What is an EHR? An EHR is defined as a longitudinal collection of electronic health information that provides immediate electronic access by authorized users. An EHR may involve knowledge and decision support tools that enhance safety and efficiency as well as support of efficient processes for health care delivery (e.g., e-prescribing).

On January 20, 2004, President George W. Bush first publicly threw his support behind EHRs. Since then a host of Washington-based policy groups and health information organizations have been working to make widespread, interoperable EHRs a reality through regional record exchange organizations. In mid-2004, Dr. David Brailer joined the government as the National Coordinator for Health Information Technology. Dr. Brailer has given increased focus and coordination to a national policy effort to standardize and implement a network of health information exchanges that will enable electronic health records to be shared widely in real time by physicians and others. The federal EHR vision is nothing if not ambitious.

As is often the case with cutting edge technology, the law lags far behind. To those who have endeavored to implement electronic health records that can be shared with other clinically integrated practitioners, or more widely, it will come as no surprise to learn that many legal barriers to sharing electronic health records must be addressed.

In summary, the main legal barriers to EHRs are:

· Paper-era state regulations that may not permit EHRs.

· The Anti-kickback Statute.

· The Stark anti-referral rules.

· Concerns about enhanced malpractice exposure.

· HIPAA’s privacy and security regulations.

· In some contexts, the anti-trust laws.

All of the above legal issues may or may not be barriers depending upon the circumstances of any implementation of an EHR. For example, if an IPA uses an EHR, it may help with some anti-trust issues and with privacy concerns because the EHR promotes desirable clinical integration. Conversely, because of physician referral patterns within an IPA, the EHR may increase scrutiny under the Anti-kickback and Stark rules.

State regulation of medical records is based upon rules created in the era of paper records. The State Board of Medicine’s rule on records makes no mention of electronic records, or even imaging of paper records. The Department of Health rules applicable to hospital records written in the 1970s neither permit electronic records nor prohibit them, other than to encourage "automation" and microfilming. Thus, none of these rules address the issues of the electronic era such as what is the "original record"or how does one authenticate entries in an electronic record. Notwithstanding these out-of-date rules, Pennsylvania’s Uniform Electronic Transactions Act does authorize electronic records, including medical records. The Act states that a record may not be denied legal effect or enforceability solely because it is in electronic form. It states further that if a law requires a record to be in writing, an electronic record satisfies the law. However, the precise relationship of the Act to paper era regulation of medical records is unresolved at this time.

The Anti-kickback Statute, and its relevant safe-harbors, is a barrier to implementing EHRs because it prohibits remuneration in exchange for referrals in most cases. Thus, when a hospital wants to make its EHR available to its medical staff and offers them equipment and software, there is a concern that the in-kind value of the equipment and software will incline physicians to refer to the hospital in exchange for the EHR technology and systems. The concern is rooted in the well-documented record of the Inspector General voicing suspicion about "free computers" and "free fax machines" or electronic pagers. To date, there is no safe harbor guidance on how a hospital and its medical staff may share the technology to implement the sharing of EHRs. Interesting, under Medicare’s prescription drug benefit, when Congress wanted to encourage the efficiencies and safety improvement thought to be available from e-prescribing, Congress ordered the Inspector General to create a safe harbor to enable hospitals and medical staff to provide very similar technology and training services for it. The intended safe harbor is a hopeful step toward one the will protect the development of EHRs.

The Stark rules present a different set of issues and potential barriers. Many EHRs will facilitate referrals between hospitals and referring physicians and could implicate the Stark rules on compensation relationships. However, the Stark rules offer two interesting exceptions applicable to shared EHR technology. First, the most recent Stark rules state that wholly dedicated hardware is not "remuneration." Thus, if a hospital provides to its medical staff hardware to support access to the hospital’s EHR, and it was wholly dedicated to the use, there would not be a Stark problem. The Stark rules also provide for an exception for community wide health information systems. This Stark exception protects "remuneration" in the form of hardware and software used in these information sharing systems. There are special qualifications. The hardware and software must be necessary in order to participate in the community wide health information system. When provided, the party providing technology and support cannot take referrals into account in terms of who does and does not get support. The community wide system itself must be available to all providers who wish to participate. Finally, the arrangement cannot violate the Anti-kickback Statute. Of course, this final requirement throws the entire exercise back into the unsettled arena of the Anti-kickback Statute.

Many providers, including physicians, believe that use of EHRs will enhance medical liability exposure. The perception is understandable, but not a realistic concern. There are no cases that address liability when a physician uses or does not use and EHR system. Moreover, as with any malpractice suit, a plaintiff must prove through the use of expert testimony that the standard of care would require a general use of an EHR. Current caselaw tends to illustrate that in many instances, the standard of care does not require a physician to obtain or consult a patient’s prior medical records, whether in paper format or electronic. Further, when one examines the interplay between the introduction of a technology and its impact on the standard of care, it is apparent that while the standard of care changes, it changes very gradually. Thus, the better view of the malpractice as a potential barrier to the implementation of EHRs is that it will be no different from the implementation of most medical technology.

HIPAA’s privacy and security standards present one of the more formidable barriers to the deployment of EHRs as envisioned by the federal government; that is, regional networks of record sharing organizations through which completely unrelated physicians can locate, request and obtain the medical records of patients. The clear bias of Privacy Rules favors disclosure and downstream use of medical information along familiar lines of medical practice and health care delivery. Sharing EHRs between a medical staff and a hospital is workable under the Privacy Rule. However, nothing in the Privacy Rules anticipates the kind of wide open, unrestricted sharing of information among completely unrelated health care providers that the federal vision embraces. Add to privacy the challenges of appropriate security safeguards and one can argue that it may take years to make the federal vision workable. The technical challenges of authentication of parties to requested sharing are substantial and maintaining the integrity of vital content cannot be over-emphasized.

One final legal barrier to shared EHRs is seen by some in the anti-trust laws. The anti-trust laws prohibit anti-competitive behavior, including price fixing. In the case of EHRs, the anti-trust issue involves largely the content of EHRs and what is being shared, or is available to be shared. Many proponents of EHRs expect them to include not only clinical information but related payment information. Sharing payment information could enable competing providers to collude on prices and violate the anti-trust laws. Further concerns arise relating to exclusionary agreements among providers. Some anti-trust analysts believe that among competing providers, EHRs will be used to include only those who would seek to dominate a market while also excluding those who are seen as competitors.

The above-described legal issues can play out rather differently depending upon who is sharing an EHR and how the entity is structured that does the sharing. As a general rule, there are three configurations of EHR implementation that face measurably different sets of legal challenges. By far the least problematic is a simple stand-alone implementation of an EHR for use, for example, within a group practice. Privacy, Anti-kickback and anti-trust issues simply do not exist. Although state regulation concerns may linger in this setting, the Uniform Electronic Transactions Act should minimize that risk.

When EHR implementation moves out of the stand-alone model and into sharing EHRs between clinically integrated practitioners and related providers, more legal barriers arise. Here the Anti-kickback and Stark prohibitions become of paramount concern because of the underlying referral relationships. However, these concerns may improve with the development of more realistic safe harbors and exceptions to Stark. Privacy and security issues are far from negligible, but they are manageable in this still relatively closed information sharing system. The federally envisioned world of region-wide sharing of EHRs presents most of the above issues and challenges given the complexity of this as yet-to-be-fully-defined undertaking.

In conclusion, for those contemplating implementation of an EHR system, there will be significant legal issues to resolve that increase in importance as the complexity of the system deployment increases. Most are surmountable, but some are not.