Most plaintiffs’ attorneys now request audit trails immediately with the first contact for e-discovery, and risk managers often groan when they think of the work involved. However, there is a reason to seek the audit trail for your own benefit: It might show more exculpatory evidence than a paper printout of the same file.
Even with an automated auditing system, it may be time-consuming and burdensome to request the audit trail from the IT department and verify the facts of the case. However, it is almost always worth the trouble, says Catherine J. Flynn, JD, an attorney with the law firm of Carroll McNulty Kull in Basking Ridge, NJ.
An audit trail provides a record of every time the document was accessed or transferred, and it can be the best defense to claims of incomplete or misleading e-discovery. While sometimes burdensome to put together, the audit trail can be invaluable, she says.
“We’re finding that the audit trail is more friend than foe in litigation, especially if there is a charge that the file has been amended or altered,” Flynn says. “The audit trail will establish, for example, that the charting was done contemporaneously, in real time. It gives us valuable information and helps us establish that the documentation is as it should be.”
That position is particularly important when electronic records are inconsistent with paper records, which is quite common in hospital litigation, says Michael A. Moroney, JD, also an attorney with the law firm. The information on the paper record may not necessarily conflict with the electronic health record (EHR), but it is likely to be incomplete and less clear.
“What the clinician is entering and reading on the electronic record is often vastly different from what we see on paper,” Moroney says. “Information on a computer screen often does not translate well to a printed form, so even when you take that electronic record and print it out, you’re not likely to get an exact copy of what the nurse or doctor was working with.”
Audit Trail Saves Doctor
Flynn recalls a case a few years ago in which the plaintiff’s attorney requested the client’s record directly from the medical records department of a hospital before any lawsuit had been filed. The patient’s record consisted of only one visit to the ED, and the medical records department had only the hard copy printout of the electronic record because that was what the ED routinely sent for filing.
The medical records department provided a copy of the printout to the attorney, and later the hospital realized that the printout omitted a key piece of information: that the patient did not comply with treatment and was discharged against medical advice (AMA), after being advised that doing so could result in paralysis. The doctor properly documented the AMA and warning in the electronic record, but it did not print on the hard copy.
The patient was paralyzed from the waist down a week after the ED visit. He sued the physician and told his attorney that he had complied with treatment and wanted to be admitted to the hospital. When the doctor received a subpoena, he went into the electronic record to confirm that he had properly documented the AMA and warning about paralysis. He couldn’t understand why the patient was suing and why the plaintiff’s attorney took the case. The doctor printed the medical record as proof of his actions, made sure that the AMA and warning appeared on the printout, and gave that hard copy to his attorney.
File Shows No Alteration
During interrogatories, the doctor’s attorney provided the new printout showing the AMA.
“It appeared that the doctor had altered the medical record, adding the perfect defense to being sued,” Flynn says. “The doctor swore that he entered that information before the patient ever left the building, but the first printed record was a pretty good argument that he had added that later.”
Flynn obtained the audit trail for the patient’s record, which clearly showed the date and time the information was entered. That entry came before the time a nurse entered the time of discharge AMA. The plaintiff still resisted, so Flynn’s firm had to convince a representative of the EHR vendor to give a deposition about how the system works and why the audit trail was conclusive proof that the doctor had entered the information at that time.
“The case was dismissed, but only after a lot of time and expense because on the first look, the situation did look very questionable,” Flynn says. “At first blush, it did look like there was an addition to the chart two days after the physician was served. The lesson learned is that audit trails are not the enemy, even though they are sometimes perceived as onerous to put together.”
Helpful with HIPAA
Audit trails also can be helpful in addressing the new challenges and pitfalls of e-discovery. Previous policies and procedures on discovery may not be sufficient for complying with e-discovery, and risk managers should develop the necessary guidelines immediately, Flynn says.
E-discovery can be challenging, in part, because there are competing interests, Flynn says. The Health Insurance Portability and Accountability Act (HIPAA) requires hospitals to safeguard protected health information (PHI), but complying with e-discovery can sometimes involve that PHI.
“It puts the provider in a difficult position, trying to figure out how to satisfy all these compliance dictates,” Flynn says. “There has to be a process by which you compile e-discovery, evaluate it, and make sure every step of the way that you’re abiding by both the court rules, while still maintaining the HIPAA protection. Providers really struggle to make the marriage between the two a happy one.”
The tension arises because evidence rules essentially require turning over all electronic documents related to the case, Moroney says. That requirement applies to all cases, but healthcare cases bring the HIPAA conflict.
“You have to turn over all evidence to your adversaries, and if you don’t, both the client and the attorney can be in trouble,” Moroney says. “You could be facing an amendment to a plaintiff’s complaint alleging failure to turn over necessary medical records. So you have that on the one hand and, on the complete opposite side, is HIPAA saying you can turn over protected information only in limited circumstances.”
Audits Show Compliance
Protecting PHI has become even more important in recent years as it became known that medical records are among the most sought-after documents for identity thieves, Moroney notes. At the same time, the adoption of EHRs greatly increased the amount of electronic PHI that any healthcare provider must protect.
Healthcare providers already have HIPAA compliance programs, but many need to assess those policies and procedures to make sure they include the risk management department and e-discovery procedures, Flynn says. HIPAA education and compliance should address e-discovery and how to comply with both requirements, she says. In particular, emphasize that e-discovery is not just about the EHR, but all documents involving patient care.
“There are documents that pertain to a patient but are not considered a specific part of the medical record, but are still maintained electronically and stored separately,” Flynn says. “You must have specific e-discovery policies and procedures in place so that everyone knows these are the steps we take once e-discovery is undertaken.”
Releasing information can be tricky, but hospitals also must preserve information that might be requested later. Once a lawsuit is filed, or there is a reasonable belief that there is a claim, most jurisdictions require the healthcare provider to maintain all documents and electronic information related to the case so that the evidence is available as the litigation proceeds.
Educate staff members about the need to preserve such information because their focus is likely to be on HIPAA compliance rather than evidence rules, Flynn says.
If there ever is an allegation that the hospital violated HIPAA — either as part of e-discovery or otherwise — an audit trail can be the best defense, Moroney says.
“Compliance with HIPAA is all about reasonableness, whether you took reasonable steps and established reasonable safeguards to protect patients’ PHI,” Moroney says. “The audit trail is like a history of your compliance efforts. It can show what you did and when you did it, who accessed a certain file and when. If you were reasonable in your compliance efforts, the audit trail can help prove that.”
SOURCES
- Catherine J. Flynn, JD, Carroll McNulty and Kull, Basking Ridge, NJ. Telephone: (908) 848-6300.
- Michael A. Moroney, JD, Carroll McNulty Kull, Basking Ridge, NJ. Telephone: (908) 848-6300.