Reducing EHR Risk

Reducing EHR risk must be integrated into transition planning, implementation and follow-up in order to avoid EHR failure, according to Dean F. Sittig, Ph.D., professor, School of Biomedical Informatics at the University of Texas Health Science Center at Houston. “The potential consequences of an EHR failure become of increasing concern as large-scale EHR systems are deployed across multiple facilities within a health care system, often across a wide geographic area,” writes Sittig in The New England Journal of Medicine. [1]

Seeking to mitigate risks of EHR failure, Sittig and his research associate Hardeep Singh examined the best practices for safety in other industries. Then they applied the research to healthcare EHR and developed a 5-stage security plan to monitor and evaluate EHR systems. The highlights of their proposal includes,

  • Report electronic health record safety issues
  • Enhance electronic health record certification
  • Encourage self assessment of electronic health record use
  • Conduct unannounced on-site inspections
  • Implement national electronic health record adverse event investigation board


The ECRI Institute recently offered “Risk Managers’ 10 Strategies for Health IT Success.”[2] EHR is unquestionably disruptive to a practice. The shift to digital records shifts processes all across a practice, requires extensive training, and risks input error and infrastructure incompatibilities. Facilities should appoint a risk manager to play an active role in all aspects of the EHR implementation. Here are ECRI’s 10 suggestions for reducing EHR risk:

1. Involve Risk Manager at All Phases – According to their research, ECRI suggests that the top two issues involve system conflicts and data input errors. There are a range of other potential risk areas at other points in the process, it is essential that someone is aware of these risks and making appropriate plans.

2. Consider Risks at Every Level of Organization – In addition to understanding the phases, the risk manager must understand the organization well enough to be able to identify potential areas where problems may occur.

3. Building Relationships Across Lines – A risk manager must help facilitate positive working relations between the clinical and IT side for effective teamwork on solving challenges.

4. Leverage Problem-Solving Skills – An effective risk manager works with each group to solve specific problems related to EHR implementation or resulting from the change in process as a result.

5. Focus on Known Risks – The team should keep an eye out for commonly identified risk areas. ECRI highlights the following issues as common areas of concern:

  • Alert fatigue (causing clinicians to either ignore or override alerts)
  • Drop-down boxes with poor usability (a poor user interface may result in wrong choices)
  • Failure in system interface functionality
  • Insufficient measures to stop system users from opening the wrong electronic record.

6. Don’t Shortcut Documentation – Errors can easily creep into to documentation by shortcuts or inattention to details. For example, cutting and pasting may be a quick way to insert information, but it also may bring errors into a record. Proper and thorough documentation is not only a regulatory/compliance issue, but it also benefits the whole system in the long run.

7. Monitor Rollout, Updates and User Response – Once the EHR system goes live, there are often unforeseen issues that arise. A risk manager must monitor implementation at all levels and be prepared to address potential issues.

8. Recognize Potential Liabilities – Risk managers must be vigilant for potential areas of liability such as missing data impacting care decisions, gaps or errors in documentation, errors replicated in records due to poor notes.

9. Capture Health IT Events – When anyone in the organization notes a potential problem areas/safety concern related to the EHR system, there must be an effective process to capture this information, helping IT improve problem areas and reduce safety concerns.

10. Using the EHR to Improve Care – At the end of the day, the facility must actively try to use the EHR tools at hand to improve patient care. Triggering events could be programmed in the system for potential safety issues (such as helping avoid incompatible medications).

By identifying potential risks and regularly training staff on awareness and responsiveness, the EHR system can help improve patient care and strengthen the facility for the long run.

[1] Dean F. Sittig, Ph.D., and Hardeep Singh, M.D., M.P.H. “Electronic Health Records and National Patient-Safety Goals.” N Engl J Med 2012; 367:1854-1860November 8, 2012DOI: 10.1056/NEJMsb1205420
[2] “Risk Managers’ 10 Strategies for Health IT Success.” ECRI Institute, June 2013. <>