CA Bill Demands Hospital EMRs Track Users

California legislators have raised the hackles of the state’s hospitals with a new bill demanding that they track EMR usage far more closely.

The bill, which has already passed to state’s Senate, would demand that hospitals automatically track who modifies or deletes EMR records.  More controversially, it would require hospitals to give patients a list of such changes, as well as the authors of said updates, if patients ask for their medical records.

The bill was sparked in part by the case of Diane Stewart, a woman who died abruptly after knee surgery at Stanford University Medical Center.  After Stewart’s death, state investigators found that parts of her file had been erased and that entries had been added postmortem.

Hospitals are screaming bloody murder, arguing that state legislators are pulling out the big guns over a rarely-seen issue.

In her ignorance, your humble blogger had assumed that the hospitals’ complaints were mostly politics and posturing, but maybe not. Kaiser Permanente, owner of perhaps the world’s most expensive Epic installation (a rumored $3 billion plus investment), has gone on record saying that their system can’t meet the proposed standard.

The truth is, it’s actually pretty sad that hospitals can’t generally meet this standard. Seems to me that if you’re handling sensitive medical information — even with out HIPAA to punish you — you’d want to have a super-clear idea of who’s playing with it. But apparently, access log management isn’t what it could be, even in the case of gold-plated top-tier gazillion dollar enterprise EMRs.

So, California hospitals, I’m sorry to see that you actually put systems into place that can’t provide this capability. Not knowing who edits patient records is simply unacceptable, in my mind.

But hey, maybe I’m naive. Are there better places to spend your security bucks than keeping your eye on access controls? Are vendors head-faking you out of demanding these capabilities? Or were you just waiting for the other shoe to drop and you were forced to crack down on access? Just wondering…

About the author

Anne Zieger

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.


  • Interesting post. I remember hearing one SaaS based EHR software vendor tell me that many of the legacy EHR systems that everyone knows about and uses do a terrible job with their audit logs. For example, I think he said that you might be able to see that something saved a record, but you might have no idea what they saved on it. It didn’t track if things were added, deleted, modified or otherwise. You just know that they clicked the save button. They might not have done anything at all.

    I wouldn’t be surprised. Getting audit logs done well is hard work and requires planning from the beginning.

  • Tracking access as well as add/change/delete actions including old/new data values in computerized systems has been a standard feature in many other business applications. Electronic Data Capture systems for Clinical Trials must have this capability by FDA regulation. It stuns me that EMR vendor systems could ‘get away’ with not having this capability – I would have expected purchasing organizations to have demanded it.

  • This is an interesting issue. Perhaps someone should talk with the programmers over at They have the ability to save all changes made to each account and who made the changes. As a user, I can see these changes at the bottom of each record.

Click here to post a comment