a woman in a white medical jacket works on a computer displaying electronic medical records

Legal Strategies for Discovering EMR Metadata, Audit Trails

Filed Under: , Articles
February 2, 2024 by Elizabeth Bulat

Comperio Legal Services provides skilled attorneys the electronic medical record analysis and expert witnesses they need to win. Do you have an expert understanding of the risk posed by the electronic medical records in your case? Discover the truth. Schedule your FREE, no-obligation case consultation today.

FREE Case Review

Is EMR Metadata Discoverable?

Given modern technology, healthcare practices store medical records electronically. This information can be vital in medical malpractice cases in addition to other lawsuits. Metadata associated with these records is arguably more influential in these types of cases although it is not always discoverable information.

The State of Medical Records and Metadata

An electronic medical record (EMR) is a patient’s digitized medical data recorded by and held by a single healthcare practice. To maintain a practice’s organization and preparedness to provide care, an EMR may include a patient’s treatments, immunizations, prescriptions, and test results from the particular practice in addition to their billing and insurance information, demographic information, and reported medical history. 42 CFR 460.210 sets a statutory standard for the minimum contents of an EMR. Given the required information and the potential for great detail in an EMR, this information is routinely requested in medical malpractice lawsuits. In these cases, an EMR doubles as a legal medical record (LMR) by serving as evidence.

Federal Rule of Civil Procedure 26(a) requires a party to initially disclose “a copy—or a description by category and location—of all documents, electronically stored information, and tangible things that the disclosing party has in its possession, custody, or control and may use to support its claims or defenses unless the use would be solely for impeachment” without awaiting a discovery request. Further, The HIPPA Privacy Rule provides patients and authorized persons access to protected health information (see 45 § CFR 164.524); therefore, discovery requests for an EMR are often granted in medical malpractice cases even if they are not initially disclosed (see also 45 § CFR 164.502).

However, the produced EMR may not be comprehensive of the patient’s healthcare data recorded by the healthcare practice due to its digital nature and consequential potential to be edited. In a medical malpractice case, this editing could result in an incomplete medical record that could be fatal to a plaintiff’s case. For example, a healthcare practice may omit EMR data that is evidence of medical malpractice upon notice of a lawsuit against them. However, metadata can reveal this wrongful conduct.

This relevant metadata can include audit trails that record modifications to an EMR. The National Institute of Standards and Technology defines an audit trail as “[a] chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to final result” (see CNSSI 4009-2015). Therefore, audit trails may redeem an incomplete EMR by providing transparent medical care to the plaintiff, including information that may have been omitted by the healthcare provider.

When Is Metadata Discoverable?

Although an audit trail records these specifics, it is not explicitly included in the definition of a “designated record” in 45 § CFR 164.501. However, Federal Rule of Civil Procedure Rule 34(a)(1) implicitly suggests that an audit trail is discoverable by enabling a request for “any designated documents or electronically stored information—including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations—stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form.” Given the explicit legislative silence on the matter, courts vary in deeming EMR audit trails discoverable information.

In Gateway Logistics, Inc. v. Smay, 2013 CO 25, P15, “under our balancing test, the trial court must require the requesting party to prove that it has a compelling need for the information, that the information being sought is not available from other sources, and that it is using the least intrusive means to obtain the information” (see also Carlson v. Jerousek, 2016 IL App (2d) 151248, P49).

In Vargas v. Lee, 2015 NY Slip Op 31048(U), 5, the court found “general comments that the audit trail may provide discovery on the ‘timing and substance of plaintiff’s care’ [to be] insufficient” in denying a plaintiff’s request for a defendant’s production of an EMR audit trail. Meanwhile, in Moan v. Mass. Gen. Hosp., 2016 Mass. Super. LEXIS 28, *1, the court ordered the defendant hospital to disclose EMR audit trails in a medical malpractice case upon the plaintiff’s demonstration of its need in hearings and submissions to the court.

To What Extent Are Audit Trails Discoverable?

Although a plaintiff may establish a significant need for an audit trail, federal statutes and case law do not clarify the scope of an audit trail that must be produced. Therefore, reported audit trails vary in depth and may not be comprehensive of edits made by the defendant clinician and/or medical practice. Hence, the production of an audit trail may not mend the deficiencies of the plaintiff’s case. Federal Rules of Civil Procedure limit and enable the discovery of audit trails depending on the circumstances of the particular case.

Amendments to Federal Rule of Civil Procedure 34 limit the extent of discovery if production is unreasonably burdensome or expensive to a party. However, producing a complete EMR is a routine activity for members of the defendant’s Health Information Management (HIM) department and should be neither complex nor inconvenient. Further, Federal Rule of Civil Procedure 26(b) defines the scope of discovery as “[p]arties may obtain discovery regarding any nonprivileged matter that is relevant to any party’s claim or defense and proportional to the needs of the case, considering the importance of the issues at stake in the action, the amount in controversy, the parties’ relative access to relevant information, the parties resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit. Information within this scope of discovery need not be admissible in evidence to be discoverable.” Therefore, by virtue of the Federal Rules, if the details of the audit trail are related to a party’s claim or defense and outweigh the burdens associated with its production, then a court will deem it discoverable.

We Help You Navigate

Do you have an expert understanding of the risk posed by the electronic medical records in your case? Discover the truth. Schedule your FREE, no-obligation case consultation today.

FREE Case Review


Stay up-to-date with the latest industry updates by signing up for Comperio’s monthly newsletter.


Contact Us

Schedule a Free Initial Case Review

Debating a case theory or stuck on a critical decision point? Our extensive understanding and technical knowledge of electronic medical record systems will help you unravel the complex nature of digital health data and increase the speed and efficiency at which you build a winning case!

Schedule a free case review with one of our experts today!