Your browser is unsupported

We recommend using the latest version of IE11, Edge, Chrome, Firefox or Safari.

Metadata – How Technology Has Changed Routine Disclosures

Technology has changed our lives. We can now access any and all information at our fingertips. While technology has affected every individual’s life, it has also affected the medical community. Electronic health records became prominent in the medical community and hospitals in the 1990s[1] and have only expanded since. With the change in technology, came the change of monitoring technology – metadata. Metadata or an “audit trail” can be “envisioned as words in a dictionary – words that describe words.”[2] Moreover, in medical malpractice cases, it is now something that has been routinely requested in discovery. However, there is a dispute for hospitals, medical providers, and attorneys alike – is an audit trail apart of the medical record?

    A. A Look at Federal Statutes Defining Metadata Otherwise Known as the “Audit Trail”

HIPAA logging requirements state that “audit logs are records of events based on applications, users, and systems.”[3] Audit trails “involve audit logs of applications, users, and systems.”[4] Audit trails’ main purpose “is to maintain a record of system activity by application process and by user activity.”[5] Courts have gone a step further to define an audit trail as “‘secondary information,’ not apparent on the face of the document, ‘that describes an electronic document’s characteristics, origins, and usage.’”[6] The information typically in an audit trail includes “a date, time, the name of the person who accessed the record, their user ID and the action that was taken and the items in the record viewed.”[7]

An audit trail is metadata that is unrelated to a patient’s care and treatment and therefore, is not part of the patient’s designated record to which HIPAA’s Privacy Rule and HITECH Act grant the patient and authorized person access.[8] Under 45 C.F.R. § 164.501 “designated record” is defined with no express or implicit meaning of an audit trail. The regulation provides that:

Designated record set means:

(1) A group of records maintained by or for a covered entity that is:

(i) The medical records and billing records about individuals maintained by or for a covered health care provider;

(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.[9]

The definition of “designated record” affords no suggestion that an audit trail is part of the patient’s medical record. Moreover, the audit trail is not intended to make decisions about the patient.[10]

Likewise, 42 U.S.C.A. § 300jj under a “qualified electronic health record” there is nothing to suggest that an audit trail would be included in the medical record. 42 U.S.C.A. § 300jj provides that:

The term ‘qualified electronic health record’ means an electronic record of health-related information on an individual that–

(A) includes patient demographic and clinical health information, such as medical history and problem lists; and

(B) has the capacity–

(i) to provide clinical decision support;

(ii) to support physician order entry;

(iii) to capture and query information relevant to health care quality; and

(iv) to exchange electronic health information with, and integrate such information from other sources.[11]

There is nothing to suggest that the audit trail would be captured under this regulation, as the audit trail does not contain patient health information, nor does it contain information about the treatment to the patient or health care quality. These federal statutes[12] above are controlling in this matter because federal law, not state law, governs what constitutes a medical record and the accessing of it. Further, federal law preempts state law under the Supremacy Clause of the Constitution.[13] Therefore, under the plain reading of federal statutes, the audit trail would not be considered part of a patient’s medical record.

    B. Disclosures of Audit Trails and Their Effect on Discovery

Based on the plain reading of the statutes above, the issues that arise are whether an audit trail can and should be routinely disclosed during discovery. This article suggests it cannot without reason. That contention is not only based on the statutes above, but well-reasoned case law.  Vargas v. Lee, a case in the Supreme Court of Kings County, New York, made a clear distinction that “a party does not have a right to uncontrolled and unfettered disclosure.”[14] While an audit trail may be pertinent if the authenticity of the documentation is in question, typically the details about the patient’s treatment are already available in the electronic medical records.[15] Further, while the audit trail may contain information on the “timing and substance of the Plaintiff’s care,” it is not sufficient to compel production.[16]

Gilbert v. Highland Hospital took a similar approach, stating that an audit trail is typically not relevant and not disclosed.[17] However, the court noted that “[system] metadata is relevant . . .  if the authenticity of a document is questioned or if establishing who received what information and when is important to the claims of defenses of a party.”[18] Various cases have also stated that while Federal Rule of Civil Procedure 34 allows metadata to be discovered, Federal District Courts have recognized that the request must specifically seek its production.[19] Both case law and federal regulations state that an audit trail is not routinely produced in initial disclosures and is not part of the medical record. The routine production of the audit trail without a specific request is improper and is far from universal.

    C. When Is Production of an Audit Trail Proper?

Audit trails cannot be used in a vacuum, they require an explanation to obtain. In order to obtain an audit trail for discovery, the Plaintiff has the burden of demonstrating that: “(1) there is a compelling need for the information, (2) the information is not available from other sources, and (3) the requesting party is using the least intrusive means to obtain the information.”[20]

Vargas expanded on these elements, stating that an audit trail constituting metadata was not “routinely produced unless the requesting party shows good cause.”[21] An example of “good cause” could be that the audit trail would show the sequence of events related to the use of the patient’s electronic record, in pertinent part, “changes made to the record.”[22] While the court in Vargas allowed for the disclosure on the audit trail, it was only after the Plaintiff met their threshold burden of demonstrating that the portion of the audit trail at issue was reasonably likely to yield relevant evidence and not at initial disclosures.[23]

Similarly, in Gilbert, the court only allowed for the disclosure of the audit trail based on the allegation that the decedent was not seen or evaluated by a medical doctor prior to her discharge.[24] This case again went to the relevancy of the allegations rather than disclosure of the audit trail without good cause. This court also noted that an audit trail is “typically not relevant and therefore, not disclosed” but noted that it is relevant “if the authenticity of a document is questioned or if establishing who received what information and when is important to the claims or defenses of a party.”[25]

However, in the event that Plaintiff meets that burden, the next question is what is required to be produced as part of the audit trail?  While there is very little case law defining the scope of an audit trail’s production, it’s established that the request must still be relevant and proportional.[26] If “the burden or expense of the proposed discovery outweighs its likely benefit …” a party need not produce the documents.[27] This potential problem of the expense of proposed discovery can lead to cost shifting to a Plaintiff, compelling them to seriously consider if the potential gain of the audit trail is worth the expense.[28]

By in large, while an audit trail can be useful and necessary for a Plaintiff’s case when the cause of action relates to changes in the medical records and the alike, audit trails are not a routinely used tool that a Plaintiff can use without good cause – allowing such a ruling for the production of audit trails would burden both the Defendants and provide an unnecessary expense for discovery that is otherwise not relevant to the case.

[1] EMR: The Progress to 100% Electronic Medical Records, The University of Scranton, (explaining that in 1996 HIPAA was introduced in response to growing issues facing healthcare coverage and to follow disclosure and confidentiality regulations, organizations began to shift to electronic systems to comply with the laws).

[2] Allison Viola and Shefali Mookencheery, Metadata and Meaningful Use, Ahima (February 2012),

[3] 45 C.F.R. § 164.312(b).

[4] Id.

[5] Id.

[6] Irwin v. Onondaga Cnty. Res. Recovery Agency, 72 A.D.3d 314, 320, 895 N.Y.S.2d 262 (N.Y. App. Div. 2010).

[7] Hall v. Flannery, No. 3:13-cv-914-SMY-DGW, 2015 U.S. Dist. LEXIS 57454, at *3 (S.D. Ill. May 1, 2015).

[8] See 45 C.R.F. §§ 164.501; 164.524, 42 U.S.C. §§ 300jj et seq.; §§ 17901 et seq.

[9] 45 C.F.R. § 164.501.

[10] See Hall, No. 3:13-cv-914-SMY-DGW, 2015 U.S. Dist. LEXIS 57454, at *3.

[11] 42 U.S.C.A. § 300jj.

[12] See 45 C.R.F. §§ 164.501; 164.524, 42 U.S.C. §§ 300jj et seq.; §§ 17901 et seq.

[13] See Cohen v. McDonald’s Corp., 347 Ill. App. 3d 627, 633, 808 N.E.2d 1, 6 (1st Dist. 2004) (stating that federal statutes and regulations preempt state law in three circumstances “(1) the language of the statue or regulation expressly preempts state law; (2) Congress implemented a comprehensive regulatory scheme in a given area, removing the entire field from state law; or (3) state law as applied conflicts with federal law.”).

[14] Vargas v. Lee, 2015 NY Slip Op 31048(U), ¶ 3 (Sup. Ct.).

[15] See Id. at ¶ 4.

[16] Id. at ¶ 5.

[17] See Gilbert v. Highland Hosp., 52 Misc. 3d 555, 559, 31 N.Y.S.3d 397 (N.Y. Sup. Ct. 2016).

[18] Id. at ¶ 3.

[19] Palar v. Blackhawk Bancorp., No. 11-4039, 2013 U.S. Dist. LEXIS 58082, at *4 (C.D. Ill. Mar. 19, 2013); Chapman v. General Bd. of Pension and Health Benefits of United Methodist Church Inc., No. 1:09-cv-03474, 2010 WL 2679961, 2010 U.S. Dist. LEXIS 66618 (N.D. Ill. July 6, 2010); In re Porsche Cars N. Am., Inc. Plastic Coolant Tubes Prods. Liab. Litig., 279 F.R.D. 447, 449 (S.D. Ohio 2012); Aguilar v. Immigration & Customs Enforcement Div. of U.S. Dep’t of Homeland Sec., 255 F.R.D. 350, 355 (S.D.N.Y. 2006); Romero v. Allstate Ins. Co., 271 F.R.D. 96, 106 (E.D. Pa. 2010).

[20] Carlson v. Jerousek, 2016 IL App (2d) 151248, ¶ 49, 68 N.E.3d 520.

[21] Vargas, 170 A.D.3d at 1074.

[22] Id. at 1076.

[23] Id.

[24] See Gilbert v. Highland Hosp., 31 N.Y.S.3d 397 (Sup. Ct. 2016).

[25] Id.

[26] See Rawat v. Navistar Int’l Corp., No. 08 C 4305, 2011 U.S. Dist. LEXIS 98432 (N.D. Ill. Sep. 1, 2011).

[27] Jemsek v. Jemsek Clinic, P.A. (In re Jemsek Clinic, P.A.), Nos. 06-31766, 06-31986, 07-3006, 07-03008), 2013 Bankr. LEXIS 3120, at *25 (Bankr. W.D.N.C. Aug. 2, 2013).

[28] See Myers v. Riverside Hosp., 2016 VA Cir. LEXIS 53 (Cir. Ct. Newport News 2016) (April 21, 2016).