The increased use of electronic medical records (“EMR”) is changing not only the way physicians practice medicine but also the way discovery is conducted in medical malpractice lawsuits. Plaintiffs’ attorneys seek to discover not only the contents of the medical records created by defendant healthcare providers, but also seek audit logs and access reports which are related to the EMR.
I. Plaintiff attorneys have the capability to manipulate, organize and sort the raw data to generate chronologies supportive of their theory of the case
Persons responding to discovery requests should understand the objectives of the plaintiff attorneys who make such requests. Plaintiff attorneys see the Audit Log as a supplement to the printed medical record which may contain vital clues to support their theories. Plaintiff attorneys have become knowledgeable about how various EMR systems operate and use that information to study records produced in discovery and to prepare for depositions. Plaintiff attorneys seek to obtain raw data in a format that can be manipulated to support theories of provider negligence.
II. What does the Audit Log data prove
EMRs are required by federal regulations to contain an audit log. The audit log must track information about who accessed the record, when the record was accessed, and some basic indications about what was done. Different vendors have different reporting features. The data is primarily used for HIPAA security compliance, but could be discoverable in litigation. Use of the Audit Log and Access Report data includes the capability of detecting who accessed the EMR for any length of time, regardless of whether a corresponding entry was made in the record. A physician who viewed a medical record may now be identified, and even become subject to deposition, when no record was created by the physician.
Additionally, Audit Log information is used to track when a physician viewed certain test results, such as lab reports or radiology studies. Plaintiff attorneys seek to determine if there was appropriate follow-up action after the provider obtained certain clinical information. If, for example, plaintiff contends there was a failure to timely follow-up on a worrisome lab result, the underlying data generated by the EMR can be used to support such a claim.
III. Audit Log: privacy versus litigation uses
Defense attorneys involved in discovery disputes in malpractice cases will argue that Audit Logs are required by law in order to monitor privacy violations, and not for use as a forensic weapon in litigation. Most judges are not familiar with the inner workings of various EMR systems, as the technology is still evolving. Providing the courts with memoranda of law pointing out the essential statutory requirements of Audit Logs, such as (1) who accessed a patient’s record, (2) when the user accessed the record, and (3) some basic information about what was done, can be helpful in the attempt to keep the Audit Log discovery within reasonable bounds. (See, 42 C.F.R., §495.6(d)(15)(i) (2010); 45 C.F.R. §164.308(a)(1) (2012); 45 C.F.R. §170.210(b), as adopted in 2010.)
IV. Providers should anticipate Audit Log discovery requests early on, even before litigation
The use of “preservation letters” (a letter requiring maintenance of all the EMR data) is becoming more prevalent in malpractice cases. Such a letter may be the provider’s first notification that a lawsuit is being contemplated. As soon as a provider receives any notification that the provider may be the object of a malpractice suit, it should immediately notify its insurance carrier, and upon designation of defense counsel, the provider should comply with counsel’s instructions regarding preservation of records, limiting further access to the records, and running an Audit Log report showing access to date.
The increased use of electronic medical records will make the discovery process more complex for all parties involved.