How to Read an Epic Audit Trail: A Plaintiff Attorney's Guide
An Epic audit trail export lands on your desk as a dense spreadsheet: users, actions, timestamps, workstations. Here is what the columns mean, what a filtered export quietly leaves out, and the patterns worth a second look.
Epic is the most widely deployed EMR in American hospitals, which makes the Epic audit trail the audit trail most plaintiff attorneys will eventually have to read. When a production finally includes one, it usually arrives as a spreadsheet with thousands of rows and a column layout nobody explains. This guide covers what you are looking at: where the data comes from, what the common columns mean, what a filtered export quietly omits, and the patterns that deserve a second look. One caveat up front — report names, column labels, and export formats vary by Epic version and by how each organization has configured its reporting, so treat what follows as the anatomy of the data, not a template every export will match.
Where the data comes from
Epic runs on the Chronicles database, accessed by clinicians through the Hyperspace client (and its newer successor, Hyperdrive). The chart you receive in a records production is an abstracted output of that database. The forensic data lives behind it: access history showing who opened the chart, action-level audit records showing what was done, and note revision history showing how documentation changed over time. For reporting and analysis, organizations typically extract this data through Epic's reporting tools and downstream reporting databases — which matters in discovery, because the answer to 'can you produce this?' often depends on which reporting path the organization uses, not on whether the data exists.
It also matters that Epic's audit data is not one report. An access log (who viewed the record, and when) is not the action audit (who changed what), and neither is the note revision history (what each note said in each version, with save and sign times). A production that includes one of the three is routinely characterized as 'the audit trail.' It isn't — and knowing the three layers exist is the single most useful fact for evaluating what you were given.
Reading the columns
Column labels differ across exports, but most Epic audit and access reports carry the same underlying fields. The ones that do the forensic work:
- User — the account that performed the action, usually with a name and system ID. Watch for service and interface accounts, which represent automated activity rather than a human at a keyboard.
- Role / department — the user's job function and unit. This is how an access event from risk management, patient relations, or health information management stands out from treatment-team activity.
- Action / event type — what happened: the record was opened, a note was filed, an order was placed, an entry was modified, a document was printed. The vocabulary varies; the distinction that matters is view events versus change events.
- Timestamp — when the system recorded the action. This is server time, recorded by the machine, not the clinical time a note claims to describe. The gap between the two is where late entries live. Confirm the time zone and whether any conversion was applied to the export.
- Workstation / device — the workstation ID or device the action came from. A note authored 'at the bedside' that traces to an office workstation, a remote session, or another building is a fact worth understanding.
- Patient / encounter context — which chart and encounter the action touched, which matters when activity spans multiple admissions.
Two timestamp subtleties recur. First, Epic distinguishes when an entry was filed (saved to the system) from when it was signed, and both can differ from the clinical time the author says an event occurred. A note can honestly describe 14:00 events and dishonestly imply it was written at 14:05; the filed time is what settles it. Second, exports assembled across daylight-saving transitions or from systems in different time zones can shift events by an hour — an innocent explanation that should be checked before an apparent discrepancy is treated as meaningful.
What a filtered export hides
An audit export is the output of a query, and the query has parameters: a date range, a set of users, a set of event types, sometimes a single encounter. Every parameter is a place where responsive data can silently fall outside the production. A date range that starts the day of the incident misses the pattern of documentation before it. A user-scoped export misses everyone you didn't know to name. An export limited to change events omits the access history; one limited to access events omits the changes. And an export scoped to one encounter can exclude activity recorded under a related admission or an ambulatory context.
The counter is to treat the export criteria as discoverable facts: ask what query produced the export — date range, users, event types, encounters — and compare it to what you requested. If the criteria were narrower than the request, the gap is now visible and specific rather than invisible. Where completeness matters, request the export in native format and ask the organization to identify which audit reports its Epic version can run, so 'we can't produce that' becomes a claim you can test.
It is also worth asking, in an interrogatory or at a custodian deposition, who ran the export, from which tool, and under what instructions. The person who built the query is a fact witness to its scope — and organizations frequently delegate audit exports to an analyst who was told a date range and nothing else. That testimony, set against the request's actual language, is how a quietly narrowed production becomes a documented one.
Red flags worth a second look
Most audit trails are unremarkable, and most anomalies have innocent explanations. These are the patterns that justify pulling the thread:
- Post-incident access spikes — a cluster of chart-opens in the hours or days after an adverse event, especially from roles outside the treatment team, or activity that intensifies after a records request or notice of claim arrives.
- Late entries — documentation filed hours or days after the clinical time it describes, particularly when the note reads as if written in the moment.
- Addendum patterns — a burst of addenda or corrections to the same note or the same shift's documentation, after the outcome was known. A disclosed, timestamped addendum is legitimate; what matters is what changed, when, and whether the original text was also modified.
- Save-versus-sign gaps — entries signed long after they were saved, or edited between saving and signing, which can make the final version differ from what was first written.
- Print and export events — who printed or exported the chart, and when, which can show what the organization was assembling internally before the production went out.
- Missing layers — an access log produced without the action audit, or either produced without note revision history. The absence is itself a finding: the layer that shows alterations is the one most often left out.
None of these is proof of anything by itself. A late entry after a chaotic code is normal medicine; risk-management access after a bad outcome is often routine event review. The forensic value is in the pattern — timing, clustering, and whether the metadata's chronology matches the story the chart tells on its face.
Cross-checking the audit trail against the chart
The most productive hour you can spend with an Epic export is a reconciliation pass: line the audit data up against the produced chart and check that the two accounts agree. Every note in the chart should have corresponding filed and signed events in the audit trail, at plausible times. Every critical result should have a first-open event by someone on the treatment team, before the decisions that supposedly relied on it. Every order should have an entry event consistent with who claims to have given it. Work the other direction too: events in the audit trail that reference documents you were never given — a deleted note, an earlier version, a scanned outside record — are items missing from the production, identified by name.
Where the reconciliation fails is where the case gets interesting. A note with no corresponding filed event suggests the export is incomplete. A filed time hours after the note's clinical time is a late entry. A modification event on a note whose produced version shows no addendum means there is a revision history you have not seen — and Epic retains note revision history, so it can be requested specifically, with the save-versus-sign times for each version.
When to bring in an analyst
If the export is small and the question is narrow — was this one note filed late? — a careful attorney can often answer it from the spreadsheet. Bring in a forensic analyst when the export runs to thousands of rows, when the produced layers don't line up with each other or with the chart, or when the finding needs to be stated in a declaration or at deposition with the method documented. An independent reconstruction of the record's timeline, drawn from the system's own logs, is considerably harder to argue with than a highlighted spreadsheet — and it tells you what to demand next when the production turns out to be a fraction of what exists.
This article is technical and regulatory information, not legal advice. Epic report names, capabilities, and export behavior vary by version and configuration, and capability should be assessed against the specific deployment.
This article is technical and regulatory information, not legal advice. EMRCheck is not a law firm.