Trial Magazine

Theme Article


Blazing a Trail

Audit trail evidence can be central to your medical negligence case, but hospitals won’t make it easy to obtain. Shape your discovery plan accordingly.

Jennifer L. Keel and Matthew R. Laird, May 2017

In recent years, more and more lawyers have sought and successfully obtained audit trail evidence in medical negligence cases. This evidence shows who accessed or tried to access a patient’s medical record, as well as what they did in the record if they obtained access. Defendants will do almost anything to avoid disclosing this information.

Under federal law, a health care provider must monitor any electronic medical records (EMR) through ongoing auditing of the software platform (such as Meditech or athenaClinicals) that created the EMR.1 This means the provider must maintain a separate database that tracks every action any user takes within the system, from login to logoff.

Every transaction between the user and the system is recorded in real time in an individual row in a database. The columns contain various information about each transaction, including the date and time, duration of use, computer or device used, user ID, and any actions taken. Even when the user changes nothing in the EMR, such as an unsuccessful login attempt or merely viewing the record, every single transaction is logged. As a result, the audit database grows larger over time.

Understandably, plaintiffs want this evidence. But obtaining the audit trail isn’t as simple as sending a correctly worded discovery request. Audit trail evidence is most useful as part of a comprehensive discovery strategy, beginning with initial disclosures and case management orders and progressing through all phases of discovery.

To avoid disclosing this evidence, defendants’ first strategy is to exploit the fact that many plaintiff attorneys do not understand audit trail evidence, do not know how to ask for it, or do not know when they are being misled by defense responses. When defendants sense you are unsure about what you want or how to ask for it, they will seize that opportunity, hoping to confuse you and stop you in your tracks. Avoid this pitfall by learning what to ask for and how to talk about it in an informed manner.

Understanding Audit Trails

Every EMR software platform is different, but each must collect certain data to comply with federal law. The governing standard, incorporated by regulation, is ASTM Standard E2147-01, which dictates minimum requirements for audit log content.2 Understanding and referring to the ASTM standards will be invaluable as you craft discovery requests, deficiency letters, and motions to compel.

Generally, most audit data is not contained in the EMR. In some cases, bits of audit data may be visible in the medical record—either in an electronic or printed format—but the majority of this data usually is kept in a separate database, invisible to users. So to obtain audit trail data, you must specifically ask for it, and the medical provider must run a query on its audit databases to provide the requested information. Each software product used to enter or process patient information has associated audit databases. Since the provider may use several programs, you may have to request audit data from each component of your client’s EMR. The first step is learning how the facility operates and which software platforms it uses to chart or store patient information.

Next, ask for the data in a way that makes sense to the defendant—or at least in a way the defendant cannot credibly claim not to understand. Don’t ask for the audit trail immediately. Instead, set the stage for electronic discovery as early as possible.

Send a preservation letter that specifies what electronically stored information (ESI) should be preserved, including audit data. At your initial case management conference and in your initial discovery disclosures, identify the ESI relevant to your case, which includes audit trail evidence. As you craft your case management orders and electronic discovery plans and agree to a procedure for disclosing ESI, refer to the Sedona Guidelines for electronic discovery.3 A good electronic discovery plan at the outset will save you much time and frustration later, and it hopefully will ensure you receive your electronic documents—including audit reports—without a fight.

Request Policies and Data Dictionaries Early

You should designate certain policies and procedures as part of your initial disclosures, even though they are not in your possession. They include policies and procedures governing HIPAA compliance, documentation, data security, and EMR systems. Getting these policies is the first step toward obtaining and, more important, using audit data. Designating these policies early will set the expectation that these documents are relevant to your case, and it will obligate the defendants to produce them.

Do not settle for a hospital’s answer that it does not have the requested policies. The Joint Commission, which accredits and certifies health care organizations and programs, requires hospitals to have policies addressing the privacy of health information in compliance with federal law, specifically, the HIPAA privacy and security rules and associated Centers for Medicare and Medicaid Services (CMS) guidelines, before accreditation.4

While hospital policies vary in specificity and usefulness, most reflect the language of federal statutes or CMS regulations, and they can be used to show that the hospital knows its legal obligations and how to comply. Some facilities’ policies include language that you can use in discovery requests and deficiency letters, so it’s best to obtain the policies before crafting your discovery requests, if possible.

For example, we handled a case where the hospital had a standardized request procedure and sample form for requesting audit trail data, intended for hospital personnel to use. This protocol made it impossible for the hospital to argue that it would be difficult or burdensome to provide the information. Sometimes, a hospital will seek a protective order before producing its policies, but you should fight this—future plaintiffs may benefit from your hard work.

You should also request data dictionaries for the EMR software applications to help you understand the record and audit databases’ contents. These dictionaries explain every field in the database and the type of information in each field. For example, the data dictionary may show that the database includes a table containing patient demographic information—the patient’s name, date of birth, address, age, gender, and marital status.

The dictionary also explains how the patient’s age is calculated (based on the date of birth that is entered) and may decode entries in a certain field (indicating, for example, that “M,” “S,” “D,” and “W” in the marital status field mean “married,” “single,” “divorced,” and “widowed,” respectively).

The dictionary also contains information that you may not have known was in the database. For instance, you may see fields that record elapsed times for emergency department care (included so hospitals can use these metrics to measure their performance) or fields that record the reasons a nurse gave for overriding a warning in the system. Finally, the data dictionary will help you tailor discovery requests to specific information you know the database contains and ensure that your request uses the correct field names.

Instead of serving a request for “the entire audit trail kept pursuant to 45 C.F.R. §164.312,” you now can ask for more specific information tailored to the issues in your case, such as a report demonstrating your client’s patient barcode scans. Typically, a patient receives an identification bracelet with a unique barcode when he or she is admitted to the hospital. Each time the patient receives certain care, such as medication, the administrating health care provider scans the barcode. So the report containing your client’s patient barcode scans will show the date and time, user ID, and location of each scan. In addition, if the computer system generates a warning for the provider—medication given too early or medication given despite a documented allergy—the warning will be recorded along with information about overrides for each scan.

If you must file a motion to compel the information, a request for the entire audit trail is much broader and will be more difficult to defend than a request for specific information. And with a more specific request, you can use data dictionaries to show that the data you requested is actually recorded in the database and is available to the defense.

Anticipate Defense Objections

Become familiar with the statutory requirements—these will be your first line of defense when fighting objections. Federal statutes and regulations set forth the types of information that hospitals must record, maintain, and make available.5 They must “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”6 The provider compliance deadline for this requirement was Apr. 20, 2005, so all hospitals should now be in compliance.7

An audit log must include the following:

  • Date and time of the event. The exact date and time of the access event and the exit event.
  • Patient identification. Unique identification for the patient, to distinguish the patient and his or her health information from all others.
  • User identification. A unique identifier for the health information system user.
  • Type of action taken. Examples include additions, deletions, changes, queries, prints, and copies. It must specify the inquiry and any changes made—and it must show the original, altered, and deleted versions of the entry.
  • Identification of the patient data that was accessed. This should be specific enough to determine whether data requiring special confidentiality protection under federal or state law was accessed. It also should identify the specific category of data—such as demographics, pharmacy data, test results—that was accessed.8
  • Audit logs often include additional elements. ASTM Standard E2147-01 suggests that audit logs also should include data identifying the access device—the terminal, work station, or device from which the user obtained access—and the reason for access.9
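As an added illustration that is not part of the article, the following Python applies the minimum-content list above to a handful of constructed audit rows and builds the kind of per-patient report (barcode scans with overrides, edits with original and altered values) that a provider produces by querying its audit database; the column names, action labels and sample rows are assumptions, not any vendor's schema.

```python
from datetime import datetime

# Minimum audit log elements the article lists from ASTM E2147-01
# (incorporated by 45 C.F.R. 170.210(h)); the column names are assumptions.
REQUIRED = ("event_time", "patient_id", "user_id", "action", "data_category")
# Session events (login, logoff, failed login) are logged too but touch no
# record, so only time, user and action can be expected for them.
SESSION_ACTIONS = {"login", "logoff", "login_failed"}
SESSION_REQUIRED = ("event_time", "user_id", "action")

# Constructed sample rows standing in for a provider's audit query result.
SAMPLE_ROWS = [
    {"event_time": "2017-03-01T08:00:00", "user_id": "rn_smith",
     "action": "login_failed", "device": "WS-ED-04"},
    {"event_time": "2017-03-01T08:02:11", "patient_id": "P-1001", "user_id": "rn_smith",
     "action": "view", "data_category": "medication", "device": "WS-ED-04"},
    {"event_time": "2017-03-01T08:05:40", "patient_id": "P-1001", "user_id": "rn_smith",
     "action": "barcode_scan", "data_category": "medication", "device": "SCAN-ED-02",
     "warning": "documented allergy", "override": "yes"},
    {"event_time": "2017-03-02T14:30:00", "patient_id": "P-1001", "user_id": "dr_jones",
     "action": "change", "data_category": "test_results", "before": "K 3.1", "after": "K 4.1"},
    {"event_time": "2017-03-02T14:31:00", "patient_id": "P-1001", "user_id": "dr_jones",
     "action": "print"},  # data_category absent: a deficiency to raise with the producer
]

def missing_required(row):
    """Names of the minimum elements this row lacks (absent or empty)."""
    wanted = SESSION_REQUIRED if row.get("action") in SESSION_ACTIONS else REQUIRED
    return [f for f in wanted if not row.get(f)]

def deficient_rows(rows):
    """(index, missing fields) for every row failing the minimum-content check."""
    return [(i, missing_required(r)) for i, r in enumerate(rows) if missing_required(r)]

def access_report(rows, patient_id):
    """Every transaction touching one patient, oldest first."""
    hits = [r for r in rows if r.get("patient_id") == patient_id]
    return sorted(hits, key=lambda r: datetime.fromisoformat(r["event_time"]))

def overrides(rows, patient_id):
    """Barcode scans for the patient where a system warning was overridden."""
    return [r for r in access_report(rows, patient_id)
            if r["action"] == "barcode_scan" and r.get("override") == "yes"]

def changes(rows, patient_id):
    """Edits to the patient's record, with original and altered values."""
    return [(r["user_id"], r["data_category"], r.get("before"), r.get("after"))
            for r in access_report(rows, patient_id) if r["action"] == "change"]
```

A row flagged by `deficient_rows` is exactly the kind of gap a deficiency letter can cite against the standard's minimum content.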

Also be aware that EMR software developers are always adding new features to distinguish their products from their competitors’ products. This means that software platforms often record far more data than any statute requires, and a party’s obligation in discovery is to produce the information it has, without limiting its response to the information that must be recorded by law.

Hospitals must use appropriate controls over systems documentation, including “revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.”10 By law, the hospital must also “maintain reasonable and appropriate . . . safeguards” sufficient “to ensure the integrity and confidentiality of the [health] information” and “to protect against any reasonably anticipated threats or hazards to the security or integrity of the information; and unauthorized uses or disclosures of the information.”11 An audit trail must be maintained for six years after it was created or after it was last in effect, whichever is later.12

Despite these statutory requirements—which should defeat most defense objections if you understand them, explain them, and apply them to your case—the defendant still may object to your requests, arguing that the requests call for material that falls within peer review, quality management improvement, or attorney-client privilege. But these are not valid privilege claims.

When facing this objection, consider the fundamental characteristics of audit data: It is automatically recorded as a function of EMR software in the ordinary course of business, because statutes require that it be recorded. Statutes further specify how long the information must be retained. Recording is automated and not subject to any person’s commentary, editorializing, thoughts, or mental impressions, and the data is objective information about accesses to the medical record, unrelated to any peer review proceedings or attorney-client communication, so this information does not fall within any privilege.13

Ultimately, plaintiff attorneys must gain a full appreciation of what an audit trail is—this will allow them to get the relevant evidence and use it to benefit their clients.


Jennifer L. Keel and Matthew R. Laird are shareholders at Thomas Keel & Laird in Denver. They can be reached at jkeel@thomaskeel.com and laird@thomaskeel.com.


Notes

  1. See 45 C.F.R. §164.312(b) (Westlaw 2017); 45 C.F.R. §170.210(h) (Westlaw 2017) (incorporating ASTM Standard E2147-01).
  2. 45 C.F.R. §170.210(h); ASTM Standard E2147-01, Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems, ASTM Int’l (2013), www.astm.org/Standards/E2147.htm.
  3. See generally The Sedona Conference Working Group on Electronic Document Retention & Production, The Sedona Principles: Second Edition, Best Practices Recommendations & Principles for Addressing Electronic Document Production (Jonathan M. Redgrave et al. eds., 2007), http://tinyurl.com/jmlj3z9.
  4. The Joint Commission publishes standards and guidelines that can be purchased off their website: www.jcrinc.com/store/publications/. See also The Joint Commission, Comprehensive Accreditation Manual for Hospitals, Information Management Standard IM.02.01.01 (citing applicable CMS guidelines at www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/PrivacyandSecurityInformation.html). The HIPAA Privacy Rule can be found at 45 C.F.R. pt. 160, 45 C.F.R. §164.102–106, and 45 C.F.R. §164.500–534 (Westlaw 2017). The HIPAA Security Rule is located at 45 C.F.R. pt. 160, 45 C.F.R. §164.102–106, and 45 C.F.R. §164.302–318 (Westlaw 2017).
  5. For examples, see 45 C.F.R. §§164.105, 164.304, 164.306, 164.308, and 164.312; and 45 C.F.R. §170.210.
  6. 45 C.F.R. §164.312(b).
  7. See 45 C.F.R. §164.318(c) (Westlaw 2017).
  8. See 45 C.F.R. §170.210 (e), (h); 45 C.F.R. §170.299 (Westlaw 2017); ASTM Standard E2147-01, supra note 2.
  9. See ASTM Standard E2147-01, supra note 2.
  10. 21 C.F.R. §11.10(k)(2) (Westlaw 2017).
  11. 42 U.S.C. §1320d-2(d)(2) (Westlaw 2017) (internal numbering omitted). The statute defines “health information” as “any information . . . created or received by a health care provider” that “relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual” that either identifies the individual or could be used to identify the individual. 42 U.S.C. §1320d.
  12. 45 C.F.R. §164.316(b)(2).
  13. See ASTM Standard E2147, at §4.1 (“Data that document health services in health care organizations are business records and must be archived to a secondary but retrievable medium. Audit logs should be retained, at a minimum, according to the statute governing medical records in the geographic area.”) (emphasis added). Use this to educate obstructionist defense counsel or a wary judge.