In medical malpractice we rely on the integrity of medical records as the foundation for understanding our client’s case. As more clinicians and hospitals move toward electronic medical records, lawyers must know what kind of information is available from those records and how to access it.
In the world of paper medical charts there is nothing wrong with a clinician making a late entry in a chart, as long as it is clearly marked as a late entry; but, it is an offence for a clinician to go back and alter medical records. Although it is possible in some cases to identify alterations to a medical record made after the fact, there is a chance that an alteration could go unnoticed. In the world of electronic medical records however, there is an audit trail that tracks all changes made to a medical record. There will also be an access log that identifies who has viewed a patient’s records, and which part of the record they looked at. Audit trails and access logs can provide a detailed timeline that for the most part cannot be altered and in some cases, that audit trail will be critical to understanding the nature of the wrongdoing.
The question is no longer “How can I figure out who saw these records or if somebody changed these records after the fact.” Now the question is “How do I get a copy of the access log or audit trail, and how do I figure out what it means?”
Patient Privacy and Security
Most of the legislation that applies to medical records is aimed at ensuring the privacy and security of patient health care information. Although there is less regulatory content aimed at ensuring that these records are not altered after the fact, the health regulatory colleges are beginning to address this issue. For example, the Bylaws of the College of Physicians and Surgeons mandates that a physician’s medical record system must, among other things, contain the patient’s demographic information, the patient’s presenting complaint, the results of the medical history and physical examination, what investigations were ordered, the provisional diagnosis or diagnosis, treatment recommendations, medications prescribed and the follow-up plan. This information must be capable of being reproduced promptly in a hardcopy and the system must audit or record any subsequent changes made.
An example of a long established electronic health record system is British Columbia PharmaNet that in 1995 was the first such system implemented in Canada. Since its inception, PharmaNet not only has been capable of logging every prescription dispensed in all community pharmacies British Columbia in a common database, it also has ensured the availability of access logs and the maintenance of audit trails. Consequently, any patient can request a print-out of their own PharmaNet profile, as can a third party authorized by the patient. That profile contains a record of all prescriptions dispensed for the person, back to the inception of PharmaNet. From a legal point of view, perhaps more importantly, the PharmaNet record also includes an ac-cess log – a record of the names of anyone who has accessed that patient’s PharmaNet profile other than at the time of dispensing a prescription and the date of access. For instance, every time you request a copy of your client’s PharmaNet profile, there will be an access log recorded of the date that the system administrator accessed your client’s PharmaNet profile to prepare the report you requested. There may also be other accesses recorded – if a patient attends at a physician’s office or an emergency room their profile may be accessed to assist in patient care.
But there is much more information available about each pre-scription than you see on the PharmaNet record. The computer system of the pharmacy where the prescription was dispensed will include every detail of the prescription, including the specific directions that were on the patient’s medication label, the initials of the pharmacist and the technician involved in dispensing the prescription, and the price charged to the patient. There also is an audit trail of every change that has been made to a prescription showing the original version of the label and if any changes have been made to that label. The system records what change was made, who made the change, and the date and time the change was made.
There is electronic medical record information everywhere technology is used in health care. Some departments in a hospital, for example, diagnostic imaging, may have electronic records that must be requested separately. Similarly, community health workers and outreach therapists may have their own versions of electronic records that are not integrated into a larger comprehensive health care record for a patient. Even medical equipment such as infusion pumps may record information about when an infusion was started, what the volume of the syringe was, and at what rate the infusion was running, although this information will not be found in the patient’s chart. Vital signs monitors used in hospitals and medical clinics often include a log of the results for a patient, although those results may be handwritten into a patient’s chart if a paper-based system is in use. Even the now common home blood glucose moni-tor or blood pressure cuff likely retains a log of the data.
How do you Access Data?
But, if you need this data to effectively represent your client, how do you access it? How can you recover audit trails of the electronic records? Firstly, to avoid missing crucial information, you need to make your request as specific as possible. For example, you may want to ask for all entries made, changed and deleted over a particular period of time in a particular system. You may also want to ask for screenshots of the electronic medical record if you need to know, for example, what information a particular physician had available to them when they were reviewing the lab results at a particular time?
You may want to know who accessed a certain report, when they accessed it and even where they were when they did it, as well as for how long they had access to it. Technical specifications can also be important. For instance, you might want to know what the systems settings are for automatically logging off a user if there has been no activity. Although each hospital will have procedural guidelines that instruct system users to ensure they log off before they leave a computer, no doubt there will be potential that a defendant might claim that a record has been altered in their name because they didn’t log off.
Distance medicine facilitated by electronic health information is becoming more common. For example, it is possible that there may be a CT scan ordered by a physician in one small hospital, conducted by a radiology technician in another hospital, then reviewed by a radiologist in a third hospital. If your client was injured as a result of a problem related to diagnostic imaging it may be important to gather information from audit trails and/or access logs about the CT requisition, the CT scan itself, the timing of the radiologist’s access to the imaging, the radiologist’s inter-pretation and recommendations, if any, and when and how the radiologist sent that information to the treating physician. This information can be critical to create a time-line of when events unfolded, the events themselves, and to determine if changes were make to the records after a bad outcome became known.
Screen shots can also be useful when many individuals are involved. For example, if the issue you are investigating relates to the possibility of an error in processing a tissue sample in a laboratory, it will be vital to understand which laboratory tech-nician was involved in each step of the process. If a department relies on an electronic system for tracking the sample, screen shots that show the date, time, initials of the laboratory staff member, identification of the patient, and the processing number of the sample, might be the best or only way to determine who was involved in each step. These screen shots would not be available through the medical records department, and would need to be requested through the specific department involved and possibly the information technology department.
Hospital Staff May Need to Assist
The medical records department of a hospital is not necessarily the department that can produce an audit trail or access logs. Generally medical records departments deal with requests for the records themselves, but it is likely to be the health information technology department that will produce audit trails and access logs. The hospital may need to enlist the assistance of the hospital’s information technology staff to access the audit trails and confirm how much detail is available through the system in use at the hospital.
If the information of interest comes from a specific piece of medical equipment, the vendor for the equipment may be able to help you understand what information should be available and how to access it. Still, it will likely be necessary for the hospital’s biomedical engineering department to obtain that data.
The information available through access logs and audit trails of a patient’s medical records can be critical in helping you fully understanding your client’s case. There is no single entry-point for accessing this information. Of course, once the action is started, if the hospital is one of the defendants it will be necessary to make requests for these records through counsel. Regardless of where you direct your request for records, make sure you understand what information could be available beyond the medical record that would routinely be produced, so you can create a detailed and complete timeline for your case that includes a thorough understanding of who accessed your client’s records, and what, if anything, they did to those records.