Metadata can be released inadvertently when providing other data from electronic health records. There are ways to prevent this disclosure.

  • Metadata can include privileged information.
  • Plaintiffs may use metadata for an unfair advantage.
  • Patients may be harmed and hold the healthcare organization responsible.

Information from electronic health records (EHRs) can contain metadata that are not immediately recognizable to the user, but could contain specific protected health information (PHI) about patients. Inadvertently providing this metadata could provide useful information to the opposition in a malpractice case, and could create other problems for the patient.

Metadata, in simple terms, are data that provide information about other data. The data often are embedded in a way that is not immediately visible, such as when a digital photo includes information about where the photo was taken, the date, exposure, and the shutter speed.

In healthcare, metadata can provide information such as medical conditions, treatments, and prescriptions. This PHI can inadvertently be included when providing information from the EHR for a legitimate purpose, such as responding to a subpoena. (See the story in this issue for more on risks from responding to subpoenas.)

Metadata present yet another challenge for healthcare professionals to ensure they avoid unintentionally releasing confidential information, says Frank Negro, senior managing consultant with NTT Data Services in Plano, TX.

“One potential issue with the release of metadata could be physician scrutiny. For example, if a patient had two admissions for the same health concern and was treated by two different physicians, the metadata could show that one ordered a particular set of tests while the other did not,” he says. “By analyzing this data, physician treatment patterns and related treatment quality conclusions could be derived.”

It is incumbent on health systems to engage their risk and security teams before releasing PHI from EHRs, and those teams need to clearly understand what metadata are included, Negro says.

Inadvertent Release Can Damage Defense

The inadvertent release of metadata can potentially damage the defense in a malpractice case, says Bill Fox, JD, chief strategist for global healthcare, life sciences, and insurance at MarkLogic, a database company in San Carlos, CA.

“If, for instance, the information shows a certain result from a blood test, then it might be interesting if the metadata show when the doctor accessed the EHR or didn’t access the EHR after that test result. What did the doctor know, and when, and was there a dereliction in duty in not accessing the data that were available?” Fox says. “If the doctor says he didn’t know this information, the metadata might show that he actually did. That kind of information can be important in litigation.”

But that kind of metadata disclosure should not happen if the data are properly safeguarded, Fox says. IT professionals should establish a data security plan that strictly controls access to metadata rather than including it with any EHR disclosure, he says.

Once metadata have been released, the healthcare organization is potentially liable for any damages. The data are no longer under the healthcare organization’s control and are subject to the security of the party that possesses, says Dominic Sartorio, chief technology officer with Protegrity, a data security company based in Stamford, CT.

“There is a general concern whenever data must be shared: How can one be sure the third party has security controls as good as you do? Do lawyers, courts, and other counterparties have good data protection in place?” Sartorio says. “If metadata leak, harm could come to a person with pre-existing conditions, such as not being able to find employment, being unable to get insured, or the details can be used for identity theft. Secondarily, custodians of PHI are vulnerable to the financial and reputational consequences of not taking their data responsibilities seriously enough.”

The best approach is to know exactly what information is supposed to be released and ensure that only those data are included, Sartorio says. Granular protection can protect this sensitive data while still leaving case-relevant data in the clear, he says. Also, if sensitive data are what the courts need, then one can set up a system where these data are protected and only staff authorized on a “need-to-know” basis can see it unprotected, he says.

Metadata Can Give Advantage

When protected metadata are outside the scope of the subpoena, the healthcare organization may be providing information the other party should not see, says Brian Hedgeman, JD, a law clerk with admission pending at Epstein Becker Green in Washington, DC.

“Some information contained within the metadata might be privileged. Thus, your clients may be at risk of losing their dispute because opposing counsel has acquired information that bolsters their case. Additionally, client representatives may have disclosed something to opposing counsel that they were unaware of,” he explains. “For instance, if metadata related to care and clinical decision guidelines were obtained, opposing counsel would have an opportunity to identify deviations from those standards, which may bolster his case.”

However, some courts today generally require that parties who request metadata during litigation show “a particularized need for the metadata,” as opposed to a generalized view of its importance, Hedgman says.

Also, proprietary or privileged information contained within the metadata would compromise the individual’s economic or personal interests. Hedgeman notes these best practices for avoiding improper release of metadata:

  • Converting a document into another format so that it does not preserve the original metadata;
  • Transmitting the document via email or fax;
  • Using scrubbing technology to remove metadata from various materials;
  • Developing plans for disposing of metadata in the system when no longer needed;
  • Restricting staff and third-party access to multiple systems where metadata can be accessed by allowing read-only permission levels.

However comprehensive the cybersecurity measures, there still is a need to transfer risk with cyberinsurance as a tool to manage exposure, as cyber is excluded on most current general liability policies, notes Dan Hanson, CPCU, senior vice president of management liability and client experience for Marsh & McLennan Agency in Minneapolis.

“Healthcare organizations are beginning to look to insurance or cyberrisk transfer programs as a way to shift the risks, not just as a solution for balance sheet protection but also for contractual evidence and compliance,” Hanson says.

“Prompted by the wave of high-profile attacks and new data protection rules, annual gross written cyberinsurance premiums have grown by 34% per annum over the past seven years. The European Union Agency for Network and Information Security has also found a positive correlation between cyberinsurance take-up and the level of preparedness, and healthcare organizations are only beginning to recognize this.”

Soon, organizations will find that legacy systems and the current way in which sensitive data are stored in the EHR are no longer sufficient for maintaining health data, Hanson says. Patients are likely to continuously integrate health devices, such as adding Fitbit information, downloading genetics information, and feeding additional personal data through wearable and implantable technologies.

“In the future, they could all make up a part of a medical record. It is also not likely to be just about health records on the server or cloud of a hospital, but also health data held on our private phones,” he says. “The introduction of 5G networks will contribute to the high potential for compromise. Other emerging technologies will also lead the healthcare system to evolve into a more data- and analytics-driven one that can enable healthcare organizations to translate data into information that we can base decisions on.”


  • Bill Fox, JD, Chief Strategist for Global Healthcare, Life Sciences, and Insurance, MarkLogic, San Carlos, CA. Phone: (650) 655-2300.
  • Dan Hanson, CPCU, Senior Vice President of Management Liability and Client Experience, Marsh & McLennan Agency, Minneapolis. Phone: (763) 548-8599. Email: dan.hanson@marshmma.com.
  • Brian Hedgeman, JD, Epstein Becker Green, Washington, DC. Phone: (202) 861-1387. Email: bhedgeman@ebglaw.com.
  • Frank Negro, Senior Managing Consultant, NTT Data Services, Plano, TX. Phone: (800) 745-3263.
  • Dominic Sartorio, Chief Technology Officer, Protegrity, Stamford, CT. Phone: (203) 326-7200.