Requesting Audit Trails / Metadata
Filed Under: , Articles, Best Practices
A plaintiff attorney must know what exists, what to request, when to request it, and how to request it.
- Obtain copies of the hospital’s policy & procedure documents, information regarding the EMR system vendor, user EMR training manuals, and list of all software applications to learn what the defendant has and who maintains it
- These manuals contain policies that specifically address data security and auditing capabilities within the EMR systems. Often, these policy manuals also contain additional data about how the facility is organized and what information is available.
- The entity must document the policies and procedures for the required specifications. 45 C.F.R. 164.316
- Armed with this knowledge, tailor the language in your discovery process
- It will be far more difficult for the defense to claim they do not understand your requests when you can refer them to their own internal policies.
- Be prepared to file motions to obtain the audit trail information
- For eDiscovery requests, be as specific as possible and base requests on information derived from HIPPA, HITECH, State Policies and other statutes
- See Appendix A – Audit Trail Requirements
- Specificity in your query search terms will increase your chances of success; the fewer search parameters entered, the wider the inquiry will be
- Seek audit trails from other pertinent software applications with integrations to or outside the main EMR as well as audit trails showing which computer terminals were used by providers to enter information and when
- Focus audit requests on providers without limiting it to your patient; the audit records can be pulled without patient identifiers if the query specifies that, or they simply redact the confidential information, preserving other patient’s HIPAA rights
- Insist that information/documents are provided in their native, usable electronic format
- Although federal law prohibits editing the audit trail records in the EMR system, the information can be altered one it is exported to a spreadsheet; have a forensic expert examine it to ensure no one tampered with it
- Do not accept other formats such as a PDF document, which are limited print versions that are shells of the complete record and void of any audit data
- Understand the danger for defense attorneys and their clients based on their response or lack of a response
- A lawyer cannot hide under the claim that the hospital representative swears that it is the entire record and their failure to provide requested documents subjects them to sanctions.
- By failing to provide documents specifically requested in discovery, the attorney can put their clients at risk for an amendment to the complaint for counts of Fraudulent Concealment of Medical Records
- If the defendant is not forthcoming in producing a truly complete audit trail and the court holds that they had not complied with their agreement, you can move to have the court order the defense to:
- Produce a truly complete audit trail including all software applications excluded from the EMR.
- Permit entry by plaintiff’s expert to conduct a forensic examination of the EMR in order to ensure that a complete audit trail was produced.
- Provide a database manager with knowledge, skills and credentials necessary to assist the plaintiff’s examiner during examination.
- Allow the plaintiff’s forensic examiner a specified amount of time in the defendant’s EMR.
- Bear the cost for providing a database manager to assist the plaintiff’s forensic expert.