Ten years ago, the courts were satisfied when the defendants stated there were no audit trails and could only produce a limited patient record. Everyone was satisfied with that answer. Now the courts have seen the capabilities of the modern-day Electronic Medical Record and have ordered everything from virtual site inspections, in-person inspections aided by the EMR vendor, disclosure of system documentation and forensic audits of systems. Defendants can no longer stand idle or take the position that the data does not exist.

Background on certified Electronic Medical Record (EMR) Systems

In 2011, the Department of Health and Human Services (DHHS) Centers for Medicare and Medicaid Services (CMS) established the Medicare and Medicaid EHR Incentive Program (now known as the Promoting Interoperability Program) to encourage clinicians, eligible hospitals, and CAHs to adopt, implement, upgrade (AIU), and demonstrate meaningful use of Certified Electronic Record Health Technology. Physicians received $67,250 from the Federal Government and Hospitals received at a minimum $1,200,000 as a base payment for implementing a Certified Electronic Medical Record System.

EMR vendors had to go through rigorous testing and evaluation, as well as attest to the Federal Government that they could meet the program requirements. The attestation process was governed by the DHHS Office of National Coordinator (ONC) and required that an EMR have transaction-level auditing (an audit trail). Once a vendor met the requirements, its products would be listed on the ONC Certified Health Product List website.

Only a handful of hospitals across the nation serving the Medicare and Medicaid eligible population did not receive funding from the Federal Government.

Did Practitioners and Hospitals attest to the federal government that they were using a Certified Electronic Medical Record System?

Yes. All practitioners and hospitals that applied for government funding to help pay for all or part of their Electronic Medical Record System attested that their system could meet the program requirements. One way the providers of care knew the system could meet the requirements is that the Office of National Coordinator maintained a website of the EMR products that met the requirements. A provider would simply click on the various models and software and determine if the combination of the vendor’s software constituted a certified and complete Electronic Medical Record System. The ONC system would then generate a number similar to a VIN on a car that was needed to apply for government incentives.

Who maintains the EHR Incentive program applications?

Each state was responsible for creating a website to educate the public and practitioners on the efforts of interoperability. Additionally, each state administered the Federal Government’s EHR incentive program and each state maintains the applications for incentives.

What is an Audit Trail?

An audit trail allows for the tracking of an individual’s access to an Electronic Health Record, including any modification, deletion, or addition to the Electronic Health Record. Among other things, an audit trail must include information documenting who accessed the electronic information and what was done during that access period (45 C.F.R § 170.210).

Specifically, the audit trail must provide “the date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which action(s) occurred and by whom must also be recorded” 45 C.F.R § 170.210.

Audit trails are required to include any modifications made to a patient’s medical record, what was changed, what it was changed to, and what it was changed from.

HIPAA Mandates Audit Trails 45 C.F.R § 164.312(b) & 45 C.F.R § 170.210(b)

A health care facility must maintain an audit trail of a patient’s electronic medical record. Specifically, the audit trail must provide “the date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which action(s) occurred and by whom must also be recorded.”

HIPAA Audit Trail Requirements ASTM E2147-18

“Audit reports designed for system access provide a precise capability for healthcare providers, organizations, patients, patient representatives, and advocates to see who has accessed and/or manipulated patient information.”

Audit Trail Retention 45 C.F.R. § 164.316

The audit trail must be available for a minimum of 6 years.

Patient’s Right to Access the Audit Trail 45 C.F.R § 164.24

An individual has a right of access to obtain a copy of his/her protected health information.

Individual Access 45 C.F.R § 164.524(c)(2)(i)

A health care facility must provide the individual with access to protected health information in the form or format requested by the individual.

Protection from Alterations 45 C.F.R. §164.312(c)(1)

Providers of care must “implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”

Medical Providers Must Protect records from alteration 45 C.F.R. § 170.210(h)

“Because of the significant risk of medical information manipulation in computing environments by authorized and unauthorized users, the audit report is an important management tool to monitor access and any such manipulation retrospectively. In addition, the access and disclosure logs become powerful support documents for disciplinary and legal actions.”

There are no exemptions from Federal Audit Trail Requirements

The certification criteria are set forth by the Centers for Medicaid and Medicare Services (CMMS) Office of National Coordinator (ONC) and administered by the State Government. The program provides in most cases for the entire cost of adopting, implementing and upgrading a certified EMR. As part of the certification requirements, the practice must have in place transaction level auditing. If a practice is deficient, it would require self-reporting to the Inspector General’s Office and would result in a substantial loss, as the Medicare and Medicaid reimbursement rates are tied to the certification.

Providers of Care and Third-Party Brokers

“Providers of Medical Care,” and are thus “Covered Entities” under applicable law 42 U.S.C. 1395x(s), 45 C.F.R. §170.210(h) (incorporating ASTM Standard E2147-01). “Providers of Medical Care” would encompass “a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s))” 45 C.F.R § 160.103. The definition of “health care provider” in 42 U.S.C. 1395x(s) specifically covers, for example, “diagnostic X-ray tests” (42 U.S.C. 1395x(s)(3)) and “X-ray, radium, and radioactive isotope therapy, including materials and services of technicians” (42 U.S.C. 1395x(s)(4)). It should also be noted that, as a provider of electronic services to the Defendant “Covered Entities,” most third-party vendors of data holders would (at the very least) be deemed a “Business Associate,” bound by the same audit trail requirements (HIPAA and the HITECH Act, 45 CFR § 160.103).

Transmission of Health Data requires compliance 45 CFR 160.103

Transmitted “health information” in electronic form. Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:

(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual (45 C.F.R § 160.103).

Can the Plaintiff test the credibility of the Defendant’s EMR?

Under 45 C.F.R § 164.524(c)(2)(i) a health care facility must provide the individual with access to protected health information in the form or format requested by the individual.

General EMR Audit Trail Elements

Audit Trails consist of many data elements:

User ID; Date of entry; Time of entry; Field that was edited; Whether the entry is a correction to an existing entry; Value or text entered into the field; Display time of the entry; Any notes or annotations entered; ID of the user making any correction; Time that the correction was made; and Iterations of each entry
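
As an added example (not from the article or any EMR vendor), the Python code below reviews an exported audit trail for the elements quoted above from 45 C.F.R § 170.210 and for changes made long after the original entry. The CSV column names, the 30-day threshold and the sample rows are assumptions constructed for illustration; real EMR exports differ.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not any vendor's format.
SAMPLE = """\
timestamp,user_id,patient_id,action,field,old_value,new_value
2019-03-01T08:15:00,rn_alvarez,P1001,create,bp_systolic,,182
2019-03-01T08:20:00,dr_chen,P1001,access,,,
2019-06-14T16:40:00,dr_chen,P1001,modify,bp_systolic,182,128
2019-06-14T16:42:00,,P1001,modify,progress_note,,
2019-03-02T09:00:00,rn_alvarez,P1001,delete,allergy,penicillin,
"""

# Date/time, user, patient and action: the elements every record must carry.
REQUIRED = ("timestamp", "user_id", "patient_id", "action")


def review_audit_export(text, late_after=timedelta(days=30)):
    """Return (gaps, late_edits) for one audit-trail export given as CSV text."""
    rows = list(csv.DictReader(io.StringIO(text)))
    gaps, late_edits = [], []
    # First pass: when was each (patient, field) entry originally created?
    created = {}
    for row in rows:
        if row["action"] == "create" and row["timestamp"]:
            key = (row["patient_id"], row["field"])
            created[key] = datetime.fromisoformat(row["timestamp"])
    # Second pass: completeness of each record, then timing of each change.
    for line, row in enumerate(rows, start=2):  # line 1 is the CSV header
        missing = [c for c in REQUIRED if not (row[c] or "").strip()]
        if row["action"] in ("modify", "delete"):
            if not row["field"]:
                missing.append("field")  # no record of what was changed
            if not (row["old_value"] or row["new_value"]):
                missing.append("old_value/new_value")  # no from/to values
        if missing:
            gaps.append((line, missing))
        origin = created.get((row["patient_id"], row["field"]))
        if origin and row["action"] in ("modify", "delete") and row["timestamp"]:
            delay = datetime.fromisoformat(row["timestamp"]) - origin
            if delay > late_after:
                late_edits.append((line, row["user_id"], row["field"], delay.days))
    return gaps, late_edits
```

On the constructed sample, the record with no user ID and no before/after values is reported as a gap, and the blood-pressure change entered 105 days after the original reading is reported as a late edit.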

Are audit trails kept within the Core Medical Record System?

Yes and No. Most EMRs have various audit trails. Some of the most well-known EMRs capture access logs, including everything from every keystroke made into the system to modifications of patient record data. Some systems do not have the proper auditing and compliance modules necessary to constitute a certified system; therefore, multiple vendors’ modules must be combined. For instance, in many EMR installations the auditing and compliance module within the core software is not robust, and therefore hospitals often purchase products such as FairWarning or P2Sentinel, which are auditing programs that capture an extreme amount of data regarding who touched what record and for what purpose.

One of the problems I run into often is that defendants take the position that the auditing information is not part of the patient’s record. This defense falls flat as the courts routinely have required the production of these records.

What if you suspect your client has not given you the full medical record?

Disclaimer – if you don’t know what ESI your client has available, you run the risk of sanctions and sometimes independent of your client!

Below is a link to a white paper, although dated, “Spoliation of Evidence and Medical Malpractice” by Anthony C. Casamassima in Pace Law Review that sheds light on some of the dangers.

Spoliation of Evidence and Medical Malpractice

There are numerous regulatory requirements regarding audit trails (metadata) and medical record data. Hospitals and practice groups often have professionals who are responsible for compliance and security. You will often find individuals from the following groups as being key to finding medical record data and auditing information:

Security Group

HIPAA Compliance Officer

Health Informatics

Health Information Management (HIM)

Information Technology

EMR Team

I always advise my clients to gain a full understanding of each department’s role in implementing, managing and maintaining the EMR.

Sample EMR Specific Questions to ask

State the retention policies governing all healthcare data?

State the disposition of healthcare data?

What metadata exists regarding this patient’s visit on __?

What audit trails exist for all healthcare data?

What changes to the EMR were made after ____?

Have you turned off any of the default section of the EMR?

What is your ONC Certification number?

What government funds did you receive for adopting, implementing, maintaining or meaningfully using an EMR?

Call my office for an exhaustive list…

Sample Documents to seek

Electronic Medical Record given to the patient when requested

Access Log

EMR User and Administration Guides (usually can be provided under seal)

Training logs for anyone who has touched the patient’s record

If the patient was on Medicare, 837 transmittal forms

All billing to the insurance carriers

Phone Notes

A listing of all auditing reports created in the EMR or systems that query the EMR databases (FairWarning, P2Sentinel)

A listing of all medical devices that are submitting data into the EMR

Hospital Physical Access logs (security check-in and check-out)

Contract between the EMR vendor and the provider of care

EMR vendor’s recommendations for record keeping

Call my office for a more exhaustive list…

Suspect the defendants have not given you the full medical record and audit trail?

Step 1: Ask probing questions

Step 2: Seek documents and materials

Step 3: Have someone knowledgeable about the EMR and auditing systems review the materials

Step 4: Have someone knowledgeable write a letter detailing the deficiencies

Step 5: Meet and Confer on the deficiencies

Step 6: If unsuccessful, request an on-site inspection of the records

Step 7: If unsuccessful, seek the court’s help and rely heavily on your expert to convince the court

Can defendants easily produce the audit trail and show what changes were made to a medical record?

Yes and No. Some EMRs have great auditing reports that can show what changes were made. Others, such as Cerner (17% market share), do not allow you to print the changes, which must be captured via screenshot. Seems ridiculous, doesn’t it? Why would an EMR allow a practitioner to alter a record months after the fact and those changes are not able to be memorialized in a report? Hence, why I am an advocate of on-site inspections of medical records. I always suggest video recording or at a minimum screen capturing.

Without intimate knowledge of the EMR it would be very difficult to get to the data. For instance, in long-term care settings they call the alterations strike outs, and in one of their top EMRs it takes no less than 25 steps to get to the strike outs and read the data. I recently spoke to a 10-year auditing veteran for the Department of Health and Human Services and showed him how it can be done. He looked astonished. He called me a week later and said that the veil had been lifted and that, in his first inspection after meeting with me, he used the knowledge and was able to see the changes for the first time.

I’ve also provided a Sample Order for EMR Site Inspection