The vendor of an electronic health record faces a lawsuit alleging software faults hurt a patient. Hospitals could become embroiled in such litigation.

• Contract negotiations are key to minimizing potential liability.

• Proper training on use of the EHR also reduces the risk.

• Hospitals could sue the EHR vendor for providing a faulty product.

An electronic health record (EHR) vendor is facing a class-action lawsuit claiming that faults in the product’s software threaten patient safety, and hospitals using the EHR could become entangled in the litigation. The case illustrates how healthcare organizations can face liability for defects in their EHRs.

In 2017, eClinicalWorks in Westborough, MA, agreed to a $155 million settlement to resolve a False Claims Act suit that claimed it falsified meaningful use certification and gave customers kickbacks to publicly promote its products. Now, it is being sued in a class-action complaint led by the estate of Stjepan Tot. The complaint filed in the U.S. District Court in the Southern District of New York asks for $999 million in monetary damages for breach of fiduciary duty and gross negligence. (The complaint is online at: http://bit.ly/2Hle9Sr.)

Before Stjepan Tot died of cancer, the complaint claims “he was unable to determine reliably when his first symptoms of cancer appeared [as] his medical records failed to accurately display his medical history on progress notes.”

More than 850,000 healthcare providers use eClinicalWorks software, and millions of other patient records have been compromised, the lawsuit claims. The complaint also alleges that eClinicalWorks software did not meet meaningful use and certification requirements laid out by the Office of the National Coordinator for Health Information Technology (ONC), as the company claimed.

The complaint alleges numerous problems with the software, including failure to reliably record diagnostic imaging orders, insufficient audit logs, issues with data portability, and noncompliance with certification criteria.

State Law Guides Case

The eClinicalWorks case raises several important issues for healthcare risk managers, says John C. Ivins Jr., JD, partner with the Hirschler Fleischer law firm in Richmond, VA. Among them are the potential exposure of a hospital or physician where the EHR system fails to accurately reflect medical information critical to the treatment of a patient, and the risk of a medical malpractice case arising out of faulty EHR systems.

Questions of liability, possible legal theories that can be advanced against a healthcare facility, system or practitioner, and the defenses that can be asserted in response all are going to be a function of state law, Ivins says. However, in general, many of these issues arise out of the vendor contract that typically is heavily negotiated and ultimately entered into between the EHR provider and the healthcare entity seeking to acquire the EHR system.

“Generally, the healthcare entity who acquires an EHR system is ultimately responsible for the system, including ensuring that all its healthcare personnel are properly trained and understand how to use the system,” Ivins says. “Moreover, the ‘learned intermediary’ doctrine generally states that a manufacturer who provides a properly functioning EHR system has fulfilled its legal duty of care once it has provided all necessary information to the healthcare professional — the learned intermediary — who, in turn, interacts directly with the patient.”

Knowing that, the vendor will seek to negotiate terms based on these concepts that relieve the vendor of as much liability as possible, he explains. The hospital, healthcare system, physician practice, or other healthcare provider must negotiate a contract that addresses as many of these issues as possible, and provides indemnification from the vendor for matters such as privacy and HIPAA breach-related damages and third-party claims for injury, Ivins says.

As a general rule, where the EHR system is systematically faulty, the odds are in the hospital’s favor, Ivins says. He notes that in the 2017 FCA settlement, the Justice Department did not pursue the physician practices that received “meaningful use” payments based on their false attestations because of their inability to know the attestations were false under those circumstances.

“On the other hand, a suit filed by a physician practice in December against eClinicalWorks alleged that, under the same scenario, it had to forfeit certain meaningful use payments already collected,” Ivins explains. “The practice said it was further damaged by having efforts to collect meaningful use payments thwarted by a Medicaid official who advised that because the practice used the same EHR system that was the subject of the FCA settlement, implementation of that system could not serve as a basis for such payments.”

Hospital Can Be Involved

It is possible that a hospital can be sued or drawn into litigation based on a defect that lies solely with the EHR vendor, Ivins says. However, the key to considering any liability claim arising out of an EHR system issue is determining the cause of any alleged harm giving rise to such a claim, he says. (See the story in this issue for scenarios in which hospital liability is possible.)

The best defense against such liability is to take the time and effort to thoroughly vet and select the EHR vendor and system best suited for the hospital and its needs, Ivins says. Next, with the involvement of experienced healthcare counsel, a hospital must seek to negotiate the most favorable EHR vendor contract possible.

“Hospitals will want to establish a contract-specific performance criterion against which the performance of the EHR system can be measured and address the various liability and indemnification issues discussed above,” Ivins says.

There are many other contract and vendor issues that also should be addressed, and Ivins suggests referring to the key issues provided by several ONC publications, including “EHR Contracts Untangled: Selecting Wisely, Negotiating Terms, and Understanding the Fine Print” and the “Health IT Playbook.” (Those resources are available online at: http://bit.ly/2dWxmwz and: http://bit.ly/2h0vFBH.)

Train Users Well

Once an EHR system is developed and ready for implementation, the hospital must take steps to ensure that all users are well-trained and that the implementation and transition processes do not negatively affect patient care, Ivins says. Hospitals must ensure that all systems are maintained and updated regularly, and that all users understand the systems and any updates or changes, he says.

There are a number of legal issues triggered when EHR software is inaccurate and, depending on the technology involved, they can come from many different places, says Sara H. Jodka, JD, an attorney with the law firm of Dickinson Wright in Columbus, OH.

Some issues come from mistakes and information gaps, such as voice-recognition software that drops words, typographical errors that lead to medication or prescription errors, misinterpretation of drop-down menus or other display functionality, reliance on old/outdated records, discrepancies in what appears electronically vs. what is printed, and errors inserted because of patient status issues.

Another issue is triggered when EHR technology is not compliant or miscommunicates regarding its compliance status, Jodka says. Any EHR must meet certain compliance standards, particularly to take advantage of the Medicare and Medicaid EHR Incentive Programs that provide financial incentives for the meaningful use of certified EHR technology.

The ONC enforces the standards and certification criteria and the final rule specifies the necessary technological capabilities EHR technology must include to be certified by an ONC-Authorized Testing and Certification Body. Additionally, it sets forth how eligible healthcare providers will need to use the EHR technology to meet these standards, Jodka explains.

When the EHR company fails to meet those standards or otherwise threatens patient safety, there is potential for patient-based lawsuits including claims for negligence (which, in some states, could include gross negligence) and breach of fiduciary duty.

“The EHR software company could also face lawsuits from their clients, which would be the hospitals, clinics, and other providers that license their software for claims including fraud, breach of contract, and promissory estoppel,” Jodka says. “These types of claims would certainly be likely in cases where there were also allegations that users relied on the EHR tech company’s statements that the software did and would satisfy the certification criteria of the meaningful use program.”

Hospital Blamed First

If a patient is improperly diagnosed or treated, the hospital or physician usually is the first one blamed for the error, whatever the cause, Jodka says. Hospitals using a faulty EHR can expect to be involved, at least initially, in any litigation in which the software is later determined to be primarily responsible for the error, she says.

“The difficult issue for patients and hospitals is determining where the error occurred. This leaves hospitals as the first stop in the named defendant list in a lawsuit. Typically, the patient will not know the issue was the result of an EHR software issue, but will think it is a doctor medical malpractice issue,” she says. “In most cases, the EHR software issue will not shake out until later, leaving the patient and the hospital engaging in even more litigation to get the EHR included in the suit.”

In such a scenario, the hospital is likely to cross-sue the new EHR provider co-defendant for breach of contract, fraud, and whatever else may fit the circumstances, and potentially seek indemnification for the costs of its defense and any losses based on the terms of the contract language between the hospital and the EHR provider, Jodka says. In many cases, it will not be until depositions when it is determined what exactly happened and what was the exact cause of the misdiagnosis or mistreatment, she says.

“The simple fact is that there is and will continue to be a complex interplay between technology and medical practice, which has a human component that is necessarily prone to individual judgment, interpretation, and error,” she says. “Technology training, installation, and other issues can also sometimes drive the issue.”

So far, there have not been many suits against hospitals or medical professionals that have triggered these types of issues, Jodka says, but the rise of technology and EHR database breaches likely will spur more such litigation.

Whether a hospital can be held liable for any resulting harm depends on the nature of the claim, Jodka says. If the injury is truly the fault of the EHR, the vendor likely will be responsible without the hospital incurring direct liability, she says. But that might not be the case if the contract was poorly vetted and the language allows the vendor to shift some or all responsibility to the product user.

“EHR vendor contracts cannot and should not be rubber-stamped, as they favor the EHR vendor, leaving the hospital with little legal recourse in a breach scenario. Competent healthcare counsel should be consulted early on in the negotiation stage to ensure fairness, legal compliance, and accountability,” Jodka advises.

“Also, opt for short-term contracts so new contract negotiations can occur and can address any issues that might have arisen during that last contract term,” she adds. “A vendor that knows it’s up for review tends to provide better service to close that next contract to avoid losing to the competition.”

Keep EHRs Clean

Healthcare organizations also must ensure they are properly recording software issues and reporting them to the vendor. It also is important that the hospital properly train employees on the use of the EHR so the vendor can’t blame any problems on human error.

“The hospital can take on the human factor by providing all employees proper and detailed training on EHR software to try to avoid the human/technology conundrum,” Jodka says. “To the extent healthcare professionals are properly using the software, ensuring notes are clear and correct, typographical errors fixed, if there comes a time during litigation when finger-pointing between the hospital and the EHR vendor occurs, this could help the fault stick with the vendor rather than the hospital.”

Jodka also recommends remaining vigilant for software issues regarding the EHR you’re using. Watch the news and industry sources for problems other hospitals may be having with EHRs so you identify issues to avoid or proactively address in your own organization.

It is possible for a hospital to be found liable in a case alleging faulty EHR software, says Romaine Marshall, JD, partner at the law firm of Holland & Hart in Salt Lake City. In the eClinicalWorks litigation, the primary legal question is whether the vendor misrepresented the functionality of its EHR software in a manner that caused failures leading to the death of the patient, he says.

The plaintiff is alleging, among other things, that the company’s software failed in spite of promises that it would reliably record diagnostic images, maintain accurate treatment logs, meet certain portability requirements, and satisfy certification criteria enabling healthcare providers to qualify for government incentive payments.

“A hospital is responsible to provide reasonable care to a patient, and from the patient’s view, their relationship is directly with the hospital, not the vendor providing the EHR software,” Marshall says. “Thus, the potential liability for a hospital for an EHR product that is faulty is high if the functionality of the product requires intervention by a hospital, if there has been harm to a patient caused not only by faulty software but also by the improper use and application of that software.”

Due Diligence Is Crucial

A hospital should use all available options and tools to protect itself before engaging an EHR software vendor, says Rich Spilde, JD, partner at the law firm of Holland & Hart in Boulder, CO.

Due to the inherent risks associated with software platforms — computer systems and their networks — careful diligence is required before diving into contract discussions, Spilde says. The diligence process should include both internal diligence, in which a hospital conducts its own risk assessment and reviews its own operations to determine its challenges and the type of solution to address them, and an evaluation of the marketplace to determine what is most likely to meet its needs.

“Two of the biggest impacts on this process are costs and time. Everyone wants the best solution they can get for the least amount of money,” Spilde says. “But the danger with these objectives is when a potential vendor offers a deal to move things along faster and the due diligence effort is minimized. The effort expended as part of the vendor selection process should be tied to the risk the contract and the solution exposes a hospital to, not merely the dollar value of the deal.”

Don’t Overlook Implementation

The part of the process that is most often overlooked is implementation, Spilde says. This is where details matter. It is critical to reach agreement on and to document the implementation process, each party’s tasks and responsibilities, relevant milestones, and perhaps most important, testing of the solution, Spilde says.

“While the initial presentation of software has been impressive, can the same be said about the migration process for the software to the hospital’s computer systems and networks? Did the hospital work through and confirm that all key record information is accurately transferred and displayed?” Spilde says. “Does the solution show the hospital the information they need?”

As for the contract itself, the risk allocation provisions, such as representations, warranties, indemnification, and liability limitation provisions, demand close scrutiny, he says. Carefully address compliance functions, audits (both for compliance and information security), performance standards (measuring key metrics such as solution availability and response to problems, but also accuracy), and the effect of changeover. Finally, consider what happens if the agreement expires or is terminated.

Marshall and Spilde agree that a hospital may be held liable for any resulting patient harm. A patient who is injured or harmed as a result of a problem relating to EHR software may assert a negligence claim against the hospital in the same way they can against a physician.

In the case of EHR software, an injured party might assert that the hospital failed to use reasonable care in its selection of EHR software based on a product’s known problems or limitations. An injured party may also assert that a hospital failed to properly maintain its facilities and train staff, failed to properly oversee the EHR software vendor, overly relied on the EHR software instead of sound professional medical judgment, or failed to maintain accurate records in the software, whether due to input errors by the hospital or due to problems in the software itself.

“The question then becomes whether a hospital actually will be held liable,” Marshall says. “If a hospital conducts reasonable due diligence about the EHR software, reasonably relies on representations about the EHR software by a vendor, and has no basis to doubt these representations, then the potential liability for a hospital when an EHR product is faulty is lower.”


• Sara H. Jodka, JD, Dickinson Wright, Columbus, OH. Phone: (614) 744-2943. Email: sjodka@dicksonwright.com.

• John C. Ivins Jr., JD, Partner, Hirschler Fleischer, Richmond, VA. Phone: (804) 771-9587. Email: jivins@hf-law.com.

• Romaine Marshall, JD, Partner, Holland & Hart, Salt Lake City. Phone: (801) 799-5922. Email: rcmarshall@hollandhart.com.

• Rich Spilde, JD, Partner, Holland & Hart, Boulder, CO. Phone: (303) 473-4808. Email: rdspilde@hollandhart.com.