DTCI: Hot on the audit trail 

By Gaius G. Webb and Caitlin R. Jared  

In medical malpractice litigation, there has been an increase in requests for the audit trail associated with a patient’s electronic medical records (EMR). However, with these requests comes several questions. First, what is an audit trail? The answer is actually more complicated than it seems because audit trails appear incomprehensible at first glance, because they often vary depending upon the type of EMR and because there is also some confusion as to exactly what an audit trail actually does. Second, is an audit trail discoverable under Indiana law? Third, if audit trails are discoverable, what is a practical approach to understanding and reviewing them before they are produced?

What is an audit trail?

Audit trails from a health care perspective are best defined as a generated chronological report that monitors the who, what, when and where of all users’ behavior in a set of medical records. In other words, it compiles the metadata (the data that describes and defines information about other data) of a patient’s medical records. Audit trails are primarily used by information technology professionals to secure and comply with the Health Insurance Portability and Accountability Act (HIPAA). Pursuant to HIPAA, medical providers who use an EMR are required to have systems in place to review and audit access to the records, as well as prevent unauthorized access. 45 C.F.R. §164.312(b) (2022). Audit trails do this by tracking information required by HIPAA and providing a mechanism for determining if there has been a security breach. Notably, HIPAA’s definition of “designated records” does not include audit trails. 45 C.F.R. §164.501 (2022). Audit trails do not include the health information found in the EMR and are not used by health care practitioners to make decisions about a patient’s care. In other words, audit trails are entirely separate from the EMR that physicians and other health care practitioners use on a daily basis.

Audit trails and the discovery process

The request for an audit trail, like any other discovery request, is subject to Indiana Trial Rule 26(B)(1) requiring that the request be “reasonably calculated to lead to the discovery of admissible evidence.” Indiana’s discovery rule was designed to allow a liberal discovery process. Rivers v. Methodist Hosp., Inc., 654 N.E.2d 811, 813 (Ind. Ct. App. 1995). Unless there is an applicable privilege or exception, a document may be relevant if it is related to the subject matter of the litigation. Ind. T.R. 26(B)(1). Although Indiana’s discovery standard is broad, an argument may be made that audit trails should not be automatically produced as they are not part of a patient’s medical record and, thus, not produced on a simple request for production of a patient’s chart. Instead, the request for an audit trail must be specific and, once such a specific request is made, the validity and scope of the request must be analyzed on a case-by-case basis.

Indiana has a dearth of caselaw pertaining to whether audit trails are discoverable and, if so, under what circumstances. Although technically unsettled in Indiana, it likely is discoverable. However, other jurisdictions have tackled this issue and appear to be split as to whether there should be barriers to the production of an audit trail. For example, in Vargas v. Lee, the New York trial court found that a defendant hospital did not have to produce an audit trail associated with its electronic records without a higher standard showing of good cause from the plaintiff. 96 N.Y.S. 3d, 587, 589 (2nd Dep’t 2019). Conversely, in Borum v. Smith, the court was not swayed by the defendant hospital’s objections to comply with plaintiff’s request on the ground that the plaintiff had not raised any issues of completeness or accuracy of the previously produced medical records, and that there were statutory and contractual barriers preventing its compliance with the request. The court found that there were no contractual or statutory barriers to comply with the request to inspect the defendant hospital’s EMR and ordered the defendant to provide a complete printout of the audit trail. 2017 WL 3014487 (W.D. Ky. July 14, 2017).

In addition, the circumstances in which the audit trail’s production warrants additional consideration for its cost, size and the difficulty in sorting through the information have also been contemplated. For example, requests might be limited to the specific time frame and practitioners involved in the care and treatment at issue. In Heinrich v. State, the court found that plaintiff’s request for 12 discrete entries in the EMR that identified which provider had what information about the patient, when they had it and what modifications to several entries were made, based upon the differences between deposition testimony and the medical records, was narrow enough to limit the burden placed upon the defendant. 155, N.Y.S. 3d. 671, 676-677 (NY Claims Ct., 2021). Another consideration is whether portions of the audit trail are privileged under peer review, as the audit trail may reveal the individual names of the peer review committee members or the names of those that investigated on the committee’s behalf. Accordingly, the producing party may redact the identities and activities from the audit trail and submit a privilege log. Moan v. Massachusetts Gen. Hosp., 2016 WL 1294944 (Mass. Super. Ct. 2016).

When the requesting party attempts to justify the request for an audit trail, they may argue that the audit trail will tell them exactly who accessed the medical records, when the records were accessed and what information was modified. However, the story told by an audit trail is not always straightforward; it does not always answer these questions. For example, audit trails do not provide the substance of every action taken by a provider and do not provide the prior version of the document before it was edited. It is also important to keep in mind that audit trails can make poor “evidence,” as they are indecipherable to most people, inconsistent between medical practices and can be unreliable, as audit trails do not account for the day-to-day practice of health care providers. For example, there are situations where it is not always practical to record events contemporaneously as providers must prioritize patient care. Additionally, if a physician and a nurse are in the emergency department examination room at the same time, they may both enter information into the computer, but use only one person’s login information. In other words, audit trails generally do not evidence a “smoking gun” that will implicate the credibility of the provider and call the record’s reliability into question. Ultimately, audit trails were not designed with discovery or litigation in mind and, thus, the requesting party has a duty to articulate why the audit trail might provide admissible evidence under the circumstances and issues of their particular case.

A practical approach to audit trails

Once the decision to produce an audit trail is made, the producing party should consider the impact, if any, upon the case and client. The producing party should first become familiar with audit trails to understand how to discuss the request with the client. In general, health care providers are unfamiliar with an audit trail and will need a clear explanation of what is being requested. There are a variety of different vendors of EMRs and, thus, a variety of different formats for audit trails. An audit trail from Hospital X may not look like or contain the same information as an audit trail from Hospital Y. If your client is a hospital, you will likely be discussing the audit trail with the hospital’s IT department. However, if your client is a medical office, you will likely be discussing the audit trail with the office manager who may not know what an audit trail is or how to obtain it. Alternatively, you may be directed to speak with an employee of the EMR company in order to obtain a copy of your client’s audit trail.

After receiving the audit trail from the client, the producing party should carefully review it to fully understand the information in it. Specifically, the producing party should understand the terms used in the audit trail, such as modify, delete, modify copy, etc. For example, the producing party will have to determine whether modify means edit or whether it simply means that the document was viewed by the user. The definitions may well differ from audit trail to audit trail, as each EMR provider may have differences in their audit trails. It cannot be assumed that the terms used in each audit trail are the same, nor that identical terms necessarily mean the same thing. Indeed, even audit trails from the same EMR provider can differ. Thus, each audit trail must be approached with caution and without predetermined assumptions. The best practice is to ask the pertinent IT professional for assistance in interpreting these terms.

In addition, audit trails differ between a hospital and a doctor’s office. As a general rule, an audit trail from a doctor’s office will be smaller, have fewer people accessing it, have fewer periods of activity and fewer documents to track. But a hospital’s audit trail can cover every minute in a 24-hour period or every minute in a 10-day hospitalization, have numerous users, track a wide range of documents and may have more features than other audit trails.

The best way to review large and complex audit trails is to keep the information in an Excel spreadsheet so the information can be sorted and organized in a manner that makes it easier to review and understand.

Understanding the information provided in an audit trail is critical. Once you understand the terms, the next step is to look at the critical dates, times and practitioners in each column to see if the audit trail matches up with the medical records and determine whether it is reliable. In doing so, you should look for any credibility issues that may exist. If there are parts of the audit trail that appear to call into question “the credibility of the record or your client,” then one must engage the services of an IT professional for an explanation of the mechanics of the audit trail in further detail. Keep in mind that smaller medical practices may not have an employee who is knowledgeable enough about the audit trail to provide an explanation, so you may need to locate a consulting IT professional to serve as an expert witness for your particular EMR software. The failure to inquire further into potential areas of concern may result in some surprises at a deposition or trial that could have been avoided with proper preparation.

Conclusion

Audit trails are complicated as they present information in a manner that differs from the evidence that attorneys typically review. Notably, there is some support for the position that an audit trail is not always relevant in every medical malpractice case unless it pertains to certain rare subissues of medical malpractice litigation. Therefore, a requesting party must demonstrate good cause prior to the production of the audit trail to establish its relevance to the specific facts and issues of the case. The scope of the audit trail must be established as well. Depending upon the depth and extent of an audit trail, consideration should also be given to whether to request costs and expenses associated with producing an audit trail and/or testifying about it. When an audit trail must be produced, the producing party should educate themselves and the client by discussing the audit trail with an IT professional. An attorney that understands an audit trail will be able to sort through and understand the information, know whether there are any “issues” raised in the audit trail and be prepared for the increased scrutiny of opposing counsel.•

Gaius G. Webb and Caitlin R. Jared are associates at Schultz & Pogue and are members of DTCI. Opinions expressed are those of the authors.