Physician anesthesiologist at Stanford at Associated Anesthesiologists Medical Group
Richard Novak, MD is a Stanford physician board certified in anesthesiology and internal medicine.Dr. Novak is an Adjunct Clinical Professor in the Department of Anesthesiology, Perioperative and Pain Medicine at Stanford University, the Medical Director at Waverley Surgery Center in Palo Alto, California, and a member of the Associated Anesthesiologists Medical Group in Palo Alto, California.
The Audit Trail in the Electronic Medical Record

A spy lurks within every Electronic Medical Record (EMR), and most doctors have no idea that sentry exists. Every time a healthcare provider clicks his or her mouse on an EMR, that click is recorded by the Orwellian Big Brother of Medical Care, the audit trail. An audit trail can be defined as a “record that shows who has accessed a computer system, when it was accessed, and what operations were performed.” Virtually all EMRs in the United States now track at least four pieces of information about every instance a healthcare provider accesses a patient: 

  1. Who accessed, 
  2. Which patient record,
  3. At what time, and 
  4. The action they performed. 

The audit trail is NOT part of the EMR printout, and it’s not visible on the EMR patient care screen that we healthcare providers see. Lawyers can subpoena the audit trail in malpractice legislation, and the hospital must provide the audit trail if the court decides that the audit trail is relevant. An audit trail will look like an Excel document, with the provider’s name in one column and the information about each click listed in other columns:

In any malpractice legislation, an attorney will most likely have to hire an expert to interpret this audit trail for the judge and jury to understand what the document illustrates.

The audit trail was mandated by the 2005 Security Rule of the Health Insurance Portability and Accountability Act (HIPAA), which required all healthcare organizations to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”  Any organization that works with electronic protected health information—which includes patient names, addresses, social security numbers, and other pieces of sensitive personal information—must use audit trails. The purpose of the audit trail was to detect inappropriate viewing of the EMR by someone who was not directly caring for the patient. For example, preventing a healthcare provider from clicking on the EMR of someone else’s patient who is a neighbor, a previous girlfriend, a celebrity athlete, politician, or entertainer. But an audit trail is a roadmap to a physician’s EMR use, and in the case of a malpractice lawsuit, the audit trail can be either redeeming or damning.

Back in the era of handwritten medical records, Samuel Shem described “buffing the chart” in his medical satire novel “The House of God.” 

“Buffing the chart” was a dishonest means of writing medical notes in a patient’s chart to make the patient look well-treated, without the doctor providing that treatment. Buffing the chart, or any other dishonesty, is impossible with EMRs. The audit trail will document whether you provided standard medical care in real time or not. If your patient has a significant complication or an adverse outcome, a lawyer can subpoena the audit trail and hire an expert to interpret it. 

Indeed, the most common use of audit trails is in medical malpractice actions. Let’s look at some hypothetical examples:

  • A 36-year-old woman is scheduled for emergency surgery at 3 a.m. for an ectopic pregnancy. The patient weighs 250 pounds and is 5 feet tall, for a Body Mass Index (BMI) = 48.8. On induction of general anesthesia, the anesthesiologist working alone is unable to successfully place an endotracheal breathing tube and is unable to ventilate oxygen into the patient. The patient develops anoxic brain damage. The family sues the anesthesiologist, and the plaintiff attorney orders an audit trail. The audit trail documents that the anesthesiologist never clicked on an available old anesthetic record which documented that this patient had a difficult airway, in which it took two anesthesiologists twenty minutes to successfully insert an endotracheal breathing tube using both a GlideScope and a fiberoptic laryngoscope. The audit trail also documents that one day after the surgery, the anesthesiologist added a paragraph to his preoperative note claiming that he was aware of the previous difficult airway diagnosis. Once the audit trail results were revealed, the anesthesiologist and his defense lawyer realize that they cannot win, and they pay a malpractice settlement out of court.  
  • A 55-year-old man is scheduled for a left hip replacement. His past medical history is significant only for hyperlipidemia. The EMR shows standard of care anesthetic management for the surgery, but in the Post Anesthesia Care Unit (PACU) the patient develops shortness of breath, chest pain, and needs to be reintubated and sent to the Intensive Care Unit. Cardiologists diagnose an acute myocardial infarction (MI) and congestive heart failure. The patient survives, but the MI leaves the patient with reduced cardiac output and chronic heart failure. The patient sues, and the plaintiff attorney orders an audit trail. The audit trail reveals that the anesthesiologist never looked at the preoperative ECG which showed ischemic changes. The standard of care following this abnormal ECG required a cardiology consult prior to the elective surgery. The plaintiff wins the case as the anesthesiologist and the primary care doctor failed to make the required referral to a cardiologist prior to the hip surgery.
  • A 55-year-old patient on chronic dialysis is scheduled for revision of a left forearm dialysis fistula. The patient receives general anesthesia for the case and has a cardiac arrest mid-surgery. The patient’s family sues, and the plaintiff attorney orders an audit trail. The audit trail shows that the patient’s potassium level prior to surgery was markedly elevated at 8.1, and this lab value was available on the chart 30 minutes prior to the induction of anesthesia, and the anesthesiologist never clicked on the laboratory value to check what the result was prior to the surgery. The plaintiff wins the malpractice lawsuit.

The following are quotations from a legal review article titled “A Pandora’s Box: The EMR’s Audit Trail.”

  1. A subpoena for audit trail information must be for legitimate reasons.  
  2. There is no clear precedent currently on the issue of whether a defendant health care provider must produce an audit trail as a matter of standard course as if it were the medical record itself. Courts surprisingly are deciding the issue primarily on relevance grounds.
  3. Once the audit trail is produced and counsel has had a chance to review it to the care rendered, plaintiff’s counsel may seek to make an issue regarding the truthfulness of the information contained in the EMR at trial including allegations of alteration or wrongdoing.
  4. Simple conjecture or inferences that an EMR record was altered based on a review of the audit trail is not enough, and expert testimony to support that position may be required. Absent expert testimony, a plaintiff patient was not permitted to present evidence to the jury.

The following are quotations from a legal publication “The Utility of Audit Trails Analysis in Medical Malpractice Actions” :

  1. Each time a patient’s EMR is opened, regardless of the reason, the audit trail documents this detail. The audit trail cannot be erased, and all events related to the access of a patient’s EHR are permanently documented in the audit trail. Providers cannot hide anything they do with the medical record. No one can escape the audit trail. It’s easy to see how and why an audit trail could serve as an important piece of evidence in a medical malpractice action. 
  2. In printed form, [audit trails] can look like gibberish to the untrained eye. Fortunately, there’s a simple solution to these problems: the use of an expert trained in understanding and navigating EMR systems and interpreting and explaining audit trails.

The take-home message: the era of “buffing the chart” is over. Whenever we healthcare providers click on any item on the EMR, or whenever we don’t click on an item on the EMR, a Big Brother Audit Trail is watching and permanently recording who accessed the EMR, which patient item was accessed, at what time, and what action was performed.



The most popular posts for laypeople on The Anesthesia Consultant include:
How Long Will It Take To Wake Up From General Anesthesia?
Why Did Take Me So Long To Wake From General Anesthesia?
Will I Have a Breathing Tube During Anesthesia?
What Are the Common Anesthesia Medications?
How Safe is Anesthesia in the 21st Century?
Will I Be Nauseated After General Anesthesia?
What Are the Anesthesia Risks For Children?

The most popular posts for anesthesia professionals on The Anesthesia Consultant  include:
10 Trends for the Future of Anesthesia
Should You Cancel Anesthesia for a Potassium Level of 3.6?
12 Important Things to Know as You Near the End of Your Anesthesia Training
Should You Cancel Surgery For a Blood Pressure = 170/99?
Advice For Passing the Anesthesia Oral Board Exams
What Personal Characteristics are Necessary to Become a Successful Anesthesiologist?