Guide

Use HITECH to get a complete record — not the cleaned-up chart

A routine subpoena or ROI-vendor request gets you the designated record set: the chart as it appears today. The patient right of access under HIPAA and HITECH gets you a complete electronic copy — and sets up the discovery demand for the audit trail underneath it.

The problem: you're paying for an incomplete chart

Records obtained through a subpoena or a release-of-information vendor usually arrive as the designated record set — a printed or PDF version of the chart as it currently reads. Prior versions of notes that were later edited, late entries, addenda, and the access log are not part of that standard production. You can overpay per page and still be missing the evidence that shows how the record was assembled.

The leverage: what the right of access gives you

The HIPAA Privacy Rule grants every patient a right of access to their records (45 CFR 164.524), strengthened by the HITECH Act. Used deliberately, it gives a plaintiff firm three advantages over a routine request:

  • Electronic form. When the record is maintained electronically, you are entitled to an electronic copy — not a paper printout that strips structure and metadata.
  • Cost-based fees. Fees for a patient's own records must be reasonable and cost-based, typically well below state per-page rates.
  • Patient-directed delivery. The patient can direct a copy to a third party, including counsel — subject to the fee-cap limits set by Ciox Health v. Azar (2020).

Stated honestly: the right of access covers the designated record set, the audit trail itself is generally obtained in discovery, and the details vary by state. Treat HITECH as pre-suit leverage and a completeness argument — not a button that forces audit-trail production.

The audit trail: ask for it explicitly, in discovery

Because the audit trail lives outside the designated record set, demand it in discovery with language tuned to the system — by function, not by a report name the provider can say “doesn't exist.” A workable template:

  1. The complete audit trail and access log for the patient, including user ID, role, action type, date, and system timestamp for every event.
  2. All prior versions of any amended, corrected, or addended entry, together with the change logs that show what was modified and when.
  3. Metadata for each entry, including authorship, the time the entry was created versus the clinical time it documents, and any late-entry or amendment flags.
  4. A native export from the EHR (e.g., Epic, Oracle Health/Cerner, MEDITECH) in its system format, not a printed or PDF summary.
  5. For any device- or instrument-generated record, the data retained under FDA electronic-records requirements (21 CFR Part 11), where applicable.

Platform behavior differs — the system-specific discovery guides cover what each EMR actually produces and where productions fall short.

Why it matters

The metadata is where late entries, post-event edits, backdating, and deletions become provable rather than merely suspected. Once you have a complete electronic record and the audit trail, independent audit-trail analysis reconstructs the documentation's real timeline — the foundation of the case. Related federal leverage: the Cures Act information-blocking rules.

Frequently asked questions

Can I get the audit trail through a HITECH records request?

Usually not. The individual right of access under 45 CFR 164.524 covers the designated record set — the chart used to make care decisions — which generally does not include the system's internal audit log. Audit trails are typically obtained in discovery. The value of the pre-suit access request is getting a complete electronic copy of the record and building leverage and a completeness argument before you file.

What does the HIPAA right of access actually give a plaintiff?

Three things worth more than a routine subpoena: the record in electronic form when it is maintained electronically (not a paper printout), cost-based fees that are usually below state per-page rates, and the ability to direct a copy to a third party. It is the patient's right, so it is exercised by the patient or their personal representative with proper authorization.

How much can a provider charge for a right-of-access request?

Fees must be reasonable and cost-based for a request the individual makes for their own records. Note that Ciox Health v. Azar (D.D.C. 2020) vacated the broader fee cap as applied to records the patient directs to a third party, so patient-directed-to-attorney requests may not get the same capped rate. Scope and routing matter; plan the request accordingly.

Why request records before filing rather than waiting for discovery?

A pre-suit access request lets you evaluate the merits on a complete electronic record, scope the case accurately, put the provider on notice (which supports preservation and a later spoliation argument), and avoid paying inflated per-page ROI-vendor charges for an incomplete chart.

Does HIPAA require providers to keep an audit trail at all?

Yes. The HIPAA Security Rule's audit-control standard (45 CFR 164.312(b)) requires providers to implement mechanisms that record and examine activity in systems containing electronic protected health information. That obligation is why the audit trail exists — and why a 'we don't keep that' objection rarely holds up.

How does the Cures Act fit with a records request?

The 21st Century Cures Act information-blocking rules (45 CFR Part 171) prohibit providers and their EHR vendors from interfering with access, exchange, or use of electronic health information. They reinforce the access request and undercut stalling or stripping of electronic records. See the Cures Act / information blocking guide for how to use that leverage.

This page is educational information, not legal advice. EMR Check provides consulting and analysis services, not legal representation, and using this site does not create an attorney–client relationship.
