September 14, 2009

Electronic Medical Records in Clinical and Forensic Practice: A New Pandora’s Box?

By Jonathan A. Dudek, Ph.D.

In August, 2009, the U.S. Government announced that $1.2 million in grants would be provided to help hospitals and healthcare providers implement and use electronic medical records (EMRs), to include a system to facilitate the exchange of this information. The benefits of this technology have been well outlined in previous blog entries, such as permitting immediate access to records during a crisis, empowering the patient, and allowing family members to both monitor and assist with a loved one’s medical care. However, the use of EMRs raises a host of clinical, legal, human capital, and even criminal justice issues warranting thoughtful attention and caution.

In medical and psychological practice, there is a morass of applicable federal and state laws governing various aspects of personal health information, such as the Health Insurance Portability and Accountability Act (HIPAA; addressing the disclosure, protection, and electronic transaction of confidential patient information), the Americans with Disabilities Act (ADA; prohibiting discrimination against persons with disabilities with respect to employment practices), and state laws regarding confidentiality and doctor-patient privilege and exceptions thereof. In the latter regard, physicians, licensed psychologists, and other healthcare professionals are bound ethically and legally to keep a patient's healthcare information confidential, although there are exceptions (e.g., when obtaining insurance reimbursement or when there is a duty to protect a third party threatened by a patient). In a legal context, the patient holds the so-called privilege (his or her right to prevent the clinician from disclosing this information in legal proceedings). Healthcare personnel will, in most cases, release confidential healthcare information only with the patient’s written consent. A critical question is who actually “owns” the information contained in EMRs. Is it the patient, their healthcare provider, their insurance company, the owner of the information management system, or some combination of these? How does this impact the laws governing confidentiality and privilege?

With respect to psychological records, licensed psychologists are required to maintain records in accordance with federal and state laws and professional ethics. They are also ethically and legally bound to protect proprietary psychological test information. Such testing data, when shared, is typically provided to another professional who is trained to understand and interpret the information. Providing such information directly to a patient, examinee, or defendant may be clinically (as well as ethically and legally) contraindicated because this data could be easily misinterpreted and even traumatic. Some specific personal healthcare information (e.g., HIV status and alcohol and drug abuse treatment information) may have special protection under state and/or federal statutes. How will such data be safeguarded electronically, to include accommodating variations among state laws with respect to releasing this information? Will patients have complete access to their medical records in this regard? Who is liable if proprietary information becomes part of an EMR? How will the use of EMRs impact psychologists' tangible record-keeping requirements?

Clearly, as has been observed, safeguards must be in place to protect information contained in EMRs, but the presence of confidential, personal data in an accessible, electronic format, in-and-of-itself, seems problematic. With such global transparency, who has access to this data (e.g., in a medical office, insurance company, data management center, etc.)? Are there different levels of access? Who makes these decisions? There is always the potential for unauthorized access to EMRs, to include identity theft, sabotage, and other forms of cybercrime, such as cyberextortion (e.g., threatening to release embarrassing patient information unless a ransom is paid). There is also an increased potential for external and internal healthcare fraud. An internal case of fraud would involve, for instance, an insurance company employee fabricating and/or altering claim information so that it is paid for personal gain, for a friend or relative filing the claim, etc. An external case of fraud would involve direct collaboration with a medical provider on the "outside," altering claims (e.g., making inappropriate claims appear legitimate, embellishing a claim to increase the amount paid by the insurance company, etc.) for illicit profit.

The use of electronic medical records further raises a host of legal and psycholegal questions. For instance, when processing a "first report of injury," an insurance company may scan a medical document after which it is codified into an electronic format. Employees then examine the scanned document, extract relevant data germane to the claim, and enter this information into an electronic record. There may be restrictions on the number of characters allowed in any given data entry field, so, inevitably, the data is summarized, shortened, etc. As such, the original information is modified while other important information may be omitted. From a legal standpoint, this altering of the original document as well as the potential for error in extrapolating information creates a real potential for hearsay (in this case, written statements created by a party outside of a court of law or other legal jurisdiction who is therefore not present in the respective legal setting to make these assertions under oath while also being subjected to cross-examination). Hearsay is generally excluded as evidence in U.S. courts, although there are exceptions (see the Federal Rules of Evidence).

In forensic psychological work, the "Devil's often in the details," and the use of EMRs has implications in this regard. During a recent pre-employment evaluation for a police department client, pursuant to a signed release of information from the examinee, I obtained a set of electronic medical records for review. The printed documents were extremely choppy to read to the point of being almost useless. Extraneous and "canned" data fields and descriptions were provided, making interpretation difficult along with the real possibility of drawing invalid conclusions. In essence, one may be creating hearsay from hearsay. In a courtroom setting, these mistakes would inevitably be drawn out during cross-examination. In such instances, forensic examiners might extract data they could understand and incorporate ethically while being at risk for omitting useful or even critical data. The latter problem is confounded given the time constraints inherent in such evaluations as well as the real difficulty of pursuing due diligence with an out-of-state medical facility (e.g., tracking down the actual provider who entered the data into the electronic record). Recently, a physician informed me about the negative impact of electronic medical records on her busy practice, having to now peruse volumes of irrelevant and poorly organized medical data (again, attributable to the software utilized) to find the same information that was better organized, more clearly written, and more easily retrieved in a written file. She now wastes considerable time reviewing charts. Clearly, such limitations could impact a provider's overall time spent with patients, increase stress, and, most significantly, increase the likelihood of error (e.g., missing critical information during a chart review). Given the sensitive nature of the stored data and the numerous, aforementioned concerns, EMR software producers should be expected, if not required, to maintain the highest quality standards.

The introduction of electronic medical records also impacts the "human side" of medical practice. My internist's medical group recently made the switch, and during appointments I have noted multiple effects of concern. First of all, errors and omissions were made in my EMR during the conversion from printed records to electronic format. Had I not noticed these while being interviewed by a nurse, it is questionable whether or not they ever would have been rectified. More significant has been the negative impact on the doctor-patient relationship. Nurses and physicians alike now tote laptop computers and, understandably, are preoccupied with the accuracy of data entry and asking mandated prompts, resulting in an awkward conversation while looking at the machine. My physician - a wonderful, empathic person embodying the best qualities of the profession - now seems circumscribed by the dictates of computer software. In making the switch to EMR, the programmers have introduced an elephant into the examining room. Losing the critical bond between doctor and patient because of this new technology would be a travesty; the challenge lies in modifying the technology and/or its application so as to preserve this relationship. To maintain the status quo would seemingly continue a sea change toward McMedicine.

In summary, despite the best of intentions, the creation of electronic medical records has inadvertently opened a new Pandora's Box. The introduction of EMRs impacts the doctor-patient relationship; raises significant questions about the confidentiality, ownership of, and access to these records; creates the potential for a host of related criminal activities (e.g., healthcare fraud, identity theft, and cybercrime); raises questions about the accuracy and interpretation of recorded electronic information, to include its admissibility in court; and unnecessarily complicates the responsibilities of healthcare personnel who must read and interpret sometimes cumbersome and, possibly, inaccurate electronic records, increasing the likelihood for further human error and related liability. Software designers, legislators, and jurists would be well advised to consider these real human and legal implications.

Jonathan A. Dudek, Ph.D. is a forensic psychologist with a national security and law enforcement background. He maintains an international consulting practice assisting developing countries, corporations, and other public and private sector entities with business and program development; human capital and systems-based risk management, risk mitigation, and problem-solving; identifying strategic opportunities; and forensic and investigative consultation. Dr. Dudek may be contacted at The opinions expressed in this commentary are solely those of Dr. Dudek.


  1. I think that electronic records are a mistake. Some ideas should just remain ideas. This world is not perfect enough for such an event, and I can guarantee that the problems that occur afterwards will be detrimental. There are thousands of potential threats out there from hackers, invasive doctors, etc. We do not currently have the security to be confident in such a system.

