
Be Mindful of Pandora’s Box – EHR Audit Trails and Litigation

The physician alleged she spoke with the RN and “reviewed the records from home.” The audit trail revealed her claim was inaccurate. The defense was compromised.

The increasing use of electronic health records (EHR) has resulted in an increased ability to electronically track activities that occur within a specific medical record. This is accomplished by review of the metadata, audit trails, or audit logs. 


Ways that EHR audit trails are used:

  • Medical malpractice attorneys use audit logs to obtain evidence for medical malpractice litigation. Plaintiffs’ attorneys request the audit trail of the patient’s EHR to find evidence that the EHR has been altered, thus supporting a claim of spoliation of evidence or fraud, and, most recently, to prove liability by questioning the practitioner’s truthfulness and credibility; and
  • The Office of the Inspector General (OIG) and Centers for Medicare and Medicaid Services (CMS) are encouraging the use of audit logs for identifying fraudulent coding and billing.

The definitions and technical differences between metadata, audit logs or audit trails, and access logs and reports are as follows:

  • Metadata: Metadata is the computer-generated and computer-stored “data about other data.”
  • Audit Logs/Audit Trails: Audit logs/audit trails are a type of metadata that provide documentation of sequential activity within a software application including when the data was created, accessed, revised, etc.
  • Access Logs/Reports: Access logs can be used to create a report of all users who have accessed a specific patient’s medical record within an EHR.

Many regulatory requirements govern how and why security audit trails are conducted and maintained, including HIPAA, meaningful use, CMS, and new e-discovery rules. Because of their volume, we will not go into detail on any of these federal regulations.

An audit log/audit trail is a permanent, chronological record of all user activity, including who accessed the electronic medical record and from where; log-on and log-off times; what was viewed and for how long; any changes, additions, or deletions (entry of new data, or modification or deletion of existing data); printing; and whether alerts or warnings were overridden.

Audit logs, when analyzed properly and within appropriate context, can be useful for incident investigation, for reviewing clinical workflow, and for jogging the practitioner’s memory or discussing what occurred in the case. But they are also now becoming part of the litigation process.

Here are several examples:

Plaintiff A sued the Defendant hospital on behalf of the Plaintiff’s decedent, who presented at the hospital with nausea, abdominal pain, and vomiting and was released several hours later without being seen by a doctor. The Plaintiff’s decedent collapsed and died the following day. The Plaintiff’s complaint alleges that the Defendant was negligent in its failure to have procedures in place requiring a patient like the decedent to be seen by a doctor before being discharged. The Plaintiff sought production of the audit trail for decedent’s medical records to determine whether a doctor reviewed decedent’s records before she was discharged.

Plaintiff B sued the Defendants for the wrongful death of decedent, an Alzheimer’s patient living in one of the Defendants’ nursing facilities. The facility kept poor, false, or incomplete records of the decedent’s condition, and ultimately, he died of sepsis from untreated wounds. After certain counts were dismissed and others sent to arbitration, discovery began as to the wrongful death claim. With respect to the requests for production, the Plaintiff sought, among other things, a full and complete copy of the audit trail for the decedent’s medical records, including information about when his chart was accessed and by whom. Part of the Plaintiff’s claim rested upon her allegation that his chart was falsely documented, and she asserted that the audit trails were relevant.

Practitioner C indicated in deposition that they were in the room during a cardiac arrest, but the audit trail indicates they were working on another floor or involved in a delivery that day.

With electronic recordkeeping growing continuously more complex, it is critical that practitioners understand the electronic discovery rules and issues. Be aware that every action related to the EHR is recorded.

We offer the following risk management strategies:

  • Understand that all EHRs must have an operational audit trail feature;  
  • Conduct regular audits to track user changes, deletions, or modifications;
  • Establish policies and procedures for coding and documentation; 
  • Realize every keystroke leaves an electronic footprint;
  • Have an office policy that prohibits turning off or overriding the system’s audit features, alerts, and warnings; and 
  • Know your hospital's policy related to accessing a medical record of anyone other than your patient.  
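
A regular audit of this kind can be scripted over an exported audit trail. The following is an added example, not part of the original article or any EHR vendor's code; the row layout, action names, user IDs, record numbers, and care-team mapping are all constructed assumptions. It builds the per-patient access report described above and lists the events a reviewer would want to look at.

```python
from datetime import datetime

# Constructed sample rows (timestamp, user, source, record, action); not real data.
AUDIT_ROWS = [
    ("2024-03-01T08:02:11", "rn_lee", "10.0.4.21", "MRN-1001", "VIEW"),
    ("2024-03-01T08:15:40", "dr_patel", "10.0.4.30", "MRN-1001", "MODIFY"),
    ("2024-03-01T09:47:05", "clerk_diaz", "10.0.9.77", "MRN-1001", "VIEW"),
    ("2024-03-01T10:05:00", "dr_patel", "10.0.4.30", "MRN-1001", "ALERT_OVERRIDE"),
    ("2024-03-01T11:30:12", "rn_lee", "10.0.4.21", "MRN-2002", "VIEW"),
    ("2024-03-02T07:00:00", "rn_lee", "10.0.4.21", "MRN-1001", "DELETE"),
]
# Assumed mapping of each record to the users expected to open it.
CARE_TEAM = {"MRN-1001": {"rn_lee", "dr_patel"}, "MRN-2002": {"rn_lee"}}
# Assumed action names that always warrant a second look during a regular audit.
REVIEW_ACTIONS = {"MODIFY", "DELETE", "ALERT_OVERRIDE", "AUDIT_DISABLED"}


def access_report(rows, mrn):
    """Every user who touched one record: first/last access, event count, sources."""
    report = {}
    for ts, user, source, record, _action in rows:
        if record != mrn:
            continue
        when = datetime.fromisoformat(ts)
        entry = report.setdefault(
            user, {"first": when, "last": when, "events": 0, "sources": set()})
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        entry["events"] += 1
        entry["sources"].add(source)
    return report


def review_findings(rows, care_team):
    """Chronological list of events to review: changes, overrides, unexpected access."""
    findings = []
    for ts, user, _source, record, action in sorted(rows):
        if action in REVIEW_ACTIONS:
            findings.append((ts, user, record, action))
        elif user not in care_team.get(record, set()):
            # Plain access by someone not assigned to this patient.
            findings.append((ts, user, record, "ACCESS_OUTSIDE_CARE_TEAM"))
    return findings


if __name__ == "__main__":
    for user, e in access_report(AUDIT_ROWS, "MRN-1001").items():
        print(user, e["first"], e["last"], e["events"], sorted(e["sources"]))
    for finding in review_findings(AUDIT_ROWS, CARE_TEAM):
        print(*finding)
```

A finding here is a prompt for review in context, not a conclusion; a modification or an alert override may be entirely appropriate clinical work.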


Joseph Wager is a Senior Risk Management and Patient Safety Specialist for CAP. Ann Whitehead is CAP’s Vice President, Risk Management and Patient Safety.