescription monitoring reports. I reviewed the digital records and saw that the notes, “UDS checked and scanned in” and “contract signed and scanned” were in every chart. Obviously, the note itself was not enough. But why didn’t they also get the scanned-in items when the chart was printed? When I finally had a chance to speak to the board, it turned out that the scanned items did not integrate into the digital record when printing the “entire chart.” There was actually no function to do this in the program. That left me scrambling to print every visit and scanned in PDF and hand integrating these together by date into a comprehensive chart. This was done and delivered to the board. I also educated them to the fact that, while they were apparently scanning the PMP reports into the chart, this is actually illegal in our state. You cannot give a patient access to PMP records; scanning it into their chart would give them access when they asked for their medical records. Eventually, after some acrimony, the suspension was lifted. I don’t know how your system works, but you might want to check. But there is another issue to consider. My system used a local server with offsite backup, but some of you probably use cloud-based systems. In 2015, the DEA was caught accessing these databases at the medical records company source, without getting a search warrant. It turns out that the DEA was able to access medical records by using what is called an administrative subpoena. Unlike warrants, there is no showing of probable cause, and they are not signed by a judge. The DEA was also caught having state medical boards ask for records they wanted, then getting access to the records through the boards, avoiding that troublesome old fourth amendment to the constitution. Mari Robinson, the Texas Medical Board executive director, did not deny this in a congressional hearing, saying, “What they [the DEA] do is up to them.” The DEA insists that they don’t need probable cause and can basically go fishing through the databases looking for an excuse to prosecute. According to the ACLU on their FAQ page: “Q: Can the police get my medical information without a warrant? A: Yes. The HIPAA rules provide a wide variety of circumstances under which medical information can be disclosed for law enforcement-related purposes without explicitly requiring a warrant. These circumstances include (1) law enforcement requests for information to identify or locate a suspect, fugitive, witness, or missing person, (2) instances where there has been a crime committed on the premises of the covered entity, and (3) in a medical emergency in connection with a crime. In other words, law enforcement is entitled to your records simply by asserting that you are a suspect or the victim of a crime.” Source
