September 18, 2018
Author: Stephanie P. Ottenwess
Organization: Ottenwess, Taweel & Schenk, PLC
I. Audit Trails - What Are They And What Information Do They Contain?
The increased use of electronic medical records (EMR) is changing not only the way physicians practice medicine but also the way discovery is conducted in medical malpractice lawsuits and how third party payors seek information relative to fraud and abuse allegations. Indeed, data created from the actual use of EMR in rendering health care is becoming increasingly more important as lawyers and governmental agencies are attempting to use components of a patient’s electronic record as evidence in medical malpractice litigation and in prosecuting a claim of fraud, abuse or improper payments.
As will be discussed fully below, automatically generated computer data, once rendered into readable form, is commonly referred to by users and lawyers as an “audit trail” or “audit log”. An audit trail can provide a treasure trove of information which can greatly impact a provider in a number of situations. Unfortunately, few providers understand the significance of this information or that it is even created when they are manipulating an EMR. Indeed, in medical malpractice litigation, there is general confusion as to what an audit trail really is, why it may be important and whether a provider is legally compelled to produce it during discovery.
The demand for production and use of audit trails in the legal, peer review and third-party payor setting is only going to grow. Thus, it is imperative that providers fully understand how and why an audit trail is created, what information an audit trail can provide and why an adversary is requesting its production.
Before addressing the who, what, where and why of audit trails, the mystery of metadata that comprises the audit trail must be solved, or at least understood to a certain degree.
An EMR, like any other electronic record, generates metadata.1 “Metadata, commonly defined as ‘data about data,’ is an automatically generated computer record that verifies how an electronic document (e-document) has been manipulated” – tantamount to an audit trail for the e-document.2 In other words, every time a user views, edits, prints, deletes, downloads, exports or otherwise manipulates any part of a patient’s EMR, the system makes a contemporaneous record of that activity as it occurs. This is the information that creates what is commonly called the audit trail. This audit trail can provide direct evidence of the specific terminal used to access the record, and the date, time, and author of the change or addition to the EMR. Thus, ultimately, it is imperative for every provider to understand and appreciate that every time the user logs on and/or makes any entry into the EMR, a “digital fingerprint” is left behind. Few users understand this fact. The first step in understanding the importance of metadata and the audit trail it creates is gaining an understanding of the legal basis for its existence.
II. HIPAA & HITECH – The Legal Framework Requiring The Maintenance Of An Audit Trail - The Metadata Of A Patient’s EMR
Together, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)3 Privacy and Security Rules and the Health Information Technology for Economic and Clinical Health Act (HITECH) 4, included as part of the American Recovery and Reinvestment Act of 2009 (ARRA), provide the legal framework that requires an organization or provider using an EMR to track and maintain a log of all access to electronic records.5 What these laws do not make clear, however, is whether a patient is entitled to demand a copy of the audit trail or metadata from their EMR.
HIPAA required the establishment of national standards for electronic health care transactions. HIPAA is comprised of three sets of rules, the HIPAA Enforcement Rule,6 the HIPAA Privacy Rule7 and the HIPAA Security Rule.8 The Privacy and Security Rules are germane to the instant analysis.
In short, the Privacy Rule sets the standards for who may have access to protected health information (PHI) and a patient’s right to access their PHI9, while the Security Rule sets the standards for ensuring that only those who should have access to electronic PHI will actually have access. As their names imply, the rules require adoption of enumerated standards and safeguards so that covered entities protect a patient’s electronic (and paper) medical records from unauthorized access,10 tampering, or destruction.11
1. The Privacy Rule
The Privacy Rule governs the uses and disclosures of individual PHI that may be made without a patient’s explicit authorization and also provides individuals with the right to request to examine and obtain a copy of their health records.12 Per the Privacy Rule, individuals may request to review and obtain a copy of their PHI in a hospital or health care provider’s designated record set.13 Further, the Privacy Rule enumerates the ways to obtain PHI from health care providers during the discovery phase of litigation by the use of written authorization or subpoena.14
In addition, the Privacy Rule grants a patient the right to request an accounting of certain disclosures of their PHI and requires that covered entities have procedures in place to give individuals an accurate accounting of these disclosures of their PHI.15 Notably, this rule does not require that a provider disclose to a patient information detailing who has had access to their PHI. In fact, there are substantial exceptions to a patient’s rights to an accounting of disclosures including disclosures made by the covered entity to carry out treatment, payment and health care operations.16 Clearly, most disclosures within a health care institution or provider’s office would fall under these exclusions.
2. The Security Rule
In contrast, the Security Rule protects only an individual’s electronic PHI (“ePHI”) by ensuring that there are specific rules governing how this ePHI is created, received, used, or maintained by a covered entity. The Security Rule requires that a covered entity “ensure the confidentiality, integrity and availability of all ePHI the covered entity creates, receives, maintains or transmits.”17 The standard specifically defines “confidentiality” as “the property that data or information is not made available or disclosed to unauthorized persons or processes” and “integrity” as “the property that data or information have not been altered or destroyed in an unauthorized manner.”18 The Security Rule also requires various safeguards, including administrative, physical and technical safeguards, to ensure that a hospital or health care provider is protecting the integrity and confidentiality of an individual’s electronic protected health information.19
For the purposes of the instant discussion, the most important of the Security Rules’ safeguards are the technical safeguards, which include access controls, audit controls, integrity controls and transmission security.20 As far as access controls, the Security Rule requires that covered entities must implement policies and procedures which allow only authorized persons to access electronic protected health information.21 Audit controls are required by the Security Rule and mandate that covered entities must implement hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use electronic protected health information.22 Finally, integrity controls are required to ensure that electronic protected health information is not improperly altered or destroyed and transmission security is required under the Rule to protect against unauthorized access to electronic protected health information that is transmitted over an electronic network.23
3. Patient Access To Audit Trails Under HIPAA
Importantly, there is no right to patient access under the HIPAA Security Rules. Patient access, as discussed above, is governed by the HIPAA Privacy Rules. However, neither of those Rules, even read together, entitles a patient to access to the audit trail data associated with the EMR. Per the Security Rule, health care providers are required to implement audit controls to safeguard the integrity of electronic protected health information and to ensure that it is not accessed by unauthorized persons.24 An audit trail, in the context of a patient’s electronic protected health information, is maintained solely for the purposes of compliance with HIPAA’s Security Rule. Arguably, an audit trail is unrelated to a patient’s care and treatment and is not part of PHI or a patient’s designated record set to which HIPAA’s Privacy Rule grants the individual patient and authorized persons access. Thus, under HIPAA, audit trail data is not required to be maintained and “accessible on demand” to a patient; rather, it is accessible on demand to a health care provider, physician or HHS, to make certain that a patient’s ePHI has not been compromised.
HITECH was enacted in February 2009 to encourage the adoption and meaningful use of technology as it pertains to health information. It also significantly altered and expanded the HIPAA Privacy and Security Rules to strengthen protections for health information and to improve the workability and effectiveness of the HIPAA rules.
One major change created by HITECH was the expansion of patient rights in relation to their PHI. As detailed above, the HIPAA Privacy Rule requires a covered entity to provide an individual with an accounting of disclosures of PHI upon request, but permits routine disclosures for treatment, payment or health care operations to be excluded from the accounting. The HITECH Act extended HIPAA’s requirement to provide that, if a covered entity maintains an electronic health record for an individual, the covered entity must account for disclosures, when requested by patients, to include disclosures for treatment, payment or health care operations when those disclosures are made through an electronic health record.25
The U.S. Department of Health and Human Services (HHS) Office of Civil Rights issued proposed regulations regarding this accounting requirement on May 31, 2011.26 Notably, the proposed regulations went farther than the statute itself, creating a new right for patients to obtain an “access report.” The proposed access report would include the date and time of access, name of person (or the entity accessing PHI if the name is not available), a description of the information that was disclosed and the associated action (e.g., creation, modification, deletion), if available. Thus, this proposed “access report” expanded an entity’s obligation (upon patient demand) to provide an accounting of not only certain “disclosures” but also “uses” of the patient’s EMR. This proposed provision is what could be used to argue that Federal law – HIPAA through HITECH – provides a patient with the right to demand an audit trail. Most of HITECH’s provisions were enacted on January 17, 2013 with the release by HHS of the long-awaited final omnibus rule.27 However, when the final rule implementing HITECH’s sweeping changes was enacted in January 2013, one of HITECH’s major provisions was left to be finalized: the new and expanded accounting for disclosures provision. Instead of enacting this provision, HHS charged the Health IT Policy Committee with providing recommendations on how to implement the HITECH Act’s new and expanded accounting of disclosures. The Committee in turn empowered its “Privacy and Security Tiger Team” with the task. In support of this effort, the Tiger Team held a virtual public hearing to understand the respective positions of the provider community and the patient community. During the hearing, patient representatives testified that patients want the kind of transparency or record access as provided in the May 2011 proposed rule access report. However, the Tiger Team concluded that the weight of the evidence was against such access, stating:
No testimony supported that the proposed access report was do-able, at least with current technologies. Audit trail technologies are frequently mentioned as a tool for offering greater transparency to individuals, but audit logs, when they are deployed, are designed to track security-relevant system events, not all user activity, and do not easily produce reports designed to be understandable to individuals.
On the provider side, many questions were raised about the potentially significant costs to the covered entity of generating an access report and whether the costs were reasonable given the historical lack of patient request for such reports. The providers urged that the lack of requests supported the fact that patients did not want nor would they find value in, the deluge of information likely to be produced by the access report. Concerns were also raised about providing patients with the names of individual users who had accessed their health information.
After considering both sides, the Tiger Team concluded that it seemed unwise to impose a new access report mandate, given the potential costs and how little evidence they had of whether patients would ask for such reports. Instead, the Tiger Team reasoned that access reports would play an important role in situations of inappropriate access to PHI and the rights that really needed to be protected were patient rights to a full investigation of complaints about inappropriate access: “such an episodic response could be more effective at addressing patient concerns versus building in expensive technology to produce a report that (1) may be less helpful in ferreting out inappropriate access (buried in reams of material) and (2) would be expensive to build for the few occasions where it is needed.”
Accordingly, the Tiger Team provided the following recommendations: Due to the uncertainties and complexities involved in implementing the HITECH requirements to account for disclosures for [treatment, payment and health care operations] made through an EHR (as described above), the Policy Committee recommends that HHS approach implementation in a step-wise or staged fashion, pursuing an initial pathway that is workable from both a policy and technology perspective.
Consistent with this approach, the Policy Committee’s recommendations focus on:
• The patients’ rights to a report of disclosures outside the entity or organized health care arrangement (OHCA) and
• The patients’ rights to an investigation of inappropriate accesses inside (i.e., inappropriate uses) the entity or within the OHCA.
The Policy Committee does not believe the proposed access report defined in the NPRM meets the requirements of HITECH to take into account the interests of the patient and administrative burden on CEs. Instead, the Committee urges HHS to pursue a more focused approach that prioritizes quality over quantity, where the scope of disclosures and related details to be reported to patients provide information that is useful to patients, without overwhelming them or placing undue burden on CEs. By the term “quality over quantity,” the Committee means that HHS should focus, at least initially, on EHR disclosures outside the CE or OHCA.
* * *
In reflecting concerns raised at the public hearing and in the blog, the Committee recommends that the content of the disclosure report be required to include only an entity name rather than a specific individual as proposed in the NPRM.
Technologies to enable individuals to receive an accounting of disclosures (other than those made within an OHCA) must first be piloted by HHS before any new policies can be implemented. The Committee expressly recommends that HHS launch such pilots, and focus initially on provider EHRs. Such pilots should focus on the technical feasibility of disclosure reports, and the accompanying implementation burden on providers as well as on the feasibility and usability of such reports for patients. The content of the report should also be tested in the pilot; such testing should include the option to group similar disclosures together (vs. reporting each one individually), as permitted by the NPRM. The result of the pilot will inform regulations to implement HITECH and enable ONC to assess readiness for a future stage of EHR certification. HHS could then determine how to expand the pilot - such as to additional HIPAA covered entities or to electronic data systems that are not EHRs.28 (Emphasis in original, footnotes omitted).
The Committee adopted these recommendations, which are now in the hands of the National Coordinator of the Department of Health and Human Services. Thus, neither HIPAA nor HITECH at this point requires the accounting or disclosure of an audit trail to a patient. However, because the health care statutes and regulations are so convoluted and most Courts are unable to properly interpret patient rights under HIPAA/HITECH or the true focus of what these laws are trying to protect and provide, medical record metadata has been treated in litigation like any other type of electronically stored information, which has been deemed largely discoverable in Federal Courts and many State Courts under their respective Rules of Civil Procedure.
IV. Is the audit trail discoverable under Federal or State law?
“Metadata has become ‘the new black,’ with parties increasingly seeking its production in every case, regardless of size or complexity.” Aguilar v. Immigration and Customs Enforcement Div., 255 F.R.D. 350, 359 (S.D.N.Y.2008).
A. Federal law:
Metadata is not addressed directly in the Federal Rules of Civil Procedure but is subject to the general rules of discovery. Indeed, under Federal law, metadata has been deemed discoverable in civil trials; meaning that, in general, metadata must be produced on request, if it is relevant to the claim or defense of any party and is not privileged. Fed.R.Civ.P. 26(b)(1). An audit trail falls into the category of “metadata.” United States v. Tutt, 2013 WL 5707791 (ED Mich Oct. 21, 2013). Metadata falls into the broad category of electronically stored information (“ESI”). Aguilar, supra at 354.29 As an electronic analogue to the traditional paper medical record, an EMR is an electronic writing within the meaning of FRCP 34(a)(1)(A). Under Rule 34(b), a party may request ESI production in its native format, i.e., as it is used in the ordinary course of business.
In 2006, the Federal Rules of Civil Procedure (FRCP) were amended to facilitate ESI discovery. The amended FRCP elected to identify ESI expansively to include “writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations – stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form.” 30
Rule 34 reinforces Rule 26’s admonition for liberal discovery. Under Rule 34, a party may request any relevant ESI that is in the custody or control of the opposing party.31 Conceptually, Rule 34 provides that the scope of e-discovery requested extends to any ESI, regardless of how it is stored.32 However, while all relevant ESI must be disclosed, not all requested ESI must be produced.33 Absent a court order, a party needs only to produce ESI as it exists in the “usual course of business.”34 With respect to the form in which metadata (as ESI) is produced, Fed.R.Civ.P 34(b)(1)(C) allows the requesting party to specify the form of production. The responding party then must either produce ESI in the form specified or object. If the responding party objects, or the requesting party has not specified a form of production, the responding party must “state the form or forms it intends to use” for its production of ESI. Fed.R.Civ.P. 34(b)(2)(D).
Rule 26 does create two safe harbors for sheltering ESI from discovery. In addition to the safe harbor of privilege, ESI is not discoverable if its production would be overly burdensome.35 Under Rule 26, if “the burden or expense of the proposed discovery outweighs its likely benefit, considering the needs of the case, the amount in controversy, the parties’ resources, the importance of the issue at stake in the litigation, and the importance of the proposed discovery in resolving the issues,” the courts must limit the frequency or extent of discovery.36 Many suggest, however, that the massive, expensive metadata discovery of commercial litigation in Federal Court contemplated by FRCP 26(b)(2)(B) does not even apply to patient metadata in medical malpractice cases, as it is generally limited to one patient and a potentially short time frame of inquiry. Moreover, until the Courts gain a better understanding of metadata and its relevance with respect to EMR and malpractice cases, they are more likely to allow far-reaching discovery.37
B. Michigan State Law:
In contrast to Federal law, State law, which governs most malpractice litigation, varies as to the discoverability and admissibility of metadata. In December 2008, the Michigan Supreme Court adopted amendments to several Michigan Court Rules to specifically address treatment of ESI.38 These rules, which were patterned on the 2006 e-discovery amendments to the Federal Rules of Civil Procedure, became effective January 1, 2009. Because these amendments were based on the provisions of the federal rules, and in light of the limited number of Michigan precedents in this area of the law, Michigan courts are likely to view federal opinions as persuasive authority.39
There are no Michigan cases to date in which the appellate courts have addressed the discoverability or admissibility of metadata or audit trails in relation to medical records. However, metadata has been addressed in the trial courts and would likely be deemed by the appellate courts as discoverable and admissible if proven to be relevant.
V. The Audit Trail’s Role as Part of the EMR: Authentication and Credibility
The audit trail – a record of every change or addition to an EMR - is arguably the gold standard to prove the EMR is authentic and accurate. It also can be used to establish or disprove the credibility of the health care provider who is being scrutinized – documenting the care that was actually provided as opposed to the care that should have been provided.
A. Third Party Payors
The use of EMR can subject providers to heightened vulnerability to Medicare or Medicaid fraud claims as a result of improved information on the match between services rendered and services billed. Third party payors may try to use metadata as a way to measure quantity and quality of a physician’s actual clinical practice. A good example involves cases of upcoding - when a provider bills for a higher level of services than provided. Conceivably, the metadata from a provider’s EMR could be analyzed to determine if there exists the necessary support, such as the length of time spent with the patient, for the care level that was billed.
B. Medical Malpractice Cases
EHRs, metadata and audit trails are most assuredly affecting the course of malpractice litigation by increasing the availability of information and documentation with which to prove or defend a malpractice case. As discussed thoroughly, metadata provides a permanent electronic footprint that can be used to track physician activity.
However, metadata should not always be viewed as a potential problem for the defense. In some cases, metadata may establish a provider’s culpability, whereas in others it may help mount a defense.
In 2006, the use of metadata in a medical malpractice case almost singlehandedly established how metadata can be dispositive in litigation as documenting the actual care given rather than the care that should have been given. The case involved a patient who awoke as a quadriplegic after a seven hour surgery.40 The initial focus was on the competency of the surgeon. However, during discovery, the plaintiff obtained a copy of the patient’s EMR together with the metadata, and the focus of the case changed. The metadata revealed that the anesthesiologist wrote his postoperative note minutes after the operation began as opposed to when it should have been prepared – after the surgery was completed. In this untimely note, the anesthesiologist asserted that the procedure was uncomplicated. However, the log of administered anesthetic gas contained a ninety-minute gap.41 This appearance of impropriety likely helped the plaintiff secure a confidential settlement with the anesthesiologist. Notably, the hospital later discovered that its anesthesiologists commonly recorded standard notes, such as their presence at the patient’s emergence from anesthesia, during less hectic parts of the procedure.42 In the pre-electronic age, such a practice posed little risk of liability. However, the availability of metadata changed the game.
Conversely, metadata can be used to authenticate the EMR in a malpractice case. Metadata can verify:
• That an EMR was modified at the time of treatment rather than later;
• That key entries were made contemporaneously with treatment and that the provider was at the patient’s bedside during every important event in his or her care;
• That the provider did review the critical lab study or radiographic study prior to making a treatment decision;
• That the provider spent a significant or at least sufficient amount of time reviewing the record during the treatment in question.
Of course, plaintiffs will try to use metadata to disprove all of the above and attack the credibility of the physician.
Metadata can also be used by either side to learn the detailed timeline of a patient’s care, as well as an inventory of witnesses and documents that are not apparent from the medical records alone.
One thing is for certain, as the courts become more comfortable with metadata in healthcare litigation, they may routinely order that EMRs be produced with metadata. This is in large part due to disputes over authenticity and/or credibility.
VI. How to Handle Discovery Requests During Litigation
In medical malpractice cases in Michigan, Plaintiffs’ Counsel are increasingly demanding discovery of audit trails or audit logs. Whether the metadata is truly relevant and discoverable will depend on the facts of the case. However, even in those cases where it is relevant and discoverable, it should not be handed over freely. Although the Plaintiffs’ Bar has argued that audit trails are easily accessible and producible, just the opposite is true.
The format of EMR may differ based on the software system used and the specialty of the medical professional. First, the EMR systems themselves are not standardized. In fact, there are over two hundred electronic medical record programs available; each designed specifically for different medical care providers.43 Moreover, even within healthcare systems, different departments and staff may use different versions of the same electronic medical record system customized for their field, or entirely different and independent systems altogether. In fact, it is common for the radiology department and the laboratory to use a separate electronic medical record system than the rest of the hospital. This too will lead to more than one audit trail in any given hospital with any given patient.
So, how should you respond when you receive that request for the production of the audit trail or audit log? First of all, if there are any issues of authenticity or credibility in the case, no matter how remote, the audit trail should be obtained and scoured prior to any request from the other side coming in. When it does come in, however, it will likely be an “any and all” type of request which must be met with an objection and demand that the request be tailored to a relevant scope of finite information.
The typical request has been something similar to the following: Please produce the Electronic Medical Record Audit Trail Report/Audit Log/Audit Control Information for the X Hospital medical records regarding patient Y from December 1, 2011 to the present. [This material is required to be maintained and must be turned over to a patient pursuant to 45 CFR 164.524(c)(2)(i) and 45 CFR 164.312(b).]
This type of request must be objected to in the first instance as the regulations cited do not entitle requesting party to the production of the audit trail data associated with the electronic medical records and maintained by the Hospital for the purpose of compliance with HIPAA’s Security Rule. Moreover, the request for an audit trail must be fact specific to the case. Force Plaintiff’s counsel to identify the issues and times relevant to your forensic inquiry. For example, where there is a question as to whether an attending physician was aware of certain findings, inquire as to that attending physician’s access to the record during a finite time frame.
Once the scope of metadata and the audit trail are agreed upon, it must be reviewed thoroughly for privileged and confidential information which must be redacted.
• Access to the record for Peer Review and legal purposes
• Personal identifying information for individuals who have accessed the record.
With certainty, the interest in audit trails in medical malpractice litigation and third party payors is growing. Legal counsel and providers must be ready to address each situation and anticipate that the audit trail will be discoverable. In healthcare litigation, the scope of e-discovery often is limited to the EMR of a single patient. Thus, it is less likely that a healthcare provider could successfully argue that production of an EMR with its metadata is overly burdensome. Instead, the courts are likely to issue orders for the production of metadata to facilitate authentication and to resolve patients' issues and questions of credibility. Recognizing the potential for metadata production, prudent health care providers and their attorneys will preserve the relevant EMR with its metadata upon notice of impending litigation.
Under no circumstances, however, should metadata be freely turned over without advice of counsel. Only after limiting the scope of production and after careful review, consideration and redaction of the data should audit trails/audit logs/metadata be produced.
1 Thomas R. McLean, EMR Metadata Uses and E-discovery, 18 ANNALS HEALTH L. 75 (2009).
2 McLean, supra note 1.
3 Pub. L. No. 104-191, 110 Stat. 1936 (1996), codified at 42 U.S.C. § 300gg and 29 U.S.C § 1181 et seq. and 42 USC 1320d et seq.
4 Pub. L. No. 111-5, 123 Stat. 226 (2009), codified at 42 U.S.C. §§300jj et seq.; §§17901 et seq.
5 HITECH was passed as a monetary incentive plan for hospitals and providers to begin converting to electronic health records. The idea was for any provider to be able to access all of a patient’s medical records; however, because of increased concerns associated with electronic records containing protected health information (“PHI”), heightened enforcement and sanction provisions in the HIPAA Privacy and Security Rules were implemented as well. PHI is defined as “individually identifiable health information” which is transmitted by and maintained in “electronic media” or “in any other form or medium.” 45 C.F.R. §164.103. HITECH significantly changes both enforcement and sanctions with regard to health care privacy and security requirements under HIPAA. Prior to HITECH, HIPAA was solely a regulatory scheme promulgated by the Department of Health and Human Services. 45 C.F.R. Parts 160, 162, & 164. Now, portions of the Privacy and Security Rules are codified in the United States Code as a result of HITECH. The Office for Civil Rights (“OCR”) of the United States Department of Health and Human Services (“HHS”) is the primary enforcement authority for HITECH. Prior to HITECH, the OCR enforced the HIPAA privacy rules and the Centers for Medicare and Medicaid Services (“CMS”) enforced the security rules.
6 45 CFR Part 160, Subparts C-E.
7 45 CFR Part 160 and Subparts A and E of Part 164.
8 45 CFR Part 160 and Subparts A and C of Part 164.
9 PHI is individually identifiable health information and information regarding past, present and future medical care, no matter whether this protected health information is in electronic, written or oral form. 45 CFR §160.103.
10 45 CFR §164.502.
11 45 CFR §164.306
12 See 45 CFR §164.502, 45 CFR § 164.524, 45 CFR § 164.526 and 45 CFR §
13 45 CFR § 164.524. A designated record set is the group of records maintained by a hospital or health care provider that is used to make decisions about an individual’s medical care and treatment. 45 CFR §164.501.
14 See generally, 45 CFR §§164.506, 164.508, 164.510, 164.512.
15 See, 45 CFR § 164.502(a)(2); 45 CFR §164.528; 45 CFR 164.530
16 45 CFR §164.528(a)(1)(i).
17 45 CFR §164.306(a)(1).
18 45 CFR §164.304.
19 See 45 CFR § 164.308, 45 CFR § 164.310 and 45 CFR § 164.312.
20 45 CFR § 164.312.
21 45 CFR § 164.312(a).
22 45 CFR § 164.312(b). It is important to point out that the Security Rule does not identify data that must be gathered by the audit controls or how often the audit reports should be reviewed. It is up to the covered entity to consider its risk analysis and organizational factors, such as current technical infrastructure, hardware and software security capabilities, to determine reasonable and appropriate audit controls for information systems that contain or use ePHI.
23 45 CFR § 164.312(c) and (e).
24 45 CFR § 164.312(b).
25 HITECH Act, Section 13405(c)(1), codified at 42 U.S.C. § 17935(b).
26 76 FR 31426.
27 78 FR 5565.
28 January 22, 2014 Letter from the HIT Policy Committee to Karen DeSalvo, MD, National Coordinator for Health Information Technology, Department of Health and Human Services, outlining the Tiger Team’s recommendations which were adopted by the HIT Policy Committee on December 4, 2013.
29 Metadata is electronically stored evidence that describes the “history, tracking, or management of an electronic document.” Aguilar, supra. “It includes the hidden text, formatting codes, formulae, and other information associated with an electronic document.” Id.
30 Fed.R.Civ.P. 34(a)(1)(A) (emphasis added).
31 Fed.R.Civ.P. 34(a)(1).
32 Fed.R.Civ.P. 34(a)(1)(A).
33 Fed.R.Civ.P. 34(b)(2).
34 Fed.R.Civ.P. 34(b)(2)(E).
35 Fed.R.Civ.P. 26(b)(2)(B).
36 Fed.R.Civ.P. 26(b)(2)(C). This rule is enforced during pretrial conferences. Fed.R.Civ.P. 16(c)(2).
37 See, for example, Magistrate Judge’s Order (Doc. No. 39) filed January 19, 2012 in Roach v St. Mary Mercy Hospital, et al., 2:11-cv-10687 (ED Mich), where Defendant Hospital was ordered to “produce. . . to Plaintiff all audit trail data in any form regarding Plaintiff decedent’s treatment in January 2009.”
38 See, MCR 2.302 and MCR 2.310. MCR 2.302(B)(1) includes “electronically stored documents, “other data compilations from which information can be obtained, translated, if necessary, by the respondent through detection devices into reasonably usable form.” MCR 2.302(B)(6) provides the identical protection as the Federal Rules on the discoverability of electronic materials: A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost. On motion to compel discovery or for a protective order, the party from whom discovery is sought must show that the information is not reasonably accessible because of undue burden or cost. If that showing is made, the court may nonetheless order discovery from such sources if the requesting party shows good cause, considering the limitations of MCR 2.302(C). The court may specify conditions for the discovery.
39 See MCR 2.302 staff comment; White v Taylor Distrib Co, 275 Mich App 615, 628 n7; 739 NW2d 132 (2007) (Michigan courts “do not lightly adopt a position at odds with the federal rules, after which our rules are patterned”); Brenner v Marathon Oil Co, 222 Mich App 128, 133; 565 NW2d 1 (1997) (“[I]n the absence of available Michigan precedents, we turn to federal cases construing the similar federal rule for guidance.”)
40 Vigoda MM, Lubarsky DA. Failure to recognize loss of incoming data in an anesthesia record-keeping system may have increased medical liability. Anesth Analg 2006; 102: 1798-802.
41 Id. at 1800-01.
42 See note 37, supra.
43 John Deutsch, Choosing the EMR system that’s right for you, http://www.healthrechnologyreview.com/viewarticle.php?aid=21. (last visited July 7, 2014).