Electronic Health Records: Patient Safety and Liability Concerns

August 17, 2021

Reading time: 15 minutes

Health information technology (HIT) has significantly shaped the landscape of modern healthcare. At the forefront of the burgeoning HIT industry are electronic health records (EHRs), which arguably represent the most consequential technological advance for healthcare in recent decades.

EHRs have revolutionized the documentation of patient care. For the majority of healthcare organizations and practitioners, paper records are a relic of the past, replaced by exam room computers and digital interfaces. Virtually all hospitals in the United States use EHRs, and almost 90 percent of office-based physicians have adopted these systems.1 The shift from paper to electronic records has been slower in dentistry, but the number of dental practices implementing EHRs continues to grow.

The promise of EHR capabilities has been ambitious and perhaps borderline utopian — these systems have been lauded as a way to vastly improve patient safety, efficiency, care coordination, and information sharing. However, the reality of EHRs has been a complex intertwining of incremental improvements, risks, and frustrations. Many benefits have been tempered by negative effects or outcomes. For example:

  • Increased access to patient data has resulted in information overload and data dumps.
  • Enhanced clinical decision support and patient alerts can cause alarm fatigue.
  • The convenience of electronic prescribing and referrals has been moderated by system glitches and human factors that result in errors or oversights.
  • The elimination of issues associated with clinician illegibility can be offset if printed electronic records contain coding gibberish or massive amounts of meaningless data.

These examples illustrate the figurative seesaw that the healthcare community has experienced with EHR technology. As a result, feelings about EHRs often are mixed, and many providers cite EHR issues as a key contributor to clinician burnout.

In addition to clinical and operational issues, EHRs also have introduced a new dynamic in malpractice liability. A survey from the Medical Professional Liability (MPL) Association (formerly PIAA) found that more than half of member companies had EHR-related malpractice litigation.2 Major contributing factors in this litigation included problems with documentation, system functionality, metadata, record format, vendor support, and more. Further, a review of malpractice claims facilitated by CRICO Strategies showed that claims involving EHR factors were costly and almost half resulted in high-severity outcomes (i.e., permanent disability or death).3

This article focuses on a number of areas in which EHR-related risks may occur due to time constraints, inexperience, oversight, system usability, or other factors. Risk strategies also are presented for each area covered, with the hope that they will lay the groundwork for more thorough discussions within healthcare organizations about how to manage risks associated with complex EHR systems.


Moving from paper records to an EHR system or converting from one EHR system to another is inherently risky because data can be lost or misplaced, workflow processes change, and new skills and knowledge must be obtained. Implementation/conversion is a multistep process that should involve identifying organizational needs, performing due diligence of vendors and products, strategic planning, and ongoing assessment and adjustment once the system is in place.

The Office of the National Coordinator for Health Information Technology (ONC) notes that successful implementation requires a two-phase approach: pre-implementation and implementation.4 The first phase focuses heavily on the ”big-picture” strategy, including establishing an overall implementation plan, developing governance processes, and designing workflow patterns.

The pre-implementation phase also includes communicating with providers and staff about the new system and the conversion process as well as providing ample training opportunities. Careful evaluation of workflow processes and an open dialogue with staff may help identify potential issues early, so effective strategies can be developed and applied.

The second phase involves more detailed evaluation and adjustment, such as tailoring the system to meet the specific needs of the organization, establishing a change-management process, and determining how to transfer information and reconcile legacy data with data in the new system, so as not to misplace important records or overlook critical health information.

The implementation phase also involves providing overall support for the new system and encouraging adoption of the system among providers and staff. Workforce cooperation and compliance are critical during the implementation phase. For those managing the process, it is important to realize that some providers and staff may welcome the new technology, while others might resist the change.

In some instances, provider/staff resistance has led organizations to maintain both paper and electronic systems to meet everyone’s preferences. However, research has shown that hybrid systems decrease efficiency and increase the risk of errors.5 Although it might be tempting to try to satisfy everyone, it also can be counterproductive and, ultimately, it does not support a culture of safety or environment of cohesive teamwork.

Strategies for Implementation/Conversion

  • Include providers and staff members who will be using the EHR system in initial research and planning activities.
  • For paper-to-electronic conversions, develop a plan for how your organization will handle paper records once the EHR system is implemented. Will paper records be scanned into the new system? Will scanned documents be searchable? What are the expectations for providers to reconcile old records with new ones during patient encounters?
  • For conversions from one EHR system to another, determine the previous vendor’s and new vendor’s roles in information transfer (i.e., contractual obligations and requirements). Does the data need to be optimized prior to conversion? What are the deadlines for data transfer between systems? Will your organization have access to the old system after the conversion, and for how long?
  • Seek provider/staff input on developing policies and workflow processes that align with their needs as well as the functionality of the new system.
  • Support providers and staff throughout the pre-implementation and implementation phases by (a) including them in the decision-making process, (b) maintaining transparent communication; and (c) establishing firm, yet reasonable expectations related to EHR use.
  • Be realistic about the cost (both in external resources and staff time) that it will take to implement the new system.
  • Provide training and education during pre-implementation and implementation — as well as after the system is in use — to help providers and staff acclimate to the EHR’s interface and functionality, recognize potential process or system problems, and work toward achievable solutions.

For in-depth information about implementing an EHR system and valuable tools to assist in the process, see Section 1 of the ONC’s Health IT Playbook and the American Medical Association’s (AMA’s) STEPS Forwardâ„¢ Electronic Health Record (EHR) Implementation module.


Accurate and thorough documentation is the backbone of risk management; it provides essential patient information, historical details about the course of patient care, and a record of services provided.
EHRs are intended to streamline the documentation process, while at the same time capturing more information than was previously possible with paper records. Although this may result in more substantive patient information, it also presents opportunities for error due to EHR-specific functions, such as copy and paste; structured and standardized content; and metadata and audit trails.

Copy and Paste

The practice of copy and paste is one of the most common and problematic documentation issues associated with EHRs. Both the MPL Association’s and CRICO Strategies’ malpractice analyses cite this practice as a top trend in EHR-related allegations.6

Copy and paste — also called cut and paste, cloning, or carrying forward — refers to electronically lifting information from a previous entry in a patient’s record and placing it in the current entry. It also refers to copying information from one patient record to paste into another, such as through the use of boilerplate language.

Automated functions within EHR systems facilitate the cloning of information because of the ease with which users can grab and move content. Practitioners who feel crunched for time may find the copy and paste function enticing because it’s quick and easy. Although the level of convenience is clear, ”Less clear is the line between efficiency and note quality.”7 Copying and pasting content can result in the proliferation of incorrect or non-consequential information throughout electronic records, which can lead to patient harm if treatment decisions are based on erroneous or old information — or if practitioners are so overwhelmed by ”note bloat” that they miss critical information.

Copy and paste also can affect healthcare providers’ credibility, both in litigation and with patients. In a special report about copy and paste, ECRI Institute relays the story of a physician who, while talking with a comatose patient’s family, stated that the patient had only recently had surgery (within the previous days). In reality, the patient had undergone surgery more than a month prior, but the phrase ”postoperative day 2” had been copied and pasted in the progress notes for weeks.8

Additionally, the use of copy and paste can have serious corporate compliance implications. When information is carried forward from encounter to encounter without careful review by the healthcare provider, the organization might end up billing for services that did not occur. Even though this type of billing error might be a simple oversight, it could lead to allegations of fraud, which may jeopardize reimbursement from Medicare and other payers.

Copy and paste also can have a negative effect on data integrity. One of the broad goals of EHR systems is to facilitate the electronic exchange of health information and collection and submission of clinical quality measures. Inaccurate data that result from poor practices like copying and pasting may have long-term implications for population health studies, disease tracking, and data mining.9

Strategies for Copy and Paste

  • As part of documentation policies, establish guidelines for when copy and paste is prohibited and when it may be used with extreme care.
  • In situations in which copy and paste is allowed, ensure that organizational policy stipulates the need for practitioners to carefully review any information carried forward in records.
  • Reinforce practitioners’ responsibility for updating/revising copied information as appropriate and electronically signing each record to verify their review and approval of the information.
  • Include in documentation policies a requirement that providers note the source of any information they copy and paste in records.
  • Encourage providers to revise copied and pasted material to remove redundancy and extraneous details.
  • Routinely audit records to check for errors that may have resulted from copying and pasting patient information.
  • Educate staff about the dangers and consequences of using poor documentation practices and shortcuts, such as misinformed treatment decisions and fraudulent billing.

To assist healthcare organizations and providers, the Partnership for Health IT Patient Safety released a toolkit for the safe use of copy and paste, which included four core safe practice recommendations: (1) provide a mechanism to make copy and paste material easily identifiable; (2) ensure that the provenance of copy and paste material is readily available; (3) ensure adequate staff training and education regarding the appropriate and safe use of copy and paste; and (4) ensure that copy and paste practices are regularly monitored, measured, and assessed.10

Structured/Standardized Content

One of the purported benefits of EHRs is structure and standardization, which is accomplished through functions such as data entry fields, check boxes, drop-down menus, auto-fill, and templates. When used appropriately, these elements can help generate consistent documentation across providers. However, standardization also presents new dilemmas.

For example, inaccuracies in the records might occur if:

  • The data entry fields don’t match the clinical situation.
  • Patient identification issues cause a provider to enter data in the wrong patient record.
  • The system automatically defaults to a selection of ”normal.” If all options are not carefully reviewed, the record might indicate a normal value for a condition that was never evaluated.
  • The auto-fill function populates incorrect information in a field, and the provider accepts the information without review.
  • The provider selects the wrong template, check box, or menu item, which can easily happen when multiple options are presented and time is scarce.
  • The provider is unaware of how taking an action within the EHR ultimately affects the physical output of the record.

Undoubtedly, data entry fields, check boxes, drop-down menus, auto-fill, and templates can create efficiencies, but they also can contribute to the domino effect of replicating inaccurate information. An article about EHR liability in For the Defense explains that ”if one provider puts in a wrong medication, a wrong diagnosis, or an incorrect medical history, the systems are typically designed to keep repopulating and disseminating the erroneous information. Keep in mind that one wrong entry might not stay in the system of origin, but it might find it way to a separate pharmacy, specialist, or outside primary care system.”11

Further, overreliance on structured/ standardized content can result in records that lack specificity. Without the unique patient narratives that were customary in paper records, it might be difficult to distinguish one patient encounter from the next, creating uncertainty about critical thinking, clinical reasoning, and diagnostic- and treatment-related decision-making.

Strategies for Structured/Standardized Content

  • Ensure that the EHR product you select can be tailored to the clinical situations that are relevant to your organization.
  • Be aware of whether your system automatically defaults to a normal setting. If so, carefully review the record at each encounter to ensure it doesn’t misrepresent clinical information.
  • Provide a final quality control review of all data you enter and boxes you select in the EHR.
  • Occasionally print out records to ensure information is presented in a logical, accurate format.
  • In addition to using data entry fields, check boxes, drop-down menus, and auto-fill, provide patient-specific notes and comments in the record, as appropriate and necessary.

Metadata and Audit Trails

As mentioned previously, EHRs present an opportunity to collect more data than was ever possible with paper records — and not just data that reside within patient records. A distinguishing characteristic of EHRs is their ability to collect metadata, or ”data about data.” The metadata generated by an EHR leave an audit trail that may show information such as:

  • Who accessed a record, when they accessed it, and the machine on which the information was accessed
  • The date and time that test results were reviewed
  • The data and time that a record was modified
  • How long a provider had a record open and how quickly he/she selected various options
  • How a provider responded to system-generated alerts or advisories

Simply stated, metadata and audit trails provide ”a permanent electronic footprint”12 that tracks ”each access, update, and action performed by each user . . .”13 This information can play a pivotal role in malpractice litigation — either by confirming a healthcare provider’s recollection of events or showing discrepancies in a provider’s statements.

Consider the following scenario: A provider claims to have entered documentation at the point of care, but the EHR audit trail reveals that the majority of documentation was not entered for several weeks. Even if the documentation is accurate, the discrepancy in timing might cast doubt on the provider’s credibility.

For some practitioners, metadata might necessitate a change in workflow. For example, providers who have typically entered some information into patient records prior to the actual patient encounters will need to adjust their processes. Otherwise, metadata might show inconsistencies in the timing of events. Further, providers should be cognizant of following organizational policies related to documentation timeframes and protocols for amending records.

Strategies for Metadata and Audit Trails

  • Learn how your EHR system’s metadata function works, and develop documentation policies around that knowledge.
  • Ensure that providers and staff in your practice are mindful of the type of metadata that the EHR system collects.
  • Adjust workflow processes as necessary to eliminate inconsistencies in metadata.
  • Develop guidance for how to appropriately amend or update electronic records. Without a defined policy, changes to a record may raise questions about the validity and integrity of information.
  • Be aware of your state’s laws or rules related to e-discovery. Consider hiring an outside party to perform an annual audit of your EHR system and provide feedback about the quality of documentation, adherence to regulatory standards, and billing/coding compliance.

Alert Fatigue

Perhaps one of the most powerful patient safety capabilities of EHR systems is their potential to analyze patient data, provide clinical decision support, and send providers auditory or visual safety alerts (e.g., reminders that patients are due for screening tests or notifications about possible contraindications, such as dangerous drug—allergy interactions). These tools are valuable, but only when they are efficiently implemented and used.

Unfortunately, ”in the current highly computerized clinical environment, an individual clinician interacts with many different alert-generating devices—meaning that every day, clinicians are on the receiving end of a staggering number of alerts.”14 Systems that bombard providers with an overabundance of alerts can be frustrating and lead to a phenomenon known as ”alert fatigue” or ”alarm fatigue,” in which providers — pressed for time and exhausted by the sheer number of notifications — ignore or override alerts without verifying their clinical significance.

A survey of primary care providers from the Department of Veterans Affairs showed that almost one-third of those using EHRs reported that they missed or did not follow up on alerts about patient test results, and almost 87 percent thought the quantity of EHR alerts was excessive.15 Another study noted that clinicians ignore safety notifications between 49 percent and 96 percent of the time.16 Although many of these dismissed notifications do not result in patient harm, alert fatigue has contributed to various adverse outcomes and is considered a significant patient safety hazard.17

These study results suggest that when providers are inundated with massive numbers of noncritical or nonrelevant notices, the likelihood that important information will be overlooked increases. After receiving a number of unhelpful alerts, a clinician might bypass the next alert based on the assumption that it is another ”false alarm” — when, in fact, it might contain critical information.

To complicate matters, not all alerts that are overridden are the result of providers ignoring the system. Many times, alerts are overridden for valid clinical reasons. However, metadata that capture overrides likely will not distinguish between the two. If metadata are used as evidence in a malpractice lawsuit, a healthcare provider might have to defend why he/she overrode a system alert.

Addressing alert fatigue requires consideration of the human and systems factors that contribute to the issue ”as the problem fundamentally arises from both the technology itself and how busy human beings interact with the technology.”18

Strategies for Alert Fatigue

  • Determine whether your EHR system’s alert function can be tailored for your healthcare organization, your overall patient population, and specific patient characteristics (e.g., patients who are at high risk for potential adverse outcomes due to certain diseases or conditions).
  • If your organization is in the process of purchasing an EHR system, include questions about the alert capabilities in your initial research and assessment of products.
  • Ask your vendor whether the system’s alerts can be classified based on severity or other factors, and make sure the different types of alerts are presented in different ways.
  • Limit interruptive alerts to only those that are classified as severe.
  • Determine whether alerts that are clinically nonconsequential can be turned off or minimized to reduce alert burden.
  • Provide documentation and support for overriding clinically significant alerts.

Take-Away Message

EHRs represent the present and future of health record documentation. When used properly and with careful consideration, EHRs offer opportunities to streamline processes, enhance quality of care, and support patient safety efforts.

However, like all types of technology, EHRs aren’t without problems and risks. Changes in workflow, poor system design and usability issues, lack of understanding about these systems and their capabilities, user errors and system errors, and lack of defined protocols can all lead to process breakdowns and errors.

Awareness of the potential risks that EHRs present can help healthcare organizations, providers, and staff proactively address them through ongoing staff training, workflow evaluation, and development of comprehensive policies and procedures.


Additional Risk Tips content

Risk Tips

Discharging a disgruntled or dissatisfied patient from a chiropractic practice is a delicate process that requires careful consideration of the…

Risk Tips

The internet and social media have fundamentally changed the ways in which healthcare consumers gather and exchange information. More and…

Risk Tips

Improper patient handling may injure patients and employees. Unsafe patient lifting may result in falls, skin tears, joint dislocations, fractures,…

This document should not be construed as legal or medical advice and should not be construed as rules or establishing a standard of care. Because the facts applicable to your situation may vary, or the laws applicable in your jurisdiction may differ, please contact your attorney or other professional advisors if you have any questions related to your legal or medical obligations or rights, state or federal laws, contract interpretation, or other legal questions.

MedPro Group is the marketing name used to refer to the insurance operations of The Medical Protective Company, Princeton Insurance Company, PLICO, Inc. and MedPro RRG Risk Retention Group. All insurance products are underwritten and administered by these and other Berkshire Hathaway affiliates, including National Fire & Marine Insurance Company. Product availability is based upon business and/or regulatory approval and may differ among companies.

© MedPro Group Inc. All rights reserved.