Audit trail vs. access log: what attorneys must demand in discovery

Two phrases get used interchangeably in medical-records discovery, and the slippage between them quietly defeats more cases than any outright spoliation. An access log and an audit trail are not the same record, do not answer the same question, and producing one is not producing the other. When a request asks loosely for 'the audit trail' and a provider responds with an access report, the production can look complete while the evidence that matters never arrives.

What an access log actually shows

An access log answers a single question: who opened this chart, and when. It is the privacy-monitoring layer that hospitals rely on to detect snooping — an employee viewing a celebrity's record, or a clinician looking at a family member's chart. It places users in the record at points in time.

That is genuinely useful. It can corroborate who was present around a disputed event and contradict testimony that a provider never reviewed a result. But it is fundamentally a record of viewing, not of changing. An access log can show that a nurse opened a chart at 23:47; it does not, by itself, tell you whether anything in that chart was created, edited, or deleted.

What an audit trail adds

An audit trail is the action-level record: entries filed, modified, and deleted, each with a user and a timestamp. It is where the integrity questions live — late entries, backdating, after-the-fact additions, and silent edits to finalized notes. The audit trail is the difference between knowing someone was in the room and knowing what they did there.

• When a note was first saved versus when it was signed — the gap that exposes late entries.
• Whether content was added or changed after an event the documentation describes.
• Whether a finalized note was edited silently or corrected through a disclosed, timestamped addendum.
• Whether entries were authored on the visit date or days later and dated to appear contemporaneous.

Why the distinction decides cases

The substitution is rarely dramatic. A request asks for 'audit trail/access logs,' and the production includes a clean access report. Nothing looks withheld. But the access report cannot show that a critical note was authored eleven hours after the patient coded, or that a vital sign was edited the morning after a bad outcome. Those facts live only in the audit trail, and if no one asks for it by function, no one produces it.

Rule of thumb: an access log answers 'who looked?' An audit trail answers 'who changed what, and when?' A complete production needs both, requested by function, not by a single ambiguous label.

How to write the request so the gap closes

• Ask for both, separately: the access/view log and the action/modification audit. Do not let one stand in for the other.
• Specify the native export, not the printed chart or release-of-information output, which omit audit data entirely.
• Request note revision history, including the save-versus-sign timestamps and any addenda.
• Ask the provider to identify its EMR and version and the audit reports it is technically able to run, so 'not available' can be tested against the system's documented capability.

The systems differ in how they label and store this data — Epic, Oracle Health (Cerner), MEDITECH, athenahealth, eClinicalWorks, Veradigm (Allscripts), and NextGen each handle it differently. But the underlying discipline is constant: name the function you want, distinguish viewing from changing, and refuse to let an access report close the question that only an audit trail can answer.