NJNYIT Consulting
Plaintiff-side guide General information · not legal advice

Medical-Legal · Guide

Use the HITECH Act to get complete medical records — including the audit trail.

The HIPAA right of access — strengthened by the HITECH Act — lets your client obtain their own electronic record at a cost-based fee, not inflated per-page rates. But the audit trail that proves how the chart was really created takes the right discovery language. Here's how the two fit together.

The problem

You're overpaying for an incomplete chart.

Most firms request records the expensive way: a subpoena or authorization routed through the provider's release-of-information (ROI) vendor, billed at state per-page copy rates that can run into hundreds or thousands of dollars for a single hospitalization.

And for that money, you usually get the designated record set — the printable clinical chart. What it leaves out is exactly what wins or loses a documentation fight: the audit trail, prior versions of notes that were later edited, late entries and addenda, and the metadata showing when each entry was actually made.

There's a cheaper path to the records, and a separate, deliberate path to the audit trail. Using the right one for each is the whole game.

The leverage

What the right of access actually gives you.

Under the HIPAA Privacy Rule's right of access (45 CFR 164.524), strengthened by the HITECH Act, your client has a personal right to their own records.

Electronic form

If the provider keeps the record electronically, your client can require it be produced in electronic form — not a paper print-out you re-scan.

Cost-based fee

A request for the individual's own records carries a reasonable, cost-based fee — typically far below the state per-page ROI rates charged on attorney requests.

Patient-directed delivery

HITECH also lets a patient direct that an electronic copy be sent to a third party — for example, your firm — on the patient's written, signed request.

The limits, stated honestly

  • The right of access reaches the designated record set, not the audit trail itself. The audit log generally isn't part of that set, so access alone won't produce it. That's why the audit trail needs its own request (below).
  • The reliable cost-based fee applies when the patient requests their own copy. Courts have narrowed the fee limits for records a patient directs to a third party (see Ciox Health v. Azar, 2020), and that third-party directive is scoped to electronic records held in an EHR. The simplest, lowest-fee route is usually: client obtains their own electronic records, then provides them to you.
  • Specific fee caps, timelines, and state-law overlays change over time. Treat the figures here as general guidance and confirm the current rule for your jurisdiction.

The audit trail

Ask for it explicitly — in discovery.

Because the audit trail sits outside the designated record set, you compel it through discovery, not an access request. The Security Rule already requires providers to maintain audit controls (45 CFR 164.312(b)), so the logs exist — the request just has to name them precisely. Adapt the language below to your jurisdiction and matter.

Sample request language (adapt to your case)
For the patient identified above, and for the full date range of the care at issue, produce:

1. The complete audit trail / access log for the electronic health record — every create, view, modify, print, and delete event, with user ID, role, date, and timestamp — as required by the HIPAA Security Rule audit controls standard, 45 CFR 164.312(b).

2. All prior versions of any amended, corrected, or edited entry, together with the amendment, addendum, and late-entry logs showing what was changed, by whom, and when.

3. The metadata associated with each entry (authorship, entry time vs. event time, and any "entered-in-error" or retraction flags).

4. The EHR system's native audit-trail / record-of-access export and the vendor's specification for that export (e.g., Epic, Oracle Health / Cerner, MEDITECH), produced in the system's standard electronic export format rather than as a printed summary.

5. Where the records are subject to FDA-regulated electronic-records requirements (e.g., clinical research records), the corresponding audit-trail data maintained under 21 CFR Part 11.

Naming the EHR vendor's native export specification matters: producers will often offer a printed "audit summary" that omits the structured event data. The request above asks for the system's actual export, which is what makes the findings verifiable.

Why it matters

The audit trail is where the documentation case lives.

Once you have the complete electronic record and the audit trail, the chart stops being a static narrative and becomes evidence you can test. Late entries made after an adverse event, edits to notes that change their meaning, signs of backdating, and quiet deletions all leave traces in the log.
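An added example, not part of the original page and not any EHR vendor's format or tooling: a short Python pass over a constructed audit-log export that flags the traces described above (late entries, edits after an adverse event, deletions). The column names, the two-hour late-entry threshold and the adverse-event time are assumptions for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names are assumed, not a vendor specification.
# event_time  = when the entry says the care occurred
# logged_time = when the system recorded the action
SAMPLE = """\
seq,user_id,role,action,entry_id,event_time,logged_time
1,rn104,RN,CREATE,N-1,2024-03-02T08:00,2024-03-02T08:05
2,md220,MD,CREATE,N-2,2024-03-02T09:30,2024-03-02T09:41
3,rn104,RN,VIEW,N-1,2024-03-02T08:00,2024-03-02T14:10
4,rn104,RN,MODIFY,N-1,2024-03-02T08:00,2024-03-02T15:20
5,md220,MD,CREATE,N-3,2024-03-02T11:45,2024-03-03T07:02
6,rn311,RN,DELETE,N-2,2024-03-02T09:30,2024-03-03T07:30
"""

def analyze(export_text, adverse_event, late_after=timedelta(hours=2)):
    """Return (seq, entry_id, user_id, finding) for each event that merits review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        documented = datetime.fromisoformat(row["event_time"])
        logged = datetime.fromisoformat(row["logged_time"])
        action = row["action"].strip().upper()
        # Entry describes care before the adverse event but was touched after it.
        touched_after = documented < adverse_event < logged
        finding = None
        if action == "CREATE" and logged - documented > late_after:
            finding = "LATE_ENTRY_AFTER_ADVERSE_EVENT" if touched_after else "LATE_ENTRY"
        elif action == "MODIFY" and touched_after:
            finding = "MODIFIED_AFTER_ADVERSE_EVENT"
        elif action == "DELETE":
            finding = "DELETED"
        if finding:
            findings.append((int(row["seq"]), row["entry_id"], row["user_id"], finding))
    return findings

if __name__ == "__main__":
    # Assumed adverse-event time for the constructed sample.
    for hit in analyze(SAMPLE, datetime(2024, 3, 2, 13, 0)):
        print(hit)
```

Each flag is a lead to check against the prior versions and amendment logs, not a conclusion; a late entry can have an ordinary explanation.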

That's the work we do: independent EMR verification and audit-trail analysis — authenticating the record and turning the metadata into declaration-ready findings. If you'd like help scoping a records request or reviewing what's already been produced, get in touch.

Next step

Get a 20-minute intake on the calendar.

Scope the records you need to request, the right language to use, and whether an audit-trail analysis fits the case. No deck. No retainer required to talk.

Disclaimer: This page is general information about medical-records access and discovery, not legal advice, and does not create an attorney–client or consulting relationship. Regulations and fee limits change and vary by jurisdiction — confirm the current rules for your matter before relying on them.