Electronic Health Records: An Overview of the Risks and Risk Management Advice



The many benefits of EHRs are evident, including comprehensive and legible records, clinical decision support such as safety alerts, and remote access to records.  These benefits should translate into improved quality of care and improved patient safety, which in turn, should lead to decreased professional liability claims.  However, history has shown that medical innovations are frequently accompanied by new risks.  Accordingly, physicians must keep the potential for harm in mind and must actively manage the potential risks associated with EHRs.


“e-Iatrogenesis”: Patient harm caused at least in part by the application of health information technology
Weiner et al., “e-Iatrogenesis”: The Most Critical Unintended Consequence of CPOE and Other HIT, JAMIA 2007; 14:387-388



Note that this article uses the term EHR, which refers to an electronic record system that is capable of easily sharing information electronically with other providers, such as hospitals, laboratories, etc.  The same principles would apply if the physician is seeking an electronic medical record (EMR) system limited to the physician’s practice and not linked with other systems.

The discussion below is far from all-encompassing; rather, it is intended to provide an overview of what is currently known about EHRs and of the specific professional liability concerns related to them.  Certainly there are additional practice management and business concerns, as well as legal issues, that need to be addressed.  Physicians are encouraged to seek legal advice from personal counsel in addition to considering the information presented below.


Types of EHR Systems

One way to approach the various types that are available is to think about where the data resides, or more specifically, where the servers (on which the data is stored) are located.  Under this analysis, there are basically two main types of systems:

  • Physician hosted system:  Under this system, the EHR data is stored on the physician’s own servers.  In addition to purchasing the hardware (including servers) and software, the physician is responsible for maintenance, security, and data backup.  The data remains under the control of the physician.
  • Remotely hosted system:  Under this system, the EHR data is stored on another entity’s servers.  This other entity is responsible for storing the data and would also be responsible for maintenance, security, and data backup.  The data is under the control of the third party (owner of the servers where the data is stored) rather than under the control of the physician.  Generally speaking, there are the following three types of remotely hosted EHR systems:
    • Subsidized system:  Under this system, an entity with whom the physician has a relationship, such as a hospital, subsidizes the financing for the EHR.  Typically the subsidizing entity’s servers are utilized, rather than the physician’s, so the physician does not have control over the data.
    • Dedicated hosted system:  Under this system, the physician does not store the EHR data on his/her own servers.  Rather, the data is stored on the vendor’s dedicated servers.  While the physician does not have control in terms of data storage, the data is stored on servers in specific, known physical locations.
    • Cloud system (internet-based computing):  Under this system, the physician does not store the EHR data on his/her own servers; rather, the vendor stores the data on internet-hosted infrastructure (“in the cloud”).  Such vendors are called “SaaS” (software as a service) providers, formerly known as “ASPs” (application service providers).  The physician’s computers do not have the EHR software; rather, the software is accessed through the vendor’s website.  Vendors who offer online software tend to move the data frequently, so the physician may not know where it is located, other than “somewhere in the cloud.”  The physician does not have control of the data, and does not have control over when or where it is moved.

While there are many business aspects to choosing an EHR system, the following basic points may be worth considering in terms of minimizing professional liability exposure related to EHRs. 

Potential Risks Common to All EHR Systems

  • Ownership - who owns the data?
  • Operational problems
    • Vendor’s clinical support tools, such as drug interaction alerts, may be based on out-of-date information
    • System failures – the vendor may not be able to respond quickly and effectively to recover data
    • Vendor liability – lack thereof under:
      • Learned intermediary theory – legal theory holding physicians rather than vendors responsible for identifying errors that could lead to patient harm
      • Indemnification clauses in contracts - may shift liability to the physician who may not have insurance coverage for the stated liability risk
    • Gag orders in vendor’s contract – prevents physician from sharing concerns, including patient safety concerns, even with other users of the product such as hospitals
  • Termination issues
    • Vendor’s insolvency – what happens to physician’s EHR data and how can it be returned to the physician?
    • Termination of contract with vendor – what happens to physician’s EHR data?
  • Obsolete technology
  • In the event of termination or vendor’s insolvency – is the system compatible with other systems?
  • Confidentiality and security issues
    • Who will have access to the data – and how will only the information that is the minimum necessary be accessed?
    • Will the vendor mine the data and sell it?
    • Breach of confidentiality – need safeguards to ensure the confidentiality, security, and integrity of the clinical record
      • State law requirements for EHRs – can vendor comply?
      • Federal HIPAA requirements – how does vendor comply?
      • Federal HITECH requirements – how does vendor comply?
    • Resource:  HHS’ Health Information Technology website, www.healthit.hhs.gov


Additional Potential Risk with Physician-Hosted Systems

Disabling code – vendors can include this in their software; in event of dispute (such as one involving a price dispute), vendor can hold the data hostage or destroy the data.


Additional Potential Risks with Subsidized Systems

  • Are there any legal concerns (e.g., antitrust/anti-kickback issues), particularly with subsidies from hospitals?
  • What happens to the data if the relationship changes, such as the physician moves, or no longer participates in the health insurance plan?


Additional Potential Risks with Cloud Systems

  • Vendor’s control over the data – during the contract period and after the contract period
  • Where is the data?  When the data is moved, is it permanently removed from the prior location?
  • Is it really free?
  • “Click and agree” online agreements
    • No negotiation on terms
    • Understand what you are agreeing to!
    • Indemnification and other provisions may contractually obligate you to liabilities outside what is covered under medical professional liability coverage
    • Obtain legal advice if you do not understand all of the provisions of the agreement



The AMA has an excellent checklist, 15 questions to ask before signing an electronic medical record or electronic health record agreement, which is available online at www.ama-assn.org/ama1/pub/upload/mm/472/emragreement.pdf.

Additional resources include:
  • AMA:  www.ama-assn.org (Home >> Physician Resources >> Solutions Managing Your Practice >> Health Information Technology)
  • APA:  www.psych.org (Home >> Psychiatric Practice >> Quality Improvement >> Electronic Health Records)
  • AAFP (American Academy of Family Physicians):  Center for Health IT at the AAFP, www.centerforhit.org
  • AAN (American Academy of Neurology):  www.aan.org (Home >> Practice >> Health Information Technology >> Electronic Health Records)
  • The Joint Commission:  Sentinel Event Alert 42, Safely implementing health information and converging technologies, www.jointcommission.org/SentinelEvents/SentinelEventAlert/sea_42.htm



RISK MANAGEMENT ISSUE:  To ensure physicians are able to meet the obligations to maintain records in a confidential and secure manner, physicians need to understand exactly where their EHR data will be stored (during and after the contract period with the vendor), who will have access to the data, and for what purpose.


  • Ensure the applicable issues addressed above are resolved adequately in the vendor contract.
  • Understand applicable state law requirements for EHRs.
  • Understand the HIPAA regulations, particularly the Security Rule and Privacy Rule.
  • Covered providers under HIPAA should have a Business Associate Agreement with the vendor; non-covered providers should have a similar confidentiality agreement.
  • Understand the specific eligibility requirements for governmental funding assistance under the Recovery Act – “Medicare / Medicaid eligible professionals” must demonstrate “meaningful use” of “certified” EHR technology.  For more information, visit www.healthit.hhs.gov and www.cms.gov/EHRIncentivePrograms.
  • Approach “click and agree” online agreements with caution.
  • Seek legal advice to facilitate compliance and for review of contracts with vendors.



Potential Risks Related to Clinical Support Functions

  • Clinical Alerts
    • May contain wrong information
    • Are being ignored – too many alerts, especially those that clinicians believe are irrelevant, will lead to users ignoring alerts
  • Tracking and reminder functions – must be used
  • Interoperability – physicians may be accountable for being familiar with all available information

Potential Risks Related to Documentation

  • Data entry issues
    • Cut and paste functions – author of the entry may not be clear
    • Data entry errors
    • Inappropriate use of templates
  • Too much information – can’t find relevant information


Potential Risks Related to Confidentiality / HIPAA

  • Inappropriate access – unauthorized user accesses the EHR data
    • Internal – employees
    • External
  • Inappropriate disclosure
  • Portable devices are particularly vulnerable to loss, theft, and inappropriate access / breach resulting in the need for breach notification
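The “minimum necessary” question raised earlier and the internal/external inappropriate-access risks listed above are usually answered in practice by reviewing the EHR’s access audit trail. The following is an added illustration, not code from the original article or from any particular EHR product: it runs a few simple review rules over a constructed audit log. The log format, the user ids and roles, the care-team table and the bulk-access threshold are all assumptions made for the example.

```python
"""Toy review of an EHR access audit trail for inappropriate access.

Added example; the log format, user ids, roles, the care-team table and the
threshold below are constructed assumptions, not those of any real system.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed audit log: timestamp, user id, role, patient id, action, network source
AUDIT_LOG = """\
2024-03-04T09:12:01 u101 physician P001 view internal
2024-03-04T09:15:44 u102 nurse P001 view internal
2024-03-04T09:20:10 u103 billing P001 view internal
2024-03-04T09:21:33 u103 billing P002 view internal
2024-03-04T09:22:01 u103 billing P003 view internal
2024-03-04T09:22:30 u103 billing P004 view internal
2024-03-04T09:23:05 u103 billing P005 view internal
2024-03-04T09:23:40 u103 billing P006 view internal
2024-03-04T23:40:12 u104 physician P001 view external
2024-03-04T10:02:17 u101 physician P007 view internal
"""

# Assumed care-team table: users with a treatment or payment relationship
# to each patient, i.e. the basis for "minimum necessary" access.
CARE_TEAM = {
    "P001": {"u101", "u102", "u103"},
    "P002": {"u103"},
    "P003": {"u103"},
    "P007": {"u105"},
}

# Assumed threshold: one user touching this many distinct charts in the
# reviewed window is worth a second look (possible browsing or bulk export).
BULK_THRESHOLD = 5


def parse_line(line):
    """Split one constructed audit line into a dict of fields."""
    ts, user, role, patient, action, source = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "patient": patient, "action": action, "source": source}


def find_inappropriate_access(log_text):
    """Return (rule, user, patient-or-count) findings for the audit log."""
    findings = []
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    patients_by_user = defaultdict(set)

    for e in events:
        patients_by_user[e["user"]].add(e["patient"])
        # Rule 1: access by someone with no recorded care relationship
        if e["user"] not in CARE_TEAM.get(e["patient"], set()):
            findings.append(("no_care_relationship", e["user"], e["patient"]))
        # Rule 2: any access from outside the practice network
        if e["source"] == "external":
            findings.append(("external_access", e["user"], e["patient"]))

    # Rule 3: one user viewing an unusually large number of distinct charts
    for user, patients in patients_by_user.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append(("bulk_access", user, len(patients)))
    return findings


def summarize(findings):
    """Count findings per rule, for a quick review report."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    for f in find_inappropriate_access(AUDIT_LOG):
        print(f)
    print(summarize(find_inappropriate_access(AUDIT_LOG)))
```

On the constructed log the rules flag the billing user who browsed charts beyond those with a payment relationship, the external after-hours access by a physician not on that patient’s care team, and the physician who opened a chart outside his or her own patient list. Each finding is a starting point for a human review, not a determination of wrongdoing; the point of the example is that the audit trail the article describes as “metadata” is only protective if someone actually reviews it against a defined access policy.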


Potential Risks Related to Data Integrity

  • Authorship
  • Tampering
  • Destruction – intentionally and unintentionally
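Authorship, tampering and destruction are the three integrity risks listed above, and the usual safeguard for all three is a record whose entries are attributed, appended rather than overwritten, and linked so that any alteration or deletion is detectable. The following is an added illustration, not code from the original article or from any EHR vendor: a minimal hash-chained progress-note log in which corrections are made as addenda. The entry fields, the timestamps and the sample note text are constructed for the example.

```python
"""Toy tamper-evident, author-attributed record chain.

Added example; the field layout, sample authors, timestamps and note text
are constructed assumptions rather than any real EHR's format.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # link value for the first entry (assumption)


def _entry_hash(prev_hash, author, timestamp, text):
    """Hash of an entry's content together with the link to its predecessor."""
    payload = json.dumps(
        {"prev": prev_hash, "author": author, "ts": timestamp, "text": text},
        sort_keys=True,
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(chain, author, timestamp, text):
    """Append an attributed entry; entries are never edited in place."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({
        "author": author,
        "ts": timestamp,
        "text": text,
        "prev": prev,
        "hash": _entry_hash(prev, author, timestamp, text),
    })
    return chain


def amend_entry(chain, author, timestamp, index, correction):
    """Correct an earlier entry by addendum, preserving the original."""
    return append_entry(chain, author, timestamp,
                        f"ADDENDUM to entry {index}: {correction}")


def verify_chain(chain):
    """Return the index of the first bad entry, or None if the chain is intact.

    Detects edited content, changed authorship, and deleted or reordered
    entries, because each of those breaks a stored hash or a prev link.
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        expected = _entry_hash(prev, e["author"], e["ts"], e["text"])
        if e["prev"] != prev or e["hash"] != expected:
            return i
        prev = e["hash"]
    return None


def build_sample_chain():
    """Constructed three-entry record with one addendum (sample data)."""
    chain = []
    append_entry(chain, "dr_a", "2024-03-04T09:10:00Z", "Initial evaluation; plan discussed.")
    append_entry(chain, "dr_a", "2024-03-04T09:14:00Z", "Medication X started, 10 mg.")
    amend_entry(chain, "dr_a", "2024-03-04T11:02:00Z", 1, "dose should read 20 mg.")
    return chain


def tampered_text(chain, index, new_text):
    """Return a copy of the chain with one entry's text silently edited."""
    bad = copy.deepcopy(chain)
    bad[index]["text"] = new_text
    return bad


def tampered_delete(chain, index):
    """Return a copy of the chain with one entry silently removed."""
    bad = copy.deepcopy(chain)
    del bad[index]
    return bad


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))                       # None
    print("edited:", verify_chain(tampered_text(chain, 1, "Medication X started, 20 mg.")))
    print("deleted:", verify_chain(tampered_delete(chain, 1)))
```

The design choice worth noting is the addendum: the correction to the dose is a new, dated, attributed entry rather than a rewrite of the original, so the record shows both what was first documented and who corrected it and when. A real system would additionally sign or externally anchor the chain head so that a party with write access to the whole store cannot simply recompute every hash, but even this minimal chain makes silent edits and deletions detectable on review.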




  • To gain improvements in clinical care and patient safety, the various technology components have to be used.
  • To be used, the various technology components, such as clinical decision support features, have to be relevant to physicians. 
  • The vast amount of metadata created in an EHR could be used against the physician defendant.
  • Information created by an EHR has to be accurate and useful.
  • The confidentiality, security, and integrity of the patients’ electronic records have to be maintained.



1. Utilize appropriate clinical decision support tools, including alerts, guidelines, tracking, and reminder functions.

2. If you choose to override or ignore an alert or reminder, document briefly the clinical justification.

3. Avoid cutting and pasting.

4. Ensure appropriate, applicable templates; understand the automatic populating features and default language.

5. Ensure appropriate data input and retrieval.

6. Periodically print out a patient record and evaluate for adequacy.  Would another clinician (such as a subsequent provider or an expert witness) be able to understand what happened in treatment and why?

7. Understand metadata – and the fact that the user’s every keystroke will be tracked and recorded.

8. Ensure appropriate security protections on hardware (including portable devices) and software; an example is an automatic lock-out after a specified period of inactivity.

9. Ensure compliance with federal and state confidentiality law, including confidentiality agreements with those third parties accessing your EHR.

10. Prevent inappropriate access and disclosure; appropriate employee training is key.

To help you learn how HIPAA affects you and your practice, The Psychiatrists' Program offers the HIPAA Help section to make you more familiar with these new regulations.