W. Mitchell Hall, Jr.
The Continuing Battle Over Audit Trails
By W. Mitchell Hall, Jr.
Plaintiffs in medical-related litigation continue to demand production of audit trails and other electronic medical record (EMR) metadata. Litigation over audit trail requests can take on a life of its own, shifting the focus of the case from whether appropriate care was given to allegations that the health care provider is attempting to hide something by refusing to provide an audit trail and the patient’s EMR in its “native” format. The health care provider frequently must retain its own EMR expert to respond to an affidavit or testimony from the plaintiff ’s EMR expert that the patient’s complete EMR has not been produced and that producing the EMR in native format does not impose an unreasonable burden on the defendant. The defendant’s IT employees typically are drawn into these disputes as witnesses, sometimes having to sign affidavits about the EMR capabilities and sometimes even being deposed. Discovery disputes over EMRs and audit trails are time- consuming, expensive, lead to extensive judicial intervention (with corresponding judge frustration), and detract from the standard of care issues that should be the focus of the litigation.
Plaintiffs’ counsel rely on federal regulations under HIPAA and the HITECH Act to support their argument that a plaintiff has a right to inspect all of his or her protected health information (PHI) and that PHI includes everything in the EMR.1 Plaintiffs’ counsel are citing to recent rules proposed under the 21st Century Cures Act as further support for the argument that audit trail data, including metadata associated with a patient’s EMR, is included in the patient’s right of access under federal law.2 In response, defense counsel argue that the language in the federal statutes and regulations demonstrates that an audit trail is not a part of a patient’s “qualified electronic health record” or “designated record set” that must be produced in litigation.3 An audit trail does not contain information about the actual treatment related to a patient, nor does it contain patient health
Healthcare Practice
  1 2
3
See 45 C.F.R. § 164.523(a)(1); 45 CFR § 160.103 (definition of
protected health information).
See 21st Century Cures Act: Interoperability, Information Blocking,
and the ONC Health IT Certification Program, 85 Fed.Reg.
25642, 25697-98, 25794 (May 1, 2020); 45 C.F.R. § 170.315(b)(10). See 42 U.S.C.A § 3000jj (definition of “qualified electronic record
set”); 45 C.F.R. § 164.501 (definition of designated record set).
79
FDCC ANNUAL INSIGHTS 2023