Executive Summary

Electronic health records (EHRs) pose significant threats to patient safety. Risk managers are encouraged to take the lead in identifying the threats and reducing patient harm.

  • The IT department might not be best suited to addressing the safety risks of EHRs.
  • The Joint Commission and many medical societies have expressed concern about the problem.
  • The plaintiffs bar is ready to establish de facto safety standards if the healthcare industry doesn’t.

Hospitals and health systems are rapidly adopting electronic health records (EHRs) in response to promises of efficiency, improved accuracy, and support for the data collection that drives so many healthcare initiatives not to mention government incentives for meaningful use of EHRs. But is patient safety getting lost in the shuffle?

Disturbing patterns are emerging in which adverse events can be traced back to EHRs that have inherent design flaws or were used improperly by clinicians. Some experts in healthcare IT and malpractice law are warning that the healthcare community is embracing EHRs without the same skepticism and oversight they would apply to any other critical technology used for patient care.

EHRs pose the greatest technological threat, and one of the greatest threats of any type, to patient safety, says Scot M. Silverstein, MD, adjunct faculty in healthcare informatics and IT at Drexel University’s College of Computing and Informatics in Philadelphia, PA. He also is a consultant and independent expert witness in healthcare informatics, and he testifies on behalf of plaintiffs who claim malpractice related to EHRs.

“If risk managers are truly interested in minimizing risk to patients, and of course that minimizes the threat of litigation, they need to educate themselves and throw away the industry memes that health IT is a completely benevolent and beneficial technology,” Silverstein says. “Realize that it is an experimental technology that poses significant risks, especially if implemented poorly, which is often the case.”

The danger is gaining more attention in the healthcare community, though action to address the problem is lagging. The Joint Commission (TJC) has warned of patient safety issues related to EHRs, and representatives from 27 medical societies recently sent a joint letter to the national coordinator for health information at the Department of Health and Human Services (HHS). The authors of the letter expressed their “growing frustration with the way EHRs are performing. Many physicians find these systems cumbersome, do not meet their workflow needs, decrease efficiency, and have limited, if any, interoperability. Most importantly, certified EHR technology (CEHRT) can present safety concerns for patients.” (For more on the TJC warning and the letter to HHS, see the story in this issue.)

There also have been cases of nurses complaining to hospital leaders about patient safety risks from EHRs, including faults such as inaccurate drop-down menus, inaccurate calculations, inability to enter medications, and multiple prompts that could not be overridden in an emergency, Silverstein says.

Silverstein’s passion in fighting the patient safety threat from EHRs stems in part from his own mother’s death, traced to the failure of a hospital’s electronic record to properly document a heart medication she should have continued receiving after admission. (See the story in this issue for details on the EHR-related malpractice case involving Silverstein’s mother.) Silverstein had even warned the hospital in writing just a month earlier that its EHR could make such an error.

Healthcare leaders have been misled by rhetoric on the benefits and safety of EHRs, Silverstein says. That rhetoric is based not on any reliable studies, he says, but on optimistic guesses about what they could achieve if the technology is developed and implemented correctly. None of that has been proven, he says.

Silverstein says risk managers optimally are suited to lead the safety oversight of EHRs by relying on a strong sense of skepticism and demands for proof. Contrary to what risk managers might have heard about needing to become best friends with their colleagues in IT, to facilitate cooperative patient safety efforts, Silverstein says that department is to blame for much of what’s wrong with EHR implementation.

“Risk managers need to take control of these systems from the technologists, who have no real understanding of medical risk and also have no accountability when these systems cause clinicians to embark on medical misadventures,” says Silverstein, who has worked with IT professionals in many hospitals. “They are technologists whose main skill is taking shrink-wrapped software and installing it, instead of actually making it work.”

The prevailing wisdom in the healthcare IT community is that training and degrees are not as important as experience in the school of hard knocks, Silverstein says. That approach to hiring has been endorsed by IT leaders for more than a decade, he says.

“In the culture of medicine where education is mandatory and so is confirmation of one’s competence, the IT world is the exact opposite. There, anybody can be a leader with no education at all,” says Silverstein, who says the problem is the same with vendors as it is with hospital IT departments. “They are not safety’s friend. They have their schedules, they get bonuses on how fast they complete projects, and they don’t understand medicine.”

Silverstein warns risk managers, however, that healthcare IT departments have been flattered and funded so much in recent years that they consider themselves on par with most hospital leaders and superior to some. He points out that he has worked in hospitals and has been teaching healthcare IT for a combined 20 years, so he speaks from experience.

“If anyone considers the culture of medicine arrogant, they ain’t seen nothing compared to the culture of IT. In my own college, I see this every day,” he says. “The increasing computerization of healthcare means the people who control healthcare these days are the IT departments. It has evolved that way, and it’s wrong.”

Doctors and EHRs

The hospitals that do best with integrating EHRs have physicians driving the process, says Robert Fuller, JD, who headed a 199-bed acute care hospital in Los Angeles from 2001 to 2013, when he joined the law firm of Nelson Hardiman in Los Angeles. He agrees with Silverstein that risk managers must not let the IT department run the show.

EHRs can become dangerous when they conflict with the thought processes that go into providing medical care, he notes. A system designed by an IT expert is not necessarily going to use the same decision-making process that a doctor would, he says.

“These devices now have more and more ability to default to decision-making by exception, rather than how doctors are taught,” Fuller says. “Doctors are taught to use very extensive differential diagnoses and treatment protocols, and what’s in their head is not necessarily captured on the EHR. There’s a gap between what they’ve been trained to do and what the computers offer as options, or what they assume and then expect the doctor to make exceptions.”

On the other hand, some physicians, particularly younger ones, might over-rely on the EHR and not fully exercise their critical thinking skills, Fuller notes. “It’s convenient. Some people like technology, and there can be pressure to get things done,” Fuller says. “That computer button can look pretty attractive when clicking it means you get the order spun out, even if you didn’t do the full workup on the patient that you should have done.”

De facto standards

Liability from EHR-related claims could be significant, says Marion Munley, JD, an attorney in Scranton, PA, who has studied the threat to patient safety posed by flawed EHR systems. A plaintiff’s attorney would argue that the hospital subjected patients to faulty technology without proper vetting or that it failed to train clinicians on its use and monitor their compliance, she suggests.

Expect a plaintiff’s attorney to subpoena all correspondence between the vendor and the hospital, with hopes of finding complaints about bugs, outages, or any experience in which the EHR failed to perform as desired. Repairs or modifications will be studied for any relevance to the case. (For more on the different ways a flawed EHR can threaten patient safety and increase liability risks, see story in this issue.)

It is not uncommon for EHR vendors to absolve themselves of any liability, Munley notes. “I don’t know how closely risk managers read these contracts, but if anything goes wrong, they are putting it on the healthcare provider,” Munley says. “There’s little oversight in the healthcare community but a lot of financial incentives and other pressure to adopt EHRs, and that is not usually a good combination.”

EHRs and malpractice

Fuller and Munley say they are seeing EHRs cited in more malpractice allegations.
A direct tie to a flaw in the EHR, as Silverstein claims in his lawsuit regarding his mother’s death, is not as common as a claim that the EHR exacerbated a clinician’s error or failed to alert staff about an error, Fuller says.

The healthcare community has been lax in addressing EHR safety issues, and plaintiffs’ attorneys are taking up the slack, Silverstein says. His frustration with healthcare’s slow response, and his mother’s experience, led to his willingness to testify on behalf of plaintiffs who claim malpractice related to EHRs.

“I am pursuing that aggressively and encouraging the plaintiffs bar to become the de facto regulators of the safety of health IT through fierce litigation, since there has been no action in that regard from the healthcare industry,” Silverstein says. “Risk managers need to be aware that there are people like me who are taking hospitals to task for being cavalier about a danger that’s been known in my field for two decades.”


  • Robert Fuller, JD, Nelson Hardiman, Los Angeles. Telephone: (310) 203-2803.
    Email: rfuller@nelsonhardiman.com
  • Marion Munley, JD, Munley Law, Scranton, PA. Telephone: (570) 983-3846. Email:mmunley@munley.com.
  • Scot M. Silverstein, MD, Adjunct Faculty in Healthcare Informatics and IT, College of Computing and Informatics, Drexel University, Philadelphia, PA. Telephone: (215) 661-0491. Email: sms88@drexel.edu.