"Everything you've been told about building
an injury law practice is wrong"

Unlocking The Secrets Within Electronic Medical Records

The ultimate goal of a medical malpractice lawsuit is destroying the credibility of the defendant. Simply put, that means proving that the defendant is a liar concerning a pivotal issue in the lawsuit. What is the best way to do this? Prove that the defendant altered the medical records with a CYA (Cover Your Ass) entry in the record. If you can do this, the defendant loses every ounce of credibility and you win your case.

The audit trail is the complete historical record of the electronic medical records (EMR). The audit trail sets forth the date, time, name, and substance of changes for every entry in the electronic medical records. The audit trail might reveal that an entry was made 19 days after the death of a patient or that a physician’s assistant added a CYA notation after the lawsuit was filed that exonerates her for failing to diagnose and treat a life-threatening condition. This, my friend, is how you will win your next case.

The Power of the Audit Trail

Auditing captures everything that touches a record, even things that don’t change it. Every single transaction is recorded—all the activity for every single patient—all the time.  Auditing equals surveillance. This is evidence just like any other record. 

The audit trail shows all of the electronic activity of a nurse or doctor during a certain shift, even if that involves other patients (with appropriate redaction). If you want to see where the nurse was (e.g., was the nurse really at the patient’s bedside), you can get an audit of her activity during a shift.

Your Client’s Legal Right to the Audit Trail

Your client has a legal right to the audit trail, both before and during litigation. 45 C.F.R. section 160.103. The audit trail is automatically collected and generated as entries are made in the electronic medical record. The audit trail is created at the same time as the EMR and is essential to confirm the authenticity of the EMR. 

The audit trail is part of the medical record. The audit trail can be produced within minutes, if not seconds. 45 C.F.R. section 160.103 defines “Health information” as data in any form or medium that is created or received by a health care provider and that relates to the past, present or future physical or mental health or condition of an individual. Furthermore, 45 C.F.R. section 164.501 includes audit trails as part of the patient’s “Designated Record Set”.

All hospitals and healthcare providers have audit trails, as they are mandated by federal law.  45 C.F.R. section 164.312.  Audit trails must be generated as a matter of law, and they are ordinary business records and routinely accumulated information. Zenith v. Texas Instruments, (Texas 2018), 328 F.R.D. 157 [152].

The Law is on Your Side

There is a strong federal policy of patients having access to their electronic medical records.  45 C.F.R. section 164.312(b).  Pursuant to 45 C.F.R. section 164.524, entitled “Right of Access”, “An individual has a right of access to inspect and copy [electronic medical records including the audit trail].”  

Metadata contained in and associated with the audit trail is discoverable. Peterson v. Matlock; Hall v. Flannery, (2015 Illinois)(audit trail is part of the medical record); Prieto v. Rush University, 003531 (Cook County, Illinois, 2022)(court struck the hospital’s answer for refusing to provide the audit trail).

There is no peer review privilege for an audit trail. ASTM E2147-18 (4.3) (Audit trails “are not privileged actions and must also be fully transparent and disclosed.”) Audit trails are not considered peer review privileged or attorney work product. Without exception, patients are entitled to the Audit Trail.

You might also cite the hospital’s website wherein it states that patients will have complete access to their medical records.  Failing to provide patients with their medical records, including the audit trail, is consumer fraud.

In cases involving imaging studies, the PACS Audit Trail will show who viewed the radiology image and how long the radiologist viewed the image. This can be vital evidence in showing that the radiologist spent virtually no time viewing images that contained a suspicious mass on a mammogram or chest x-ray.

How Hospitals will Try to Evade Disclosing the Audit Trail

Hospitals will cleverly try to evade disclosing the audit trail by disclosing something entirely different, namely, the Access Log/Report. The Access Log/Report shows each access to the EMR, including what was accessed, what was done, who logged in and when. The Access Log is forensically nearly useless. An access log is a subset of an audit trail.

Defendants will refer to Access Data as the Audit Trail, but they are not the same thing.  The Access Log/Report is not nearly as helpful as the Audit Trail. The Audit Trail will show a modification or change in the EMR. If there is any confusion as to what an audit trail is, you can cite Picco v. Glenn, (Colorado 2015)(details what an audit trail is).

The Best Way to Destroy the Defendant’s Credibility

Once you establish your client’s legal right to the audit trail and the court grants your motion to compel the audit trail, you should follow these 4 simple steps.

Step #1:   Conduct an On-Site Inspection of the EMR

You should review the EMR in its native format. There could be color versions of the EMR, e.g., symptoms were in red and bolded. The EMR has to be produced in the format in which it was requested, namely, in its native format. The EMR is subject to the same preservation and discovery requirements as other relevant information. (“The Sedona Principles”, 19 Sedona Conf. Journal, 1, 3rd Edition, 2018).

During the on-site inspection of the EMR, you can review the revision history from the EMR. Click “View Details Report” to see the MR Note on each occasion that it was modified.

Step #2:   Serve a Discovery Demand for the Audit Trail

As part of your standard discovery demands, demand the production of the audit trail from the defendant hospital:

Produce all audit records maintained pursuant to the requirements of 45 C.F.R. section 164.312 showing:

  • The EMR access and charting activity of [insert name of doctor and/or nurse] from [insert dates of treatment]
  • Any and all actual or attempted changes, additions, deletions or modifications of any kind or nature whatsoever to [insert name of patient] electronic medical record made by any person, entity, computer program or through any other means between [date of treatment].
  • Every actual or attempted access made to [insert name of patient] electronic medical record from [initial date of treatment] to present.
  • Every actual or attempted print, transmit, or delete activity by any user at any time between [insert date of treatment] and the present.
  • Every instance in which [insert name of patient] patient bar code was scanned by any user or care provider.

Step #3:   Get the User Manuals to Decipher the Meaning of the Audit Trail

You should get the user manuals and technical documents from the electronic medical records vendor (Cerner, Meditech, Epic); if necessary, you can subpoena them from the EMR vendor. The user manuals will show that there is a mechanism for producing the audit trail. The user manuals will brag about the value of their software (fetal heart tracings provide warnings/audible alarm warnings).

The user manual might show that the software had alarm settings (e.g., external fetal heart monitor) with factory default settings for alarms.  In a birth injury case, you should inspect the external fetal heart monitor to determine whether there were alarm settings on the device.

Step #4:   Depose the Hospital’s Chief Informatics Officer

Depose the records custodian of the audit database to show who viewed the records and when. This is the only real witness to everything that occurred with the records.  

You should ask the chief informatics officer to explain who modified the EMR and when: 

  • Was the EMR modified?
  • How was the EMR modified?
  • What was added to the note?

The Hidden Secrets within the EMR

You are just getting started with the audit trail. Additionally, there are best practice advisories, patient portals and internal messaging within EMR that the hospital/healthcare provider will not disclose. 

Best Practice Advisories: BPAs are pop-ups for providers/nurses, and the provider has to acknowledge them. You won’t see a BPA in the EMR. With Epic software, the best practice advisories will be referenced in the audit trail. The BPA may be identified on the Audit Trail as “BPA #100023”; each BPA has a number.

Patient Portal:  Communications with patients are protected health information. There is an audit trail for patient portal communications, including whether a message was opened and when it was opened.

Internal Messaging Systems: Internal messaging systems within a hospital/healthcare provider provide a log with the date and time, the content of the message and who sent it.

Proximity Card Data: Cards for getting in and out of a room will show where a provider was and when. This can be invaluable to show how much time the provider spent with the patient.

Cell Phone Invoice: When there is a question about cell calls made to the defendant physician, get both the caller’s and the receiver’s cell phone invoices. This will show when the call was made and how long the call lasted.

How to Stand Out from Every Other Law Firm

Most law firms don’t do any of this. They simply accept the EMR as is, and don’t press further for the audit trail, conduct an on-site inspection of the EMR or depose the chief informatics officer. These lawyers are not serving their clients well and they are missing out on a lot of data/information that they are entitled to.

This doesn’t have to be difficult. An EMR expert will guide you through this process. And with a little effort, you might discover that the defendant physician altered the records in ways that you would otherwise have never known. This is how you destroy the defendant’s credibility and win your case.
