When the chart looks perfect, the audit trail tells the truth. Electronic health record systems used by nursing homes, including PointClickCare and MatrixCare, keep behind-the-scenes logs that record who did what and when. Those logs often reveal end-of-shift batches, copy-paste entries, and edits after an incident. In neglect cases, that timing can matter as much as the words on the page.
Federal security rules require covered entities to have audit controls that record and examine activity in systems containing electronic protected health information. The HIPAA Security Rule places this duty at 45 CFR 164.312(b). HHS’s Office for Civil Rights publishes guidance and an audit protocol that explain how organizations should log, retain, and review access and change events. The takeaway is simple. Nursing homes must be able to produce audit information for their EHRs.
Sources: 45 CFR 164.312(b); HHS OCR Security Rule guidance; HHS OCR HIPAA Audit Protocol.
While formats vary, certified EHR products must support auditing capabilities such as user identity, event type, date and time, and tamper-resistant storage. ONC’s 2015 Edition certification criterion §170.315(d)(10) Auditing actions on health information sets baseline expectations for vendors that seek certification. In practice, audit reports typically include user IDs, modules accessed, create and edit timestamps, and sometimes the workstation or IP.
Sources: 45 CFR 170.315; ONC 2015 Edition test procedure for §170.315(d)(10).
We request the audit trail for the same date range as turning logs, toileting and hydration records, wound notes, incident reports, and medication records. Then we line up timestamps against staffing assignments, call-light reports, bed or chair alarm logs, and family photos. If an entry claiming a 2 a.m. turn was actually created or batch-entered at 6:57 a.m. for multiple residents, the log exposes after-the-fact charting.
Ask for: the complete audit trail for the resident’s EHR during the key period, including user IDs, event types, timestamps, edits, and deletion metadata; the facility’s audit-logging and late-entry policies; and system time-zone settings. Pair this with the comprehensive care plan and updates, flow sheets for turns and toileting, wound assessments with measurements and photos, incident reports, call-light and alarm logs, and staffing assignments. You are entitled to designated record set information under HIPAA’s Right of Access, and facilities must maintain audit controls under the Security Rule.
Sources: 45 CFR 164.312(b); HHS OCR Security Rule guidance; HHS OCR HIPAA Audit Protocol.
Put the facility on notice to preserve the resident’s EHR, audit logs, surveillance video for the relevant hallways and rooms, bed and chair alarm reports, and assignment sheets. Ask for confirmation in writing. If cooperation stalls, contact your State Survey Agency and the Long-Term Care Ombudsman for help with enforcement and resident advocacy.
Documentation should match the bedside. When the plan calls for two-hour turns, heel off-loading, moisture control, and same-day escalation for early Stage 1 changes, the flow sheets and wound notes should show that work in real time. Audit trails make it possible to test that claim. They turn paperwork into a timeline that juries, judges, and regulators can trust.
Talk with Bedsore.Law for a FREE consultation. We obtain the audit trail, align it with the chart and photos, and show what really happened on the unit.
Links verified on 2025-11-07 America/Los_Angeles.
