alleged wrong-site surgery

ORTHOPEDICS

2017

By Wayne Wenske, Communications Coordinator, and Louise Walling, RN, Senior Risk Management Representative

ALLEGED WRONG-SITE SURGERY PRESENTATION A 35-year-old man came to Orthopedic Surgeon A on referral from his primary care physician. The patient reported pain in his right buttock, thigh, and leg for a period of seven to nine months. The patient had been performing physical therapy exercises at home, but without improvement. PHYSICIAN ACTION Orthopedic Surgeon A ordered an MRI that revealed an extruded intervertebral disc at the L5-S1 level. Approximately six weeks later, Orthopedic Surgeon A performed surgery on the patient. Documentation noted, “a decompression of the right nerve root of S1 by the right laminectomy of L5 and discectomy of L5 sacrum via posterior approach.” It was further documented that the operative level was confirmed via intraoperative x-ray. Initially, the patient’s pain improved; however, recurrent pain later developed. A subsequent MRI, taken approximately two months after surgery showed the same extruded disc at L5-S1 and post-surgery changes at L4-5. Orthopedic Surgeon A diagnosed “recurrent laminectomy herniated disc.” Soon after the MRI was conducted, the patient brought a copy of the MRI report to a follow-up appointment with the

surgeon. The patient asked the surgeon about the report findings, specifically that surgery had been performed at L4-5 and not at L5-S1. The patient later testified that the surgeon told him to “not believe the MRI report.” During the appointment, the surgeon and the patient called the radiologist who performed the MRI via speakerphone. The radiologist supported his report that surgery had been performed at L4-5 only, but when the surgeon informed the radiologist that the patient was in the room, the radiologist stated he would review the films again. The radiologist submitted an addendum to the report stating that surgery was performed at both levels L4-5 and L5-S1. One month later, Orthopedic Surgeon A performed a revision laminectomy on the patient and noted, “widening this and taking part of the S1 lamina.” He further noted an “abundant amount of scar that was adhered to the dura on both its ventral and dorsal surface.” No disc herniation was noted. Four months later, Orthopedic Surgeon A sent the patient to a pain management specialist for treatment of hip bursitis and persistent coccyx pain. The specialist noted in her records, with regard to the patient’s first surgery, “Rt L4-L5 laminotomy, discectomy (was supposed to be L5-S1).” The

This closed claim study is based on an actual malpractice claim from Texas Medical Liability Trust. This case illustrates how action or inaction on the part of the physicians led to allegations of professional liability, and how risk management techniques may have either prevented the outcome or increased the physician’s defensibility. This study has been modified to protect the privacy of the physicians and the patient.

specialist treated the patient with two thoracic epidural steroid injections, one performed soon after the initial consultation and the other performed eight months later. Approximately one year after the revision surgery, the patient consulted with Orthopedic Surgeon B. The patient reported persistent, severe pain in his right buttock down his right leg and pain radiating down his left leg. An MRI was ordered. Upon review of the films, the surgeon noted a “similar L5S1 herniated nucleus pulposus.” He further noted that the MRI revealed a “previous hemilaminectomy at L4-5 on the right, some irregularity of the posterior disk space at L4-5, and Modic changes at L4-5 with irregularity of the disc.” He also noted significant scarring on the right and “some lateral recess stenosis at S-1 worse on the right than the left and significant foraminal stenosis bilaterally at L5-S1. There is bilateral arachnoiditis.” Orthopedic Surgeon B returned the patient to surgery where he performed a hemilaminectomy at L4-5 on the right side and a revision laminomtomy of L5 and S1. He then decompressed the lateral recess at L5-S1 bilaterally, completing bilateral revision foraminotomies at L5-S1 with instrumentation. There was no recurrent disc herniation and the nerve root was completely free. ALLEGATIONS The patient filed a lawsuit against the Orthopedic Surgeon A alleging: • surgery performed at the wrong level; • second surgery performed to “cover up” error of first surgery; and • failure to disclose full list of risks associated with surgery. LEGAL IMPLICATIONS Prior to the first surgery performed by Orthopedic Surgeon A, the patient signed an informed consent form that did not include all of the items listed on the List A disclosure requirements. The procedures performed by Orthopedic Surgeon A were List A procedures.1 In Texas, informed consent is governed by statute (Texas Civil Practice and Remedies Code) and is overseen by the Texas Medical Disclosure Panel (TMDP). The panel determines which treatments and procedures require informed consent and which do not. Procedures and treatments are then assigned to a list based on this determination. • List A procedures require disclosure of all risks and benefits. • List B procedures do not require disclosure of specific risks. • If the procedure or treatment does not appear on either List A or List B, the physician must then disclose all material and inherent risks that could influence the patient in making a decision.2

Other documentation issues were present in this case. The operative report from the first surgery listed Orthopedic Surgeon A’s surgical assistant as the individual who performed the surgery. Additionally, the operative report was generated through an EHR system, instead of dictation by the surgeon. In this case, a surgery center employee created a report that the surgeon electronically signed without reviewing. The report was found to contain many inaccuracies. The report also reflected that disc samples were sent to Pathology for examination, so the surgeon could obtain a clearer understanding of the nature and extent of the degenerative process. However, no pathology reports existed in this case. Along with the documentation issues, there was evidence that Orthopedic Surgeon A performed surgery at the wrong level; that he misled the patient; and that he coerced the radiologist to change the records. DISPOSITION This case was settled on behalf of Orthopedic Surgeon A. RISK MANAGEMENT CONSIDERATIONS It is recommended that any physician performing List A procedures or treatments become familiar with the associated risks or hazards for those procedures or treatments. Since the TMDP regularly reviews and updates List A, it is important to stay informed of any changes in your specialty. Don’t assume that the hospital or institution will disclose the required, up-to-date information to patients. To do so may find you falling short with keeping your patients fully and accurately informed. The operative report must be as accurate as possible, and the surgeon is responsible for all information contained in the report. Therefore, signing an operative report without reviewing the electronic form is not advised and does not provide the surgeon a chance to proofread and edit the report for inaccuracies. When adverse outcomes occur, the goal should be to help the patient understand the situation and to express empathy and compassion. Timely, empathetic, and sincere discussions with patients about what happened can help achieve this goal. Appropriate assistance can also be offered, such as a referral to another physician or for additional testing. SOURCES

1. Texas Administrative Code, Title 25 Health Services, Part 7 Texas Medical Disclosure Panel, Chapter 601 Informed Consent, Rule §601.2 Procedures requiring full disclosure of specific risks and hazards— List A. Available at http://texreg.sos.state.tx.us/public/readtac$ext. TacPage?sl=R&app=9&p_dir=&p_rloc=&p_tloc=&p_ploc=&pg=1&p_ tac=&ti=25&pt=7&ch=601&rl=2. Accessed April 5, 2017. 2. Patterson, Stacy. Shared decision-making: Moving beyond informed consent. the Reporter, March-April 2010. Texas Medical Liability Trust. Available at http://resources.tmlt.org/PDFs/Reporter/ MarApr2010.pdf. Accessed April 5, 2017.

Wayne Wenske can be reached at [email protected]. Louise Walling can be reached at [email protected].

RISK MANAGEMENT

1O1

By Laura Hale Brockway, ELS, Assistant Vice President, Marketing, and Robin Desrocher, BSN, RN, CPHRM, Manager, Risk Management

CASE CLOSED: HIPAA AND PATIENT PRIVACY Cyber security issues continue to be a major burden for physicians and health care facilities. Data breach incidents, including patient identity theft, are on the rise and can be devastating. Below is a case study based on alleged violations of HIPAA privacy rules. This study describes how actions by physicians or their employees led to the allegations, and how risk management techniques may have prevented the violations. The ultimate goal in publishing this study is to help physicians comply with privacy and security standards. PATIENTS IDENTIFIED ON SURGEON’S WEBSITE A plastic surgeon’s website featured “before and after” photos of patients. The patients’ names were not used and the photos were posted in a way that preserved patient anonymity. However, unknown to the plastic surgeon and his staff, the patients’ names had not been properly removed from the meta tags associated with the photos. Meta tags are content descriptors that describe web page content to search engines. Meta tags do not appear on the page, but are found in the HTML code for the page. The issue was discovered when a patient performed a Google search on herself and her images from the plastic surgeon’s site appeared in the search results. Although he was told about the meta tag issue, the plastic surgeon did not immediately remove the photos. Fifteen patients filed lawsuits against the plastic surgeon. The Office of Civil Rights also investigated the plastic surgeon for possible HIPAA violations. RISK MANAGEMENT CONSIDERATIONS When patient photographs are completely de-identified, HIPAA requirements are satisfied. If patient photos are not de-identified, written authorization from the patient is required to post or share the photos. To de-identify a photo based on the HIPAA Safe Harbor de-identification standard, the following identifiers of the

individual or of relatives, employers, or household members of the individual, must be removed: 1. “Names 2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census: a. The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and b. The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000 3. All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older 4. Telephone numbers 5. Vehicle identifiers and serial numbers, including license plate numbers 6. Fax numbers 7. Device identifiers and serial numbers 8. Email addresses 9. Web universal resource locators (URLs) 10. Social security numbers 11. Internet protocol (IP) addresses 12. Medical record numbers 13. Biometric identifiers, including finger and voice prints

14. Health plan beneficiary numbers 15. Full-face photographs and any comparable images 16. Account numbers 17. Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section;* and 18. Certificate/license numbers.” 1

and physical health information. The coverage also includes payment of regulatory fines and penalties and covers the cost of data recovery and patient notification. TMLT also offers fee-based services to help minimize cyber threats, including violations of medical privacy and security laws. Our cyber risk management services include HIPAA risk assessments; IT services; policy and procedure reviews; publications; and customized training.

OTHER RISK MANAGEMENT TIPS • Obtain patient consent to take photographs. Specify how you plan to use the photos (i.e. medical records only, marketing, website, journal article) on the consent form. • Do not name or save photo files with any of the above identifiable information in any publicly accessible area. (Clearly, if you are just adding photos to medical records, they can contain identification.) • Audit photos that have been added to your website. Check the site page for tags, meta tags, keywords, or anything that could be used to identify patients. • Do not store photos of patients in an unencrypted device, such as a camera, cell phone, tablet, or personal laptop.

For more information, please visit the TMLT cyber consulting services website at www.tmlt.org/tmlt/products-services/ cyber-consulting-services.html .

TMLT COVERAGE For incidents alleging violations of HIPAA, TMLT policyholders are protected under Medefense and cyber liability coverage, both offered with every TMLT policy.

SOURCE

Medefense reimburses or directly pays the legal expenses incurred by a physician from a disciplinary proceeding, including violations of HIPAA. Fines and penalties arising out of such disciplinary proceedings are also covered on a reimbursement basis only. Cyber liability coverage protects against claims arising from the theft, loss, or unauthorized access of both electronic

To report a claim under Medefense or cyber liability coverage, please contact the TMLT claim department at 800-580-8658. * “(c) Implementation specifications: re-identification. A covered entity may assign a code or other means of record identification to allow information deidentified under this section to be re-identified by the covered entity, provided that: (1) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and (2) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.1 ”

1. U.S. Department of Health and Human Services. Guidance regarding methods for de-identification of protected health information in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Available at http://www.hhs.gov/hipaa/ for-professionals/privacy/special-topics/de-identification/#standard. Accessed September 1, 2016.

Laura Brockway can be reached at [email protected]. Robin Desrocher can be reached at [email protected].

EDITORIAL COMMITTEE Robert Donohoe | President and Chief Executive Officer John Devin | Chief Operating Officer Sue Mills | Senior Vice President, Claim Operations Laura Hale Brockway, ELS | Assistant Vice President, Marketing

EDITOR Wayne Wenske

STAFF Diane Adams, Stephanie Downing, Olga Maystruk, Robin Robinson

DESIGN Olga Maystruk

ASSOCIATE EDITOR Louise Walling

the Reporter is published by Texas Medical Liability Trust as an information and educational service to TMLT policyholders. The information and opinions in this publication should not be used or referred to as primary legal sources or construed as establishing medical standards of care for the purposes of litigation, including expert testimony. The standard of care is dependent upon the particular facts and circumstances of each individual case and no generalizations can be made that would apply to all cases. The information presented should be used as a resource, selected and adapted with the advice of your attorney. It is distributed with the understanding that neither Texas Medical Liability Trust nor its affiliates are engaged in rendering legal services. © Copyright 2017 TMLT