Patient safety issues associated with electronic patient record (EPR) systems – a thematic review

An electronic patient record (EPR) system is software for collecting, storing and managing data about individual patients. EPR systems are used across much of the NHS and their use is increasing with national aspirations for greater digitisation. EPR systems can improve patient care through supporting safety, efficiency and experience. However, EPR systems have also contributed to patient safety incidents.

This report summarises and analyses the findings of HSSIB’s investigations associated with EPR systems. Using a thematic approach, the review aimed to identify what EPR system components had been considered in reports, the problems associated with them, and their impact on patient safety. The review also revisited the safety recommendations and safety observations HSSIB had made that related to EPR systems.

The review found that EPR systems could contribute to the risks of patient care being missed, delayed or incorrect. These risks were persistent despite national recommendations and actions seeking to mitigate them.

Choosing an EPR system capable of meeting the needs of an organisation

• Where EPR systems did not have the functions an organisation needed or did not support the user (patients and staff), they had contributed to patient safety incidents.
• There were inconsistencies in the terms used in the design of health IT systems and their functions, such as usability and functionality, and limited guidance to support understanding of these concepts in EPR system design.
• Organisations did not always have a clear understanding of their requirements/needs for an EPR system, limiting their ability to match requirements to system capabilities (the things a system can do).
• When procuring EPR systems, organisations sometimes faced challenges understanding system capabilities and whether they met required national standards, such as for interoperability (the ability to work with other IT systems) and clinical risk management.
• National and regional support for organisations to identify their local requirements/needs to inform EPR system procurement was limited.
• Some EPR system procurement decisions were perceived by staff to be influenced by factors other than system capabilities, such as cost savings.

Implementing an EPR system that meets the needs of users

• Variation in governance processes for implementing EPR systems at national, regional and organisation levels meant associated risks to patient safety were not always identified and mitigated.
• Implementation of an EPR system was found to be a complex project that did not always effectively engage users to ensure it was safe and successful.
• Local configuration of EPR systems had the potential to introduce new risks to patient safety, with investigations identifying where this had occurred without the organisation recognising and mitigating against these risks.
• Factors contributing to an organisation’s ability to locally configure EPR systems included the capacity and capability of digital teams, the level of involvement of users in testing, support from manufacturers, and awareness and application of digital standards for clinical risk management.
• When users were involved in EPR system implementation they were not always representative of those using the system in practice, with difficulties faced releasing staff from clinical work to contribute to implementation.
• Several organisations faced challenges relating to the availability of working hardware and Wi-Fi connectivity to support the use of EPR systems in different clinical environments.
• Staff training in how to use an EPR system was often perceived to be limited. It did not always reflect how a system would be used in the ‘real world’, nor what to do if the EPR system failed.

Seeking feedback and ongoing EPR system optimisation

• Staff reported limited routes for raising concerns about poor functionality and usability of EPR systems, and limited action when concerns were reported that could impact on patient safety.
• Ongoing management of EPR systems, including upgrades and changes, did not always align with the digital standards for clinical risk management.
• EPR systems were not always kept up to date in line with national guidance and standards, or to reflect changes to internal care processes.
• Factors contributing to limited ongoing optimisation of EPR systems after initial implementation included the need to manage a range of local digital priorities, limited collaboration between digital and clinical teams, cost of upgrades, and limited resourcing for ongoing work and infrastructure.
• There were limited opportunities for organisations to share their experiences of implementing and optimising EPR systems for the benefit of other organisations.

HSSIB makes the following safety observation

Local-level learning prompts

1.1.1 Various terms are used to refer to software that stores and manages electronic healthcare data about individual patients. In England, the NHS commonly uses the term ‘electronic patient record’ or EPR to refer to this software. Other terms include electronic health records (EHRs) and electronic medical records (EMRs).

1.1.2 As shown in figure 1, an EPR system consists of several modules with different functions (NHS England Digital, 2024). A specific piece of software may provide one, some, or all of these modules.

Figure 1 EPR system modules

An EPR can be provided by a single piece of software (A), or by different modules from different developers (B)

Impact of EPR systems on patient care

1.1.3 The benefits of an EPR system include the support it can provide for safe and continuous patient care, decision making, medication management, resource management, co-ordination between services, and research (for example, The Health Foundation, 2025). An EPR can also increase efficiency and save staff time, enabling them to provide more face-to-face patient care (for example, The Health Foundation, 2024).

1.1.4 EPR systems have also been implicated as factors that have contributed to patient safety incidents (for example, Li et al, 2022; Nijor et al, 2022; Tewfik et al, 2024). Examples of harm and potential risks have been summarised by various sources, including by Patient Safety Learning (2024) in their report ‘Electronic patient record systems: putting patient safety at the heart of implementation’. In that report, examples were cited from HSSIB, NHS England, His Majesty’s Coroner and the media. In May 2024, the BBC also published an exploration of problems with EPR systems (Barbour et al, 2024). It identified that nearly half of trusts with an EPR system had reported issues, including three deaths across two trusts.

Digitisation of the NHS

1.1.5 The NHS has long recognised the benefits of digitisation for patient safety, care efficiency and effectiveness. Digitisation is the use of IT systems, data and electronic tools to support the delivery of healthcare. There are national ambitions to further digitise the NHS (Department of Health and Social Care, 2022; NHS, 2019), although EPR systems have long been used in some NHS sectors, such as general practice. Most hospitals also now have at least one EPR module in use.

1.1.6 More recent reports considering the state of care in the NHS in England have reiterated a need for greater digitisation. ‘Fit for the future: 10 year health plan for England’ describes a need to shift from ‘analogue to digital’ and includes recommendations to bring NHS technology up to date. The plan also includes a focus on digital access to care for patients, artificial intelligence, and interoperable health data (UK Government, 2025).

1.2.1 Various terms are used when referring to EPR systems and their modules. In this report, the term EPR system is used when discussing findings relevant to multiple specific modules or an EPR system as a whole. Where a finding is related to a single and specific EPR module, this will be clearly described.

1.2.2 Various terms are also used when referring to the design of health IT systems. The glossary in section 5 summarises how key software terms were defined by this review, such as accessibility, usability, functionality and interoperability.

1.2.3 This report also refers to requirements, capabilities and standards. Requirements are the things an organisation needs from an EPR, while capabilities are what an EPR system is able to do. Standards are technical and operating conditions that software must meet to enable functionality such as interoperability. The NHS has a standards directory, which includes (NHS England, 2025):

• Information standards – ensure data is captured consistently and exchanged digitally. Examples include use of an international standard for clinical terminology via SNOMED (SCCI0034), use of the NHS number as the unique patient identifier in England and Wales (ISB0149), and standards for clinical risk and patient safety (see ‎1.2.4).
• Technical standards – specify how data is structured and transported between health IT systems. Examples include the use of specific messaging standards to exchange information (HL7 FHIR).

1.2.4 Data Coordination Board (DCB) 0129 and 0160 are two digital clinical safety standards (NHS England Digital, 2018a; 2018b); at the time of writing they are under review. They set out requirements for clinical risk management of health IT systems for manufacturers and organisations respectively. The standards refer to the role of clinical safety officers, competencies of digital personnel, risk management plans, issue logs and safety cases. Safety cases are reports that present arguments and evidence that a system is safe for a given application in a given environment (Liberati et al, 2024).

2.1.1 Reports often referred to EPR systems in general. However, on further exploration these investigations had only considered a single EPR module, such as for clinical records (HSSIB, 2024a). Several reports named the EPR module under consideration, such as for diagnostic tests (HSSIB, 2022a) or medications management (HSSIB, 2022b). Reports did not always acknowledge or describe whether the specific module was part of a wider EPR system or a standalone module. Several adjunct (supplementary), ‘bolt on’ or interfacing software programs were also considered; these were separate to but interacted with the EPR system, such as patient portals (HSSIB, 2024b).

2.1.2 Reports considered EPR systems across a range of healthcare sectors. Most investigations were in secondary care (acute hospitals, and urgent and emergency care) (HSSIB, 2025a) and where hospitals interacted with primary care (mostly general practice) (HSSIB, 2019). Investigations had also been undertaken in specific settings such as maternity (HSSIB, 2021a), mental health (HSSIB, 2025b) and prisons (HSSIB, 2025c).

2.2.1 Problems were considered to be factors related to EPR systems that had the potential to cause harm if not recognised and managed. Harm was considered broadly in relation to patients, staff and the organisation where the EPR system was used. The review identified that problems could be grouped under one or more of three high-level themes which are considered in turn below.

Design of the EPR system

2.2.2 Reports commonly described how the design of the EPR module under consideration had the potential to cause harm. ‘Design’ refers to how the EPR looked and functioned, and its capabilities. Problems associated with the accessibility, usability, functionality and interoperability of EPR systems were described; examples are provided in table 1.

Table 1 Examples of EPR system design problems

2.2.3 The EPR systems and modules considered were known to have been developed by national or international developers; a small number were built in house to an organisation’s specifications. Where design problems were identified, these arose at both the initial design stage (HSSIB, 2024b) and when an EPR system had been adapted by a host organisation (HSSIB, 2022b). At organisation level, reports referred to the configuration and ongoing optimisation of EPR systems where digital teams refined a procured software to align with their organisation’s needs.

Implementation of EPR systems

2.2.4 Reports commonly described how the management of an EPR system’s implementation, whether as a whole or for a specific module, had the potential to cause harm. Implementation related to how the system was introduced into an organisation and included consideration of how it was integrated with existing systems and processes, and how the implementation project was managed (HSSIB, 2024b). Local configuration (described in ‎2.2.3) may be considered part of implementation.

Lack of an EPR system

2.2.5 Several reports also described where the absence of an EPR system, module or specific functionality did not support patient safety. Such absences also meant paper and IT systems were used alongside each other for patient care. Examples included where paper clinical notes were used with electronic prescribing and administration systems (HSSIB, 2021b), and where electronic notes were used with paper risk assessments (HSSIB, 2022c).

2.2.6 Where an EPR system, module or functionality was absent, reports were limited in their exploration of why there was an absence. Where factors were noted to be influencing the absence, these included limitations in financial resources, in local engagement with digital priorities and in IT infrastructure. Some reports noted that a module or functionality may exist but was not used because it did not meet the needs of users – for example, an electronic patient care handover system (HSSIB, 2023b).

2.3.1 The impact of problems with EPR systems – that is, the resulting harm – was on patient safety, organisational efficiencies and wider national efforts to digitise healthcare. The safety of patients was put at risk by EPR systems where they created conditions within which a patient did not receive care, their care was delayed, or they received incorrect care including from being misidentified. A small number of reports also described how, once the wrong information was in a patient’s record, it was very difficult to rectify and this created an ongoing risk.

2.3.2 A recurrent scenario contributing to harm was when information needed for patient care could not be found in an EPR system – either because it was not available to the user (HSSIB, 2021c) or the user could not find it (HSSIB, 2024a). Some EPR systems also did not provide controls to mitigate known risks – for example, a lack of functionality to prevent inadvertent prescribing of an overdose of medication on a ward caring for children (HSSIB, 2022b).

2.3.3 Reports commonly described the potential for EPR system problems to cause physical and psychological harm to patients. Several reports showed how the problem had directly contributed to incidents of patient harm. Where harm was evidenced, contributory factors were the design (see vignette A) and implementation (see vignette B) of EPR systems. Further information about the vignettes is available via the cited reports.

2.3.4 A small number of reports described where an EPR system problem had the potential to disadvantage some patients depending on their individual circumstances. Examples included where the introduction of software had limited patients’ access to care, such as with online consultation software (HSSIB, 2024a), and where design and implementation was not inclusive of different local populations by recognising cultural (HSSIB, 2021d) and language (HSSIB, 2022a) differences.

Other forms of harm

2.3.5 From an organisation perspective, EPR system problems had resulted in adaptations where staff had looked to bypass difficult to use or inefficient EPR system design (HSSIB, 2022a). Design problems had also led to some care processes becoming more complex, requiring staff to carry out extra steps or tasks (HSSIB, 2025c).

2.3.6 Executive summaries did not describe the impact of EPR system problems on staff, but the review noted that full reports included examples of harm to staff. Examples included fatigue from the need to be vigilant when working with software and fear of making wrong decisions based on limited information contained within a system (HSSIB, 2024b).

3.1.1 The 50 reports were published between 2018 and 2025. This timeframe must be considered when interpreting the findings as the digital healthcare context has changed. During those 7 years there have been various national projects to transform digital healthcare, with the formation of, and further changes made to, digital oversight bodies. The digital maturity of individual organisations has also evolved (NHS England, 2023).

3.1.2 Despite the national changes and efforts to improve digital healthcare, this review identified that many of the problems described in the following sections have been consistent over the years. Recurrent digital problems included: poor usability and interoperability between different EPR systems and other software; poorly maintained hardware and outdated infrastructure impacting on system use; and limited available resources for the ongoing and safe use of EPR systems.

3.2.1 When procuring an EPR system, organisations may have multiple systems to choose from. For some procurements, national frameworks may help organisations understand the capabilities of the different EPR systems and whether a system complies with certain standards (see ‎1.2.3). Procuring software ‘on framework’ is encouraged because of the assurances provided by the framework – for example, the now expired GP IT Futures framework supported commissioning bodies and general practices to procure various IT systems (NHS England Digital, 2025).

3.2.2 This theme described where organisations had not been enabled to procure EPR systems that provided the capabilities they required. Some organisations did not have a clear understanding of their requirements for an EPR system. Such requirements included the tasks the organisation needed the system to achieve, the current and future needs for interfacing (interoperability) with other organisations’ systems (healthcare and non-healthcare), and the specific needs of local users (staff and patients). With several organisations looking to have a joint EPR system, reports also noted a need to understand requirements across a wide range of settings.

3.2.3 Some procurement decisions were perceived to be influenced by factors other than an EPR system’s capabilities and patient safety, including individual preferences, cost savings and strategic pressures.

3.2.4 This theme also described where, even if organisations knew their requirements, they faced challenges knowing which EPR system to choose where no framework existed, or were restricted to procuring ‘on framework’ systems (see ‎3.2.1) that did not provide the capabilities they needed. The challenges of knowing which system to choose were contributed to by the range available and perceived transparency about their capabilities and compliance with national standards. Some organisations also had limited awareness of the expectations set for software developers to meet digital standards for clinical risk management (see ‎1.2.4) and so this did not always influence their choice.

3.2.5 Several investigations also found that support for organisations to help them make procurement decisions was limited. Where integrated care boards had not been involved in informing decisions, this impacted on wider interoperability across organisations in a region. Reports also described limited national guidance to help organisations make procurement decisions. However, national bodies also expressed concerns that any guidance could potentially endorse one EPR system over another which would be unfair.

3.3.1 Following procurement, an EPR system needs to be implemented. Implementation actions described in reports included configuration of the EPR system, planning to integrate the system into local processes, and the launch of the system. This theme described where actions undertaken by organisations had not always achieved safe and effective implementation of an EPR system.

Configuration

3.3.2 ‘Configuration’ refers to the adaptation of a procured EPR system to meet local needs, aligned with an organisation’s processes and practices. Adaptations described in reports were for functionality and usability purposes, including: building workflows and document templates; refining interfaces to present information in different ways; designing customised alerts; and creating links with other IT systems.

3.3.3 Local configuration of EPR systems had the potential to introduce new risks to patient safety, with several reports identifying where this had occurred without the risks being recognised and mitigated. Factors contributing to the quality of local configuration included the capacity and capability of digital teams, involvement of users in testing changes, and awareness and application of digital standards for clinical risk management (see ‎1.2.4) when adapting an EPR system.

3.3.4 Limited involvement of local users in configuration and testing was a recurrent finding across reports. There was variation in whether users, if involved, were representative of the staff who would be expected to use the EPR system in practice, and whether their feedback was acted on. Factors limiting effective user involvement included difficulty releasing staff from clinical work because of service pressures.

Integration

3.3.5 ‘Integration’ refers to the planning and management of how an EPR system is combined with the processes followed when delivering care. Integration was described in reports as ‘complex’ because of the need for a system to interact with people, processes and other technology (the wider sociotechnical system). Where integration approaches had not sought to understand the various interactions, EPR systems had not provided expected safety benefits, had led to unintended consequences, and had encouraged staff to deviate from expected processes through adaptations.

3.3.6 Associated problems with integration included whether there had been planning for when an EPR system was not working, and whether the supporting infrastructure had been fully considered to ensure it was supportive of a new EPR system. A common problem across the reports was the availability of functioning hardware, Wi-Fi connectivity and physical environments. These resulted in underuse of EPR systems and had contributed to incidents, including when staff had reverted to using paper notes and systems.

3.3.7 Factors contributing to integration problems were similar to those associated with configuration. They included capacity and capability of the teams involved, and the amount of user consultation when seeking to understand the realities and varieties of work in practice. There was under-recognition that healthcare is a ‘complex sociotechnical system’ and the impact of this on integration.

Launch

3.3.8 ‘Launch’ refers to the ‘go-live’ of an EPR system. Various approaches to EPR system launch were described, including ‘big bang’ (whole organisation together) and ‘incremental’ (parts of the organisation in sequence). The safety implications of the different approaches were not considered by the investigations, but it was identified that intended or assumed functionality had not always been available at the time of launch. Intended functionality included that which had been tested but was not included in the final product.

3.3.9 Where assumed functionality – such as to prevent inadvertent prescriptions – was not available, this had contributed to incidents. Assumptions had arisen because similar systems in other organisations had that functionality and because staff ‘expected’ functionality to be present. Several reports also described where added functionality to support patient care was underused because limited engagement with staff meant they were unaware of it.

3.3.10 Reports repeatedly described how limited initial and ongoing training in the use of an EPR system influenced staffs’ assumptions about and engagement with functionality. While it was acknowledged that any design should be intuitive, problems with functionality and usability meant local training was still required. Training did not always represent how the EPR system was used in the real world and was not taught by people with experience of using the system in clinical practice. There was also limited refresher training following introduction of new safety-critical functionality or updates to business continuity processes.

3.3.11 The amount of regional, national and developer support for launch of an EPR system was also explored by some investigations. There was limited guidance found to help organisations understand what they needed to consider for a successful launch, and limited guidance on how to sustain a safe EPR system. Some investigations also identified where there was support available, but it was unclear whether organisations were aware of these offers at regional and national levels.

3.4.1 Following implementation, organisations need to understand the impact of the EPR system, keep it up to date and ensure it continues to meet the needs of users and the organisation. This theme described where organisations had not always explored the impact of an EPR system, managed problems that had been identified, or developed the system through optimisation.

Seeking feedback

3.4.2 ‘Feedback’ relates to the seeking of user perceptions about an EPR system and whether it is working as intended. Several reports found limited proactive efforts to seek and act on feedback, with assumptions being made that a lack of negative feedback meant a system was working safely and effectively.

3.4.3 Several reports described where staff had concerns about the poor functionality and usability of an EPR system but had limited routes to report those concerns. Staff also described not always feeling listened to when they shared such issues. This included a repeated problem across several organisations where temporary staff were unable to gain access to the EPR system they needed to carry out their roles (HSSIB, 2024d).

3.4.4 Formal learning systems for the identification and mitigation of problems with EPR systems were found to not always be available or transparent, with limited sharing of experiences beyond individual organisations. As described in ‎3.3.3 in relation to configuration, organisations were not aligned with the expectations of digital standards for clinical risk management when deploying and optimising EPR systems.

3.5.1 The review found a commonality across the above themes – they relate to the governance of EPR systems. ‘Governance’ refers to the processes and structures within and across organisations that support effective decision making in the design, selection, configuration, implementation, optimisation and oversight of an EPR system.

3.5.2 Governance includes ensuring accountabilities and responsibilities are clear and achieved – such as those described in digital standards for clinical risk management of health IT systems (NHS England Digital, 2018a; 2018b) – and ensuring that user input is sought and applied. Where governance had not been effective, patient safety issues and incidents relating to EPR systems were seen in HSSIB’s investigations.

4.1.1 Several of the HSSIB investigations included in this review made safety recommendations to national bodies to inform change across the healthcare system for the benefit of patient safety. They also made safety observations for the benefit of patient safety to be considered by organisations and bodies at local, regional and national levels.

4.1.2 For this review, these safety recommendations and safety observations were coded to identify where they sought to influence the EPR-related patient safety issues described in section 3; the supporting coding is available in appendix D. Of the 50 reports in the review, 28 included relevant safety recommendations (n=29) and safety observations (n=26).

Safety recommendations

4.1.3 Safety recommendations were commonly aimed at influencing the design of EPR systems and therefore increasing the availability of procurable systems capable of meeting organisations’ needs (see ‎3.2). These safety recommendations suggested that national bodies develop or update standards or specifications to ensure systems can provide the required functionality. A small number were also aimed at supporting procurement decisions.

4.1.4 Some of the safety recommendations aimed to influence how national bodies support local organisations when implementing EPR systems (see ‎3.3). They recommended the seeking of national support for adoption of technology and the providing of guidance for implementation. There were limited safety recommendations aimed at local configuration and optimisation of EPR systems.

4.1.5 Several safety recommendations aimed to influence the safety and risk governance surrounding EPR systems (see ‎3.5). These included recommendations to influence the identification of associated risks with new or changed EPR systems, and to encourage incident/issue reporting. The review noted that some of the safety recommendations referred to existing guidance and standards, suggesting challenges with the implementation of the standards themselves.

4.1.6 HSSIB publishes responses to its safety recommendations. The review noted that some of the bodies the safety recommendations were made to no longer exist and it was also not clear whether some planned actions in response to safety recommendations had progressed. Nationally it has been recognised that the NHS receives multiple safety recommendations from different sources creating challenges for the healthcare system (Dash, 2025). HSSIB is working collaboratively with other national bodies to develop guidance on the creation and implementation of safety recommendations, and to create more formal oversight and management of national recommendations (HSSIB, 2024e).

Safety observations

4.1.7 Safety observations more commonly aimed to influence the way EPR systems are implemented and optimised within organisations. They included learning to inform configuration to meet the needs of users.

4.1.8 Observations also included learning for organisations to consider when they are integrating an EPR system into practice. Considerations included the assessment of local infrastructure and organisational readiness for new technology, and the inclusion of users throughout the integration.

4.2.1 As described in ‎3.5, the governance surrounding EPR systems was a clear theme emerging from this review. From a national governance perspective, HSSIB has launched work to examine aspects of governance for EPR systems through the lens of electronic prescribing and medicine administration functionality (HSSIB, n.d.).

4.2.2 During this review, inconsistencies were identified in what was considered an EPR system and how digital terms – such as usability, functionality and accessibility – were defined. As described in ‎2.1, these inconsistences also meant it was sometimes unclear whether investigations were considering a whole EPR system or a specific module (see figure 1).

4.2.3 The variation in definitions of different digital terms meant that a problem may have been labelled incorrectly in reports. To help with consistency in this report the definitions in the glossary were developed, taking insights from national documents and international standards. However, the review was unable to identify a single source clearly defining each term.

HSSIB makes the following safety observation

Local-level learning

4.2.4 HSSIB investigations often include local-level learning where this may help providers/organisations to identify and think about how to respond to specific patient safety issues at the local level. This review identified learning to help think about and mitigate risks associated with implementing EPR systems into organisations and their ongoing optimisation. These may also be beneficial to consider when looking to enhance wider aspects of quality through digital healthcare, including efficiency and patient experience.