Virginia: Medical Malpractice – a Lawyer’s Metadata

The Virginia Trial Lawyers Association filed a Brief Amicus Curiae in Support of Appellant in the wrongful death suit, Temple v. Mary Washington Hosp., Inc., No. 131754, in the Virginia Supreme Court. The final issue covered by Mr. Waterman in that Brief is the discoverability of metadata, including Audit Trails, which is excerpted here.

A.      Post-Riverside electronic recordkeeping.

Riverside Hosp., Inc. v. Johnson, 272 Va. 518 (2006) in 2006 re recordkeeping in 1997 had the Virginia Supreme Court on the cusp of electronic recordkeeping. Patient charts and “hospital records” were handwritten, but incident report and other data from paper records manually was inputted into an electronic database, id. at 530-531; which was upheld as discoverable and admissible. Id. at 532-534.

Temple in 2014 lands the Virginia Supreme Court in the thick of electronic data entry, storage, and revision. Defendant admittedly is emblematic: “Most charting is done electronically, and any paper documents…are scanned and then discarded contemporaneously.” Defendant elaborates on point:

Across the nation health care facilities are largely beginning to store health information electronically. The [2009] American Recovery & Reinvestment Act…includes a provision to encourage health care providers to adopt and effectively use electronic medical records.

PUBLIC LAW 111-5. Via the Act, the Federal government is providing funds to encourage health care providers to adopt a paperless system for the storage of medical records. This part of the bill is called the Health Information Technology for Economic and Clinical Health Act [(“HITECH”)].

It is imperative the Virginia Supreme Court declare patient access to all electronic recordkeeping, including Audit Trails and other metadata.

Nurses, doctors, and others routinely enter data at remote stations, which automatically feeds into central databases. Likewise, staff scanning barcodes on portable carts, apparatuses monitoring vitals/infusions, etc. feed data into the same electronic databases.

Hospitals’ highly sophisticated electronic recordkeeping systems:

1. Separate “incident report” data from “patient chart” data;

2. Store data in “patient chart” under chards;

3. Facilitate seamless deletions and additions of “patient chart” data; and

4. Record the identity, time, and content of each “patient chart” access.

Significantly, however, the paper printout of the “patient chart” does not produce any of the aforesaid metadata; rather, it shows just the final sanitized (potentially edited) versions. Only the complete electronic version of the “patient chart,” including particularly its Audit Trail, will disclose all of the aforesaid accessing, alterations, and other metadata.

B.      Va. Code §8.01-413 entitles patient “records and papers”.

Va. Code §8.01-413(B) provides: “Copies of hospital, nursing facility, physician’s, or other health care provider’s records or papers shall be furnished” (emphasis added). That includes copies “from computerized or other electronic storage”. Va. Code §8.01-413(A).

In this modern age of electronic recordkeeping (where paper printouts of electronic record indisputably do not reflect the entire electronic record), see, A, supra, and E, infra; “copies” furnished by healthcare providers must include the entire electronic record in its native form, including the Audit Trail, any other metadata, and even computer “prompts” or “drop-down menus” from which data-inputters selected. At minimum, it must be so on specific patient request.

Otherwise, healthcare providers eviscerate the letter and intent of §8.01-413 by systematically maintaining patient records electronically, but providing only a part on incomplete paper printouts, instead of everything on a disk in their native electronic form. Moreover, healthcare providers simply burning a disk obviously is faster, cheaper, and eco-friendlier.

“Prompts” and “drop-down menus” simply are the modern-day electronic functional equivalent of pre-printed checklists, blanks, etc. on paper-based records, which obviously are provided as part of the print copy, not redacted and withheld. The paper box or blank – the electronic prompt or drop-down – that the healthcare provider did not choose is as or more informative than what it did choose, and in any event adds context, perspective, and contour to what was chosen and completed.

C.      Riverside entitles “factual information of patient care”.

§8.01-413 entitles Plaintiff to Defendant’s complete electronic record. However, Riverside also independently entitles her the same, ensuring that healthcare providers cannot interpose §8.01-581.17 to trump §8.01-413.

Riverside held all “factual information of patient care” discoverable, regardless how titled and kept, even if facially seeming within the ambit of §8.01-581.17. 272 Va. at 533. That necessarily extends to healthcare providers’ electronic data/metadata, including Audit Trails; otherwise, electronic recordkeeping affronts, circumvents, and undercuts Riverside.

D.      Va. Sup. Ct. Rules entitle all “relevant” electronic records.

Va. Sup. Ct. Rule 4:9(b)(iii)(B) makes Requests for Production applicable to “Electronically Stored Information”. Even if “a request does not specify the form or forms for producing electronically stored information,…a responding party must produce the information as it is ordinarily maintained”. Rule 4:9(b)(iii)(B)(2).

Defendant admittedly maintained “charting…electronically”. And Plaintiff requested “medical records and data electronically maintained on Defendant’s electronic computer system,” but did not get all of it – got only electronic copies of the “charting” – did not get the Audit Trail, any other metadata, “prompts” or “drop-downs”.

Even if arguendo Audit Trails, other metadata, “prompts” and/or “drop-down menus” are not covered by §8.01-413 and/or Riverside, they clearly are covered by the greater breadth of Rule 4:1(b)(1). As discussed, IV(A), supra, 4:1(b)(1) extends to anything “relevant,” anything “reasonably calculated to lead to the discovery of admissible evidence;” regardless whether technically it constitutes the patient’s electronic “charting” record.

Defendants cannot argue seriously that Audit Trails chronicling the access date, identity, and content (including alterations) of patient records do not meet the liberal test of Rule 4:1(b)(1). Likewise, Defendants cannot argue seriously that (other) metadata – actual “hidden” substantive data about the electronic patient record – is not inherently discoverable too.

A decade ago, the Virginia Supreme Court addressed metadata when it was the subject of extensive discovery and admission in business litigation:

‘Metadata,’ which also is referred to as ‘data about data,’ is a relational database that contains information about the data located in a data warehouse. The metadata is accessed through certain tables and indexes [sic], which collectively are known as the ‘schema’.

MicroStrategy, Inc. v. Li, 268 Va. 249, 253 (2004). Metadata also is relevant to personal injury litigation, particularly patient medical records; and there is no principled reason why metadata discovery should turn on whether Defendant is prosecuting business litigation versus defending medical malpractice litigation, especially re patient medical records.

E.      Federal data/metadata, including audit trails.

Although the Virginia Supreme Court has not addressed metadata since MicroStrategy, Federal authorities have been involved regularly, very savvy, and increasingly vigilant over the past decade. The Virginia Supreme Court needs be now too.


1.      Fed. R. Civ. P. 34(b)(2)(E) and Jurisprudence.

Va. Sup. Ct. Rule 4:9(b)(iii)(B)(2) is modeled after Fed. R. Civ. P. Rule 34(b)(2)(E), which has been applied expansively. As State Judge Thomas D. Horne observed in 2007, “Federal Rules address the emerging role of electronic data in the discovery process by recognizing that ‘electronic information must be treated on equal footing with paper documents’.” Horne, T.D., Electronic Data: A Commentary on the Law in Virginia in 2007, 42 U. Rich. L. Rev. 355, 378-79, 380 (2007)(admiring “beauty of the new federal system” and touting adoption).

A 2010 survey of Federal jurisprudence found virtually all cases held metadata discoverable. One alleged unnecessary surgery and held “the hospital would be compelled to produce all responsive documents in electronic format, along with any metadata.” Annotation, Discoverability of Metadata, 29 A.L.R. 6th 167 (2010)(citing Allen v. Woodford, 2007 WL 309943 (E.D. Cal. 2007)).

Metadata discovery is the integral norm in Federal Courts. The issue is more one of which party will pay for metadata discovery, not whether there will be metadata discovery now. E.g., Amdocs (Israel) Ltd. v. Openet Telecom, Inc., 2013 WL 1192947 (E.D. Va. Mar. 21, 2013); Mann v. Heckler & Koch Defense, Inc., 2011 WL 1599580 (E.D. Va. Apr. 28, 2011); Fells v. Virginia Dept. of Transp., 605 F.Supp.2d 740 (E.D. Va. 2009).

2.      HIPAA, HITECH, and Code of Federal Regulations.

Trenchant “Introduction” to federally-protected Audit Trails follows:

In the days of the handwritten medical record, it was the job of forensic documents analysts to search for evidence of falsification of records by comparing handwriting, inks, paper stocks, looking for impressions from the writing utensil on pages beneath the subject page, etc. None of this can be done with a record that is newly printed by a computer. At first blush, a printout of [an electronic] medical record will show all of the entries neatly organized in perfect chronological sequence, and there is no way to tell – on the surface – whether the entries are bona fide or not.

The audit trail may be the key to discovering whether an electronic medical record has been falsified, amended or back-dated. The audit trail is a log, which institutions are mandated to maintain by federal statute, that shows the identity of the individual accessing the record, and the time and date of record access, the record or records accessed, the portion of the record accessed, and any modifications made.

Valuable information can come to light through a careful scrutiny of the audit trail’s contents. Audit trails allowed the authors of this paper to discover vital information, e.g., that attendings who denied involvement in the patient’s care had actually accessed a patient’s diagnostics on multiple occasions, and it revealed names of involved radiologists who became key witnesses and who would otherwise have remained hidden. Audit trails helped us establish that even though the nursing flow sheets appeared to be maintained contemporaneously as events unfolded, that the target period had no contemporaneous entries and that late entries and amendments to data occurred long after the key events unfolded. Scrutinizing the audit trail before a deposition resulted in a line of questioning that exposed that late data entries were actually made with the assistance of the risk manager. Audit trails can allow plaintiff’s teams to establish that coincidental-appearing data entries are much more than coincidences.

 Bowers, M.R., Jackson, N.S. & Meyers, J.I., Follow the Audit Trail, 2 N.Y. Lit. Rev. 11 (2010)(emphasis added). Amicus commends the Virginia Supreme Court to the article’s ensuing 5-page case expose replete with actual electronic screenshots and informative detailed explanations. Id. at 12-16.

The Federal statutory fountainhead is Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), supplemented by 2009 HITECH. Although referenced mostly in the context of third-party disclosure, HIPAA also controls electronic recordkeeping and patient access. 45 CFR Part 164 (“Security and Privacy”).

Subpart C of Part 164 (45 CFR §§164.302-164.318) is entitled Security Standards for the Protection of Electronic Protected Health Information and features Appendix A, “Security Standards: Matrix,” a concise tabular summary of Subpart C’s “Administrative Standards”. A covered healthcare provider like Defendant must “ensure the confidentiality, integrity, and availability of all electronic protected health information [it] creates, receives, maintains or transmits.” 45 CFR §164.306(a)(1).

Notably, several paragraphs in Subpart C’s “Technical Safeguards” Section are the specific legal and factual basis for Audit Trails:

A covered entity or business associate must, in accordance with §164.306:

(a)(1) Standard: Access Control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to [authorized] persons….

(2) Implementation specifications:

(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.


(b) Standard: Audit Controls. Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

(c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

45 CFR §164.312 (italics in original). Defendant’s systemic compliance produces the following set of metadata, i.e., Audit Trail, re accessing the electronic patient charting that Plaintiff sought: (1) name of each accessing individual; (2) date and time of each access; (3) each part accessed; and (4) each alteration made.

Subpart E of Part 164 (45 CFR §§164.500-164.534) is entitled Privacy of Individually Identifiable Health Information. “[A]n individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set”. 45 CFR §164.524(a)(1). “Designated record set” specifically includes, but is not limited to, patient’s “medical records” and “protected health information,” i.e., includes Audit Trails. 45 CFR §164.501 (Definition. Designated record set). “If the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual.” 45 CFR §164.524(c)(2)(ii).

Hence, Federal law entitles Plaintiff all patient healthcare information, including Audit Trails and all other metadata, in its native electronic form and format maintained by Defendant. Plaintiff requested that, and its objection by Defendant and denial by Judge contravened Federal law; requiring reversal.