Removing Patient Data - Illegal/Unethical?
July 10, 2009 12:44 PM

Need some assistance on possible unethical (maybe illegal) business practices with patient medical records. HIPPA.

I work for a medical software company as a support analyst. I am responsible for handling customer complaints/problems from practices that are using specific software that records patient visits and medical record information.

I am concerned about a current practice our support team has with handling edits on patient records we receive from our clients. Below are some scenarios that take place and how we address the problem.


Practice calls in and requests data to be removed from a patient chart because the provider accidentally documented on the wrong patient.
• Support will go in behind the scenes within a database and manually remove this data from the system so it does not display on the incorrect patient.
• The data that is removed is saved in a document (word document via screen shot or excel file) and is saved into a case tracking system that records such client requests. There is no audit/record that is saved within the actual application that such a removal is done.
• This is a very manual process.


Practice calls in and is getting a system error when processing a certain workflow, needs to have this repaired so it can be useable again.
• Support will go in behind the scenes within the database and determine the problem, sometimes this is caused by data such as special characters. Special characters are removed from area to restore system and allow users to continue to use error-free.
• The data that is removed is saved in a document (word document via screen shot or excel file) and is saved into a case tracking system that records such client requests. There is no audit/record that is saved within the actual application that such a removal is done.
• This is a very manual process.


The software I work with is relatively young and is still going through major transformation, we try to make accommodations, enhancements to the system when there are areas that do not allow users to correct/edit mistakes but much of this is governed by HIPPA regulations. However often when the application does not allow for changes clients will request this to be done of Support team.

I have a personal conviction that such requests that I am doing on patient records are unethical for my company to partake in (These are not billable requests, all are done under a maintenance contract) and I question if some of these practices are illegal.

I enjoy my job and the company I work for; I have brought this up SEVERAL times to my manager and next management tier, have even just requested to know what are the guidelines and even what rights we have for such edits—but I have received nothing. I am not a whistle-blower and do not intend to be one – however I am considering looking for other positions outside the company or within the company that do not deal with this type of work.

My question is: Is it appropriate for our customers to request such patient chart edits and is it appropriate for my company to comply with such requests?

I want to get my ducks in a row so if I have to be forced to give my employer an ultimatum I want to make sure I am even on the right track.

Thank you,
posted by lutzla23 to Law & Government (14 answers total)

This post was deleted for the following reason: poster's request -- cortex

 
You might want the mods to make this question anonymous, for starters, if you need to follow up through the legal system.
posted by Blazecock Pileon at 12:53 PM on July 10, 2009 [1 favorite]


From what you describe, it is not obvious to me that any of the actions are necessarily illegal or unethical. They need to manage patient records. They do this through a service. Some aspects of that service are provided by computers without human intervention, other aspects of the service are provided by humans, including support analysts such as yourself.

I don't see any problem with that.

On the other hand, to the extent humans have access to this HIPPA-protected data, those humans need to be trained in the requirements for handling and protecting such data. Have you had that training? Do you feel you have the guidelines you need? If not, that is what I would be asking for.
posted by alms at 12:59 PM on July 10, 2009


First: it's HIPAA.

Second, IANAL/IANYL, but one of the most important reasons for having electronic medical records is to have a way in which every single aspect of the electronic record--creation, modification, accession, deletion--is auditable. (That's how hospital employees have been terminated for accessing the medical records of celebrities like Britney Spears; even if they have access to their institution's EMR system, they have to have a legitimate, provable reason for looking at a particular person's EMR, and the system administrators can tell who's been looking.) So, yeah, if someone's been tampering with a medical record without there being an audit trail, that's probably illegal, and certainly unethical.

Put it another way: if a doctor puts incorrect information in the EMR, and that results in the patient receiving incorrect treatment that results in an adverse outcome (e.g. death), and you help them remove that information, you've assisted in a cover-up.
posted by Halloween Jack at 1:15 PM on July 10, 2009


alms has it, your company needs to have HIPAA-mandated security and privacy mechanisms in place to safeguard the PHI that you are handling. If they don't, that's an issue.
posted by IanMorr at 1:20 PM on July 10, 2009


I have no idea about HIPAA, but I have lots of GMP experience. I can not believe that it is illegal or unethical to correct an error in a patient's data file.

Looking at the scenario Halloween Jack suggests, if a doctor puts incorrect information in the EMR, realizes his mistake and requests a correction but the correction wasn't made and that results in the patient receiving incorrect treatment that results in an adverse outcome (e.g. death)... Hell, I don't know, IANAL, but I suspect it's going to involve a protracted court battle and wouldn't want to be the doctor who got the wrong information, the doctor who created the wrong information or your employer in this scenario. Or the dead guy.

If I were your employer, I'd be looking at a change request system where some sort of audit trail was kept on data changes - who requested the change, who made the change, what was changed and when. I'd have each request verified and signed off on by a second employee.

To be honest, this ought to happen EVERY time a patient record is changed. It ought to be part of an automatic system and it ought to have a SHA2 driven digital signature. (Let me tell you about the instrument vendor I want to punch. Just saying.)
posted by Kid Charlemagne at 2:13 PM on July 10, 2009
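
The change-request audit trail described in the comment above (who requested, who made, what changed, when, second-person sign-off), sketched as an added example that is not part of the thread or any poster's code. It uses a SHA-256 hash chain for tamper evidence rather than a full digital signature; every name and sample value is constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # stands in for "previous hash" on the first entry

def _digest(entry):
    # SHA-256 over canonical JSON of every field except the stored hash.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CorrectionLog:
    """Append-only change log; each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, requested_by, made_by, approved_by, when,
               record_id, old_value, new_value, reason):
        # Sign-off must come from a second employee, not the one editing.
        if approved_by == made_by:
            raise ValueError("approver must differ from the person making the change")
        entry = {
            "seq": len(self.entries),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
            "requested_by": requested_by, "made_by": made_by,
            "approved_by": approved_by, "when": when, "record_id": record_id,
            "old_value": old_value, "new_value": new_value, "reason": reason,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first entry that fails the chain, or None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(e):
                return i
            prev = e["hash"]
        return None

def demo():
    # Constructed sample: a note entered in chart Q is moved to chart R.
    log = CorrectionLog()
    log.record("practice-042", "analyst-a", "analyst-b", "2009-07-10T13:00:00Z",
               "chart-Q/note-17", "<note text>", None, "entered in wrong chart")
    log.record("practice-042", "analyst-a", "analyst-b", "2009-07-10T13:02:00Z",
               "chart-R/note-3", None, "<note text>", "moved from chart-Q")
    before = log.verify()
    log.entries[0]["reason"] = "routine cleanup"  # after-the-fact rewrite
    return before, log.verify()

if __name__ == "__main__":
    print(demo())
```

The chain only exposes a rewrite if the latest hash is also kept somewhere the person editing the log cannot change, such as the customer's own change-control record.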


Having worked in health-care, I can assure you that information being recorded to the wrong file happens pretty frequently. In a manual system you just remove it from one file and put it in the correct one - usually without recording how and why it got to the wrong place in the first place or why it was subsequently removed. There are very real liability issues involved with not correcting that kind of error ASAP.

Your company definitely needs to ensure that everyone who is exposed to patient information understands their legal obligations. Whether or not your company is even legally allowed to make a copy of the information which has been changed/removed is an interesting question and one which you might want to get clarified - I can see why you would want to, but something that's convenient for the purpose of your company covering its ass might not be an allowable use of that information.

Sounds like your company needs to develop some pretty stringent policies on handling these kinds of requests and check the legality of those policies before implementing them.
posted by Lolie at 2:18 PM on July 10, 2009 [2 favorites]


Not an HIPAA expert, but work for an organization that does have privacy requirements. You're getting good feedback I think. Your two examples seem very different though. The first is a client data entry error and the second is a product problem (although you could argue that the software shouldn't allow the first to happen).

I would think that the first example should be part of the record - like the wikipedia revision history. Clients should be able to edit and all edits should be tracked.

Second example seems much more like a bug. Your database should be able to handle special characters (e.g. via utf-8) and escape those it doesn't.

That said, your organization has software with bugs. All software has bugs. It's normal and you need to deal with it. The organization is tracking changes it makes, which seems to me is covering its butt. If a question comes up, it can point to the case tracking. Also, having the process documented internally seems important to me. The longer-term solution is to have cases tied to bug-tracking and to fix the bugs.
posted by idb at 2:30 PM on July 10, 2009


Kind of reiterating what people above have said: your service performing the change isn't the problem; the conditions of your accessing the data and tracking the change are. By all means, I don't think (IANAL, but worked for an insurance company) fixing an incorrect record in a database has anything inherently wrong with it - greater damage would occur from leaving the incorrect information present. Your company, because it is a third-party gaining access to patient records, needs to be in HIPAA compliance. Now, is this the kind of access that HIPAA intends to prevent? No, not at all - the software company should be able to implement a number of changes to make themselves compliant without having to stop doing the service for the doctor's offices exactly how you have been, and there is probably a narrower band of requirements, given the limited scope of contact with the records you have (you're not storing or in charge of maintaining the data itself, just isolated record reads for specific reasons). This involves documenting and tracking the software company's read/change events, and possibly the doctor's office making sure their HIPAA forms inform their patients that a third party may have access to their information. Largely, this would be fixed if your company would change the software to be HIPAA compliant; you would be in the clear if you were able to advise the Dr's office on how to make the changes, without having access to patient records, and it would definitely be a selling point. In the meantime, since you're manually doing things the software should do, you'll need to manually do the HIPAA compliance as well. A lawyer and a HIPAA consultant (I'm sure that's a booming business now) would be the short track to fixing the hole that's there now.
posted by AzraelBrown at 2:32 PM on July 10, 2009


IANAL, but I work in a similar situation, and work with data privacy issues in software.

There are really two issues. First one is privacy. Second one is computerized audit trails.

ISSUE ONE:
Our company has data protection contracts and customer-auditable safeguards in place with our customers so that we are held to the same standards regarding data privacy as HIPAA imposes on them.

We do this because our customers insist, because otherwise THEY are at least liable if we act on their behalf and publish the data all over the place. THEY are the ones subject to HIPAA, and are subcontracting to us to change the data for some reason. Or even to look at it in the event of inspecting a database to hunt down a bug.

Basically, whatever HIPAA imposes on the healthcare organization, they should also impose on us. They can't devolve responsibility, but they can at least sue us under the contract if they get sued because of something that happened while we were working for them.

Through the contract (and through their audits of us), the customer wants to make sure they can sue us if we accidentally / deliberately publish personal data.

ISSUE TWO:
There is another question as to whether the system is subject to regulations requiring that data should be audit-trailed within the system. In my situation, the system IS subject to regulations, but occasionally things break, and if we ever DO need to make manual edits, then the information / circumstances surrounding the edits are done subject to the customer's change control procedure, fully documented and stored by us (because we want to cover ourselves) and BY THE CUSTOMER in their system change control log, so that they can explain it all to an auditor.

So, it's not inherently unethical, and not inherently illegal to edit patient data on a customer's behalf. But your customers could be opening themselves up to liability issues if they do not verify and hold you to standards that are required of them.

Your best bet is to get your company to put an SOP in place around the process, and to suggest to your management that the issue is covered in customer's contracts.
posted by blue_wardrobe at 2:35 PM on July 10, 2009


one of the most important reasons for having electronic medical records is to have a way in which every single aspect of the electronic record--creation, modification, accession, deletion--is auditable.

From Lutzla's description it sounds like they are trying to manually create an audit trail. I am not an expert in medical business systems but I know that adding audit trail functionality with flags for improper access to an ERP can be a huge, expensive project, like millions of dollars expensive. In my compliance experience (non-HIPAA though), companies can determine their own controls, and there is nothing wrong with manual ones. The company may well have put in place temporary controls while medical record standards shake themselves out.

Is it appropriate for our customers to request such patient chart edits
Neither of the examples you cited seem malicious; I'd think a provider would have to be able to correct records routinely. Googling "altering medical records" brings up lots of advice from trial lawyers not to do so after a lawsuit has started, but nothing saying that it's illegal.

I'd be interested to see someone with HIPAA or medical ethics expertise weigh in on this.
posted by txvtchick at 2:40 PM on July 10, 2009 [1 favorite]


Speaking only from my experience in the medical IT field, specifically in radiology....where the technologists sometimes send the images (x-rays etc...) to the wrong patient and ask our team to move them to the right patient. This is done regularly and within the law. What can't be done is DELETING images and/or records. My understanding of the law is that once something is in the system, it stays there. You can move it if it's not supposed to be there but a record of it has to be attached. If your company's software doesn't allow for an audit trail of who did what, then that's another issue. As far as making sure that the correct patient's information/data is in the correct patient's records, then that's acceptable. That's what we have a whole team hired to do, to keep the integrity of patient records intact.

Deleting records or information is not acceptable.
posted by eatcake at 2:44 PM on July 10, 2009


There are ways to legally correct misinformation in a patient's chart.
WhiteOut is not one of them.

In a manual record, one must draw a single line through the incorrect info, and date and initial the corrections.

In the EMR at my hospital, the software allows revisions. But the original versions are kept in the chart, accessible via the "click here to see previous version" link. There is also software that allows any entry to be flagged as "error-entered in wrong chart" or something to that effect.

My IT dept would no more revise a patient record than they would slit their own throats.

Your company is opening itself up for all kinds of trouble. Best of luck in resolving this.
posted by SLC Mom at 3:28 PM on July 10, 2009


I have worked on EMR systems. Software that does not allow corrections and revisioning (as SLCMom explained) or journaling/version control from the user interface is bad software.

I can't think of any justifiable reason to need to sneak into the raw data to fix that other than "this software isn't finished", since that strikes me as core functionality. Bad character data getting into the database is also scary: that data should be cleaned on input. The application shouldn't be allowing those characters in there in the first place. This is software 101 stuff.

If you wish to solve this, I would take a technical tack, rather than a legal one: "we should have proper journaling instead of this nickel and dime hackery."

An employee interested in fixing tech problems and making the product better scares managers a lot less than an employee who mumbles about "this is illegal".

(Problems that require lawyers are scary and expensive. Geeks are cheap.)
posted by rokusan at 5:38 PM on July 10, 2009


I'm not understanding part of your question. Are your clients asking you to remove erroneous entries from one chart without putting them in the correct chart? If that's the case, then, yeah it seems unethical.
On the other hand, having worked with an EMR every day, I can tell you that accidentally entering in the wrong chart happens all the time. In my 5 doctor, 15 support staff office, it happens at least once a day. We have something like 75 pairs of patients with the same name. Because we're specialists, they share the same diagnoses and most of the same meds as well. Because our specialty tends to focus on a certain age group, most of these people were born within 10 years of each other. One set of these patients have the exact same date of birth. If I type a note into John Q Smith's chart that should have gone into John R Smith's chart, I'll call my EMR and ask them to move it into the correct chart. Otherwise, someone else will come along and read the R note in Q's chart and not notice the addendum stating it's the wrong patient, and assume that Q has taken a turn for the worse. Hilarity will not ensue. I don't see anything unethical about asking for a chart correction- I think it's good practice to make sure mistakes are rectified.
posted by dogmom at 7:44 AM on July 11, 2009

