Trial Magazine

Theme Article

Navigating the Rabbit Hole of Audit Trails

Audit trails provide critical data in medical negligence lawsuits. Learn how to obtain them and counter defense objections that attempt to exclude this powerful evidence.

Tom Jacob October 2024

Audit trails—or records of who accessed a patient’s record, when, and for what purpose—are vital evidence in answering many fact questions at the heart of medical negligence lawsuits. Audit trails can provide answers to many important questions, such as:

  • How much time did the radiologist spend looking at the film before they diagnosed (or failed to diagnose) your client?
  • Did your client’s primary care provider (PCP) look at the lab results before noting them as normal?
  • Did someone add to or change your client’s records after a bad outcome or after a lawsuit was filed?

These questions led standard-setting organizations, such as ASTM, to describe audit trails as “an indispensable part of the medical record because it is clinically relevant and does not appear in certain iterations of the record.”1 They are designed “to see who has accessed and/or manipulated patient information.”2 As a result, federal law declares: “the access and disclosure logs become powerful support documents for disciplinary and legal actions.”3 They are a part of a patient’s medical record, and the defense should produce them.

Discovery Requests

To get audit trails, you need to request them. Since audit trails are part of a patient’s medical records, they should be included in response to a request for medical records. However, the defense doesn’t always provide them, so targeted discovery may be helpful. I use the following medical records request:

The original medical or health records concerning [plaintiff]. This request is intended to include the electronic medical record and paper medical record, combined. This request includes documentation of all types of health care services provided to an individual, in any aspect of health care delivery. It includes individually identifiable data, in any medium, collected and directly used in and/or for documenting health care. The term includes records of care in any health-related setting used by health care professionals while providing patient care services, to review data or document their own observations, actions, or instructions. The health record includes all handwritten and computerized components of the documentation. The term also includes the administrative record: any record pertaining to the administrative aspects involved in the care of the patient, including demographics, eligibility, billing, correspondence, and other business-related aspects. This request is further intended to include health summaries, progress notes, consult reports, discharge summaries, operative notes, admission records, and orders (whether current or discontinued). And this request is intended to include any audio or video dictation recordings created by any medical provider concerning or related to any plaintiff.

Then, I send a request for production for the audit trails specifically:

For [plaintiff’s] medical or health records reflecting care and treatment between [date] and [date], please produce audit data. This request includes records that document the date, time, patient identification, and user or medical provider identification when electronic health information is created, modified, accessed, viewed, or deleted and all records that indicate which action(s) occurred and by whom. This request is also intended to include any documents recording audit trails, records of changed values, records of receipt of notifications, alerts, and of all record changes, and deletions as well as records of all disclosures that have been made. Next, this request includes the clinical audit report as defined by ASTM E2147-18, at 3 §3.1.9 and 3.1.9.1; privacy and security audit reports as defined by ASTM E2147-18, at 4–5 §3.1.18 and 3.1.18.1. And it further includes “access report,” “audit logs,” and “audit trails” as referenced in ASTM E2174-18 §3.1.9.1.

A supplemental request for the data dictionary—a detailed guide that defines the structure, relationships, and content of the data in an electronic health record database—may also be helpful:

The “data dictionary” for your electronic health record (EHR) database, as defined by ASTM E2147-18, at 3 §3.1.11.

Finally, I will send requests for policies related to audit trails:

Policies, procedures, protocols, checklists, posters/signs, and operating instructions, including table of contents, that applied to, were in effect, or used at [medical facility] during [time] that concern or are designed to comply with the standards, implementation specifications, or other requirements of [medical facility’s] hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. This request includes policies, procedures, standard operating protocols, instructions, or manuals that concern the [medical facility’s] audit access systems, audit trails, or access reports. Further, the request includes policies, procedures, standard operating protocols, instructions, or manuals that concern any policy or procedure promulgated to satisfy the requirements of 45 C.F.R. §164.316 or 45 C.F.R. §164.530.

Common Defense Objections & How to Respond

Defense objections to an audit trail request are common, and the defense will often attempt to exclude audit trails from evidence. Here are ways to respond to those objections.

Objection 1: Audit trails don’t exist. The defense might say that it has no audit trails. In that case, ask for a declaration from the defendant’s IT staff that supports this claim. Also ask for the name of the software vendor, the EHR product, and version of the software used.

Then, search for that EHR software on the website for the Office of the National Coordinator for Health Information Technology (ONC).4 This website shows whether the software meets 45 C.F.R. §170.315 audit trail requirements. Once you know the software vendor, get the software manual, which will detail how to access the audit trails and verify that you have all the data.

The most potent tool in audit trail discovery is a Rule 30(b)(6) corporate representative deposition.5 In the context of discovering information on medical record audit trails, consider including such topics as:

  • The maintenance and retrieval of audit trails or audit logs of the patient’s medical records at the hospital, including records of who accessed the medical records and when; if the records were changed or altered; and, if so, what changes were made. This topic includes any policy, procedure, protocol, or software created to comply with 45 C.F.R. §§170.210 and 170.315.
  • The “data map” of the hospital’s electronic health system. A data map shows where an organization stores its electronic medical information, physically and virtually; in what format it is stored; backup procedures in place; how the electronic medical information moves and is used throughout the organization; information about accessibility of the electronic medical information; retention and lifecycle management practices and policies; and the identities of records custodians.
  • The meaning of the entries on the audit trail, including abbreviations, symbols, codes, times, and dates. This is sometimes referred to as the health care facility’s “data dictionary.” It is a collection of descriptions of the data objects or items in a data model for the benefit of programmers and others who need to refer to them.
  • How to retrieve the native health record file, including any audit trails or audit logs.
  • How the hospital and its employees use audit trails, apart from producing them in lawsuits.
  • How the facility accessed, created, and produced the audit trail.
  • How the facility’s specific EHR system logs phone calls, pages, and any other direct communication between health care professionals.

Depending on what the defense has produced so far in discovery, you may need to tailor these requests to your case. During the deposition, make sure you thoroughly address these topics and lay the necessary groundwork for any subsequent motion to compel production of complete audit trail data.

For example, if there’s a conflict brewing on the ability to get audit trails, establish during depositions the ease of getting these records. Often, getting these records is a matter of a few keystrokes and hitting “print.” Also establish that the audit trail is kept in the ordinary course of business and that making those records is regular business practice. Together, this evidence refutes arguments as to the difficulty of production and the admissibility of the data.6

A site visit is another useful tool. The Federal Rules of Civil Procedure allow you to visit the defendant’s hospital and inspect its medical record terminals to see the patient’s records as a provider would.7 They state that a party may “inspect, measure, survey, photograph, test, or sample the property or any designated object or operation” in the hospital.8 A sample site visit request may include the following language:

Defendant shall allow representatives of Plaintiff to view, inspect, and sample the mobile devices, pagers, or other electronic equipment (or similar exemplar devices) that were used/carried by nurses and/or physicians and/or other [hospital] staff while providing medical care to [plaintiff] on [date of negligence]. As a part of this inspection, Defendant shall allow representatives of Plaintiff to view, inspect, and photograph the non-mobile devices at [hospital] that [hospital] uses to monitor patient care and [hospital] staff activities, such as doorway sensors and code alarms. Additionally, as part of this inspection, Defendant shall provide Plaintiff’s representatives access to the [electronic health record software] system so counsel for Plaintiff can access and view [plaintiff’s] records (and only [plaintiff’s] records) directly in the [electronic health record software] system. Plaintiff’s counsel may take photographs. Plaintiff’s counsel will cooperate with defense counsel to ensure that no patient’s information other than [plaintiff’s] will be accessed or photographed.

Often, you can combine the site inspection and the Rule 30(b)(6) deposition. When you send your deposition notice, request a concurrent inspection requiring the health care facility to walk you through the plaintiff’s medical record and the facility’s EHR program and audit trail in person. Remote depositions, with the use of screen-sharing, make this job significantly easier. In sum, this hands-on approach helps you understand how the EHR system records data, often revealing the nuances of the system and gaps or inconsistencies in the record.

Objection 2: Someone else has the audit trail. Once you’ve established that an audit trail exists, the defense might argue that a third party has the data and that it can’t get access. Subpoena the third party immediately.9 Additionally, request that both the defendant and the third party produce contracts or other service agreements.

When there is a contractual relationship, the law supports requiring the defense to provide information that its contractor possesses. For example, the Southern District of New York has ruled that a defendant has to at least try to get information from the hands of a third party.10

A federal court in Florida likewise ruled that a party can control a document that it does not own or physically possess.11 That court found that control is broadly construed as “the legal right, authority, or practical ability to obtain the materials sought on demand.”12 The court said that “inherent in the ‘practical ability’ test is some legal right of control over the information possessed by a non-party.”13

And in a District of Connecticut case, the defendant argued that documents the plaintiff sought were not in its possession and that another corporation with an agency relationship had them.14 Holding that “control” should be construed very broadly, the court required production of those documents.15

Objection 3: The audit trail is not discoverable. The defense might say that the audit trail exists, but that it’s “privileged, proprietary, and not discoverable.” Audit trails do not get special consideration under the discovery rules. They are discoverable evidence, just like text messages, crash reports, or any other relevant information about your case.

The Federal Rules of Civil Procedure provide that “parties may obtain discovery regarding any nonprivileged matter that is relevant to any party’s claim or defense and proportional to the needs of the case.”16 Information stored electronically, such as audit data, must be produced because it is “kept in the usual course of business.”17

The defense usually argues that this data is privileged—for example, that allowing plaintiff counsel to see what the defendant’s risk manager or consulting experts accessed reveals the defense’s impressions or other thoughts made in anticipation of litigation. But like documents that a witness reviews before a deposition, the defense does not get to shield documents simply because a lawyer handed them to a witness. Courts generally agree that audit trails are not protected by privilege.18

Patients have a right of access to audit trails under federal and state statutory law. Under federal law, audit trails are part of the patient’s medical record, and, even if they were not, state law often gives a patient access to them.

At the federal level, HIPAA, the 21st Century Cures Act, and the Health Information Technology for Economic and Clinical Health (HITECH) Act work together to give patients the right to access audit trails and to inspect and copy protected health information in the designated record set.19 There are only two exceptions: Patients may not have access to psychotherapy notes or information compiled in anticipation of litigation.20

Further, the C.F.R. defines “designated record set” to include medical and billing records, case or medical management record system records, or any record that is used at least in part to make decisions about individuals.21 Audit trails should be considered a case or medical management record system that is used—at least, in part—to make decisions about individuals.22

The defense may still argue that a designated record set does not include audit trails. This is not true: HIPAA incorporates by reference ASTM E2147-18, which is an industry standard for audit trails23 that states that an audit trail is “an indispensable part of the medical record because it is clinically relevant and does not appear in certain iterations of the record.”24

In fact, the standard states, “Audit logs and healthcare information shall be provided when specifically requested by authorized healthcare providers; the patient, his personal representative, advocate, and/or designee.”25 Further, “a patient has a right to know who has accessed their patient information and what occurred during such access. Access . . . by attorneys, risk management, or similar individuals or entities are not privileged actions and must also be fully transparent and disclosed.”26

Even if audit trails are not part of the designated record set, HIPAA is a floor, not a ceiling.27 That is, even if a designated record set doesn’t include audit trails, they are still discoverable.

Importantly, HIPAA preempts contrary state law—unless the state law is more stringent28—and it also preempts any state privilege law that prevents the disclosure of audit logs.29 Many states, such as Montana, Texas, and Wyoming, have broad rights of patient access.30 So, for added support, look to your state’s definition of health care information or records and your state’s law governing the patients’ right to access their health record.

Objection 4: Authentication and expert witnesses are required to present the audit trail to the jury. Finally, even after getting the audit trail and defeating these objections, the defense may pose evidentiary objections to try to keep audit trails from the jury.

Authenticity is an evidentiary requirement,31 and it is a low bar. The proponent of the evidence must simply “produce evidence sufficient to support a finding that the item is what the proponent claims it is.”32 This is the “some evidence” or “scintilla of evidence” standard needed to affirm a jury verdict.33

Federal Rules of Evidence 902(11), (13), or (14)—which concern self-authenticated business records—may take you a long way in any authentication fight. Also pay attention to your local rules, as many contain presumptions of authenticity.34

The defense may also argue that the plaintiff needs expert testimony to present the audit trail to the jury. But, if the medical records themselves are admissible without expert testimony, why would audit trails need it? After all, audit trails are medical records.35


In the Rule 30(b)(6) deposition, you can further lay the groundwork that audit trails are authentic and self-explanatory. If you have access to the audit trail before the deposition, confirm the key facts that the audit trail reveals with the witness, and that testimony will then become admissible as an admission by an opposing party.36 It does not hurt to have your liability expert cite the audit trail data and discuss it in their report or deposition.

Audit Trail Contents

After the initial production, make sure you have received the entire audit trail. If you have requested the EHR user manual or technical manuals, compare them to the production to determine whether you have the full audit trail. Also compare the production to the Rule 30(b)(6) deposition testimony you obtained.

Since federal law specifically governs the contents of an audit trail, HIPAA, HITECH, and related regulations apply to health information technology such as EHRs, which produce the audit trails.37 That includes hardware, software, and related technologies sold and designed for health care entities to store patients’ electronic health information.38 The audit trails must comply with these regulations, which state that EHRs, as a default rule, must be set to audit medical records.39 Once written, an audit log cannot be deleted.40 The regulations also require that EHRs must indicate whether an audit trail has been altered.41

Generally, federal regulations require that the “date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations.”42 Specifically, the regulations incorporate by reference the industry standard published in ASTM E2147-18.43

The regulations also require that audit data be kept “for as long as the medical record is maintained, and may not be destroyed before the medical record may legally be destroyed, and in any event, for at least 10 years or for two years after the legal age of majority, unless a longer period of record retention is prescribed by state, federal or other law or regulation.”44

In sum, “Audit data memorializes actions (for example, queries, views, additions, deletions, changes, copy, print, and copy and paste) performed on patient medical information by users.”45 Importantly, “an explanation for every late entry shall be documented.”46

Audit trails help prove medical negligence. Mastering the request process and overcoming defense objections are essential steps to ensure that you obtain this powerful evidence.


Tom Jacob is a partner at National Trial Law in Austin and can be reached at tjacob@nationaltriallaw.com.


Notes

  1. ASTM E2147-18 3.1.2.1. ASTM International (formerly known as the American Society for Testing and Materials) publishes industry standards. And federal law has specifically incorporated by reference ASTM E2147-18. 45 C.F.R. §§170.210, 170.229. The standard is available online: www.astm.org/e2147-18.html.
  2. ASTM E2147-18 4.3.
  3. Id.
  4. Office of the Nat. Coordinator for Health Info. Tech., Certified Health IT Product List, chpl.healthit.gov/#/search.
  5. See Fed. R. Civ. P. 30(b)(6).
  6. Fed. R. Evid. 803(6) (business records exception to hearsay); Fed. R. Civ. P. 26(b)(1) (standard for discoverable evidence).
  7. See Fed. R. Civ. P. 34(a)(2).
  8. Id.
  9. See Fed. R. Civ. P. 45.
  10. E.g., Exp.-Imp. Bank of the United States v. Asia Pulp & Paper Co., 233 F.R.D. 338, 341 (S.D.N.Y. 2005) (“If the party from whom production is sought does not actually have the document in hand, courts look to see whether the party has control of it, construing the word ‘control’ broadly.”).
  11. In re Disposable Contact Lens Antitrust, 329 F.R.D. 336, 430 (M.D. Fla. 2018).
  12. Id. (internal citations omitted).
  13. Id. at 431; see also Lidey v. Moser’s Rides, SRL, 2018 WL 6308012, at *3 (M.D. Fla. 2018) (practical ability control test satisfied by employment relationship); Auto-Owners Ins. Co. v. Am. Yachts, Ltd., 2006 WL 8435483, at *5 (S.D. Fla. Aug. 3, 2006) (control may be “based on the existence of an agency relationship”) (citing McKesson Corp. v. Islamic Rep. of Iran, 185 F.R.D. 70, 78 (D.D.C. 1999)).
  14. Scott v. Arex Inc., 124 F.R.D. 39, 41 (D. Conn. 1989).
  15. Id.
  16. Fed. R. Civ. P. 26(b)(1).
  17. Fed. R. Civ. P. 34(b)(2)(E)(i).
  18. Zenith Ins. Co. v. Tex. Inst. for Surgery, LLP, 328 F.R.D. 153, 170 (N.D. Tex. Sep. 14, 2018); Hall v. Flannery, 2015 WL 2008345, at *3–4 (S.D. Ill. May 1, 2015) (“[T]he audit trail/metadata . . . is neither covered by the peer review privilege nor the work product doctrine.”); Baker v. Geisinger Community Medical Center, 2017 WL 1293251 (Pa. Ct. Com. Pl. Apr. 7, 2017) (“Since the audit trail is relevant to the claims at issue and may be secured and produced without significant cost or hardship, it is discoverable under the proportionality standard governing discovery requests for electronically stored information.”); Fernandez-Rajotte v. Dartmouth Hitchcock Med. Ctr., 2014 WL 12540494 (N.H. Super. Ct. June 30, 2014) (audit trail not shielded by privilege and is subject to discovery as it is relevant to subject matter of suit).
  19. 45 C.F.R. §164.524(a)(1).
  20. Id. §164.524(a)(1)(i)–(ii).
  21. Id. §164.501.
  22. Through Rule 30(b)(6) depositions, you can establish that audit trails may be used in part to make decisions about individuals, such as billing issues.
  23. 45 C.F.R. §§170.210, 170.229.
  24. ASTM E2147-18 3.1.2.1 (emphasis added).
  25. Id. at 1.2.
  26. Id. at 4.3 (emphasis added).
  27. State ex rel. Putnam v. State Bd. of Registration for Healing Arts, 641 S.W.3d 250, 257 (Mo. Ct. App. 2021).
  28. 45 C.F.R. §§160.203, 160.203(b).
  29. See id. §§164.524(a)(1), 170.210 (requiring disclosure to patient).
  30. E.g., Osborne v. Billings Clinic, 2015 WL 1412626, at *4 (D. Mont. Mar. 26, 2015) (holding Montana law requires disclosure of audit trails as a part of the medical record because Montana law is more stringent); Wiese v. Riverton Mem. Hosp., LLC, 520 P.3d 1133, 1140–41 (Wyo. 2022) (audit trails are “health care information” as defined by Wyoming statute); Tex. Health & Safety Code §241.154 (“health care information” means information in “any form or medium” that “relates to the history, diagnosis, treatment, or prognosis of a patient”).
  31. Of course, audit trails are not hearsay for many reasons. First, they are not hearsay because they are machine hearsay. E.g., United States v. Hamilton, 413 F.3d 1138, 1142 (10th Cir. 2005) (metadata created by a computer is not hearsay) (citing cases). And any statements made by a defendant hospital are not hearsay because they are statements of an opposing party. See Fed. R. Evid. 801(d)(2); Tex. R. Evid. 801(e)(2); Ky. Guardianship Admin., LLC v. Baptist Healthcare Sys., Inc., 635 S.W.3d 14, 27 (Ky. 2021) (affirming exclusion of audit trails for failure to authenticate).
  32. Fed. R. Evid. 901(a).
  33. Fed. R. Evid. 104(b).
  34. E.g., Tex. R. Civ. P. 193.7 (production of documents self-authenticating); W.D. Tex. Local Rule CV-26 (same).
  35. Lankford v. Reladyne, LLC, 2016 WL 1444307, at *3 (S.D. Ohio Apr. 8, 2016) (“[D]efendant’s argument that the medical records may not be introduced unless a medical expert testifies is not well-taken.”).
  36. See Fed. R. Evid. 801(d)(2)(A), 806 (excepting (d)(2)(A) statements from the usual rule implicating expert testimony).
  37. 45 C.F.R. §170.101.
  38. Id. §170.102.
  39. Id. §170.315(d)(2)(ii).
  40. Id. §170.315(d)(2)(iv).
  41. Id. §170.315(d)(2)(v).
  42. Id. §170.210.
  43. Id. §§170.210(e)(1)(i), (h), 170.299(c)(1). ASTM E2147-18 7 sets forth the minimum data elements that the logs must contain.
  44. ASTM E2147-18 4.1.
  45. Id. 5.1.
  46. Id.