Database, Tell it to the Judge

Litigation is not on the schedule of any caregiver facility, but it occurs all too often. And it often is a humiliating, expensive lesson in data management and information technology planning, according to C. Matthew Curtin, an I.T. forensics investigator and founder of Interhack Corp.


Litigation is not on the schedule of any caregiver facility, but it occurs all too often. And it often is a humiliating, expensive lesson in data management and information technology planning, according to C. Matthew Curtin, an I.T. forensics investigator and founder of Interhack Corp.

"Information from database-driven applications does not look like a paper record," Curtin said, noting that a simple data point such as a height of 5'10" would be stored as 70 (inches) in a database. "In terms of litigation, providers have to understand what kind of care records they can produce. It's a critical task, because it often becomes a million dollar question during lawsuits. You have to remember that databases don't just store information, they perform computations on that information and often change that data in significant ways."

Curtin used his presentation at the HIMSS 2010 Conference in Atlanta to give the blow-by-blow account of a lawsuit he was involved in that had dire consequences for the hospital defendant. A patient who had undergone a hemodialysis session began having complications soon after the treatment. Six days later, the patient was dead, and his family decided to sue the doctor and hospital for wrongful death.

The initial treatment record was pulled from a hospital database. As the case dragged on the hospital was asked to submit another copy of that same record. This time, however, the record had a critical difference: In the first version, a procedure was listed as being performed by a nurse under a physician's order. The second version, however, had the physician's signature next to the procedure, which seemed to indicate the physician himself performed the procedure.  No explanation was forthcoming from the physician: he died during the course of the legal proceedings.

The hospital said that during the time between record extractions they had performed an I.T. upgrade, but didn't provide further details. At this point the court became extremely interested, Curtin said. When the defense declined to explain the discrepancy, the judge issued a sanction and ordered the hospital to let a forensics investigator (Curtin, working for the plaintiff) go to the data center, extract the data and account for the discrepancy.

When Curtin showed up at the data center, the defense attorney told him he would not be allowed to access the databases. At this point, the judge was extremely, extremely interested, a well as furious his order had been ignored. "There's a chance that records discrepancy was due to the upgrade and the use of a new script that interpreted the procedure code as 'doctor's signature,' or was the result of some other technological glitch. But we'll never know."

The conclusion: A multimillion dollar judgment against the hospital, and the defense attorney made sure the settlement was an amount above what the hospital's insurers would pay. "The plaintiff's attorney wanted to make sure that hospital had to write a check to the family, and he got them to do just that," Curtin said.

Curtin's advice on how to protect against similar nightmares is straightforward: have a team comprising clinical, I.T. and legal focus on how information coming in will be displayed and interpreted coming out; ensure you maintain data integrity during upgrades and data migration; plan for litigation and conduct drills to unearth vulnerabilities.

"Everything done now will be judged with 20/20 hindsight, and the question that needs to be asked is 'How will this play back if it's made into a movie?'" Curtin asked. "Defensibility of the process is key, as well as focusing during litigation on what question you're trying to answer.

--Greg Gillespie