CHAPTER 17

The Electronic Health Record as Evidence

Kimberly A. Baldwin-Stried Reich

   In this chapter, you will learn how to

•  Discuss the sources and structure of law within the United States and federal agencies that provide oversight of the nation’s healthcare system, including the laws, rules, and regulations governing healthcare delivery

•  Examine the importance of privacy and security of health information in regulatory investigations and the admissibility of electronic health records into a court of law

•  Delineate the differences between federal, state, and local courts

•  Describe the process of the discovery of the electronic health record and ensuring its admissibility as evidence into a court of law

•  Explore the role that technology plays as the underpinning of the nation’s healthcare information infrastructure

•  Explain the impact the 2016 HIPAA access rules are having on the release of information and definition of the legal health record

•  Review the 2015 amendments to the Federal Rules of Civil Procedure and the 2016 amendments to the Federal Rules of Evidence and understand their impact on the process of electronic discovery of the EHR and its production in a court of law

This chapter explores the primary role the electronic health record (EHR) plays in support of direct and indirect patient care activities and the secondary role it serves as evidence in legal, administrative, investigative, and regulatory proceedings. This chapter examines the legislative process and the federal agencies that oversee the nation’s healthcare system and promulgate the laws that serve as the underpinning of the nation’s health information infrastructure. It also examines the evidentiary impact of the 2015 amendments to the Federal Rules of Civil Procedure (FRCP), the 2016 Health Insurance Portability and Accountability Act (HIPAA) rules, and the 2016 amendments to the Federal Rules of Evidence (FRE). Finally, this chapter anticipates the impact that the passage of the Cures Act in 2016 will have on the future of healthcare delivery and the nation’s health information infrastructure.

Sources and Structure of U.S. Law

U.S. laws establish the standards of behavior, the means by which standards are enforced, and the mechanism to guide conduct. There are four primary sources of law within the U.S. legal system:

•  Federal and state constitutions

•  Federal and state statutes

•  Decisions and rules of administrative agencies

•  Decisions of the court

In this chapter we discuss the sources and structure of U.S. law to understand how each branch of the U.S. government operates. We examine how the branches of government work together to provide oversight of the nation’s healthcare system, as well as to establish the laws, rules, and regulations that govern the nation’s healthcare delivery system, including the admissibility of the EHR as evidence into a court of law. Through this appraisal of the legal system and overview of the structure and function of the federal government, we gain a better understanding of how the Constitution underpins all branches of government and serves as the ultimate source of law.

Three Branches of U.S. Government Responsible for Carrying Out Government Powers and Functions

The healthcare industry is one of the most (if not the most) highly regulated industries in the United States today. As such, it is important to understand the structure of the federal government, how laws are created, and the role the government plays in oversight and enforcement of the laws, rules, and regulations that impact the nation’s healthcare delivery system. A law is defined as “any system of regulations to govern the conduct of the people of a community, society, or nation, in response to the need for regularity, consistency, and justice based upon collective human experience.”¹ A regulation is defined as “a rule of order having the force of law, prescribed by a superior or competent authority, relating to the actions of those under the authority’s control.”²

The three branches of the government—legislative, executive, and judicial—are responsible for carrying out the governmental powers and functions and creation of laws, rules, and regulations. Each of the three branches of government has a different primary function. The following is a summary of the primary functions of each of the three branches of the U.S. government:

•  Legislative branch   The legislative branch is the law-making branch of government, made up of the Senate, the House of Representatives, and agencies that support Congress. The primary function of the legislative branch is to enact laws.

•  Executive branch   The president is the head of the executive branch of the government, which includes many departments and agencies. The primary function of the executive branch is to enforce and administer the law.

•  Judicial branch   The judicial branch is made up of the Supreme Court, lower courts, special courts, and court support organizations. The primary function of the judicial branch is to adjudicate and resolve disputes in accordance with the law.

The three branches of government operate under a concept known as the separation of powers. Under this concept, no branch of the government shall have more power or control than the other two branches in the exercise of its functions and activities.

Executive Branch: President, Vice President, and Cabinet

Under Article II of the Constitution, the power of the executive branch is vested in the President of the United States, who also serves as head of state, leader of the federal government, and Commander in Chief of the armed forces. The president and the vice president comprise the executive branch. The president appoints the heads of the federal agencies, ambassadors, and other high-ranking officials, including members of the cabinet who also serve as members of the president’s administration. The president and the president’s administration are responsible for the execution and enforcement of the laws, rules, and regulations written by Congress. Fifteen executive departments, each led by an appointed member of the president’s cabinet, are responsible for the day-to-day administration of the federal government. They are joined in this responsibility by other executive agencies such as the Department of Health and Human Services (HHS) and the Department of Justice (DOJ), the heads of which are not part of the president’s cabinet but operate under the full control and authority of the president.³

The president also appoints the heads of more than 50 independent federal commissions, such as the Federal Trade Commission (FTC), and is empowered to enact special boards, commissions, or committees, such as President Bill Clinton did in 1997 when he created the President’s Advisory Commission on Consumer Protection and Quality in the Health Care Industry.⁴ The president also makes appointments to the Supreme Court, appointments of federal judges, appointments of ambassadors, and appointments to other federal offices. The Executive Office of the President (EOP) is composed of the immediate staff to the president, along with entities such as the Office of Management and Budget and the Office of the United States Trade Representative.

The president is vested with the power to sign legislation into law or veto bills enacted by the Congress, although Congress is vested with the power to override a presidential veto with a two-thirds vote in both the Senate and the House of Representatives. The president has broad authority to manage national affairs and establish the priorities of the government. The president also conducts diplomacy with other nations and has the power to negotiate and sign treaties. In addition the president has the power to issue rules, regulations, and instructions called executive orders,⁵ which have the force and effect of law by carrying out a provision of the Constitution, a federal statute, or a treaty. Executive orders are published in the Federal Register to notify the public of presidential actions.

The president has unlimited power to extend pardons and clemencies for federal crimes, except in cases of impeachment. Article II, Section 2 of the Constitution states that the president “shall have Power, by and with the Advice and Consent of the Senate, to make Treaties, provided two-thirds of the Senators present concur.” This means that two-thirds of the Senate must approve a treaty in order for it to be ratified.

Article II, Section 3 of the Constitution further stipulates that, with these powers, the president shall “from time to time give to the Congress Information of the State of the Union, and recommend to their Consideration, such Measures as he judge necessary and expedient.”⁶

The president has the power and duty to make recommendations to Congress that the president deems “necessary and expedient.” However, the judgment as to what a president determines as “necessary and expedient” has been argued in the courts. In the landmark opinion Youngstown Sheet & Tube Co. v. Sawyer⁷ (1952), the Supreme Court ruled that President Truman lacked either constitutional or statutory authority to seize the nation’s strike-bound steel mills. Instead, the court ruled that Congress would have had constitutional authority to do so.

This landmark decision is important to understand because it teaches us both about the Constitution, the role of Congress, the separation of powers doctrine, and the limits of presidential powers in issuing executive orders. Although the framers of the Constitution did not expressly enjoin the system of checks and balances of power our nation enjoys today, Youngstown demonstrates “that significant separation of powers depends on the existence of some effective counterweight to the executive ruler, which in turn presupposes a disposition to restrain the ruler that does not come from the ruler himself.”⁸

Legislative Branch: The Senate and the House of Representatives

Under Article I of the Constitution, the legislative branch is made up of the Senate and the House of Representatives, which together form the United States Congress. The Constitution vests the Congress with the power to enact legislation, confirm or reject presidential nominations, establish congressional investigations, and declare war.

The Senate is composed of 100 senators, two from each of the 50 states. The vice president serves as the president of the Senate and may cast the decisive vote in the event of a tie in the Senate. The Senate has the power to ratify treaties to confirm presidential appointments that require the consent of the Senate.

The House of Representatives is composed of a total of 435 elected officials, divided among the 50 states proportional to their population. In addition, there are six nonvoting members in the House of Representatives that represent the District of Columbia, the Commonwealth of Puerto Rico, and four other U.S. territories. The Speaker of the House of Representatives is elected by the House of Representatives and is third in line in succession to the presidency. The House has several exclusive powers, including the power to initiate revenue bills, to impeach federal officials, and to elect the president of the United States in the event of a tie in the electoral college.

In order to pass legislation, the House of Representative and the Senate must pass the same bill by majority vote in order to send it to the president for his signature. The president has the power to veto legislation sent by the Congress, but the Congress may override a presidential veto by passing the bill again in each chamber with at least two-thirds of both bodies voting in favor of the bill.

The Legislative Process

Before a bill is signed into law, the first step it must undergo is its introduction to Congress. Anyone can write a bill, but only members of Congress can introduce legislation. The president traditionally introduces some bills, before Congress, such as the federal budget. However, after a bill is introduced to Congress, it may (and generally does) undergo drastic changes before it is signed into law.

Once a bill is introduced to Congress, it is referred to the appropriate committee for review. There are 17 Senate committees, with 70 subcommittees, and 23 House committees, with 104 subcommittees. The numbers, scope, and responsibility of the committees change with each new Congress. Each committee is responsible for the oversight of a specific policy area, and subcommittees take on more specialized policy areas or responsibilities. For example, the Senate Committee on Health, Education, Labor, and Pensions is composed of three subcommittees: Subcommittee on Children and Families, Subcommittee on Employment and Workplace Safety, and Subcommittee on Primary Health and Retirement Safety.

The election of Donald J. Trump as the 45th President of the United States on November 8, 2016, is expected to bring about “significant legal and regulatory changes.”⁹ There is no greater insight into some of the significant changes that the nation is about to undertake in reforming and reshaping the nation’s healthcare delivery system than is evidenced by President Trump’s appointment to lead the Department of Health and Human Services (HHS).

On February 10, 2017, Rep. Tom Price, a retired orthopedic surgeon from Atlanta, was confirmed as Secretary of HHS. In this new role, Secretary Price will oversee the Medicare and Medicaid Programs and the National Institutes of Health, making the Department of HHS a $1 trillion agency, the largest of any budget in the president’s cabinet. Secretary Price is also expected to implement the repeal and the replacement of the Affordable Care Act. During his confirmation hearing, Rep. Price said this about health care coverage and his vision for the future:

The details as to what the repeal and replacement of the Affordable Care Act will look like are unknown at this time, but it is the current administation’s stated commitment to reform the healthcare delivery system and to assure all Americans have access to affordable health care coverage.

On February 27, 2017, President Trump hosted a listening session with the CEOs of some of the nation’s largest health insurance companies. During this session President Trump appealed to the CEOs of the nation’s largest health insurance plans to work with Secretary Price to “stabilize the insurance markets and ensure a smooth transition to the new plan.”¹¹

President Trump’s appointment to lead the Centers for Medicare and Medicaid (CMS), Seema Verma, was expected to be confirmed in early March, 2017. The CMS administrator “has the power to drive our nation’s healthcare transformation—from volume to value…and innovations in healthcare delivery and services in Medicare can set the course for the entire healthcare industry.”¹²

On February 28, 2017, in his first address to a joint session of Congress, President Trump reconfirmed to the nation his commitment to reshaping the nation’s healthcare delivery system by promising to replace the Affordable Care Act “with reforms that expand choice, increase access, lower costs, and at the same time, provide better healthcare.”¹³

In the coming months, the scope and direction of the healthcare delivery system and the laws, rules, and regulations impacting it will become clear once the president’s cabinet appointments are confirmed and the membership of Congressional committees is solidified.

Administrative Agencies

The rules and decisions set forth by administrative agencies are other sources of law. Administrative agencies are established under Article 1, Section 1 of the Constitution, which states that “[A]ll legislative Powers herein granted shall be vested in a Congress of the United States.”¹⁴ The legislature has delegated to numerous administrative agencies the power through Article 1, Section 8, Clause 18, “…to make all Laws which shall be necessary and proper for carrying into Execution the foregoing Powers, and all other Powers vested by this Constitution in the Government of the United States, or in any Department or Officer thereof.”¹⁵ A summary of the powers and authorities of the administrative agencies are outlined in the sections that follow.

The Department of Health and Human Services¹⁶ The Department of Health and Human Services (HHS) represents almost a quarter of all federal outlays. It administers more grant dollars than all other federal agencies combined. HHS’s Medicare program is the nation’s largest health insurer, handling more than 1 billion claims per year. Medicare and Medicaid together provide healthcare insurance for one in four Americans, and today with the addition of the Health Insurance Marketplace and the Children’s Health Insurance Program (CHIP), at least one in three Americans receives some sort of coverage under HHS.

HHS works closely with state and local governments, and many HHS-funded services are provided at the local level by state or county agencies or through private-sector grantees. The department’s programs are administered by eleven operating divisions, including eight agencies in the U.S. Public Health Service and three human services agencies. The department includes more than 300 programs, covering a wide spectrum of activities. In addition to the services they deliver, the HHS programs provide for equitable treatment of beneficiaries nationwide and enable the collection of national health and other data.

The Centers for Medicare and Medicaid Services¹⁷ The bill that led to the establishment of Medicare and Medicaid was signed into law on July 30, 1965, by President Lyndon B. Johnson. Formerly known as the Health Care Financing Administration (HCFA), the Centers for Medicare and Medicaid Services (CMS) has been providing health insurance coverage for Americans since 1966. CMS operates as part of HHS and administers the Medicare, Medicaid, CHIP, and Health Insurance Marketplace.

CMS is headquartered in Baltimore, Maryland, and maintains ten Regional Offices (ROs) throughout the country based on the agency’s key lines of business: Medicare Plans Operations, Financial Management and Fee for Service Operations, Medicaid and CHIP, Quality Improvement, and Survey and Certification Operations. The ROs are the state and local presence and provide oversight, outreach, and education to beneficiaries, healthcare providers, state governments, CMS contractors, community groups, and others.

As the steward of the nation’s healthcare funds, CMS is committed to strengthening and modernizing America’s healthcare system. CMS does this by developing mechanisms to assure program integrity (reducing fraud, waste, and abuse), establishing value-based incentives to reward providers’ clinical performance, and tying provider payments to expected clinical outcomes.

The Office for Civil Rights¹⁸ The HHS Office for Civil Rights (OCR) is the federal agency designated to provide administrative oversight and enforcement of the HIPAA Privacy and Security rules. The OCR has been responsible for oversight of the HIPAA Privacy Rule since April 14, 2003, and the HIPAA Security Rule since July 27, 2009. The OCR ensures that people have equal access and opportunities to participate in certain healthcare and human services programs without unlawful discrimination.

The goals of the OCR are accomplished by

•  Teaching health and social service workers about civil rights, health information privacy, and patient safety confidentiality laws

•  Educating communities about civil rights and health information privacy rights

•  Investigating civil rights, health information privacy, and patient safety confidentiality complaints to identify discrimination or violation of the law and take action to correct problems

The Office of the National Coordinator¹⁹ The Office of the National Coordinator for Health IT (ONC) was created in 2004 under Executive Order and was legislatively mandated in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The ONC is located within the Office of the Secretary of HHS and is the federal agency responsible for coordinating nationwide efforts to implement and use healthcare information technology (healthcare IT) and to facilitate the exchange of health information. The ONC serves as a resource to the entire healthcare system and was created to support the federal government’s efforts to advance the adoption of healthcare IT.

On July 19, 2016, the ONC, OCR, and Federal Trade Commission (FTC) jointly published a report to Congress entitled Examining Oversight of the Privacy and Security of Health Data Collected by Entities Not Regulated by HIPAA.²⁰ This groundbreaking report was developed to specifically address the oversight gaps that exist today between HIPAA covered entities that collect and process health data from individuals and those that are not regulated by HIPAA but also collect and process health data from individuals.

The health data that are collected, used, and shared by entities not currently covered by HIPAA can be valuable for clinical decision making or relevant in a court of law. As such, this report is an important first step in advancing the standards and processes surrounding the searching, preservation, collection, processing, and production of such information as evidence, whether for clinical decision-making purposes or for submission to a court of law.

At the present time, while the ONC is at the forefront of national initiatives to advance the adoption of healthcare IT, it does not have administrative oversight responsibility for the design, usability, safety, or clinical functionality of healthcare IT or information exchange systems or any of the consumer devices in use today. The ONC is solely focused on advancing the implementation of healthcare IT and exchange of health information.

The passage of the 21st Century Cures Act on December 13, 2016, also established new requirements under HIPPA which specify that a researcher’s remote access of protected health information (PHI) held within a covered entity’s EHR does not constitute the removal of the PHI from the covered entity, provided that HIPAA-compliant privacy and security safeguards are in place within the covered entity and the researcher, and the researcher does not copy or otherwise retain any PHI.²¹

This provision was enacted in an effort to reflect the shift from paper-based medical records to maintenance of digital records. While the Cures Act directly addresses questions posed by covered entities about remote access, further legislative or regulatory activity appears to be necessary to clarify what constitutes the “premises” of the covered entity, as many covered entities do not maintain their EHR systems via local storage (digital or otherwise) but instead rely on third-party business associates.²² In addition, the Cures Act does not provide direction as to harmonization of HIPAA and the Federal Policy for the Protection of Human Subjects (aka Common Rule) with respect to how such preparatory research activities should be structured. The Common Rule definition of research contained in 45 CFR 46.102(d) also includes “research development.” Given that definition, more rules regarding the privacy and security of PHI regarding research activities conducted by the National Institutes of Health (NIH) and/or other federal agencies may be developed in the future.²²

The Federal Trade Commission²³ The Federal Trade Commission (FTC) conducts a variety of activities to promote competition in healthcare, including outreach and education to businesses and consumers on healthcare privacy and security practices.

The FTC enforces federal consumer protection laws that prevent fraud, deception, and unfair business practices and provides guidance to market participants—including physicians and other health professionals, hospitals and other institutional providers, pharmaceutical companies and other sellers of healthcare products, and insurers—to help them comply with the nation’s privacy and antitrust laws.

As part of the American Recovery and Reinvestment Act (ARRA) of 2009, the FTC issued a final rule requiring certain web-based businesses to notify consumers when the security of their health information is breached. In 2010, the FTC began enforcing the HIPAA Breach Notification rule, which applies to the following entities:²⁴

•  Vendors of personal health records (PHRs)

•  PHR-related entities

•  Third-party service providers for vendors of PHRs or PHR-related entities

In addition, the FTC has a Mobile Health Apps Interactive Tool to help developers learn the privacy and security rules and regulations they need to follow when creating their health apps for mobile devices.²⁵

The Food and Drug Administration²⁶ The Food and Drug Administration (FDA) has the following responsibilities:

•  Protecting the public’s health by assuring that foods are safe, wholesome, sanitary, and properly labeled, and that human and veterinary drugs, vaccines, other biological products, and medical devices intended for human use are safe and effective

•  Protecting the public from electronic product radiation

•  Assuring that cosmetics and dietary supplements are safe and properly labeled

•  Regulating tobacco products

•  Advancing the public’s health by helping to speed product innovations

•  Helping the public get the accurate, science-based information they need to use medicines, devices, and foods to improve their health

The FDA’s responsibilities extend to all 50 states, the District of Columbia, Puerto Rico, Guam, the Virgin Islands, American Samoa, and other U.S. territories and possessions.

The Internal Revenue Service²⁷ The Internal Revenue Service (IRS) is organized to carry out the responsibilities of the secretary of the Department of the Treasury under section 7801 of the Internal Revenue Code. The secretary has full authority to administer and enforce the internal revenue laws and has the power to create an agency to enforce these laws. The IRS was created based on this legislative grant. Section 7803 of the Internal Revenue Code provides for the appointment of a commissioner of internal revenue to administer and supervise the execution and application of the internal revenue laws.

On June 28, 2012, the U.S. Supreme Court ruled on several key issues affecting the Affordable Care Act (ACA)²⁸ in National Federation of Independent Business, et al. v. Sebelius, et al.²⁹ The Court ruled that the “individual mandate” to require individuals to purchase health insurance was constitutional. However, the Court also ruled as unconstitutional the provision that would permit the secretary of HHS to withdraw all of the Medicaid funding provided to a state if that state chooses not to expand Medicaid to certain thresholds set forth in the ACA.

Until recently, the IRS served as the administrative agency responsible for providing the administrative oversight and review in the collection of all taxes and penalties to be assessed on individuals who do not have health insurance in accordance with the Supreme Court decision handed down on June 28, 2012. However, on January 20, 2017, when Donald J. Trump was sworn into office, he signed an executive order aimed toward the ultimate replacement of the ACA, which reads in part:

Sec. 2….[T]he heads of all other executive departments and agencies (agencies) with authorities and responsibilities under the Act shall exercise all authority and discretion available to them to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the Act that would impose a fiscal burden on any State or a cost, fee, tax, penalty, or regulatory burden on individuals, families, healthcare providers, health insurers, patients, recipients of healthcare services, purchasers of health insurance, or makers of medical devices, products, or medications.³⁰

In accordance with this executive order, the IRS will no longer be responsible for the collection of taxes or penalties on individuals who do not purchase health insurance. And furthermore, this executive order also lays forth the foundation for another restructure and redesign of the nation’s healthcare system.

The Office of Inspector General³¹ Established in 1976, the Office of Inspector General (OIG) is part of HHS and is the largest inspector general’s office in the federal government. The OIG provides oversight of the Medicare and Medicaid programs, as well as the Centers for Disease Control and Prevention (CDC), NIH, and the FDA.

The vast majority of the OIG’s resources are dedicated to fighting fraud, waste, and abuse in Medicare, Medicaid, and more than 100 other HHS programs. The OIG carries out its mission through audits, investigations, and evaluations that result in cost-savings or policy recommendations for decision-makers and the public. The OIG also educates the public and the healthcare industry about fraudulent schemes, including what to look for and how to report them, and develops and distributes resources to assist the healthcare industry in their efforts to fight fraud, waste, and abuse.

The Federal Bureau of Investigation³² Established in 1908, the Federal Bureau of Investigation (FBI) reports to both the U.S. Attorney General, who serves as the head of the Department of Justice (DOJ), and the Director of National Intelligence (DNI). The FBI maintains dual responsibilities for law enforcement and intelligence. The mission of the FBI is to protect the American citizens and uphold the U.S. Constitution.

The FBI employs over 35,000 people, working in 56 field offices located in major cities throughout the United States, 350 resident agencies located in cities and towns across the country, and more than 60 international offices located in U.S. embassies worldwide.

Combating and rooting out healthcare fraud is a high priority for the FBI because healthcare fraud impacts both the nation’s economy and the lives of American citizens. The FBI serves as the principal investigative agency involved in the fight against healthcare fraud and maintains jurisdiction over both federal and private healthcare insurance programs. Healthcare fraud investigations are an integral area of focus for the FBI, and personnel in each of the 56 field offices are specifically assigned to investigate matters involving healthcare fraud.

To promote the exchange of facts and information between the public and private sectors in an effort to reduce the prevalence of healthcare fraud, the FBI works collaboratively with other federal agencies such as the OIG, FDA, and Drug Enforcement Administration (DEA); with state and local agencies; with private insurance groups, and with public-private entities such as the Healthcare Fraud Prevention Partnership (HFPP)³³ and the National Health Care Anti-Fraud Association.³⁴

The Department of Justice³⁵ The Judiciary Act of 1789 created the Office of the Attorney General. The Act specified that the Attorney General, originally a part-time position, must be “learned in the law,” with a duty “to prosecute and conduct all suits in the Supreme Court in which the United States shall be concerned, and to give his advice and opinion upon questions of law when required by the President of the United States, or when requested by any of the heads of the departments, touching on any matters that may concern their departments.”³⁵

The DOJ officially came into existence on July 1, 1870, when Congress empowered it to handle all criminal prosecutions and civil suits in which the United States had an interest. In 1870, Congress also created the Office of the Solicitor General, who was charged with the responsibility of representing the United States in matters argued before the Supreme Court and to support and assist the Attorney General.

The 1870 Act was foundational to the establishment of DOJ, but over the years, with the addition of the Offices of Deputy Attorney General and Associate Attorney General and the formation of various components, offices, boards, and divisions, the DOJ has grown into the world’s largest law office and the chief enforcer of all federal laws. The DOJ plays a crucial role in the enforcement of the laws, rules, and regulations governing the healthcare delivery system. The detection and elimination of healthcare fraud and abuse is one of the top priorities of the DOJ, along with advocacy to promote competition in the healthcare industry. The Antitrust Division of the DOJ enforces the antitrust laws in healthcare to protect competition and to prevent anticompetitive conduct.

HIPAA established a national Health Care Fraud and Abuse Control Program, under the joint direction of the Attorney General and the Secretary of HHS, acting through the HHS Inspector General (HHS/OIG), designed to coordinate federal, state, and local law enforcement activities with respect to healthcare fraud and abuse. In May 2009, the Attorney General and Secretary of HSS announced the creation of the Health Care Fraud Prevention and Enforcement Action Team (HEAT), an initiative designed to enhance collaboration between the DOJ and investigative agencies, such as the FBI. With the creation of the new HEAT effort, the DOJ pledged a cabinet-level commitment to prevent and prosecute healthcare fraud.³⁶ HEAT is composed of top-level law enforcement agents, prosecutors, attorneys, auditors, evaluators, and other staff from DOJ, HHS, and their operating divisions, and is dedicated to joint efforts across government to both prevent fraud and enforce current antifraud laws around the country.

Since its inception, HEAT has charged more than 2,300 defendants with defrauding Medicare of more than $7 billion and convicted approximately 1,800 defendants of healthcare felony fraud offenses.³⁶ The medical record is a key source of evidence used by federal investigators to root out and convict suspects of healthcare fraud. For example, a federal jury in the Southern District of Texas convicted a Houston-based home-health agency owner for her role in a $13 million Medicare fraud and money laundering scheme.³⁷ The home-health agency provider falsified medical records to make it appear as though the Medicare beneficiaries qualified for and received home-health services.

Judicial Branch: Structure and Function of the U.S. Court System

The U.S. court system is divided administratively into two separate systems: the federal district courts and the state courts. Each court system operates independently of the executive and legislative branches of government. The federal court system is set forth in Article III, Section 1 of the Constitution, which states that “[T]he judicial Power of the United States shall be vested in one supreme Court, and in such inferior Courts as the Congress may from time to time ordain and establish. The Judges, both of the supreme and inferior Courts, shall hold their Offices during good Behavior, and shall, at stated Times, receive for their Services, a Compensation, which shall not be diminished during their Continuance in Office.”³⁸ While both the federal and state court systems are responsible for hearing certain types of cases, neither system is completely independent of the other, and the systems do interact on occasion.

Federal Court System³⁹

The federal court system is composed of 94 district courts, 13 circuit courts, and one Supreme Court with at least one bench in each of the 50 states, as well as benches in Puerto Rico and the District of Columbia. A total of 1 to 20 judges preside in each district. District judges are appointed by the president and serve for life. Cases handled by federal district court include: cases involving violation of federal law and/or allegations of Constitutional violations; cases directly involving a state or federal government; maritime disputes; and/or cases involving foreign governments, citizens of foreign countries, or in which citizens of two or more different states are involved.

The courts of appeals are directly above the federal district court. The court of appeals system is composed of 13 judicial circuit courts throughout the United States, plus one court of appeals in the District of Columbia. There are a total of 6 to 27 judges in the courts of appeals. In addition to hearing appeals for their respective federal district courts, the courts of appeals also have jurisdiction to hear cases involving a challenge to an order of a federal regulatory agency.

The Supreme Court is located in Washington, D.C., and is also known as “The Highest Court in the Land.” It is the only court that is explicitly mandated by the Constitution. The Supreme Court is composed of one chief justice and eight associate justices. When there is a vacancy on the Supreme Court, the president makes a nomination for membership and the Senate confirms or rejects the nomination. Like federal judges, once confirmed, a Supreme Court justice serves for life. When the Senate is in recess, the President may make a temporary appointment, called a recess appointment, to any federal position, including the Supreme Court, without Senate approval in accordance with Article II, Section 2, Clause 3 of the Constitution. A recess appointment shall last for one year or until such time that a nomination is confirmed by the Senate. The Supreme Court hears cases from state appellate courts on federal or constitutional matters. The Supreme Court has the authority to decline to review most cases and maintains final jurisdiction over all cases it hears.

State Court System⁴⁰

The state court system is large and diverse. Currently, there are more than 1,000 various types of state courts and judges. State courts, which are also referred to as local courts, include magistrate court, municipal court, justice of the peace court, police court, traffic court, and county court. These courts are called the inferior courts. The more serious cases are heard in a superior court, also sometimes known as state district court, circuit court, or by a number of other names. The majority of healthcare medical malpractice cases are heard in the state superior court system.

State superior, district, or circuit courts are generally organized by counties, hear appeals from the inferior courts, and have original jurisdiction over major civil suits and serious crimes. Most of the nation’s jury trials occur in state superior court. The highest state court is usually called the appellate court, the state court of appeals, or state Supreme Court and generally hears appeals from the state superior courts and, in some instances, has original jurisdiction over particularly important cases. A number of the larger states, such as New York, may also have intermediate appellate courts between the superior courts and the state’s highest court. Additionally, a state may also have a wide variety of special tribunals, usually on the inferior court level, including divorce court, mental health court, housing court, juvenile court, family court, small-claims court, and probate court.

The Judiciary

The fourth source of U.S. law arises from judicial decisions, also known as case law (discussed in further detail in the next section). Today, many of the legal rules and principles applied by U.S. courts are rooted in the traditional unwritten law of England, based on custom and usage known as “common law.” Today, “almost all common law has been enacted into statutes with modern variations by all the states except Louisiana, which is still influenced by the Napoleonic Code. In some states the principles of Common Law are so basic they are applied without reference to the statute.”⁴¹ In the process of deciding an individual case, the courts interpret regulations and statutes in accordance with the relevant federal or state constitution. The court will create and establish the “common law” when it decides cases that are not controlled by regulations, statutes, or a constitution.

The courts are responsible for making determinations as to whether specific regulations or statutes are in violation of the Constitution. The case of Marbury v. Madison established that all legislation and regulations must be consistent with the Constitution and that the courts hold inherent powers to declare legislation invalid when it is unconstitutional.⁴² Some state courts have established specific sets of rules for interpretation of conflicting regulations and statutes.

Administrative agencies also have discretion as to how regulations or statutes are applied—and disagreements over the application of a specific regulation or statute can and do arise frequently. While the decision of an administrative agency can be appealed to the courts, the courts generally defer decisions to the relevant administrative agency and will limit their review of the matter unless the following conditions were not met:

•  A delegation of the matter to the administrative agency was constitutional.

•  The administrative agency acted within its authority and followed proper procedures.

•  The agency acted on a substantial basis and acted without discrimination or arbitrariness.

Case Law Case law is defined as “reported decisions of appeals courts and other courts which make new interpretations of the law and, therefore, can be cited as precedents. These interpretations are distinguished from ‘statutory law,’ which are the statutes and codes (laws) enacted by legislative bodies; ‘regulatory law,’ which are regulations required by agencies based on statutes; and in some states, the ‘common law,’ which is the generally accepted law carried down from England. The rulings in trials and hearings which are not appealed and not reported are not case law and, therefore, not precedent or new interpretations.”⁴³ The term “common law” is often used interchangeably with case law.

CAUTION   Avoid using the terms “common law” and “case law” interchangeably, because “common law” refers to the traditional unwritten law of England, while “case law” refers to the laws that were established by judicial decision.

The Medical Record

An individual’s health information, irrespective of its form, format (paper, EHR, EMR PHR, mHealth, telemedicine, health social media, or e-prescription), or location, contains vital clinical information to support the diagnosis and justify the care and treatment rendered to the patient. Certain information—including the patient’s history, physical examination results, radiology and laboratory reports, diagnoses and treatment plans, as well as orders and notes from doctors, nurses, and other healthcare professionals—is routinely recorded into an individual’s medical record when the individual is treated as an inpatient or an outpatient in a care facility.

EHR stands for “electronic health record” and is a computerized record system that originates and is controlled by physicians, hospitals, or clinics. EMR stands for “electronic medical record” and is a digital version of the patient’s paper chart in the clinician’s office. The EHR is viewed within the industry as the patient’s “legal medical record.” An EMR contains the medical and treatment history of the patient in one practice.⁴⁴ Oftentimes, the terms EHR and EMR are used interchangeably, but the EHR is intended to refer to a much more robust health record system versus the medical record of a physician office.

The PHR stands for “personal health record” and is a computerized record system that is maintained by the patient or a patient’s caregiver or family member. The PHR is a tool that is used to collect, track, and share past and current information about a patient’s health. At this time, in the absence of legal standards for preservation data from PHI, the “PHR is separate from, and do[es] not replace, the legal record of any health care provider.”⁴⁵ In today’s digital era, the fact that the PHR is not defined as a “legal record” presents a perplexing dilemma for patient care. For providers and organizations in malpractice claims, this information that may reside in a patient’s PHR or other third-party devices can be valuable and clinically relevant, yet it may or may not be shared with the provider.

mHealth stands for mobile-health. This term refers to the delivery of medicine and public health using mobile devices, including smartphones, tablet computers, and laptops.

Telemedicine is a term used to refer to the evaluation, diagnosis, and treatment of patients at a distance using telecommunications technology.

Health social media is a term that generally refers to Internet-based tools that allow individuals and communities to gather and communicate; to share information, ideas, personal messages, images, and other content; and, in some cases, to collaborate with other users in real time.

The quality and integrity of the information contained in a medical record are essential for clinical, legal, and fiscal purposes, for correct and prompt diagnosis and treatment of the patient’s condition, and for continuity of care. Therefore, all providers and entities alike should have some protocol in place to verify the authenticity and integrity of the information that is recorded into an individual’s medical record, especially information obtained from external sources, such as PHRs, mHealth, and health social media.

According to Matthew Murray, MD, Chairman of the Texas Medical Association’s Ad Hoc Committee on Health Information Technology, “Whether we’re copying and pasting information from an old note to a new note or using templates that automatically bring in clinical information…it is our responsibility to make sure that the information that got pulled is accurate.”⁴⁶

In addition to assuring that the information that is pulled into the EHR is accurate, when providers or entities are presented with recordings or results from mHealth devices, PHRs, or health social media from their patients, the copies of these recordings, or notations, should be placed into the patient’s medical record. The provider receiving such information should document that the results from the mHealth device or PHR were reviewed and discussed with the patient along with the actions, or recommendations, if any, that were made. Although there are benefits to incorporating data from PHRs, mHealth devices, and health social media into the medical record, it must be noted that, at this point in time, there are also risks associated with these data.⁴⁷ There is no way for providers or entities to assure the quality or integrity of data from these sources, yet providers and entities alike are now charged with a duty to review and discuss this health information with their patients when it is presented to them. Furthermore, it is distressing that because there are no standards related to the preservation of PHI data from PHRs, health social media, and other third-party devices, providers may be left unaware of the existence of valuable clinical data on these devices that may help defend them in the face of a malpractice claim.

Although the primary use of the medical record is to serve as a tool for the planning and communication of the patient’s treatment and care, it also serves as a secondary source of information for other uses. It provides support and documentation for insurance claims, legal matters, utilization review, case management, care coordination, professional quality and peer-review activities of prescribed treatments and medications, and the education and training of health professionals. Medical records also contain useful statistical and research information for public health and resource-management planning purposes. They contain data for clinical studies, evaluation and management of the costs associated with treatment, and the assessment of population health.

Medical records also often serve as a vital piece of evidence in a court of law.⁴⁸ Today, with the widespread adoption of electronic health records, attorneys and providers now find themselves struggling to verify the accuracy and make sense of all the information contained in today’s EHR systems, so much so that some states, such as Texas, have adopted position statements on the maintenance of accurate medical records.

In April 2015, Wynne M. Snoots, MD, released a position statement on behalf of the Texas Medical Board (TMB). It reads in part as follows:⁴⁹

Perhaps one of the best examples of one of concerns expressed by the TMB about EHRs is that, unlike paper-based medical records, the EHR is proving to be a difficult witness in a court of law.⁵⁰ Providers and attorneys alike are finding the outputs and screenshots from the EHR look nothing like the actual computer screen or data entry fields the provider saw, clicked, or keyed at the time he or she saw a patient or made a clinical decision. This dilemma is causing many problems for providers and attorneys alike because it is difficult for attorneys to take a deposition of a provider using the outputs from an EHR. In the paper era, the record was the paper record and the record reflected what the provider wrote and thought at the time the provider recorded or dictated his or her note. In the digital era, the providers and attorneys are finding that because EHR screenshots and the outputs look nothing like the tool the provider used to record his or her entries on a patient, it is very difficult for a provider to verify the authenticity of the information contained in the medical record. As a result, attorneys and a new team of expert witnesses now are tasked with spending hours reading, tracing, and reviewing the meta-data audit trails.⁵¹ Those jobs didn’t exist in the paper-based medical record era. Rather than being efficient tools, EHRs are now actually adding time and cost to the discovery process because there is no easy way to conduct testimony from providers or to search, cull, process, and produce relevant data from EHR systems today.⁵¹

To add further confusion about the medical record as evidence in a court of law, the introduction of new technologies, such as PHRs, mHealth devices,⁵² health social media, telemedicine, e-prescribing, interoperability, and the electronic exchange of health information all add a new dimension to the legal process of discovery, especially e-discovery. These new technologies may contain important and/or clinically relevant information about a patient, but the information may be inaccessible to the provider as it may reside in locations outside the patient’s EHR, or in a system or device outside the provider’s or organization’s control.

In some cases, a provider may have referenced or relied upon this information to make a treatment decision for a patient, and will have copies of the patient’s medical records obtained from other sources incorporated into the EHR system for reference. All relevant or potentially relevant information is discoverable. However, this information, along with other potentially relevant information, such as the patient’s genetic or genomic information, which presently resides outside of the EHR⁵³ but is not considered to be part of the “legal medical record” or part of the individual’s HIPAA-designated record set, is released upon request for disclosure purposes.

Yet, under 45 CFR 164.524 an individual is entitled to their genetic or genomic information if they request it, along with “any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.”⁵⁴

Under 45 CFR 164.524, organizations may be left unaware of the existence of an impending lawsuit in today’s digital era. A savvy attorney or plaintiff interested in going on a fishing expedition can request “complete copies” of “any and all of their PHI, in any form, or location wherever it may exist” (including all electronic PHI) and the organization under this rule would be required to provide the individual potential to their information.

It is generally easier for plaintiffs to identify and obtain anything potentially relevant they may need to initiate a malpractice claim than it is for a defendant to obtain all of the relevant clinical information that they may need to defend themselves. This is because at this time, there are no standards for the preservation of PHI from PHRs and other third-party medical devices, nor are PHRs, social health media, or other third-party medical devices defined as “legal medical records.” And sometimes, crucial clinically relevant information that may help a provider or an organization defend themselves against a malpractice claims may exist in a PHR, mHealth device, social media platform, or other medical device.

This presents a perplexing dilemma for the healthcare defense attorney because when it comes to the legal process of discovery, especially e-discovery, the process can be time consuming, expensive, and technically overwhelming. Yet, the need to obtain all relevant information is crucial to the defense of a lawsuit. The process will be even more challenging if the provider, organization, or legal counsel has not established a litigation response team that can respond to e-discovery requests, testify about the organization’s EHR systems, and address other information and record keeping systems within the organization. Paper-based record outputs no longer tell the complete story—rather, a team of technical experts is now needed to obtain the complete set of digital and paper records to reconstruct the events of a case. This is further complicated by the fact that there are no standards for easily searching, culling, processing and producing relevant clinical information from today’s EHR systems, not only for litigation, but for any clinical encounter. EHR systems, to be of any value in improving population health while reducing care delivery and litigation costs, will have to evolve to become more efficient and useful tools that are easily searchable and able to produce just the right clinical information at the right time. At the conclusion of the patient’s encounter, the clinical data in the EHR should accurately tell the patient’s story while justifying the diagnoses, treatment, length of stay, documentation, coding, and billing without providers, attorneys, and technical experts having to spend hours reconciling paper outputs, screen shots, HIPAA audit logs, metadata and data sets, and staffing logs in order to figure out what happened to a patient and why.

Until such time that standards are developed for the preservation of PHI from PHRs, health social media, and other third-party medical devices, or unless providers and organization are able to obtain copies of relevant clinical data from a patient’s PHR, health social media, or other medical devices through discovery, they will often be at a disadvantage because they are left unaware of the existence of crucial clinical data that they may need to defend themselves in a malpractice case.

Because there are no legal standards or systematic approaches for the submission of the EHR as evidence into a court of law, there continue to be privacy and security gaps, along with varying approaches in how health information is collected, stored, and used by entities not covered under HIPAA. The federal e-discovery rules that were enacted in 2006 and amended in 2010 and 2015 (and have been modeled in some state court systems) are the closest thing the industry has today as a standard approach for the discovery of information of EHR systems.

As we will examine later in this chapter, the federal e-discovery and evidence rules have begun to converge and overlap with the HIPAA 2016 OCR access rules. Covered entities, vendors, and legal professionals alike are now being mandated to take a close look at their organizations’ release-of-information processes and how their medical records are accessed and used as evidence in a court of law and for regulatory investigations.

As these processes conduct reviews of their systems, it is hoped that through the changes they are now undertaking, they will ultimately lead to the development of new standards, systems, and processes related to the definition of an organization’s HIPAA designated record set for disclosure purposes, and that the policies and procedures the organization will undergo when responding to various requests for patient information from patients and attorneys will be improved. It is also hoped that EHRs will evolve to become not only more interoperable but also searchable and able to produce the right summary of data at the right time based on the user’s query.

The USA PATRIOT Act, signed into law in October, 2001, by President George W. Bush, also significantly expanded the search and surveillance powers of the federal government and provides federal officials with greater access to medical records. This law impacts HIPAA privacy and security rules, and how a medical record can be used as evidence in a legal procedure.

Furthermore, the passage of the 2016 Cures Act has laid the foundation for a new era in the nation’s health information infrastructure through healthcare IT standards development to advance interoperability, assignment of penalties for blocking the sharing of electronic health records, development of registries through the exchange of EHR data and review, and development of HIPAA privacy and security rules governing human subjects protection (Common Rule) and the confidentiality of EHRs of individuals with behavioral health and substance use disorders.

The efforts CMS is establishing to innovate and strengthen Medicare coupled with demands by consumers, providers, and payers that they be given access to their health information that exists in a wide variety of forms, formats, and locations (even outside the EHR) are causing many entities and providers to rethink the processes by which they manage health information, giving rise to a new era known as health information governance.⁵⁵

This paradigm shift from the centralized management and processing of the release of health information requests to a more decentralized process in which the individual’s medical record can be more quickly and easily searched for the relevant information in a variety of forms, formats, and locations is necessary in order to meet the OCR’s goal of providing individuals with timely and robust access to their health data so they can be empowered and engaged in the care coordination and decision-making process.

Furthermore, as national security, surveillance, and the rooting out of terrorism become increasingly important to the federal government, the government is placing new demands upon healthcare organizations. These demands are to develop new health information and records management policies that include the ability to quickly and easily search the records of individuals suspected of involvement in federal crimes or terrorist activities, and establish policies that notify individuals of their privacy and security rights under both HIPAA and the USA PATRIOT Act.

Under HIPAA, medical records can be used as evidence for law enforcement purposes. Law enforcement officials can obtain an individual’s medical record without a warrant under the following circumstances:⁵⁶

•  To identify or locate a suspect, fugitive, witness, or missing person

•  Instances where a crime has been committed on the premises of the covered entity

•  In a medical emergency in connection with a crime

Under Section 215 of the USA PATRIOT Act,⁵⁷ the FBI Director and/or his/her designee has the power to obtain a court order under the Foreign Intelligence Surveillance Act (FISA), “requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.” Like the provision under HIPAA that allows a law enforcement official to obtain copies of an individual’s medical records without a warrant, the FBI has the power to obtain medical records of individuals suspected of engaging in terrorism or clandestine intelligence activities.

EHR Standards for Records Management and Evidentiary Support

Electronic health records are a complex and evolving ecosystem. As such, the Health Level Seven (HL7) standards development organization (SDO) has developed an EHR system standard known as the Records Management and Evidentiary Support Functional Profile (RM-ES FP). This profile serves as a framework for the functions and conformance criteria for EHR systems to follow in the design and implementation of an EHR system. On a regular and ongoing basis, an HL7 volunteer workgroup meets to review and discuss EHR conformance criteria for the RM-ES profile. The HL7 RM-ES workgroup charter is as follows:⁵⁸

The RM-ES Functional Profile is based on the premise that an “EHR-S must be able to create, receive, maintain, use, and manage the disposition of records for evidentiary purposes related to business activities and transactions for an organization. … This profile establishes a framework of system functions and conformance criteria as a mechanism to support an organization in maintaining a legally-sound health record.”⁵⁹ Given this purpose, it is recommended that vendors and organizations alike regularly review this profile to receive guidance and updates for these purposes. The progress of the workgroup can be followed on the HL7 wiki.⁶⁰

The Role and Use of the Medical Record in Litigation and/or Regulatory Investigations

As previously discussed, one of the important secondary uses of the medical record is to provide support and documentation for legal matters regardless of its form, format (paper, electronic as an EHR, EMR, PHR, mHealth device, etc.), or location, or who the custodian of the record is. The patient’s medical record also serves as an important form of evidence that is often used in the litigation process or as evidence in regulatory investigations. Yet the process by which medical records are discovered and admitted into evidence continues to change, evolve, and grow as rapidly as our nation’s health information infrastructure. Vast and significant differences exist between the role and use of paper versus EHRs as evidence in a court of law and whether or not the official custodian of the medical record is the provider who treated the patient or the individual who maintained the information on their PHR or mHealth device. The remainder of this chapter will focus on the legal process of discovery and the role of the medical record as evidence in a court of law.

Paper-based Medical Records vs. Electronic Health Records in Discovery

There are vast and important differences between paper-based medical records and electronic health records and the process by which the information is collected, preserved, processed, and produced for litigation and/or regulatory investigations. Table 17-1 provides a synopsis of these important differences. It is important to review and understand these differences because they describe how and why the legal process and standards surrounding the discovery of electronically stored information (ESI) from EHRs in litigation and regulatory investigations is in a state of constant growth and evolution.

Table 17-1 Synopsis of Differences Between Paper-Based Medical Records and EHRs

Although the federal mandate to implement EHRs was to improve healthcare quality and patient safety while reducing cost by an estimated $78 billion, the reality is that there are unintended consequences that also go along with the implementation of EHRs.⁶¹ These unintended consequences include but are not limited to design flaws and data entry and documentation errors, all of which can result in harm, or even death, to a patient.⁶² In Illinois, for example, a Chicago law firm won a record-breaking $8.25 million wrongful death settlement on behalf of a Chicago couple who suffered the loss of their infant son at only 40 days after a pharmacy technician typed the wrong information into a field in the hospital’s EHR system and the infant died from an excessive sodium overdose.⁶³ To this day, this case serves as a call for action for some sort of regulatory oversight of the safety of EHR systems.

Litigation and regulatory investigations are a fact of life. With the advent of EHRs, EMRs, PHRs, and mHealth devices, the discovery process has become more complex and time consuming than ever before. It is very different from paper-based discovery. With EHRs and digital devices, a whole new team of professionals with very specific skills and background is needed to conduct forensic examinations of the digital data so testimony can be taken before the court as to what happened in a case and why. According to healthcare defense attorney and e-discovery expert Chad Brouillard, “healthcare institutions will be footing the bill for increasing demands by litigants who want access to the data, metadata, and the original displays of data as originally viewed by the clinicians. Those demands come with significant technical, administrative, and legal expenses, which are born solely by the parties in healthcare.”⁵¹

Discovery and Admissibility of the EHR

Whether a record that is requested for litigation is actually discoverable or will be admitted as evidence during the course of a trial may significantly affect the outcome of a lawsuit. Therefore, it is important to distinguish between the discoverability versus the admissibility of a record as evidence into a court of law. Following is a summary of the differences between discovery and admissibility:

•  Discovery   Discovery is defined as “the entire efforts of a party to a lawsuit and his/her/its attorneys to obtain information before trial through demands for production of documents, depositions of parties and potential witnesses, written interrogatories (questions and answers written under oath), written requests for admissions of fact, examination of the scene and the petitions and motions employed to enforce discovery rights. The theory of broad rights of discovery is that all parties will go to trial with as much knowledge as possible and that neither party should be able to keep secrets from the other (except for constitutional protection against self-incrimination).”⁶⁴ Often much of the fight between the two sides in a suit takes place during the discovery period.

•  Admissibility   Admissibility denotes “evidence which the trial judge finds is useful in helping the trier of fact (a jury if there is a jury, otherwise the judge), and which cannot be objected to on the basis that it is irrelevant, immaterial, or violates the rules against hearsay and other objections. Sometimes the evidence an attorney tries to introduce has little relevant value (usually called probative value) in determining some fact, but prejudice from the jury’s shock at gory details may outweigh that probative value. In criminal cases the courts tend to be more restrictive on letting the jury hear such details for fear they will result in ‘undue prejudice.’ Thus, the jury may only hear a sanitized version of the facts in prosecutions involving violence.”⁶⁵

The Federal Rules of Evidence (FRE)⁶⁶

The Federal Rules of Evidence (FRE) are civil code adopted under the Rules Enabling Act that governs civil and criminal proceedings in federal court. The FRE are designed to secure judicial fairness, eliminate unjustifiable expense and delay, and promote the growth and development of the law of evidence. They provide for the exclusion of hearsay and exceptions to that rule. They also provide rules related to the authentication of evidence. For example, FRE Article X (Contents of Writings, Recordings and Photographs), Rule 101(1) sets forth the rules for the admission of digital writings, recordings, and photographs into a court of law. Under FRE Article X, writings and recordings are defined to include magnetic, mechanical, or electronic recordings. This means digital photographs that are stored on a computer are considered to be an original, and any exact copy of the digital photograph is admissible as evidence. (You should check your state’s rules of evidence for admissibility of digital recordings and photographs. Most states have enacted their own rules related to the admissibility of digital evidence into a court of law.)

The FRE have the force of statute, and the courts interpret them as they would any other statute. The Supreme Court promulgates the FRE, and they are amended from time to time by Congress, as they were in 2008, when FRE 502 was enacted to provide limitations on the waiver of attorney-client privilege and work product protection.

In September 2016, proposed amendments to FRE 803(16), Exceptions to the Rule Against Hearsay – Regardless of Whether the Declarant Is Available as a Witness – Statements in Ancient Documents, and FRE 902, Evidence That Is Self-Authenticating, were approved by the Judicial Conference Committee and submitted to the Supreme Court.^{67, 68} Barring any unforeseen changes, the amendments are expected to go into effect on December 1, 2017.

Medical Records as Hearsay

Hearsay is defined as “second-hand evidence in which the witness is not telling what he/she knows personally, but what others have said to him/her.”⁶⁹ Under traditional rules of evidence, medical records are considered to be hearsay by a court of law. Hearsay is generally not admissible as evidence into a court of law, because the person who made the original statement is not available to be cross-examined. EHR systems and the electronic exchange of health information sometimes add more challenges to the hearsay rule because of the distinction between electronically stored information that was generated by the computer versus information that was entered by a user into a computer system. That said, “The courts have acknowledged the distinction between computer-generated and computer-stored information. ‘If the system made the statement it is “computer-generated.” If a person inputs a statement into the system that then preserves a record of it, it is “computer stored” evidence.’”⁷⁰

Exceptions to the Hearsay Rule

Medical records are considered to be hearsay in the eyes of the court. However, they generally are admitted as evidence on other grounds. The most common way in which medical records are admitted as evidence into a court of law is through FRE 803. This rule is titled “Exceptions to the Rule Against Hearsay” and is also sometimes called the “business records exception.” It applies regardless of whether the declarant is available as a witness. Under FRE 803, there are 24 key exceptions to the rule against hearsay, regardless of whether the declarant is available as a witness:⁷¹ Summarized below are the most common exceptions to the hearsay rule that are used to admit medical records as evidence into a court of law.

•  Present sense impression   A statement describing or explaining an event or condition, made while or immediately after the declarant perceived it.

•  Excited utterance   A statement relating to a startling event or condition, made while the declarant was under the stress of the excitement that it caused.

•  Then-existing mental, emotional, or physical condition   A statement of the declarant’s then-existing state of mind (such as motive, intent, or plan) or emotional, sensory, or physical condition (such as mental feeling, pain, or bodily health), but not including a statement of memory or belief to prove the fact remembered or believed unless it relates to the validity or terms of the declarant’s will.

•  Statement made for medical diagnosis or treatment   A statement that is made for—and is reasonably pertinent to—medical diagnosis or treatment and describes medical history, past or present symptoms or sensations, their inception, or their general cause.

•  Recorded recollection   A record that is on a matter the witness once knew about but now cannot recall well enough to testify fully and accurately, was made or adopted by the witness when the matter was fresh in the witness’s memory, and accurately reflects the witness’s knowledge. If admitted, the record may be read into evidence but may be received as an exhibit only if offered by an adverse party.

•  Records of a regularly conducted activity   A record of an act, event, condition, opinion, or diagnosis that is admissible when it meets all of the following conditions:

• The record was made at or near the time by—or from information transmitted by—someone with knowledge.

• The record was kept in the course of a regularly conducted activity of a business, organization, occupation, or calling, whether or not for profit.

• Making the record was a regular practice of that activity.

• All these conditions are shown by the testimony of the custodian or another qualified witness, or by a certification that complies with Rule 902 or with a statute permitting certification.

• The opponent does not show that the source of information or the method or circumstances of preparation indicate a lack of trustworthiness.

•  Absence of a record of a regularly conducted activity   Evidence that a matter is not included in a record if the evidence is admitted to prove that the matter did not occur or exist when the record was regularly kept for a matter of that kind; and the opponent does not show that the possible source of the information indicates a lack of trustworthiness. The FRE and some states contain provisions that also make medical records admissible under the hearsay exception for public or official records, along with various other types of records such as marriage, birth, and death certificates and records from religious organizations.

You should check to determine if hearsay exception rules exist within your state. If so, understand what those exceptions are with regard to medical records and what the process is to authenticate and admit a medical record as evidence within your state. Medical records are also admissible in most states under workers’ compensation laws.

Physician-Patient Privilege

In certain circumstances, patients or healthcare providers may wish to safeguard protected health information from discovery by asserting a physician-patient relationship, thus shielding the protected health information from discovery. Nearly all states maintain statutes that protect the communications of a physician-patient relationship from disclosure in judicial or quasi-judicial proceedings under certain circumstances. The purpose of the physician-patient privilege doctrine is to encourage the patient to discuss and disclose all information for care and treatment.⁷²

Incident Report Privilege

An incident report is a useful tool for making decisions regarding liability issues that may stem from the event for which the report was generated. As a general rule, incident reports are protected from discovery. However, in 2014, supreme court decisions in three states—Kentucky, Utah, and North Carolina—addressed the discoverability of incident reports and focused on three distinct aspects of the issues.

In Tibbs v. Bunnell⁷³ the Kentucky Supreme Court held that data collected, maintained, and utilized as part of the Commonwealth of Kentucky’s Patient Safety Evaluation System (PSES) was not privileged under the Patient Safety Quality Improvement Act (PSQIA) and may be discovered.

In Allred v. Saunders⁷⁴ the Utah Supreme Court adjudicated an important discovery dispute between a hospital and a physician. The plaintiffs sought discovery of the physician’s credentialing file from the hospital as well as the incident report from the patient’s lithotripsy procedure. The hospital and the physicians petitioned for a protective order pursuant to Utah Rule of Civil Procedure 26(b)(1) that provides the following:

The Court held that this petition ought to have been granted, conditional on a proper factual foundation, since Utah R. Civ. P. 26(b)(1) created a broad evidentiary privilege. The Court then remanded the case back to the district court for an individualized assessment of the applicability of the privilege.

In Hammond v. Saini⁷⁵ the plaintiff was injured in a fire that occurred in an operating room that was part of a county health system. The defendants argued the establishment of a Root Cause Analysis (RCA) team constituted a medical review committee, and the documents created by the RCA team were shielded from discovery. The North Carolina Supreme Court found that an affidavit from the county health system’s risk manager was insufficient in meeting the required medical criteria as defined under N.C.G.S. § 131E–76(5)(c). Furthermore, the North Carolina Supreme Court ruled that the RCA Policy was also insufficient in demonstrating the applicability of N.C.G.S. §§ 131E–76(5) and 131E–95(b), in part, because the Court found that it did not appear that the RCA Policy had been adopted by the governing board or medical staff of the county health system. As a result, the Court held that the documents created by the RCA Team did not constitute a medical committee and thus their documents were not shielded from discovery.

Even if incident reports are not protected from discovery by state statute, the incident reports may be determined to be inadmissible as evidence under the hearsay rule. Incident reports serve not only to document the details, circumstances, and witnesses to an unusual event but also to alert defense counsel or insurers about potential liability issues that may arise at a future date. As is the case with records of peer-review activities, the first step in determining whether the records of the organization’s incident reports are discoverable or admissible is to examine state statutory and case law for an understanding of how the statutes were applied by the court.

Similar to records of peer-review activities, incident reports hold significant evidentiary value to individuals and attorneys who are suing the organization for damages that may have occurred to them as a result of the untoward event. Therefore, the scope and application of any privilege that may protect incident reports from discovery is highly dependent on state law; the allegations contained in the lawsuit; and the nature, scope, and duties of the individual(s) responsible for reviewing the incident report, investigating the circumstances, and developing the report surrounding the event. Based on the decisions in the Kentucky, Utah, and North Carolina state supreme courts, entities are being challenged now to review their organizational policy and procedures. Organizations must establish information governance programs that include quality improvement, risk management, and litigation response planning activities as foundational components of their programs. Legal counsel and risk management staff must be knowledgeable about local, state, and federal rules of evidence and civil procedure surrounding the submission of evidence into a court of law.

The Scope and Procedures of E-Discovery Process

The scope and procedure for the process of discovery of information that may be relevant to litigation is contained in Rule 26(b) of the FRCP (Duty to Disclose; General Provisions Governing Discovery; Discovery Scope and Limits), which states:

Like the FRE, the FRCP are amended periodically by Congress. They underwent significant changes in 2006, 2010, and 2015 to address issues related to the discovery of electronically stored information in federal district courts. As the following excerpts indicate, these e-discovery amendments have been adopted by many states:

•  As Thomas Allman notes in “E-Discovery in Federal and State Courts: The Impact of Rulemaking – Past and Future,” “Thirty-two states have adopted e-discovery amendments as part of their civil rules inspired in whole or in part by the provisions of the 2006 Amendments.”⁷⁷

•  As Chad Brouillard, an attorney practicing in Boston, observes in “Not a Bang, a Whimper: The Silent E-Discovery Revolution,” “…e-discovery has impacted our state practice in a subtle, not dramatic fashion.”⁷⁸

The subtle changes at the state and local court levels combined with the proliferation of electronically stored information now being utilized in the state and local court systems are further driving the need not only for legal counsel, the judiciary, and healthcare professionals to understand the design, structure, and function of today’s EHR systems, but also for the establishment of standardized systems and approaches in the culling, searching, preservation, collection, processing, and analysis of information in order to produce relevant information from EHRs, PHRs, eHealth devices, and other healthcare systems, such as eHealth Exchange data, e-prescribing, and telemedicine encounter data.

Impact of the 2015 Amendments to the E-Discovery Process

Despite the 2006, 2010, and 2015 amendments to the FRCP, legal counsel and judges are continuing to engage in discovery disputes and struggle with issues pertaining to the identification, preservation, collection, and production of electronically stored information (ESI) in the digital era. Furthermore, these challenges are becoming particularly perplexing when it comes to the healthcare e-discovery process. As Chad Brouillard writes in “EHR Audit Trails Might Reveal More Than You Think: Hall v. Flannery, a Sign of the Times:”

On December 1, 2015, the third set of amendments involving the discovery of ESI were made to the FRCP, which govern civil litigation in the federal courts.⁷⁹ These amendments highlight the important role electronic discovery continues to play in both litigation and regulatory investigations. The 2015 amendments reflect a diligent effort on the part of the drafters to reduce the costs and burdens that are associated with discovery and a continued concentrated effort to streamline the process and advance cooperation between the parties and to involve the court in the process.

It remains to be seen what, if any, impact the amendments will have in reducing overall discovery costs and burdens until such time that the courts apply and interpret them. Many experts predict increased costs in the initial stages of litigation, as some of the new rules shift certain actions to earlier in the proceedings.

To date, the courts that have dealt with these new amendments have found that, by and large, they have not radically altered the nature of the discovery process.

The key 2015 FRCP amendments are summarized in Table 17-2.⁷⁹

Table 17-2 FRCP 2015 Amendments

Figure 17-1 shows the Electronic Discovery Reference Model (EDRM), a leading standards organization for the e-discovery and information governance marketplace acquired by Duke Law in August 2016.⁸⁰ The EDRM provides a conceptual view of the ESI discovery process and demonstrates how and why the management of health information involves the adoption of good information governance policies and procedures regarding privacy, security, and the storage, retention, and destruction of information. In addition, covered entities should establish data maps and information management plans to help legal counsel and regulatory agencies understand the uses of data and how data flow in and out of the organization.

Figure 17-1 Electronic Discovery Reference Model

The 2006, 2010, and 2015 FRCP amendments, coupled with widespread adoption of EHRs, continue to mandate the need for new HIT standards and approaches to support the discovery of health information from EHRs, PHRs, mHealth devices, e-prescription management, telemedicine, and eHealth information exchange systems. Chad Brouillard addresses this need in “EHR Audit Trails Might Reveal More Than You Think: Hall v. Flannery, a Sign of the Times”:⁵¹

As Brouillard concludes, the answers to these questions will have a direct and profound impact on litigation, especially as it relates to the discovery of health information from EHRs and other related devices and the disruptive impact that EHRs are having on litigation costs.

The passage of the 21st Century Cures Act will also further advance the development of standards for EHR usability and interoperability for both the clinical and legal processes. The new healthcare IT standards that will be developed through the implementation of electronic exchange will help to drive down discovery costs, and improve innovation techniques to be used to aid in the searching, culling, preservation, and production of PHI data.²¹

Duty to Preserve Relevant Evidence and Establishing Legal Holds

A classic series of precedent-setting caselaw decisions regarding e-discovery arose out of the case Zubulake v. USB Warburg between 2003 and 2005. The decisions, issued by Judge Shira Scheindlin in the U.S. District Court for the Southern District of New York State, are known as Zubulake I–V and are significant because they were utilized in the development of the 2006 and 2015 amendments to the Federal Rules of Civil Procedure. Zubulake IV remains known as the “gold standard” caselaw decision regarding the duty to preserve evidence. In this landmark decision, the court determined “The obligation to preserve evidence arises when the party has notice that the evidence is relevant to litigation or when a party should have known that the evidence may be relevant to future litigation.”⁸¹

To comply with the Zubulake IV standard, a component of any litigation response plan should include the identification of specific events or occurrences known as “litigation triggers,” in which the organization or provider immediately identifies, preserves, and establishes a legal hold on all information (paper and electronic) that may be relevant to a legal action or regulatory investigation. Furthermore, an organization with a well-established information governance program should be able to easily assess and value the risk of a potential case the moment it knows or reasonably should have known of a potential risk to the organization.

Once an organization or provider has established a legal hold (which should always be in writing and issued at the direction of legal counsel, risk management, or corporate compliance as appropriate), a process should also be in place to confirm that all custodians and the IT department have received the legal hold and understand it. Once the legal hold has been issued, the organization must establish a process to routinely review and monitor the legal hold and expand or retract it as the facts of the case or investigation into a potential threat become known.

The Path Forward: A Coming Together of Laws, Rules, and Regulations

The enactment of the American Recovery and Reinvestment Act (ARRA) and the Patient Protection and Affordable Care Act (ACA) laid the foundations of the current healthcare system.

In June 2014, the ONC released a high-level report, created with input from stakeholders, entitled Connecting Health and Care of the Nation: A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure. This document describes the ONC’s broad vision and framework to develop the nation’s healthcare IT infrastructure of tomorrow and to work to establish a clear pathway toward interoperability.⁸² This report was created to invite healthcare IT stakeholders—clinicians, consumers, hospitals, public health, technology developers, payers, researchers, policymakers, and many others—to join the ONC in developing a defined, shared roadmap that would allow the nation to collectively achieve healthcare IT interoperability as a core foundational element of a learning health system.

The healthcare IT infrastructure that has been outlined by the ONC will have a direct impact on local, state, and federal civil procedural rules as the discovery of ESI will be more commonplace than paper discovery and new skills, systems, and processes will be required to access, preserve, and produce relevant health information.

The ONC remains at the forefront of healthcare IT advancement efforts. Meanwhile, the establishment of the eHealth Exchange (introduced in Chapter 13) and the development of standards for interoperability are working to realize the vision set forth in the President’s Council of Advisors on Science and Technology (PCAST) report.⁸³ These forces of federal and non-federal agencies are coming together with a common mission and purpose to improve patient care, streamline disability benefit claims, and improve public health reporting through secure, trusted, and interoperable health information exchange.

The HITECH Act

As part of the ARRA of 2009, the HITECH Act expanded HIPAA Privacy Rule requirements. Section 13402 of the HITECH Act also established a new federal security breach reporting requirement for HIPAA covered entities (CEs) and their business associates (BAs). Section 13402 requires a CE that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to “notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.”⁸⁴

The Health Insurance Portability and Accountability Act

The enactment of HIPAA established a complex and comprehensive federal scheme for the privacy and security of PHI. While federal law takes precedence in conflicts between federal and state law, HIPAA contains provisions that determine when HIPAA will preempt state law in matters relating to privacy and security. Generally, the more stringent rule—federal or state—is the law that will apply in matters related to the protection of health information. HIPAA regulations establish an array of individual rights with respect to the maintenance and access to their health information. For more information on HIPAA, see Chapter 15. For brevity, the information about HIPAA in Chapter 15 will not be repeated here. Instead, salient aspects of HIPAA as they apply to legal record concepts are discussed in this section.

Individuals, agencies, and organizations that meet the definition of a covered entity under HIPAA are responsible for the protection of the privacy and security of health information and must provide individuals with certain rights with respect to their health information, irrespective of in whatever form, format, or location it may exist.

If a CE utilizes a BA to help it carry out its healthcare activities and functions, that CE must also establish a written BA contract or another contractual arrangement with the BA that establishes specifically what the BA has been engaged to do and requires the BA to comply with the HIPAA requirements to protect the privacy and security of PHI. In addition to these contractual obligations, BAs are also directly liable under HIPAA for their actions and may be subject to civil and, in some cases, criminal penalties for making uses and disclosures of PHI that are not authorized by its contract or required by law.

The HIPAA Privacy Rule has always provided individuals with a right to access and copy their health information. Historically, the Health Information Management (HIM) Department or Medical Records Department often served as the central clearinghouse within the organization for the receipt, review, and processing of the requests for health information. Today, however, the widespread adoption of EHRs coupled with changing regulations and care delivery models and settings are demanding that individuals and their agents be given access to their health information not only in a wide variety of forms and formats, ranging from paper to electronic means, but also more quickly, easily, in real time, and on demand.

The OCR maintains that individuals have a basic right to their health information and also believe individuals should be engaged in the healthcare decision-making process. One of the best ways providers and organizations can achieve both is to empower individuals by giving them robust access to their health data.

On January 7, 2016, the OCR took a groundbreaking first step in reducing what some describe as long-standing obstacles and barriers that have hindered individuals and requesting parties in obtaining copies of medical records and other health information from providers, hospitals, and health insurance plans.⁸⁵ The OCR released for the first time a series of frequently asked questions (FAQs) to educate individuals and entities alike about an individual’s right to access their health information under HIPAA and to help them take advantage of this right.

These FAQs have had the practical effect of becoming a first step in transforming the healthcare release of information (ROI) and e-discovery processes as the rules continue to overlap and converge closer to one another—topics we reviewed in the sections regarding the amendments to the FRCP and their impact on the e-discovery and ROI processes. The following sections compare and contrast the ROI and e-discovery processes.

The Convergence of E-Discovery and Release of Information Processes

The discovery of electronically stored information is growing and evolving almost as rapidly as our healthcare information infrastructure.⁸⁶ This has been due in large part to the enactment of the 2006, 2010, and 2015 FRCP amendments, as well as the steady adoption of e-discovery rules in state courts. To date, over two-thirds of the state courts have established some form of e-discovery rules.

“Electronic medical records can overwhelm—and often change—the course of a medical liability lawsuit,” says defense attorney Catherine J. Flynn.⁸⁷ The EDRM previously presented in Figure 17-1 depicts the process by which information is searched, preserved, culled, analyzed, and produced for litigation. As the diagram depicts, a vast amount of information is initially collected and preserved, yet only a very small amount of data is actually produced and presented at trial.

The adoption of EHRs, electronic exchange of health information (interoperability), PHRs, mHealth devices, and health social media, all of which share health information with providers, will make this process even more challenging in the years ahead and will require trained legal and clinical professionals to review the information contained in an EHR and testify before a court of law.

In addition, as previously mentioned, one of the more notable phenomena arising in healthcare today is the overlap and interrelationship between the ROI and e-discovery processes. An examination of FRCP Rules 34 and 45 overlaid against the 2016 OCR HIPAA access requirements demonstrates how and why the e-discovery and ROI processes are now converging and overlapping with one another. These once separate functions have now become closely and inextricably linked and related to one another, and are crucial components of any information governance program. There are six crucial components to any information governance program, each of which builds and depends on the others, as depicted in Figure 17-2 and briefly described here:

Figure 17-2 Information governance program building blocks

•  Tapestry of state, federal, and other regulatory requirements   The foundational state and federal e-discovery rules, along with other state and licensing requirements that healthcare organizations and providers must comply with. They include, but are not limited to, Medicare, Medicaid, and state requirements; regulatory standards required by the Joint Commission, National Committee for Quality Assurance (NCQA), and URAC; and health plan database reporting requirements set forth by the Healthcare Effectiveness Data and Information Set (HEDIS).

•  Compliance, risk management, and litigation response planning   The organization’s ability to measure and assess its risk and to review and respond to risk management occurrences, including but not limited to security breaches, patient safety incidents, unexpected patient deaths, regulatory compliance and litigation matters, and organizational policies for the review and establishment of legal holds.

•  Data quality review and audit   The establishment of internal and external controls on the review of the quality and integrity of documented clinical and financial data, including the existence of a clinical documentation improvement program.

•  Information integrity during data creation and usage   The establishment of standards and time checks to ensure that the information created from the organization’s EHR and other HIT systems is accurate and time synchronized properly.

•  Privacy and security policies and procedures   The establishment of written policies and procedures that describe who has access to the organization’s EHR and other HIT systems, how passwords are used and maintained, and what privacy and security training is required of all individuals within the organization.

•  Information is valued as an asset class   This is the highest tier. It requires leadership and the ability to use information strategically. Organizations with mature information governance programs will have a formal means to place a numeric value on their information to assess risk, establish defensible legal holds, and reduce threats. At this level of operation, the entity can more easily identify a threat (HIPAA or cybersecurity breach or litigation threat) early on in the matter, assign a value to the case, and investigate the matter and readjust the value of the case as the facts become known.

As shown in Table 17-3, historically, the Health Information Management (HIM) Department was designated as the official custodian of the patient’s medical record. As such, most HIM departments are experienced in processing and responding to state and local court subpoenas, as the vast majority of malpractice litigation occurs at those levels. However, in the new and changing health information governance paradigm, organizational procedures related to the access and processing of PHI, processing of subpoenas, and release of information requests are going to change and evolve dramatically as more PHI that providers rely upon for decision making (such as genetic and genomic data) resides in locations outside of the EHR, including but not limited to e-mail, mHealth devices, social media, voicemail, and other digital files and formats.

Table 17-3 Contrast and Comparisons of Release of Information vs. E-Discovery Processes⁸⁸

The Concept of the Legal Health Record

Healthcare providers, attorneys, and the courts all rely upon, utilize, and exchange “relevant” information, whether their case is a clinical one or a legal one. The combination of FRCP Rule 26(b) and the new HIPAA access rules is compelling healthcare and legal providers alike to rethink the nature, composition, and content of the patient’s medical record. The rethinking of the composition of the medical record facilitates setting aside elements of the record included by other designations, such as HIPAA’s designated record set, which is usually of no interest in discovery, to thinking about other aspects of the medical record that were traditionally not elements of a discovery request. Data items such as HIPAA audit trails, clinical decision support functions, or data from biomedical devices may be in scope in a given litigation setting.⁸⁹ These and other considerations are mandating the need for the establishment of new standards, systems, and processes for the culling, searching, processing, and production of health information for both discovery and release of information purposes, along with the establishment of information governance programs which now value data as an asset class and are demanding processes in place to measure and assess risk.⁸⁹

The concept of “relevancy” is an important decision-making factor in both the clinical and legal process. The legal industry has long understood this concept, and for that reason, the concept of relevancy is incorporated into the e-discovery rules. The further challenge the healthcare industry, attorneys, and the courts have before them now is how to rethink and redefine: (1) the form, format, content, and location of the “legal health record” within changing, expanding, and system-to-system variability in the nature and scope of “relevancy,” and (2) aging concepts for defining sufficiency for release of information for disclosure purposes, as in the “legal health record” concept.

To date, there have been many attempts to define or redefine the “legal health record” to bridge from paper to digital environments. The following are representatives of the many definitions and principles surrounding the composition of the “legal health record”:

•  Definition of the legal health record   “A legal health record (LHR) is the documentation of patient health information that is created by a health care organization. The LHR is used within the organization as a business record and made available upon request from patients or legal services.”⁹⁰

•  Defining the legal health record: A guiding principle   “Defining the legal record – A healthcare organization collects a variety of information on individuals (clinical, financial, administrative). Organizations must identify, and declare, in policy the content of the formal health record that will be the official representation of a stay, encounter, or episode of care and disclosed upon request.”⁷⁰

These definitions and principle are now inadequate and passé when measured against the backdrop of the intent of federal, state, and local e-discovery rules that mandate the requester be given access to any/all “relevant” information in today’s mix of paper and digital records. No longer is it appropriate for a provider or healthcare organization to declare what is the “official representation” of a stay, encounter, or episode of care that will be disclosed upon request. Rather, the new HIPAA access requirements now support the concept of allowing an individual access to any/all “relevant” PHI and specifically define a “record” as follows:

Under the new HIPAA access rules, individuals have a right to a broad array of health information about themselves maintained by or for CEs, including medical records, billing and payment records, insurance information, clinical laboratory test results, medical images such as X-rays, wellness and disease management program files, and clinical case notes, among other information used to make decisions about individuals. In responding to a request for access, a CE is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.⁹¹

This paradigm shift now requires the healthcare industry to rethink the defining characteristics and supporting principles of the HIPAA designated record set, along with a means to assure the quality and veracity of the data for each of multiple designated end uses. Significant rethought is expected in the context of e-discovery rules and OCR access requirements as it is becoming clearer how to establish the associated new information governance and ROI processes that embrace the concept of “relevance” in the context of leveraging the improved capabilities for EHRs to produce outputs designed to meet various end-use requirements and specifications.

Furthermore, as national security and intelligence interests continue to rise, investigators will require access to records, including medical records, for the conduct of lawful intelligence, counterintelligence, and other national security activities authorized by the National Security Act.

The 21st Century Cures Act also lays forth new requirements for the electronic exchange and interoperability of EHR systems (Title IV—Delivery) and calls upon the OCR to establish additional guidance that would further clarify the permitted uses and disclosures of PHI of patients undergoing or seeking behavioral health or substance use disorder treatment (Title XI—Compassionate Communication on HIPAA). This guidance includes requiring HHS to develop model education and training programs to educate stakeholders on the permitted uses and disclosures of such information.²¹

Because of these changing paradigms, it is becoming clear that the concept of the “legal health record” is becoming obsolete because it erroneously conveys the misconception that the provider or entity can establish through policy what is and what is not “legal” for discovery and disclosure purposes. The problematic nature of this concept becomes clear, especially when measured against OCR guidance regarding what covered entities should define as an individual’s designated record set for disclosure purposes under HIPAA.⁹²

No better example of the struggle to define the HIPAA designated record set and concept of relevance can be found than in the evolving field of genomics. As Kannry and Williams state in Integration of Genomics into the Electronic Health Record: Mapping Terra Incognita, “To date, no commercial EHR system has been described that systematically integrates genetic or genomic data, let alone uses this information to translate disease risk into treatment recommendations.”⁹³ As Kannry and Williams find, today, genomic data is not integrated into a patient’s EHR. Therefore, when it comes to a traditional ROI disclosure request for a patient’s medical record, this important, and what could be argued clinically relevant, piece of clinical data cannot be produced as part of the patient’s EHR because these data reside outside of it.

As such, the principle that “organizations must identify, and declare, in policy the content of the formal health record that will be the official representation of a stay, encounter, or episode of care and disclosed upon request⁷⁰ is troubling when measured against the new HIPAA access rules that state that individuals be provided access to “any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.”⁹¹

Healthcare IT and HIM professionals have vital roles in helping legal and compliance professionals preserve, search, cull, and produce information that may be relevant to litigation or regulatory investigations. They may also potentially serve as expert witnesses in litigation and regulatory investigations in helping attorneys and the courts assess and interpret the quality and integrity of the ICD, CPT, SNOMED CT, and LOINC coded information contained in the patient’s medical record. (For more information on these code sets, see Chapter 13.) As the OCR continues to educate consumers on their right to access their health data, it is predicted that new systems and processes will be established to provide individuals with more robust, direct, real-time access to their health information to be used for a variety of purposes, ranging from the management of their health to litigation, all of which point to a need for accessible and trustworthy data. Furthermore, preservation and access rules governing the clinical data contained on PHRs, health social media, and other devices may be of tremendous value to a provider in the face of impending litigation. However, they are often left unaware of the existence of this information because of the lack of standards, rules, and regulations governing the use, preservation, disclosure. and protection of this information.

A New Era in the Nation’s Health Information Infrastructure

On July 1, 1944, President Franklin D. Roosevelt signed the Public Health Service Act⁹⁴ into law. This groundbreaking piece of legislation led the way toward the development of the healthcare delivery system that the nation enjoys today. Many of the federal regulations that govern the nation’s healthcare delivery system stem from the Public Health Service Act. At the time of the signing of the Public Health Service Act, President Roosevelt said:

Over seventy years later, the nation is on the precipice of a new era in the nation’s health information infrastructure. Yet a look back upon President Roosevelt’s statement reveals that many of those guiding principles that motivated the enactment of the Public Health Service Act, such as the goal of improving national health, remain true today.

Cures Act

On December 13, 2016, President Barack Obama signed into law the 21st Century Cures Act, previously discussed. This legislation received wide bipartisan support. The Senate passed the bill by a vote of 94–5, and the House passed an almost identical version of the Senate bill at 392–26.²¹ The Cures Act covers many topics, mostly surrounding new drug discovery and medical devices. The Act also contains provisions to improve behavioral health and substance abuse treatment and to improve patient access to new therapies, and includes new rules and provisions related to HIPAA, PHI, and the interoperability of healthcare IT.

The Act is a milestone piece of legislation in the evolution of the nation’s health information infrastructure and the future of healthcare. There are several provisions in the Act that will further the growth, development, and advancement of healthcare IT, and facilitate providers to utilize EHR data and other relevant information to reduce variations in care, improve outcomes, and better coordinate the care delivery process.

NIST⁹⁶

Founded in 1901, the National Institute of Standards and Technology (NIST) is one of the nation’s oldest physical science laboratories and is part of the U.S. Department of Commerce. Congress established NIST to remove challenges the U.S. once faced from industrial competitors such as Germany, the United Kingdom, and other nations.

Through the establishment of NIST, the U.S. became a leading innovator and maintains a broad and far reaching role in the design, build, and support of the nation’s technological infrastructure. Whether it is the smart electric power grid, atomic clocks, advanced nanomaterials, computer chips, build of the cybersecurity framework, or the development and testing of core healthcare IT standards for EHRs,⁹⁷ the nation relies in some way on the technology, measurement, and standards provided by NIST.

As a new era in the design and build of the nation’s health information infrastructure begins, reliance on NIST standards for EHRs, cybersecurity, and science and medicine all become integral components of the infrastructure and healthcare delivery of tomorrow.

As Figure 17-3 depicts, existing federal health insurance programs such as Medicare, Medicaid, and CHIP and laws such as HIPAA form the foundation of today’s healthcare delivery system. Laws, rules, and regulations serve as their cornerstone, and are supported by the 2015 and 2016 amendments to the FRCP and FRE. The passage of the Cures Act²¹ coupled with development of NIST healthcare IT standards⁹⁸ increased focus on cybersecurity, and, most importantly, President Trump’s executive order “Minimizing the Economic Burden of the Patient Protection and Affordable Care Act Pending Repeal”³⁰ will set forth a new vision and direction for the healthcare delivery system and information infrastructure of tomorrow.

Figure 17-3 A new era in the evolution of the nation’s health information infrastructure is underway.

Chapter Review

The ARRA, ACA, HIPAA, and the HITECH Act laid the foundation for the design and build of the nation’s health information infrastructure. In 2014, the ONC high-level report Connecting Health and Care for the Nation: A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure provided further direction and vision for the nation’s health information infrastructure.⁸² The recent passage of the Cures Act²¹ and the signing of the executive order “Minimizing the Economic Burden of the Patient Protection and Affordable Care Act Pending Repeal”³⁰ have begun a new era in the evolution of the nation’s healthcare delivery system and information infrastructure of tomorrow.

Local, state, and federal rules governing the discovery of ESI play an important role in the discovery of health information contained in EHRs and other devices as evidence in a court or law. The healthcare industry is at a critical juncture in reshaping the health information infrastructure of tomorrow. It is important, then, that all healthcare professionals understand the structure and sources of law in the United States and how the EHR serves not only as an important tool for providers in care delivery, but also as evidence in a court of law or to aid in a regulatory investigation.

Questions

To test your comprehension of the chapter, answer the following questions and then check your answers against the list of correct answers that follows the questions.

    1.  Which of the following is not one of the four goals of the HITECH Act?

         A.  Savings

         B.  Investment in HIT infrastructure

         C.  Government oversight

         D.  Establishment of the Health Insurance Marketplace

    2.  The OCR published a new series of FAQs in 2016 to educate individuals about which of the following?

         A.  Procedures for enrollment in the Health Insurance Marketplace

         B.  How to file a discrimination complaint

         C.  Individuals’ rights to access their health information

         D.  Fines and penalties for HIPAA violations

    3.  What is the name of the agency that oversees the privacy and security of health data collected by entities not regulated by HIPAA?

         A.  FTC

         B.  CMS

         C.  FDA

         D.  No federal agency has been designated to oversee the privacy and security of health data collected by entities not regulated by HIPAA.

    4.  What is the name of the federal agency that is responsible for oversight of certified healthcare IT?

         A.  AHRQ

         B.  ONC

         C.  No federal agency is responsible for assuring that certified healthcare IT systems are safe and secure.

         D.  FDA

    5.  Which is the principal investigative agency in the fight against healthcare fraud?

         A.  FBI

         B.  HHS

         C.  OIG

         D.  HFPP

         E.  OIG

         F.  All of the above

    6.  The political doctrine of constitutional law in which the three branches of government are kept separate to prevent an abuse of power is known as which of the following?

         A.  Common law

         B.  Executive powers

         C.  Separation of powers

         D.  Judicial powers

         E.  All of the above

         F.  None of the above

    7.  The passage of the 21st Century Cures Act lays forth which of the following?

         A.  Interoperability and healthcare IT standards

         B.  A new era in the evolution of the nation’s healthcare delivery system and information infrastructure

         C.  HIPAA provisions for access to PHI in research

         D.  All of the above

         E.  None of the above

    8.  Which two of the following choices accurately describe differences between paper-based medical records and EHRs?

         A.  Paper records are easier to change than EHRs.

         B.  EHRs are easier to change than paper records.

         C.  Paper records exist in substantially greater volumes than EHRs.

         D.  EHRs exist in substantially greater volumes than paper.

    9.  A medical record is generally admitted as evidence into a court of law under the ______________.

         A.  HIPAA rule

         B.  Hearsay rule

         C.  Federal Rule of Civil Procedure 37(e)

         D.  Federal Rule of Evidence 803

         E.  All of the above

         F.  None of the above

Answers

    1.  D.   The establishment of the Health Insurance Marketplace is not one of the four goals of the HITECH Act. The four main goals of the HITECH Act are government oversight, investment in HIT infrastructure, savings, and the establishment and enforcement of stricter federal privacy and security laws.

    2.  C.   The OCR published the new set of FAQs to educate individuals about their rights to access their health information. The Privacy Rule generally requires HIPAA covered entities (health plans and most healthcare providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more designated record sets maintained by or for the covered entity.

    3.  D.   At the present time, oversight gaps exist between HIPAA covered entities that collect health date from individuals and entities that are not regulated by HIPAA but also collect health data. There is no federal agency with oversight for the latter group.

    4.  C.   There is no federal agency responsible for regulating or overseeing healthcare IT system design or safety standards.

    5.  A.   The FBI serves as the principal investigative agency involved in the fight against healthcare fraud and maintains jurisdiction over both federal and private healthcare insurance programs.

    6.  C.   The three branches of government operate under a concept known as the separation of powers. Under this concept, as established by the framers of the Constitution, no branch of the government shall have more power or control than the other two branches in the exercise of its functions and activities.

    7.  D.   The Cures Act is a milestone piece of legislation in the evolution of the nation’s health information infrastructure and the future of healthcare.

    8.  B, D.   As outlined in Table 17-1, EHRs are easier to change than paper-based medical records and EHRs exist in substantially greater volumes than paper-based medical records.

    9.  D.   Although medical records are considered to be hearsay in the eyes of the court, they generally are admitted as evidence on other grounds. The most common way in which medical records are admitted as evidence into a court of law is through FRE 803, which is titled Exceptions to the Rule Against Hearsay.

References

    1.  Definition of “law.” Law.com. Accessed on February 4, 2017, from http://dictionary.law.com/Default.aspx?selected=1111.

    2.  Definition of “regulation.” FreeDictionary.com. Accessed on February 4, 2017, from http://legal-dictionary.thefreedictionary.com/regulation.

    3.  The White House. (2017). The Executive Branch: The President, the Vice President, Executive Office of the President, the Cabinet. Whitehouse.gov. Accessed on January 30, 2017, from https://www.whitehouse.gov/1600/executive-branch.

    4.  The President’s Advisory Commission on Consumer Protection and Quality in the Health Care Industry. (1998). Quality first: Better health care for all Americans—final report. Accessed on January 30, 2017, from https://archive.ahrq.gov/hcqual/.

    5.  Federal Register, National Archives and Records Administration. (2017). Reader aids: Insight into FR publications–Executive orders. (2017) Accessed on February 28, 2017, from https://www.federalregister.gov/executive-orders.

    6.  U.S. Constitution, art. II, § 3, Constitutional Powers of the President. Accessed on January 30, 2017, from http://law2.umkc.edu/faculty/projects/ftrials/conlaw/prespowers.html.

    7.  Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579 (1952). Accessed on January 30, 2017, from www.casebriefs.com/blog/law/constitutional-law/constitutional-law-keyed-to-stone/the-distribution-of-national-powers/youngstown-sheet-tube-co-v-sawyer-2/.

    8.  Dry, M. (1967). The separation of powers and representative government. Political Science Reviewer 3, 43. Accessed on February 28, 2017, from https://isistatic.org/journal-archive/pr/03_01/dry.pdf.

    9.  Wolters Kluwer Editorial Staff. (2016, Dec. 19). Trump’s win expected to bring significant legal and regulatory changes. Accessed on January 31, 2017, from https://lrus.wolterskluwer.com/.

  10.  NPR. (2017, Jan. 18). Transcript Senate Health Committee questions Rep. Tom Price in HHS confirmation hearing. Accessed on March 1, 2017, from www.npr.org/2017/01/18/510472472/senate-health-committee-questions-rep-tom-price-in-hhs-confirmation-hearing.

  11.  The White House, Office of the Press Secretary. (2017, Feb. 27). Remarks by President Trump in listening session with health insurance company CEOs. February 27, 2017 Accessed on March 1, 2017, from https://www.whitehouse.gov/the-press-office/2017/02/27/remarks-president-trump-listening-session-health-insurance-company-ceos.

  12.  Kang, J. (2017, Feb. 28). Three priorities for Seema Verma as she nears CMS confirmation. HealthcareDive. Accessed on February 28, 2017, from www.healthcaredive.com/news/three-priorities-for-seema-verma-as-she-nears-cms-confirmation/437083/

  13.  NPR. (2017, Feb. 28). Trump’s address to joint session of Congress. Accessed on March 1, 2017, from www.npr.org/2017/02/28/516717981/watch-live-trump-addresses-joint-session-of-congress.

  14.  U.S. Constitution, art. 1, § 1. Accessed on July 10, 2016, from https://www.law.cornell.edu/anncon/html/art1frag1_user.html#art1_hd4.

  15.  U.S. Constitution, art. 1, § 8, clause 18. Accessed on July 10, 2016, from http://press-pubs.uchicago.edu/founders/tocs/a1_8_18.html.

  16.  U.S. Department of Health and Human Services (HHS). (2016). HHS.gov. Accessed on July 25, 2016, from https://www.hhs.gov/.

  17.  Centers for Medicare and Medicaid Services. (2016). CMS.gov. Accessed on July 25, 2016, from https://www.cms.gov/.

  18.  HHS, Office for Civil Rights. (2016). HHS.gov. Accessed on July 25, 2016, from https://www.hhs.gov/ocr/.

  19.  Office of the National Coordinator for Health Information Technology. (2016). HealthIT.gov. Accessed on July 25, 2016, from https://www.healthit.gov/.

  20.  Office of the National Coordinator, Office for Civil Rights, Federal Trade Commission. (2016, July 19). Examining oversight of the privacy and security of health data collected by entities not regulated by HIPAA. Accessed on July 25, 2016, from https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf.

  21.  21st Century Cures Act, H. R. 34, 114th Cong. (2016, Dec. 13). Accessed on January 30, 2017, from https://www.congress.gov/bill/114th-congress/house-bill/34/text.

  22.  Federal Policy for the Protection of Human Subjects, 82 Fed. Reg. 7149 (2017, Jan. 19). Accessed on February 5, 2017, from https://www.gpo.gov/fdsys/pkg/FR-2017-01-19/pdf/2017-01058.pdf.

  23.  Federal Trade Commission (FTC). (n.d.). Competition in the health care marketplace. Accessed on July 25, 2016, from https://www.ftc.gov/tips-advice/competition-guidance/industry-guidance/health-care.

  24.  FTC. (n.d.). Health breach notification rule. Accessed on July 25, 2016, from https://www.ftc.gov/system/files/documents/plain-language/bus56-complying-ftcs-health-breach-notification-rule.pdf.

  25.  FTC. (n.d.). Mobile health applications interactive tool. Accessed on July 25, 2016, from https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-apps-interactive-tool.

  26.  U.S. Food and Drug Administration (FDA). (2016). FDA.gov. Accessed on July 25, 2016, from https://www.fda.gov/.

  27.  Internal Revenue Service (IRS). (2016). IRS.gov. Accessed on July 25, 2016, from https://www.irs.gov/.

  28.  Patient Protection and Affordable Care Act, H. R. 3590, 111th Cong. (2010), Pub. L. No. 111-148. Accessed on July 10, 2016, from https://www.congress.gov/bill/111th-congress/house-bill/3590.

  29.  National Federation of Independent Business et al. v. Sebelius et al., 132 S. Ct. 2566 (2012, June 28). Accessed July 12, 2016, from www.casebriefs.com/blog/law/health-law/health-law-keyed-to-furrow/health-care-cost-and-access-the-policy-context/national-federal-of-independent-business-et-al-v-sebelius/.

  30.  President of the United States. (2017, Jan. 20). Executive Order: Minimizing the economic burden of the Patient Protection and Affordable Care Act pending repeal. Accessed on February 3, 2017, from https://www.whitehouse.gov/the-press-office/2017/01/2/executive-order-minimizing-economic-burden-patient-protection-and?

  31.  HHS, Office of Inspector General. (2016). OIG.HHS.gov. Accessed on July 25, 2016, from https://oig.hhs.gov/.

  32.  Federal Bureau of Investigation (FBI). (2017). FBI.gov. Accessed on February 2, 2017, from https://www.fbi.gov/.

  33.  Healthcare Fraud Prevention Partnership (HFPP). Accessed on February 2, 2017, from https://hfpp.cms.gov/.

  34.  National Health Care Anti-Fraud Association (NHCAA). (n.d.). Who we are. Accessed on February 2, 2017, from https://www.nhcaa.org/about-us/who-we-are.aspx.

  35.  U.S. Department of Justice (DOJ). (2016). Justice.gov. Accessed on July 25, 2016, from https://www.justice.gov/about.

  36.  HHS and DOJ. (2017). Stop Medicare fraud: Health Care Fraud Prevention and Enforcement Action Team (HEAT) task force. Accessed on February 2, 2017, from https://www.stopmedicarefraud.gov/aboutfraud/heattaskforce/.

  37.  DOJ. (2016, Nov. 11). Jury convicts home health agency owner in $13 million Medicare fraud conspiracy. Justice.gov. Accessed on February 3, 2017, from https://www.justice.gov/opa/pr/jury-convicts-home-health-agency-owner-13-million-medicare-fraud-conspiracy.

  38.  USA.gov. (2016). Branches of government. Accessed on February 28, 2017, from https://www.usa.gov/branches-of-government.

  39.  DOJ, Offices of the United States Attorneys. (2017). Justice 101: Introduction to the Federal Court System. Accessed on February 3, 2017, from https://www.justice.gov/usao/justice-101/federal-courts.

  40.  U.S. Courts. (2017). Comparing federal and state courts. Accessed on February 4, 2017, from www.uscourts.gov/about-federal-courts/court-role-and-structure/comparing-federal-state-courts.

  41.  Definition of “common law.” Law.com. Accessed on July 12, 2016, from http://dictionary.law.com/Default.aspx?selected=248.

  42.  Marbury v. Madison, 5 U.S. (1 Cranch) 137 (1803). Accessed on July 25, 2016, from https://supreme.justia.com/cases/federal/us/5/137/case.html.

  43.  Definition of “case law.” Law.com. Accessed on July 11, 2016, from http://dictionary.law.com/Default.aspx?selected=148.

  44.  Seidman, J., & Garrett, P. (2011, Jan. 4). EMR vs. EHR: What is the difference? HealthITBuzz. Accessed on February 28, 2017, from https://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/emr-vs-ehr-difference/.

  45.  HealthIT.gov, National Learning Consortium. (2017). What is a Personal Health Record? FAQs: The basics. Accessed on February 28, 2017, from https://www.healthit.gov/providers-professionals/faqs/what-personal-health-record.

  46.  Berlin, J. (2015). Physicians work with TMB to usher medical records rules into the electronic age. TexasMedicine, 11(7), 53–58. Accessed on July 27, 2016, from https://www.texmed.org/Template.aspx?id=33909.

  47.  Ventola, L. C. (2014). Social media and health care professionals: Benefits, risks, and best practices. Pharmacy and Therapeutics, 39(7), 491–499, on 520. Accessed on July 25, 2016, from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4103576/.

  48.  Powell, R. E. (1961). Admissibility of hospital records into evidence. Maryland Law Review, 21(1). Accessed on February 4, 2017, from http://digitalcommons.law.umaryland.edu/mlr/vol21/iss1/4/.

  49.  Texas Medical Board. (2015, April). EMR position statement: The medical board’s position statement on maintaining accurate electronic medical records. Accessed on July 26, 2016, from www.tmb.state.tx.us/idl/1FDE72F2-F7E7-781B-986A-B5F1AD32BC3D.

  50.  Dimick, C. (2010, Sept. 24). EHRs prove a difficult witness in court. Journal of AHIMA. Accessed on July 26, 2016, from http://journal.ahima.org/2010/09/24/ehrs-difficult-witness-in-court/.

  51.  Brouillad, C. P. (2015). EHR audit trails might reveal more than you think: Hall v. Flannery, a sign of the times. Inside Medical Liability (third quarter), 18–20. Accessed on July 27, 2016, from www.mgma-gkc.com/wp-content/uploads/2015/10/IML-3Q-2015-pp-18-20.pdf.

  52.  Kumar, S., Nilsen, W., Abernethy, A., Atienza, A., Patrick, K., Pavel, M., … Dallas, S. (2013). Mobile health technology evaluation: The mHealth evidence workshop. American Journal of Preventative Medicine, 45(2), 228–236. Accessed on July 26, 2016, from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3803146/.

  53.  Kannry, J. L., & Williams, M. S. (2013). Integration of genomics into the electronic health record: Mapping terra incognita. Genetics in Medicine, 15, 757–760. Accessed on July 25, 2016, from www.nature.com/gim/journal/v15/n10/full/gim2013102a.html.

  54.  U.S. Department of Health and Human Services, Health Information Privacy. (2017). Individuals’ right under HIPAA to access their health information. 45 CFR §164.524. Accessed on March 1, 2017, from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/

  55.  AHIMA (American Health Information Management Association). (2016). Information governance basics: AHIMA’s commitment to healthcare–Information governance. Accessed on July 25, 2016, from www.ahima.org/topics/infogovernance/igbasics?tabid=overview.

  56.  The Health Insurance Portability and Accountability Act: Uses and disclosures for which an authorization or opportunity to agree or object is not required, 45 C.F.R. 164.512(f) (2002). Accessed on February 4, 2017, from https://www.law.cornell.edu/cfr/text/45/164.512.

  57.  Intelligence Authorization Act for Fiscal Year 2002, Pub. L. No. 107–108, 50 U.S.C. § 501(a)(1) (2002). Accessed on February 4, 2017, from https://www.congress.gov/bill/107th-congress/house-bill/2883/text?overview=closed.

  58.  HL7 International. (2016). EHR Records Management and Evidentiary Support (RM-ES) project overview. Accessed on July 11, 2016, from http://wiki.hl7.org/index.php?title=EHR_RM-ES#Project_Overview.

  59.  HL7 International. (2016). EHR RM-ES functional profile. Accessed on July 11, 2016, from http://wiki.hl7.org/index.php?title=Product_EHR_RMES_FP.

  60.  HL7 EHR RM-ES Workgroup wiki. Accessed on January 9, 2017, from http://wiki.hl7.org/index.php?title=EHR_RM-ES.

  61.  Conn, J. (2014, Nov. 14). Vital Signs: Researcher projects $78 billion cost savings on EHRs. Modern Healthcare. Accessed on July 26, 2016, from www.modernhealthcare.com/article/20141124/blog/311249995.

  62.  Harrison, M. I., Koppel, R., & Bar-Lev, S. (2007). Unintended consequences of information technologies in health care: An interactive sociotechnical analysis. Journal of the American Medical Informatics Association, 14, 542. Accessed on July 25, 2016, from https://academic.oup.com/jamia/article/14/5/542/719675/Unintended-Consequences-of-Information.

  63.  Burkett v. Advocate Lutheran General, “Hospital agrees to pay 8.25 million in baby’s death from overdose.” CBS Local News, April 5, 2012. Accessed on September 28, 2016, from http://chicago.cbslocal.com/2012/04/05/babys-death-yields-record-settlement-of-more-than-8m/.

  64.  Definition of “discovery.” Law.com. Accessed on February 21, 2017, from http://dictionary.law.com/Default.aspx?selected=530.

  65.  Definition of “admissible evidence.” Law.com. Accessed on February 21, 2017, from http://dictionary.law.com/Default.aspx?selected=2339.

  66.  Federal Rules of Evidence. Accessed March 7, 2017 from https://www.law.cornell.edu/rules/fre

  67.  U.S. Courts. (n.d.). Amendments approved by the Standing Committee. Accessed on January 30, 2017, from www.uscourts.gov/rules-policies/pending-rules-and-forms-amendments.

  68.  U.S. Courts. (2016, Sept. 28). Judicial Conference of the United States. Accessed on January 30, 2017, from www.uscourts.gov/file/20238/download.

  69.  Definition of “hearsay.” Law.com. Accessed on January 30, 2017, from http://dictionary.law.com/Default.aspx?selected=858.

  70.  Baldwin-Stried Reich, K., Ball, K., Dougherty, M., & Hedges, R. (2012). E-discovery and electronic records, p. 162. AHIMA Press.

  71.  Federal Rule of Evidence 803: Exceptions to the rule against hearsay. (n.d.). Accessed on January 30, 2017, from https://www.law.cornell.edu/rules/fre/rule_803.

  72.  Wakefield, W. E. (1981). Physician-patient privilege extending to patient’s medical or hospital records. Annot., 10 A.L.R.4th 552.

  73.  Tibbs v. Bunnell, 448 S.W.3d 796 (Ky. Aug. 21, 2014), as corrected (Sept. 10, 2014), petition for certiorari filed 83 U.S.L.W. 3772 (Mar. 18, 2015). Accessed on July 25, 2016, from www.chpso.org/sites/main/files/file-attachments/tibbs_petition_3_18_15.pdf.

  74.  Allred v. Saunders, 342 P.3d 204 (Utah Oct. 21, 2014). Accessed on July 26, 2016, from www.utcourts.gov/opinions/supopin/Allred20141021.pdf.

  75.  Hammond v. Saini, 766 S.E.2d 590 (N.C. Dec. 19, 2014). Accessed on July 26, 2016, from https://scholar.google.com/scholar_case?case=17380717623516984806&hl=en&as_sdt=6&as_vis=1&oi=scholarr.

  76.  Federal Rules of Civil Procedure, Rule 26: Duty to disclose; general provisions governing discovery. (n.d.). Accessed on February 5, 2017, from https://www.law.cornell.edu/rules/frcp/rule_26.

  77.  Allman, T. Y. (2014, Jan. 1). E-discovery in federal and state courts: The impact of rulemaking – Past and future. Accessed on February 11, 2017, from www.americanbar.org/content/dam/aba/events/criminal_justice/midyear14_Document_Management_EDiscovery_Rules.authcheckdam.doc (note: automatic file download).

  78.  Brouillard, C. (2009). Not a bang, a whimper: The silent e-discovery revolution in state court practice. Massachusetts Bar Association—Section review. Accessed on August 1, 2016, from www.massbar.org/publications/section-review/2009/v11-n1/not-a-bang,-a-whimper.

  79.  U.S. Courts. (2015). Federal Rules of Civil Procedure. Accessed on February 28, 2017, from www.uscourts.gov/sites/default/files/rules-of-civil-procedure.pdf.

  80.  Duke Law News. (2016, Aug. 24). Duke Law acquires e-discovery standards organization, EDRM. Accessed on February 4, 2017, from https://law.duke.edu/news/duke-law-acquires-e-discovery-standards-organization-edrm/.

  81.  Zubulake v. UBS Warburg, LLC, 220 F.R.D. 212 (S.D.N.Y. 2003) (Zubulake IV), pp. 3–4. Accessed on February 28, 2017, from http://smu-ediscovery.gardere.com/Zubulake%20IV.pdf.

  82.  The Office of the National Coordinator for Health Information Technology. (2014, June 5). Connecting health and care for the nation: A 10-year vision to achieve an interoperable health IT infrastructure. Accessed on February 28, 2017, from https://www.healthit.gov/sites/default/files/ONC10yearInteroperabilityConceptPaper.pdf.

  83.  President’s Council of Advisors on Science and Technology (PCAST). (2010, December). Realizing the full potential of health information technology to improve healthcare for Americans: The path forward. Accessed on August 8, 2012, from www.whitehouse.gov/sites/default/files/microsites/ostp/pcast-health-it-report.pdf.

  84.  American Recovery and Reinvestment Act of 2009, 111th Cong. (2009), Pub. L. No. 111-5, 42 U.S.C. 17932 § 13402 (notification in the case of a breach). Accessed on August 8, 2012, from https://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf.

  85.  HHS. (n.d.). OCR release of public information re HIPAA. Accessed on July 28, 2016, from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/#newlyreleasedfaqs.

  86.  Kohn, P. (2014, June 1). E-data explosion in business law: Growth in electronic information drives new costs and approaches to litigation. ColumbusCEO. Accessed on February 4, 2017, from www.columbusceo.com/content/stories/2014/06/08/e-data-explosion.html.

  87.  American Medical News. (2012, Mar. 5). Legal risks of going paperless. Amednews.com. Accessed on February 5, 2017, from www.amednews.com/article/20120305/profession/303059945/4/.

  88.  Artigliere, R., et al. (2017, forthcoming). Diagnosing and treating legal ailments of the electronic health record: Towards an efficient and trustworthy process for discovery and release of information. Sedona Conference Journal, 17. Accessed on February 3, 2017, from https://s3.amazonaws.com/IGG/EHR.pdf.

  89.  Bock, L. J., Demster, B., Dinh, A. K., Gorton, E. R., & Lantis, J. R., Jr. (2008). Management practices for the release of information. Journal of AHIMA, 79(11), 77–80. Accessed on July 27, 2016, from http://bok.ahima.org/doc?oid=85544#.V3mZnrgrLP4.

  90.  TechTarget Network. (n.d.). Search HealthIT: Definition of legal health record. Accessed on July 27, 2016, from http://searchhealthit.techtarget.com/definition/legal-health-record.

  91.  HHS. (2016). Individuals’ right under HIPAA to access their health information, 45 CFR § 164.524. Accessed on July 4, 2016, from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/.

  92.  Haugen, M. B., Tegen, A., & Warner, D. (2011). Fundamentals of the legal health record and designated record set. Journal of AHIMA, 82(2), 44–49.

  93.  Kannry, J. M., & Williams, M. S. (2013). Integration of genomic into the electronic health record: Mapping terra incognita. Genetics in Medicine, 15, 757–760. Accessed on July 25, 2016, from www.nature.com/gim/journal/v15/n10/full/gim2013102a.html.

  94.  42 U.S. Code Chapter 6A, Public Health Service, Pub. L. No. 114-38. Accessed on March 1, 2017, from https://www.law.cornell.edu/uscode/text/42/chapter-6A.

  95.  Roosevelt, Franklin D. (1944, July 1). Statement of the President on the signing of the Public Health Service Act, July 1, 1944 American Presidency Project. Accessed on March 1, 2017, from www.presidency.ucsb.edu/ws/?pid=16528.

  96.  National Institute of Standards and Technology (NIST), U.S. Department of Commerce, (2017). About NIST. Accessed on March 1, 2017, from https://www.nist.gov/about-nist.

  97.  NIST, U.S. Department of Commerce (2017). Healthcare: Standards and testing. Accessed on March 1, 2017, from https://www.nist.gov/itl/ssd/systems-interoperability-group/healthcare-standards-testing.

  98.  NIST, U.S. Department of Commerce (2017). Healthcare IT. Accessed on February 28, 2017, from https://www.nist.gov/topics/healthcare-it.