


Navigating Electronic Health Records Discovery in Medical Professional Liability Claims

By Shahzad Ahmad

In defending medical professional liability (MPL) claims, electronic health records (EHRs) are crucial for defense counsel, in-house counsel for hospitals, and risk managers for MPL insurance groups. MPL claims typically include the review of a set of electronic medical records produced under discovery, as both sides rely on such data to determine the relevant facts and form expert opinions.

The complexity of Health IT systems and the associated data have made eDiscovery steadily more challenging. Increasingly, the exact set of data produced or withheld is the subject of major disputes in the discovery process and, in some extreme cases, has led to sanctions with nine-figure summary judgments.

This article sheds light on key factors and trends in the discovery of EHRs in MPL claims and offers insights into navigating these complexities. Below, we review key considerations for defense counsel in an effort to combat these extreme types of cases.

Key Considerations in Discovery

Discovery has many components, including health information technology laws and regulations, information blocking rules associated with the 21st Century Cures Act, the potential difficulty or burden in accessing the information, and the relevance and importance of the data.

Health IT Laws and Regulations: Plaintiffs often attempt to cite regulations in an effort to compel defendants to produce additional data, such as audit or access data surrounding the medical record. Often, these regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), are incorrectly cited in an effort to gain this type of data.

The Health Insurance Portability and Accountability Act: HIPAA, first introduced in 1996, covers a broad range of topics relating to the flow of healthcare information. Specifically, the HIPAA Privacy Rule is miscited in support of compelling defendants to produce audit or access data surrounding the actual medical record.

While the HIPAA Privacy Rule does address the use and disclosure(s) of an individual’s “protected health information” to include the patient's right of access to protected health information in the hospital's designated record set(s), it does not define what specific information must be included in that record set and leaves it up to each healthcare organization to define their designated record set. Industry experts and Health IT professional societies have long held that, “Data such as audit trails, metadata… are not included in the definitions for these record sets.”

Additionally, the Department of Health and Human Services (HHS) has clarified that an individual does not have a right to access PHI that is not part of a designated record set “because the information is not used to make decisions about individuals.” Hospitals are not required to create additional information that is not already in the designated record set.



While HIPAA’s individual right of access rule, along with each institution’s designated record set, dictates what information must be shared with a patient when they request their medical record, MPL claims often include discovery requests for information that extends well beyond what is required to be shared with the patient per the right of access rule.

Information Blocking Rule of the 21st Century Cures Act: The 21st Century Cures Act, passed into law in 2016, included the goal of providing seamless and secure access, use, and exchange of health information. To that end, the Office of the National Coordinator for Health IT put forth Information Blocking regulations to discourage any practice that interferes with or discourages the exchange or use of electronic health information. Again, plaintiffs often miscite this rule in support of compelling defendants to produce audit or access data surrounding the actual medical record.

In this case, electronic health information is defined as the designated record set, which the Office of the National Coordinator for Health IT intentionally aligned with the HIPAA e-personal health information definition. While these regulations may offer broader access to certain subcomponents of electronic health information in certain circumstances, they do not go as far as some MPL claims attorneys or experts may assume. For example, many do not realize that audit and access data are not regarded as medical data or e-personal health information. In addition, audit and access data are not in the designated record set. For these reasons, this information is not required to be shared or made accessible under the HIPAA individual right of access, or as electronic health information for purposes of information blocking.

Most recently, and in response to the new regulatory definition of electronic health information, leading informatics bodies, including the American Health Information Management Association, American Medical Informatics Association, and the HIMSS Electronic Health Record Association, formed an electronic health information task force. They produced a detailed report that specified that audit trail and event logs are not considered e-personal health information, part of a designated record set, or electronic health information.



Burden: A key consideration when responding to production requests is the effort required to produce and analyze the requested information, which is known as the burden. In determining the burden, counsel, along with key hospital stakeholders, should aim to answer the following questions:

  1. What is the software capable of, and what type of data exists?
    It is important to have an understanding of what each healthcare IT system is capable of—as implemented—in regard to generating medical information. Common questions under this general heading include:

    • What EHR system is utilized at the institution, what version, and how long has it been in use?
    • Is the EHR system capable of exporting revision histories that include attribution data, such as who added what line of text and when or if the line of text originated from a copy & paste or a template?
    • Is the EHR system capable of providing redline-type revision histories?
    • What types of events are captured in the EHR and the audit report?
    • Does the EHR integrate outside medical information—such as those from a health information exchange or health information service provider—into the patient’s record? If so, is that data included in the printed or exported medical record?

    While this is not an exhaustive list of questions, it provides a good starting point to gain an understanding of the capabilities of implemented healthcare IT software. Care must be taken to ensure you understand the specific capabilities of the EHR as it is implemented at your institution.

  2. How can you quantify the burden?

    Although it may be possible for knowledgeable users of the EHR system to generate vast amounts of data related to a patient's medical record, it is important to understand what level of effort it would take to not only generate such data but analyze it as well. Data that is seemingly simple—such as note revisions coupled with audit report data—can be expensive and time-consuming to extract and evaluate.

    Things to consider when quantifying the burden:

    • What period of time is relevant to the case?
    • What type and volume of medical data is relevant to the case? This can be a single laboratory result sent on a single day or a much longer or more complex history with multiple visits and thousands of data points.
    • Who has access to the data, and what level of technical effort and skill are needed to extract the data? In some cases, the data can only be extracted by third parties, such as the software or device vendor.
  3. What is the relevance or importance of the data?

    Production requests in MPL claims often include a “give us everything” approach. While it may be technically possible to account for and produce literally every piece of data generated by EHRs, much of this data is often irrelevant to the case. Important considerations regarding relevance, from a technical perspective, are:

    • As a matter of practice, how was such data typically utilized or acted upon by the end user?
    • Was the data ever utilized or seen by the healthcare provider or caregiver?
    • If data isn't viewable or visible to a caregiver, it could be irrelevant or less relevant.

    Notwithstanding the above considerations, care should be taken to ensure relevant data is shared. In conjunction with the burden of generating and analyzing the data, counsel should weigh the relative importance of the data to ensure time and money are spent most efficiently.

Manage Discovery More Effectively

Navigating the complexities of EHR discovery in MPL claims is a challenging task for all parties involved. Understanding the laws and regulations governing Health IT, assessing the burden of data production and analysis, and determining the relevance of the data are critical steps in the process. By considering these factors, defense counsel, in-house counsel for hospitals, and risk managers for MPL insurance groups can more effectively manage the discovery process and ultimately better serve their clients.


Shahzad Ahmad is Senior Biomedical and Healthcare IT Consultant at Quandary Peak.