THE ELECTRONIC HEALTH RECORD “EHR” AUDIT TRAIL AND WHY YOU MAY WANT IT
Melanie Carpenter, ESQ
Special Counsel, ChartSqad
January 12, 2023
Almost all medical providers are now using Electronic Health Records (EHR) to manage the recording of patient care. With this technology comes additional information in what is called an EHR Audit Trail. An Audit Trail is a record of who accessed the patient’s health record when the record was accessed, and what actions that person performed. The Audit Trail can provide solid proof of whether the records were altered at all and by whom. This information is highly valuable in any case where you need to know the details of certain care. For example, in a case where the defense has a record that is inconsistent or includes more, or less, data than the records the plaintiff has, an EHR Audit Trail associated with each record set will show who made the alteration, deleted any information, or accessed the record set at all and when. The “when” may be an imperative key in why these changes were made. Often, we see records where a doctor signed off on the treatment plan, but was the doctor involved in the patient’s care? The Audit Trail can tell you whether the actual doctor accessed the records at all: meaning, did the doctor open the records and look at test results, diagnostic imaging, or have any play in the actual care of the patient on each date of treatment.
Consider the laws of evidence in your state: most states require medical records to be authenticated before being admitted into evidence. For the records to be admissible, a party must show the records were made “at or near the time of the entry.” The Audit Trail is a means of authenticating this evidence and is more economical than testimony from the custodian of records.
HIPAA requires providers to maintain an EHR Audit Trail. 45 C.F.R. §§ 164.308(a)(1)(ii)(D), (a)(3)(i), 164.312(1)(b). Further, providers are required to release the Audit Trail if specifically requested. Failure to release this information may be considered “information blocking” under HIPAA as defined under the 21st Century Cures Act 114‐255 (2016). Information Blocking is a practice that interferes with, prevents or materially discourages access, exchange, or use of electronic health information. In Angela Preito v. Rush University Medical Center Case No. 2018 L 003531 (Cir. Ct. Cook Cty. Apr. 9, 2018) Hon. James N. O’Hara states:
“In sum, federal law says that Audit Trail data, including metadata associated with a Patient's EHR, is included in the patient’s right of access and that it constitutes information blocking to refuse to produce such data.”
“The term ‘Audit Trail’ refers to the part of the patient’s EHR that displays any person logging in to the record to modify the record, correct the record, add to the record, alter the record, revise the record, complete the record, put finishing touches on the record, and any other entry or access into the medical record, or any other name synonymous with the reflection of who, when and what a person did in relation to the Electronic Health Record.”
Judge O’Hara continued to quote the rules of HHS in regard to a patient’s EHR Audit Trail production:
“‘Individually identifiable health information” is further defined as information created by a health care provider that relates to the provision of health care to an individual, among other things, that can be used to identify the patient. Id. In sum, Audit Trail information is included in the patient’s right of access if it is created or used by the healthcare provider, can be used to help treat or identify the patient, relates to the provision of health care to the patient, and is maintained in electronic media.”
Judge O’Hara issued severe sanctions and a default judgment against Rush University for its failure to release the EHR Audit Trail.
To request an EHR Audit Trail, you must specifically state that is what is being requested. A request or authorization for records alone will not get you an Audit Trail. Watch out for those providers that claim to not have an Audit Trail or claim they do not maintain such records. Again, the provider is required by law to maintain an Audit Trail if they have an electronic record system at all. Just because they are ignorant of their obligations, does not make them right!
If you need any more information on this topic or need any help obtaining any health information, please do not hesitate to reach out!