AUDIT TRAIL FAQs

FREQUENTLY ASKED QUESTIONS

An audit trail, or more specifically the patient’s audit trail, is a report containing time-stamped entries of auditable actions performed by users in a patient’s electronic medical record (EMR).

How long does it take to generate an audit trail?

The amount of time required to run the report can vary from seconds for one day of data to about 20-30 minutes for multiple dates and/or an exceptionally long admission.

Does every EMR system have an audit trail?

Nearly every EMR system and medical device can produce an audit trail. This includes EMR systems for hospitals, physician clinics, urgent care centers, specialty providers like chiropractors and physical therapists, and nursing homes. Each EMR system is unique and may have different titles for their reports and may separate the various required auditable data into multiple reports.

What is an audit trail required to show?

The audit trail (or audit log) displays all recorded auditable actions such as signing of notes, queries, views, additions, deletions, and changes. 45 CFR § 170.210 (e), (h), ASTM E2147-18

Is the audit trail a comprehensive list of all data about the patient in the EMR?

No. The audit trail is a report that displays specific fields of data that the EMR system and/or the healthcare organization chose to include in their standard audit trail report. EMR system databases store significantly more information than what is displayed in the patient’s audit trail. The patient’s audit trail should be seen as a starting point when it comes to ediscovery. In addition to the patient’s audit trail, there are document audit trails and revision histories, order audit trails, image audit trails, and more.

Is an access log the same thing as an audit trail?

For most EMR systems, the answer is no. The answer to this question lies not in the name of the report but in the content of the document. For the most popular EMR system, there is some data overlap between the two reports, but the audit trail provides critical information regarding data integrity and care provided to the patient that the access log does not include.

Can every audit trail be produced in Excel?

For most of the major EMR systems, Excel ( or .csv) is either the default output format or is an output forma choice available to the user requesting the report. If Excel is an option, it is the preferred format because it allows for efficient data analysis and ensures no data was obscured by the process of converting the original Excel file into PDF, which is a common occurrence.

For which dates should I request the audit trail?

Audit trails should begin at the start of care at issue (or relevent admission) and extend to the date the records were printed for litigation. This is the only way to confirm the integrity of the printed record. Although uncommon, last minute changes to the patient’s chart can and have occurred right before records are sent to the patient’s attorney.

What kind of evidence can I extract from the audit trail?

Audit trails contain a wealth of objective data about the care provided to a patient and also allow one to verify the integrity of the patient’s medical record. The specific types of evidence contained in an audit trail will depend on how data-rich that particular EMR system’s audit trail is. At the very least, audit trails can be used to construct a tighter timeline of care, corroborate (or refute) deposition testimony, and reveal policies, alerts, and internal communications about the patient that are not typically considered part of the patient’s legal medical record but are nonetheless relevant to the care provided and, more often than not, is stored in a database and is discoverable.

How much time does it take to analyze an audit trail in a medical malpractice case?

This varies greatly on the duration of the patient’s admission or care at issue, the number of providers involved, the number of defendants, the complexities of the allegations, and whether there is a “mystery” to solve. An audit trail for a simple emergency room visit might require only 1 hour of review. A more complex case with multiple audit trail files and multiple EMR systems and devices involved could easily require 20+ hours of review.