In medical malpractice cases, audit trails tell the true story of how a medical record was created. This true story is not just a good idea; its a legal requirement. Since 2005, the Health Insurance Portability and Accountability Act (HIPAA) has required all healthcare organizations to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Since 2014, electronic health records (EHRs) must maintain audit trails adhering to the ASTM E2147 standard for tracking health information technology (HIT) use. Due to these regulations, virtually all EHRs in the United States now track at least 4 pieces of information about every episode of patient record access:
- Who accessed a record
- Which patient record was accessed
- What time the access occurred
- What action was performed, including adding, deleting, or copying information
In the right hands, these 4 pieces of information can be used to identify information in the medical records that was added late or changed, especially following acts of malpractice or other significant events.