New ASTM Audit Trail Production Standard: An Interview with Nursine Jackson
In 2017, ASTM, an international standard organization, withdrew standard ASTM E2147 – 01, the Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems, without any kind of notice or replacement. The standard, defining the minimal elements that must be included in an audit trail, was initially released in 2001 and is still referred under 45 CFR 170.210, which enforces the production of audit trails in cases involving electronic health records. Plaintiff attorneys could no longer rely on the standard specifications and to make matters worse, defense attorneys capitalized on the confusion as a tool for barring the production of the audit trail.
Nursine Jackson became familiar with this issue through her work as a Legal Nurse. Shocked that the standard had been withdrawn with no replacement, she called ASTM. With encouragement from ASTM Director, Pat Picarello, Nursine became the chair of ASTM’s Healthcare Informatics Subcommittee E31.25 on Healthcare Data Management, Security, Confidentiality, and Privacy to update this standard to meet the current state of technology.
For 18 months, Nursine worked with colleagues who shared her passion for improving the integrity of electronic health records (EHRs). Subcommittee members, including doctors, nurses, lawyers, HIT experts, and representatives from organizations including the FDA, ONC, OCR and even EHR vendor engineers, contributed to the standard. Their efforts were successful with the implementation of ASTM E2147 – 18, which now supersedes ASTM E2147 – 01 and should soon resolve the 45 CFR 170.210 conflict.
EMRD had the opportunity to interview Nursine Jackson to learn more about her work on ASTM E2147 – 18.
Lack of Plaintiff Representation in e-Discovery Standards
Nursine’s experience shows that implementing the ASTM standard has been poorly enforced, resulting in plaintiffs commonly failing to obtain access to health information and/or trustworthy information that HIPAA intends. This problem may flow from a defense-oriented faction overwhelmingly influencing eDiscovery. A wellspring of groups, seriously devoid of plaintiff’s advocates, are cranking out standards for eDiscovery then providing their standards to judges and law schools free of charge.
Nursine provided the following groups that are likely having major influence on judges’ opinions:
Institute for the Advancement of the American Legal System (IAALS), University of Denver - eDiscovery Rule One Initiative
George Mason University - Discovery courses
Duke University, Center for Judicial Studies - Creating Practical Resources to Improve e-Discovery & Information Governance
Sedona Conference - see: Diagnosing and Treating Legal Ailments of the Electronic Health Record: Toward an Efficient and Trustworthy Process for Information Discovery and Release by Hon. Ralph Artigliere, Chad P. Brouillard, Dr. Reed D. Gelzer, Kimberly Reich & Steven Teppler
She said that, “This one-sided contribution to judges’ thinking makes it more difficult for plaintiffs to obtain discovery that may be useful, even critical, in litigation”. In Nursine’s opinion, “Plaintiffs’ attorneys must insinuate themselves into these powerful and well-established standard-writing committees to have a voice in developing fair standards to enforce patients’ rights to trustworthy health information. Although there is a new standard for audit trails that should prove to be very useful, there is still much work to be done to level the playing field in terms of e-Discovery.”
Health Information Systems and the Skillset of Data Custodians
Based on her experience with discovery production from healthcare information systems, Nursine found that healthcare IT departments do not have the skillset or training required to understand the standards and production of responsive audit trails. She stated that before her work on ASTM 2147E, she thought that healthcare organizations and personnel were intentionally misusing or incorrectly producing audit trails. She recently learned that in addition to the obstructing and obfuscating defense tactics discouraging EHR users involved in litigation from producing useful audit trails, the staff at the hospitals simply did not know the standards. Even the most knowledgeable IT staff were not well trained in the EHR systems to create proper audit trails. Acting as a liaison, she has helped staff use manuals and communicate with the vendors to learn how to produce requested discovery. From her experience, she believes that more knowledge and training concerning audit trail standards by the EHR vendors and healthcare organizations would help the staff immensely.
Nursine has also found that between the different software EHR companies, and even within the same EHR vendors, the quality of record varies drastically depending on facility and software. Sometimes the same facility that produces a phenomenal record for one case will produce a record with serious omissions for another case. The facility might deny being able to produce sections of the record and/or audit trails that they produced in other cases. Nursine acknowledges, in frustration, that educating judges and calling upon the Office of Civil Rights to enforce production of trustworthy medical records has been sub-optimally effective in ensuring that medical records and their corresponding audit trails are comprehensive, useful, and consistent. Further work must be done in eDiscovery to change this unfairness.
Nursine’s Work in Revising the ASTM 2147 Standard
Nursine explained the details of the superseded ASTM 2147 – 01 standards. An audit trail is the only means to verify the integrity of a medical record. The standard, defining the minimal elements that must be included in an audit trail, was initially released in 2001 by ASTM, an international standard organization, as ASTM E2147 – 01. It is referred to under 45 CFR 170.210, which enforces the production of audit trails in cases involving electronic health records. ASTM E2147 – 01 became “incorporated by reference” in 45 CFR 170.299, which made this standard the law. This 2001 audit trail standard was reapproved in 2009 and again in 2013, but needed a major overhaul to keep up with the evolution of the technology. In 2017, ASTM E2147 – 01, the Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems, was “withdrawn” by ASTM, although it remained incorporated by reference (it remained the law).
Nursine Jackson learned of the “withdrawal” of E2147 through her work as a Legal Nurse in March of 2017 when she tried to send a link of the standard to a colleague. Shocked that the standard had been withdrawn with no replacement, she called ASTM and left a message, never expecting to hear back. Within minutes, the ASTM Director, Pat Picarello, returned her call, echoing her frustration. Numerous phone calls later, Mr. Picarello encouraged Nursine to chair ASTM’s Healthcare Informatics Subcommittee E31.25 on Healthcare Data Management, Security, Confidentiality, and Privacy to update this standard to meet the current state of technology. Nursine turned to her colleagues, who shared her passion for improving the integrity of electronic health records (EHR), to help with this project.
Nursine knew that Jerry Meyer’s passion for this subject reveled her own, in that they shared information about electronic records and audit trails for nearly a decade and she coauthored several articles with him. Jerry Meyers became an integral partner in the project. For eight months, they drew from the experience and insights of long-time subcommittee members. Members included individuals from the Office of the National Coordinator for Health Information Technology (ONC, the organization actually responsible for certifying current standards), as well as industry experts from the FDA, OCR and even EHR vendor engineers. Quickly appreciating that the existing committee members lacked actual clinical experience, Nursine expanded her team of consultants to include clinicians. To craft the new standard, she further expanded the committee to include nurse informatics experts, physicians who were also IT experts, and attorneys advocating for patients.
Early in the audit trail standard-updating process, Nursine’s ASTM subcommittee drew information from dozens of knowledgeable (and opinionated) experts, who were willing to provide insight, but not otherwise participate in the lengthy process of revising and rewriting ASTM E2147. With the aim of gathering information from interested parties, the subcommittee had hour-long meetings one or two days a week for five months. Finally, when they had collected the necessary insights, they met in the mountains for an “audit trail retreat” to prepare the first draft of the updated standard. They spent four eight to ten-hour days re-writing the entire content of the standard. Additional committee members further refined the standard using Google docs, which allowed them to work as a team remotely. Some of the additional members included Stephen Barnes, MD, JD (a Johns Hopkins trained surgeon and Harvard Law educated attorney from Houston, Texas), Jennifer Keel, JD (an attorney with Thomas, Keel, Laird of Denver, CO and one of the industry’s thought leaders on electronic medical records evidence and audit trail use in medical negligence litigation), Roger J. Leslie, (a research scientist and attorney with his own law firm from Seattle, Washington), and Jonathan Lomurro, JD (an attorney with further education as a Master of Law in Trial Advocacy degree (LL.M), author of three books on Legal Practice and Litigation Technology for the Modern Practitioner with the Lomurro Law Firm in New Jersey). It would be remiss not to mention the significate informational contributions by Michael Foley, JD (Scranton, PA).
The main need expressed by experienced EHR consultants was that the updated audit trail standard needed to clarify, in unmistakable language, the minimal data elements that each clinical audit trail should contain. To meet this need in the rewriting, the committee sought to provide enough information for each involved party to fulfill their responsibilities. For example, the software engineers had to understand what auditing abilities they needed to include in their products; the certifying bodies had to know the functionality that properly written software should contain in order to audit and produce audit trails; EHR software users had to know what auditable data they needed to collect, maintain, and produce upon request; representatives of patients involved in litigation had to know what information should accompany electronic records to verify they had a trustworthy medical record.
Many months into the new presidential administration and many months into the process of updating this standard, committee members from the ONC noted that this administration was removing checks and balances from most industries. After spending months of hearing that all consultants wanted more clarity in the updated standards, Nursine received contrary advice telling her not to make standards more stringent. She went with her heart and created a standard that addressed the needs expressed by everyone consulted, including those creating, certifying and using EHRs.
After nearly a year in the making, the new standard went to committee for a vote. The ASTM committee, who would review and give an affirmative or negative vote, was made up of a diverse voluntary membership coming from places one would expect, such as representatives of the software industry, governmental agencies responsible for certifying enforcing, and monitoring, medical schools and universities, and the insurance industry. Surprisingly, there were also committee members from industries and universities in Singapore, Rwanda, China, and many other interested parties from around the world.
Nursine came to learn that there had been prior failed attempts to update ASTM E2147, which were unsuccessful because they could not get more than 60% ballot activity. After Nursine devoted a year of serious efforts to revising this standard, it worried Nursine that it could fail because of inertia. She explained this risk of failure to many colleagues who were true patient advocates. In response, twelve more colleagues joined ASTM and requested to be part of the subcommittee in addition to the people involved in the consultations and the writing responsible for updating E2147. As a result of their efforts and interest, 75% of the committee voted in support of the new standard, with no negative votes.
The involvement of people on the committee from all over the world demonstrates the international importance of a comprehensive audit trail standard. But if it weren’t for the enthusiasm and efforts of a small group of patient advocates, this much needed audit trail standard would not have been passed.
Nursine Jackson’s Background
Nursine first came into the medicolegal industry in 1981. An assistant district attorney in Pittsburgh asked for assistance with medical information and illustrations to understand and illustrate the medicolegal issues in homicide, drug, and alcohol related cases. She soon started helping with personal injury and healthcare cases. Working with a group of individuals that spearheaded the legal nurse consultant profession, Nursine’s first tutorial was on how a legal nurse consultant would assist in developing a failure to diagnose myocardial infarction case.
In 2007, she had her first case in which audit trails were critical in proving the facts of a case involving electronic health records. In 2010, Nursine wrote her first article for AAJ discussing electronic medical record standards which Nursine said was initially accepted, then unceremoniously rejected by Trial magazine editors at the last minute because “this is nothing our attorneys need or would be interested in.” Shortly after this rejection, she resubmitted her article as co-author with Jerry Meyers and Mark Bower and it was published by New York’s state litigation review journal.
To learn more about healthcare information system litigation consulting services, visit