Healthcare News & Insights

3 legal risks of EHRs – and how to avoid them

Electronic health records can help providers improve care and operate more efficiently. But they can also create new legal risks for organizations that aren’t prepared. 

The switch from paper records to EHRs has created a number of new legal challenges and questions for healthcare providers, according to the American Medical Association. That includes everything from the expanded role of electronic data as evidence in lawsuits to the potential liability for breaches of electronic patient data.

Here are the top legal risks face as they move to electronic records — and the steps they can take to reduce those risks:

1. Medical data breaches

Hospitals and doctors’ offices hold a lot of sensitive information — including patients’ medical and financial data, both of which are highly coveted by cybercriminals. And when patient information is stolen, the provider could be held liability for failing to protect it from attacks.

For example, one health insurer recently paid a $1.5 million settlement after disk drives containing health information were stolen from one of its facilities.

As more health information becomes electronic, more organizations are likely to experience data breaches. To minimize liability for those incidents, providers must take a two-fold approach:

  1. Work to secure systems to prevent breaches, and
  2. Prepare in advance to properly respond if a breach does occur.

Read our earlier posts for more information on protecting patient health information and properly responding after a data breach.

2. E-discovery issues

In 2006, new rules were passed regulating how electronic data can be used in court and what organizations must do to preserve electronic evidence when they’re involved in legal cases. E-discovery is likely to become an especially big issue in health care, experts say, as more records become electronic.

Organizations can get in trouble for failing to properly retain necessary electronic documents. For healthcare providers, that can include electronic health records and lab reports, as well as emails and other files.

To prepare for e-discovery, organizations must well before they’re involved in any legal action. Experts recommend all organizations create record retention policies so they’re consistent about what types of data they hang on to and for how long. The goal should be to only keep what’s necessary, which will make the discovery process easier.

Once a lawsuit begins, organizations must apply a so-called “litigation hold” — meaning that as soon as the organization knows it may be involved in a court case, it must start saving all potentially relevant documents. Preparing for that requires quick communication between all parts of the organization so that whoever is in charge of record retention knows about a legal action as soon as possible.

3. New malpractice claims

Greater use of technology could lead doctors to make some mistakes that could open them up to malpractice lawsuits. Examples might include an incorrect diagnosis that was based on a recommendation from an EHR system, or an error that was made because a doctor accidentally pasted incorrect information into the system.

To avoid those issues, experts recommend organizations make sure all doctors — as well as other staff members — are properly trained to use the EHR system before it’s implemented.

Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.


  1. Leanna Bowers says:

    After working as an RN for many years and documenting a ‘story/picture’ of what has transpired for my patient, furnishing important information about plan of care for the oncoming staff, I am very disturbed that when you read the EHR, the picture of care is very fractionated/disconnected. RN’s feel that if they complete a flow sheet, they do not have to document anything else. It’s what the EHR training staff tell the nurses. There is no end-of-shift narrative summary. In many cases, newer nurses do not know how to document in a concise, meaninful way to create the picture of what is going on with the patient. They include lots of extraneous infomation in any type of note. You find the flow sheets do not merge into a comprehensive timeline that includes all events/notes in chronological order. You have to go to the VS, then the labs, then the ortho flow sheet, etc. — you get the picture. We are doing our patient a disservice by only documenting on flowsheets that do not communicate to one central document, i.e. like an ED timeline. I have confidence that we use one of the most comprehensive EHRs available and it is still not comprehensive enough for all care givers involved to be able to ‘track events’ and interpret what is actually happening with the patient. EHRs may have arrived but they have not been refined enough to provide the ‘master document’ that allows us to seamlessly care by our patient with all caregiver’s input in one place.