top of page

Audit Trails: The Not-So-Silent Witness

A standard report that takes minutes to generate is increasingly becoming one of the most important pieces of evidence in medical malpractice litigation.


Saira Pasha


Journal of the DuPage County Bar Association


May 2, 2022

Audit Trails: The Not-So-Silent Witness

A standard report that takes minutes to generate is increasingly becoming one of the most important pieces of evidence in medical malpractice litigation.

Want to know when a doctor first reviewed a lab result? How much time was spent viewing a CT scan before a diagnosis was made (or missed)? Whether the patient’s medical records were altered after a bad outcome? What time a vitals-monitoring device was removed from a patient in the ICU? Whether every note generated during the care and treatment of a patient was produced? What emergent, life-saving care a patient received when chart notes were sparse or nonexistent? Which chart notes a physician reviewed before examining a patient? The audit trail can tell you.

When it comes to investigating and evaluating a medical malpractice claim, the power of the audit trail is undeniable. When millions of dollars and/or reputations are at stake, jurors no longer need to solely rely on witness testimony or potentially subjective medical records; the audit trail provides objective data that can serve as a “silent witness.”


An audit trail, or more specifically, the patient’s audit trail, is a report containing time-stamped entries of auditable actions performed by users in a patient’s electronic medical record (EMR). The audit trail (or audit log) displays all recorded auditable actions such as signing of notes, queries, views, additions, deletions, and changes.1

Nearly every EMR system has an audit trail report built into it (pre-programmed). Some allow the health care provider to further customize the report, such as including additional columns of data. Generating a patient’s audit trail typically takes less than 10 minutes from start to finish. Even a patient with a substantial amount of data due to a months-long admission can have her audit trail generated in less than an hour. This applies to all EMR systems, including those used by hospitals, urgent care facilities, physician clinics, and nursing homes/skilled-care facilities.


In medical malpractice cases, an audit trail can be utilized in many ways, such as verifying the integrity of the patient’s chart, making sure all records were produced, filling in gaps in the timeline of care from the printed medical record, identifying witnesses who were involved in the patient’s care but who were not identified in the medical record, and corroborating witness testimony.

While this might initially seem to primarily benefit the plaintiff, the same data can easily be used to bolster the defense of a case, especially when emergent care was required. If a patient suddenly became unresponsive and a code was called, the audit trail shows when and which labs, tests, and procedures were ordered stat and when they were performed and resulted, even if no note was composed until hours later.

A patient’s audit trail also displays information that is typically not included as part of the patient’s legal medical record but is nonetheless discoverable. This can include internal communications between treating physicians and nurses, system alerts that were triggered by the patient’s vitals or lab values (e.g., a sepsis alert), order sets used as part of a formal policy/protocol or clinical initiative, and more. Because the data contained in audit trails often results in supplemental written discovery requests, these reports should be reviewed as early as possible and ideally before depositions are taken.

Outside of litigation, hospitals and medical malpractice insurance carriers can use audit trails to identify health care providers who do not follow mandatory documentation or care protocols, modify records inappropriately, or perform other tasks that increase risk exposure.


There is an abundance of literature about audit trails, but few resources that provide practical instruction on how to use them once produced. Following are two examples of how to analyze audit trails for data integrity and timeline of care.

Example 1: [See Link Below]

In the mock audit trail excerpt above, the data was filtered to show only Dr. John Smith’s note-signing activity. In the “Additional Details” column, there are three distinct numbers in brackets; these correspond to the unique document number, or identifier, for each note. The first note, document #12233445, was signed twice (16 minutes apart). The second note, document #12235631, was pended (saved but not signed) and then abandoned. The third note, document #12247899, was pended at 10:36 p.m. and signed the next morning. The significance of the “pend” action is that a provider can save the note, then modify it again before signing it. It will not be marked as amended/appended on the printed medical record because the changes occurred before the note was signed.

From the defense perspective, a provider may not have time to complete a detailed note after a complicated incident because he was too busy caring for the patient. From the plaintiff’s perspective, the delay in completing a note and its potential modification could signal a physician wanting to see the patient’s outcome or needing more time to carefully craft a note in the hopes of minimizing liability exposure.

The next step would be to obtain the complete document revision history for each of the three documents identified in the audit trail.

Example 2: [See Link Below]

In a case alleging that a nurse failed to monitor a patient, one can look to the audit trail to see if vitals and other critical data were entered contemporaneously or backdated.

This audit trail excerpt is filtered to only show Nurse Johnson’s flowsheet activity. The data shows Nurse Johnson reviewed the patient’s flowsheet several times but did not update it with additional data until 10:30 p.m., then again at 10:45 p.m. and 10:46 p.m. It is not unusual for nurses to not chart contemporaneously as they are busy caring for patients and might not have the opportunity to input data into the system. However, in the example above, if an adverse event occurred at 9:00 p.m., and the flowsheet entries made at 10:30 p.m. were actually backdated entries for 9:00 p.m., those entries would require more scrutiny.


One area of confusion is whether an access log is the same thing as an audit trail and/or if the access log is a good substitute for an audit trail. For most EMR systems, the answer is no.

For example, the EMR system Epic can produce two distinct reports that both contain information about auditable events: the audit trail and the access log. While there is some overlap in the data contained in these reports, the access log does not contain data with which one can verify the integrity of the patient’s medical record. An audit trail distinguishes between adding and deleting a note; an access log will sometimes refer to both actions as an “edit.” An audit trail provides the unique identifiers for documents, orders, alerts, and provider communications; an access log contains no unique identifiers (such as the document ID # in the audit trail excerpt above).


Common defense objections to producing the audit trail include burden, relevance, and privilege. The first two can easily be overcome using the information explained above. Privilege is more complicated and concerns larger policy issues, but there is a solution.

Two protected events under the Illinois Medical Studies Act are peer review and root cause analysis meetings.2 Both events take place after notice of an adverse event is received; they can take place days later or months later. From a policy perspective, the privilege is extended to encourage health care providers to be open and forthcoming with details about adverse events to avoid the same event occurring again, if preventable.

A patient’s audit trail should extend until the date the medical records were printed for litigation. If a meeting covered by this privilege takes place in that time period, the associated line items from the audit trail can be redacted while leaving the column showing the auditable activity unredacted. This way, the plaintiff’s attorney can rest assured that no chart modifications were redacted under the ruse of privilege. It can look something like this:


If any doubt remains about the significance of audit trails in medical malpractice cases, consider a recent order for sanctions entered in Cook County against a hospital which resulted in a default finding of liability in a case potentially worth eight figures. The sanctions were ordered, in part, due to the defendant hospital’s failure to produce the patient’s audit trail, an access log produced instead of an audit trail, and statements made about the ability to produce the audit trail that the court determined to be false.3

We are at the beginning of a major, industry-wide change in how medical malpractice cases are investigated, and attorneys on both sides (and judges) still have a lot to learn when it comes to understanding audit trails and EMR technology. However, as more and more attorneys become educated and skilled at the interpretation of audit trails and see the value of the evidence contained in them, it is just a matter of time before the production and analysis of EMR audit trails become part of the standard workup of every medical malpractice lawsuit.

1. 45 CFR § 170.210 (e), (h); ASTM E2147-18.

2. 735 ILCS 5/8-2101, et seq.; Roach v. Springfield Clinic, 157 Ill.2d 29, 40 (Ill. 1993) (discussing application to peer review); Mnookin v. Northwest Community Hospital, 2018 IL App (1st) 171107, ¶ 40 (discussing application to root cause analysis).

3. Prieto v. Rush University Medical Center, Case No. 2018 L 003531 (Cir. Ct. Cook Cty. Apr. 9, 2018).

Saira Pasha is the owner of Audit Trail Pro, LLC. She previously worked as a medical malpractice claims professional and now serves as a consultant for plaintiffs and defense firms. Ms. Pasha completed her undergraduate degree in operations management (emphasis: information systems) at Northern Illinois University and her law degree at Chicago-Kent College of Law.

The DuPage County Bar Association grants permission to reprint all or part of this article, Audit Trails: The Not-So-Silent Witness by Saira Pasha, Volume 34, Issue 6, May/June 2022 edition of the DCBA Brief magazine. Copyright 2022, DCBA Brief, All Rights Reserved.

This article or media transcript is attributed fully to the author(s) and publishing agency listed above. This work does not belong to the Family Justice Resource Center—it is shared solely for archival and reference purposes. Any citations should include the original publication, found by following the link above. Transcription may be incomplete and/or contain errors. No revenue is generated by works in this archive. The views expressed in this article do not necessarily reflect the views of the Family Justice Resource Center. For any inquiries, revisions, or requests regarding content recorded in this archive, please contact us here.

bottom of page