What the Audit Trail Reveals in GLP-1 Prescriber Negligence Cases

Almost everything written about Ozempic litigation right now is about one thing: the multidistrict litigation against the manufacturers. The federal MDLs consolidating gastroparesis, ileus, bowel-obstruction, and NAION vision-loss claims against Novo Nordisk and Eli Lilly are large, well-publicized, and crowded with intake campaigns. Those are product-liability cases. They turn on the drug label and the failure-to-warn theory, and they largely run through the prescriber by way of the learned-intermediary doctrine rather than against them.

There is a second, quieter track — and it is the one where the medical chart, not the label, decides the case.

When a clinician, nurse practitioner, med spa, or telehealth platform prescribes a GLP-1 receptor agonist and the patient is injured, the question is no longer “did the manufacturer warn adequately?” It becomes “did this provider meet the standard of care, and can they prove it?” That is a state-law medical-negligence question, and the answer almost always lives in documentation: whether informed consent was obtained, whether contraindications were screened, whether a real examination occurred, and whether the provider responded to reported symptoms. Every one of those questions has a metadata signature in the EMR audit trail — and the printed chart that gets produced in discovery is precisely where those signatures are hidden.

This article is for plaintiff-side medical-malpractice and personal-injury attorneys evaluating a GLP-1 prescriber case. It explains where the provider's exposure sits, what the audit trail can confirm or contradict, and what to request before the metadata is gone.

Why the prescriber can be a defendant

The GLP-1 boom of 2023–2025 was built on a fragile prescribing model: high-volume, cash-pay, frequently telehealth-only, and frequently dispensing compounded semaglutide or tirzepatide during the FDA shortage window. That window closed. The FDA declared the tirzepatide shortage resolved in late 2024 and the semaglutide shortage resolved on February 21, 2025, and state medical and pharmacy boards — New York's OPMC and the Medical Board of California among the most active — have since stepped up disciplinary action against prescribers operating outside good-faith-exam and informed-consent rules. The most common citations involve telehealth prescribing without an established practitioner-patient relationship and inadequate contraindication screening.

That enforcement environment maps directly onto civil liability. The recurring prescriber-negligence theories are:

• Failure to obtain informed consent. GLP-1 agonists carry a boxed warning for thyroid C-cell tumors and material risks including pancreatitis, severe gastrointestinal injury, gallbladder disease, and — increasingly in the literature — NAION vision loss. A prescriber has a duty to disclose material risks. With compounded GLP-1s, that duty expands to disclosing that the product is not FDA-approved and that the FDA has issued specific warnings about compounded semaglutide.
• Failure to screen contraindications. Personal or family history of medullary thyroid carcinoma or MEN2, a history of pancreatitis, and pre-existing severe gastroparesis are screening flags. Whether the chart shows the screen happened — and when it was entered — is the case.
• No bona fide examination (good-faith exam). In a telehealth weight-loss model, the question is whether an actual individualized clinical evaluation occurred or whether a templated note was generated to paper a prescription that was effectively automated.
• Failure to monitor and respond. GLP-1s require dose titration and follow-up. When a patient reports severe vomiting, dehydration, or abdominal pain and the provider does not act, the timeline of who saw what message and when becomes dispositive.

Each of these is a documentation question first and a clinical question second. That is what makes the audit trail the center of gravity.

The four documentation failures the audit trail exposes

The audit trail is the time-stamped log of auditable actions inside the EMR — who viewed, created, modified, signed, pended, or deleted an entry, when, and often from which device or IP. It is not part of the produced chart, it is not visible on the clinical screen, and it answers four questions the printed record cannot: who, what, when, and from where. In a GLP-1 prescriber case, four patterns recur.

1. The consent note that was created after the injury

The produced chart shows a clean informed-consent note, signed and dated within the encounter. The audit trail can show something else entirely: that the note was first created hours or days later — sometimes after the patient's emergency-room visit, sometimes after the practice received a demand letter. In Epic-based systems, a note can be pended (saved unsigned) and signed much later, or pended and never signed at all; neither the long delay nor the unsigned status appears in the finalized record an attorney receives. The gap between the documented encounter time and the note's true creation timestamp is the difference between contemporaneous consent and a chart built to defend a lawsuit.

2. The contraindication screen that never happened — or happened too late

A screening note stating “no personal or family history of MTC/MEN2, no history of pancreatitis” is only as good as its provenance. Audit-trail metadata establishes when that note was authored relative to the prescription order. If the prescription was transmitted before the screening entry existed, the screen did not inform the decision. Modern EMRs also carry data-provenance logs that can distinguish typed entries from content that was copied and pasted or auto-populated from a template — the signature of a screen that was checked off by reflex rather than performed.

3. The “examination” that took ninety seconds

In a high-volume telehealth model, the good-faith exam is the soft spot. The audit trail reveals time-on-chart: how long the record was actually open, how long elapsed between opening the encounter and signing the note, and whether the clinical narrative was cloned from a prior patient. A “comprehensive evaluation” note that was open for seconds, populated by copy-forward, and signed in a batch alongside dozens of others tells a very different story than the chart's prose. Provenance and copy-paste detection — well documented in the EMR-integrity literature — turn an attractive-looking note into evidence of a pro-forma encounter.

4. The reported symptom that was seen and ignored

GLP-1 injuries rarely arrive without warning. Patients message the practice about relentless vomiting, abdominal pain, or vision changes. Internal EMR messaging — Epic's In Basket is the common example — and patient-portal logs record when those messages arrived, when the provider opened them, and when (or whether) anyone acted. A provider who testifies they were never notified, in a record showing the message was viewed days before the hospitalization, has a problem the audit trail created.

A fifth pattern overlays all of these: post-incident alteration. Late entries, amendments, and deletions after the provider had notice of a claim are exactly what the audit trail is built to capture. Even when the printed note looks pristine, the underlying metadata records when and how it was modified — and courts routinely treat late or altered entries as evidence of negligence or worse.

The discovery trap: an access log is not an audit trail

The single most common way these cases get quietly defused is the substitution of an access log for the audit trail, and an attorney who does not know the difference will accept it. They are not the same artifact. An access log typically tells you, in a few dozen columns, who opened a chart. A true audit trail — Epic alone exposes thousands of auditable fields — distinguishes adding from deleting a note, carries unique document and order identifiers, captures pend/sign/modify/unchart actions, and lets you verify the integrity of the record rather than merely its access. Defendants frequently produce the thinner artifact, sometimes with date filters applied that conveniently exclude post-incident activity, and represent it as the audit trail.

Three practical consequences follow. Ask for the audit trail, by name, not “the records.” Ask for it in native or delimited (spreadsheet) format, not a flattened PDF, so the data can be sorted, filtered, and reconstructed into a timeline. And ask for logs through the date of production, not just through discharge — the most revealing entries are often the ones made after the patient walked out the door.

Telehealth and med-spa cases have their own fingerprints

The direct-to-consumer telehealth and med-spa channel concentrates the risk. Look for cross-state prescribing without a relationship that satisfies the destination state's good-faith-exam rule; nurse-practitioner prescribing under independent-practice authority without the supervised hours the state requires; RN administration without a prescriber's exam; and batch-signed encounters that betray automated prescribing. The audit trail, read against the practice's stated workflow, is what separates “individualized telemedicine” from a prescription mill — and it is the same metadata the state boards are now using in their own disciplinary investigations.

The compounded-GLP-1 wrinkle

If the product was compounded rather than branded, the case shape changes. There is no manufacturer MDL waiting to absorb it; compounded-semaglutide injury claims are individual matters under state pharmacy-malpractice and negligence law, and the defendant base is fragmented across compounding pharmacies, telehealth platforms, and prescribers. That makes two record sets essential and complementary: the prescriber's EMR audit trail (did they disclose the compounded product's non-approved status and the FDA's specific compounded-semaglutide warnings?) and the compounding pharmacy's dispensing and batch records (what was actually in the vial, and was it contaminated or misdosed?). At least one wrongful-death claim has already alleged a patient died after a compounded semaglutide product contained contaminants — and there, the prescriber's consent documentation and the pharmacy's records are two halves of the same proof.

Audit trails are time-sensitive — move on preservation first

None of this evidence is guaranteed to survive. EMR systems purge or overwrite audit data on retention schedules, and once it is gone it is frequently unrecoverable. The protective move is an early, specific preservation letter — one that names the audit trail, access logs, provenance logs, internal messaging, and metadata, and that puts the provider on notice the moment litigation is reasonably anticipated. Where a provider fails to preserve after that notice, the failure can constitute spoliation, and courts have imposed real sanctions — adverse-inference instructions and, in at least one high-exposure matter, a default finding of liability for failing to produce an audit trail while representing that it could not be produced. A vague request for “the complete medical record” does not trigger those protections. A precise one does.

What to request in discovery

A starting checklist for a GLP-1 prescriber case:

• The complete audit trail (not access log) for the patient's record, in native or delimited format, through the date of production.
• Provenance / data-source logs sufficient to distinguish typed entries from copied, pasted, or template-populated content.
• Pend/sign histories for the consent note, contraindication screen, and any encounter note — creation, pend, sign, and modification timestamps.
• Internal messaging and patient-portal logs (e.g., In Basket), including receipt and read timestamps for any symptom report.
• The prescription order transaction record, with the order's true creation and transmission timestamps.
• For compounded products: the compounding pharmacy's dispensing records, formulation, and batch documentation.
• The identity and title of the person most knowledgeable about the EMR's audit and logging configuration, and the system settings and retention parameters in effect at the time of care.

How EMRCheck fits

EMRCheck performs forensic analysis of EMR audit trails for plaintiff-side medical-malpractice and personal-injury counsel. The work is not reading the chart you were handed — it is reconstructing the timeline the chart was built to obscure: identifying late and back-dated entries, exposing pended and never-signed notes, flagging copy-forward and templated documentation, correlating internal-messaging timestamps against testimony, and verifying whether what was produced is the genuine audit trail or a filtered substitute. We work across the major platforms — Epic, Oracle Health (Cerner), MEDITECH, athenahealth, eClinicalWorks, and Allscripts/Veradigm — and translate the metadata into a clear, defensible timeline your team can use in discovery, deposition, and at trial.

If you are evaluating a GLP-1 prescriber or compounded-semaglutide case and the chart looks cleaner than the outcome suggests it should, the audit trail is where the discrepancy will be. We can help you find it before it is purged.