Audit Trail Discovery in Med-Mal: What Works in 2026

EMR audit logs have moved from contested ESI to baseline discovery in medical-malpractice practice. A look at how plaintiff firms are using them, where defense objections are losing, and how the spoliation analysis has hardened in 2026.

Five years ago, requesting a complete Epic or Cerner audit log in a medical-malpractice case meant a protracted fight over scope, burden, and trade-secret claims. In 2026, that fight is mostly over. Plaintiff attorneys who do not request the audit trail are leaving causation evidence on the table, and defense firms that resist production are increasingly losing those motions.

A Pennsylvania trial court issued one of the more aggressive 2025 orders, compelling production of an entire Epic log across the relevant admission despite the health system's claim that the data was burdensome to extract and partially privileged under peer-review statutes. Similar orders followed in California, Illinois, and Georgia. The shift is procedural rather than doctrinal: courts are now treating audit logs as proportional discovery under Rule 26(b)(1) rather than novel ESI.

What the audit log actually shows

The audit log is the metadata layer behind every chart entry. It captures the user ID, workstation, timestamp, and action type for each interaction with the record. Useful patterns include:

  • Late entries and amendments added after the patient outcome was known
  • Order-entry sequences that contradict the chart narrative
  • Read-only access by attending physicians who later claimed they reviewed nothing
  • Repeated reviews of a specific lab value or imaging study showing the clinician saw the abnormality and did not act
  • Communication tasks that were created, assigned, and dismissed without action

None of this is hypothetical. The Epic audit log records mouse clicks, paragraph expansions, and even the order in which tabs were opened. Cerner Millennium logs capture similar granularity. The forensic value is highest when the chart narrative is clean but the timing does not match the alleged sequence of decisions.
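To show how two of these patterns surface once the log is in a sortable native format, here is an added example (not vendor code and not from any case) that flags late entries and repeated views without action. The CSV columns, action names, user IDs, and timestamps are constructed assumptions; real Epic, Cerner, and Meditech exports use their own layouts.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. Column names and action values are assumptions,
# not a real vendor schema.
SAMPLE_LOG = """timestamp,user_id,workstation,action,item
2026-01-10T02:14:00,RN204,WS-ICU-03,VIEW,lab:lactate
2026-01-10T02:31:00,MD117,WS-ICU-01,VIEW,lab:lactate
2026-01-10T03:05:00,MD117,WS-ICU-01,VIEW,lab:lactate
2026-01-10T03:40:00,MD117,WS-ICU-01,VIEW,lab:lactate
2026-01-10T02:20:00,RN204,WS-ICU-03,CREATE,note:nursing
2026-01-10T09:12:00,MD117,WS-OFFICE-7,AMEND,note:progress
"""
WRITE_ACTIONS = {"CREATE", "MODIFY", "AMEND"}  # assumed action vocabulary

def parse_log(text):
    """Parse the CSV export and return events sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda row: row["timestamp"])

def late_entries(events, outcome_time):
    """Write actions recorded after the patient outcome was known."""
    return [e for e in events
            if e["action"] in WRITE_ACTIONS and e["timestamp"] > outcome_time]

def repeated_views_without_action(events, outcome_time, min_views=3):
    """Map (user, item) -> view count where the user viewed the item at least
    min_views times and took no non-VIEW action from first view to outcome."""
    views = defaultdict(list)
    for e in events:
        if e["action"] == "VIEW" and e["timestamp"] <= outcome_time:
            views[(e["user_id"], e["item"])].append(e["timestamp"])
    flagged = {}
    for (user, item), times in views.items():
        if len(times) < min_views:
            continue
        acted = any(e["user_id"] == user and e["action"] != "VIEW"
                    and times[0] <= e["timestamp"] <= outcome_time
                    for e in events)
        if not acted:
            flagged[(user, item)] = len(times)
    return flagged

if __name__ == "__main__":
    outcome = datetime(2026, 1, 10, 5, 0)  # constructed outcome time
    log = parse_log(SAMPLE_LOG)
    print(late_entries(log, outcome), repeated_views_without_action(log, outcome))
```

A flag from this kind of pass is a lead for the timeline and the deposition outline, not a finding; the thresholds and the outcome time are inputs the reviewer has to justify.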

How to write the request

Generic requests for the entire chart do not produce the audit data. The boilerplate response is that the audit log is not part of the medical record under HIPAA, so it is not produced in response to a records request. That is technically correct and tactically useless. The audit log is electronically stored information under Rule 34, and the request should reference it by the vendor's specific log name: the Audit Trail Report in Epic, the Provision of Care report in Cerner, the Activity Log in Meditech.

Effective requests do three things. First, they identify the patient encounter by MRN and date range rather than by chart section. Second, they specify both user-level and patient-level audit data, since hospital responses sometimes produce only one. Third, they include native format as a deliverable, since printed PDFs of audit logs lose the sortable structure that makes the data useful.

Certificate-of-merit and presuit screening requirements still come first in most states. Audit trail evidence rarely informs the initial expert review, since the data is not produced presuit. The data becomes load-bearing later, during deposition prep and at the standard-of-care expert's report stage.

Standard-of-care experts now expect the audit log

Three years ago, a standard-of-care expert who insisted on reviewing audit data was unusual. Now it is the baseline expectation for any case involving timing disputes, especially in emergency medicine, ICU, and obstetrics. Experts who present opinions without reviewing the audit log are vulnerable on cross. A defense expert who concedes that the audit log would have been "helpful but not necessary" loses credibility with a sophisticated jury.

The corollary on the plaintiff side is that retaining an expert before requesting the audit log can backfire. The audit data sometimes contradicts the theory the expert built from the narrative chart alone. Plaintiff firms running med-mal in volume now structure their workups to defer expert sourcing until the audit log is in hand, then brief the expert on both the chart and the metadata together. That changes how case selection works, since the workup is longer before the firm commits to the expert spend.

Spoliation and the new sanction regime

The most consequential change is in the spoliation analysis. When a hospital cannot produce a complete audit log because of retention policies, gaps in vendor logging, or a system migration that purged the data, courts are increasingly treating the gap as sanctionable rather than as the cost of doing business. Some 2025 orders have included adverse inference instructions, default findings on aspects of standard of care, and direct fee-shifting.

The doctrinal hook is straightforward. Under FRCP 37(e), a duty to preserve attaches once litigation is reasonably anticipated. For a hospital with an in-house malpractice claims function, that duty almost always attaches when the incident is internally flagged, which is often months or years before suit is filed. The Pennsylvania order discussed above rejected the hospital's argument that its 90-day audit retention was an objectively reasonable standard, holding that the duty to preserve attached at the time of the sentinel event.

Practical workflow for the plaintiff firm

The following sequence works in 2026 med-mal practice:

  • Preserve at intake. Send a litigation hold letter that specifically names the EMR vendor, the audit log retention policy, and any third-party scribe or transcription vendors
  • Request native format in the first wave of written discovery, paired with a 30(b)(6) deposition notice on retention policies
  • Engage a forensic EMR consultant before disclosing the standard-of-care expert. The consultant translates the raw log into a timeline the expert can read
  • Coordinate with lien resolution early. Hospital liens are harder to negotiate down once the audit log has exposed deviations from the standard of care, since the institution becomes more defensive about the underlying billing
  • Use the audit log to drive the deposition outline rather than treating it as a supplementary exhibit

The audit trail will not save a thin case. A weak liability story remains weak even when the metadata is clean. What the audit log does is convert close cases into provable ones, and it puts pressure on the defense to settle before a jury sees a side-by-side of the chart narrative and the actual click stream.

What to watch in the next twelve months

Two issues are likely to drive 2026 case law. The first is the scope of peer-review privilege over audit data. Hospitals continue to argue that user-level activity tied to morbidity-and-mortality review is privileged, and a clean appellate ruling on that question would meaningfully shift the discovery calculus. The second is whether courts will require production of audit data for non-party providers, including locum tenens physicians and contracted radiology groups whose access shows up in the host hospital's logs but whose employment records are elsewhere.

For practitioners running med-mal dockets at scale, the operational question is no longer whether to chase the audit log. It is how to staff and price the additional forensic workup so the cases that benefit from it are identified before the firm has spent the cost of the expert. Audit log review is now part of underwriting, not an optional extra layer of work. The firms that built this into intake and case selection are the ones still picking up referrals on the back of recent appellate work in the field.
