Oklahoma Bar Journal
Diagnosing Discovery: A Primer on Discovery in Medical Malpractice Cases
By S. Shea Bracken
It’s official. You filed a medical malpractice lawsuit and are ready to take on the world. You walk out of the courthouse with your fist triumphantly pumped into the air, just like John Bender in the iconic scene where he walks off the football field during the ending of The Breakfast Club. Unlike in The Breakfast Club, this is not the end. In fact, it is the beginning of a long journey through complex discovery in a medical malpractice lawsuit. In order to be prepared for the daunting journey that is discovery in such a complex case, the attorney needs to be familiar with documents and records to support the theory of the case and, on the other hand, objections or hurdles that can stop the discovery of important records or documents. This article is not meant to be an in-depth discussion of discovery issues in a medical malpractice lawsuit; it is, instead, a 10,000-foot view of general discovery conducted in medical malpractice lawsuits. For a more exhaustive summary of discovery in medical malpractice lawsuits, a CLE program would be an excellent resource. It is also helpful to speak with other attorneys who have litigated cases with similar medical malpractice issues because they may be able to assist with discovery requests or discovery responses.
In a medical malpractice case, a party must show 1) a duty owed by the defendant health care provider, 2) a failure to perform that duty and 3) that a plaintiff’s injuries were caused by the defendant’s failure.[1] In order to establish a prima facie case of medical negligence, a plaintiff ordinarily must have medical expert testimony.[2] A medical expert must opine that a health care worker was negligent and that such negligence caused the patient’s injury.[3] For a medical expert to either support or defend a medical negligence case, the expert needs certain documents to determine what occurred during the care and treatment at issue. The key documents to obtain during discovery in a medical malpractice lawsuit are: medical records, policies and procedures, credentialing files and incident/investigation reports (incident reports). Together, these documents can help tell the story of what occurred.
Medical records are the foundation of a medical malpractice action and describe what occurred during the care and treatment at issue. Put bluntly, without medical records, one cannot prosecute or defend a medical malpractice case. The majority of medical records are currently kept electronically, and there are many nuances contained within the electronic medical record system. One could write a thesis on electronic medical records, but part of this article will focus on the medical record audit trail/audit log or a medical provider’s access to the medical record.
Policies and procedures can establish safety protocols or guidelines for health care providers to follow and can help establish how health care providers should act in certain situations. Credentialing files contain documents and information that health care facilities obtain to verify a physician or health care provider is competent to provide medical care. These files are evidence of the health care provider’s training, education and experience. Lastly, incident reports can be factual summaries of an adverse event and can contain pieces of information not contained in medical records. Each of these documents is crucial in medical malpractice cases, and the parties should request and identify whether the documents exist and if the documents are relevant and discoverable.
AUDIT LOGS
Other than meeting with the patient or the health care provider, the quintessential step in a medical malpractice lawsuit is to obtain a complete set of electronic medical records. In today’s health care, medical records are electronic, and because the medical records are electronic, there are numerous types and versions of medical records.[4] In fact, it is not uncommon for a patient, a patient’s attorney or a representative of a hospital to all obtain a different version of the electronic medical record when a copy is requested. It gets even more complicated; beyond the legal medical record a health care facility produces in response to a medical authorization, there are numerous versions of medical records that contain metadata and all kinds of information not contained in the “legal medical record.” One such example, and an important part of the medical record, is the audit log or audit trail.[5]
Audit logs are like a trail of breadcrumbs left by a medical provider in the electronic medical record system. Audit logs maintain a host of information related to medical record access events, including timestamps, user identities and the specific actions taken within a patient’s chart – whether that involves viewing, editing or deleting information. When a health care provider performs an action related to a medical record, that action is maintained in the audit log. For example, if a health care provider orders a radiology exam, the audit log tracks when that health care provider orders the exam and when the health care provider reviews the radiology report from that exam. Because the audit log tracks specific actions of a medical provider, it can confirm key sequences or establish a timeline related to the care and treatment at issue. Further, audit logs are useful in establishing whether documentation was contemporaneous with patient care or altered after adverse events. These audit logs can show patterns of unusual access in a patient’s medical chart or, on the flipside, can confirm a health care provider’s memory of the events that occurred. Either way, the audit log helps confirm the treatment timeline.
Unfortunately, there are no Oklahoma Supreme Court or Oklahoma Court of Civil Appeals opinions regarding the discoverability of medical record audit logs. Additionally, there are no specific Oklahoma statutes governing the discovery of audit logs. Even though Oklahoma appellate courts have not directly addressed production of audit logs, many Oklahoma state district courts have heard this issue and may have orders from other medical malpractice cases to assist with how a court may handle production of audit logs. There are opinions from other state courts[6] discussing the discovery and production of audit logs in medical malpractice cases. While orders from other district courts are not binding, these orders can be helpful to support arguments for the discovery and production of audit logs.
Because there is no binding Oklahoma authority on production of audit logs, the general discovery rules[7] of relevant evidence govern the discovery of audit logs. A strong argument regarding relevance and discovery of audit logs is the federal HIPAA statute.[8] Under HIPAA, patients have a “right of access” to obtain personal health care information, and health care providers are required to maintain a patient’s health care information.[9] Part of the records health care facilities are required to maintain are audit controls or a way to record and examine activity in a medical record system.[10] Notably, HIPAA does not require a specific type of audit log that a health care facility must maintain, only that the health care facility monitors the activity within a patient’s health care information.[11] Therefore, it can be argued that because hospitals are required to maintain audit logs and audit logs are protected health information of a patient/plaintiff, a patient/plaintiff should be entitled to the audit log.
Typically, an audit log is not produced in response to a request for medical records with a HIPAA authorization. Therefore, the audit log must be requested and produced during discovery in a medical malpractice case. The request for the audit log can be made through an interrogatory and a request for production. The interrogatory asks the health care facility to identify specific audit logs the medical record system maintains. The request for production requests all audit records, which include changes, deletions, access and other activity of the patient’s electronic medical record. The request for the audit records needs to be a separate request from the request for a copy of the electronic medical records.
In response to the requests for audit logs, health care facilities/defendants can argue that audit logs are thousands of pages, and not all the information contained within the voluminous audit log is relevant to the specific treatment at issue. Further, it can be argued that there could be protected and privileged information contained in the audit logs, including when a hospital’s attorney, risk manager and/or peer review committee reviewed information in a patient’s medical record. These objections can be overcome by agreeing to limit the scope of the audit log that is requested and agreeing to redact information the health care facility is claiming a privilege.
In Oklahoma medical malpractice cases, audit logs serve as silent witnesses to the creation and modification of the medical record. While courts have yet to establish detailed precedent, Oklahoma’s broad discovery rules and HIPAA’s audit requirements support their use. As electronic records dominate health care, attorneys must become adept at using audit logs to test the integrity of the chart – and the credibility of those who authored it.
POLICIES AND PROCEDURES
Policies and procedures are guidelines of health care institutions to assist staff in providing safe care to patients. In the litigation context, especially in medical malpractice cases, these internal documents may establish what a hospital expects of health care providers in certain situations. For example, a hospital may have a sepsis (infection) protocol that includes a checklist of what health care providers should do when a patient is suspected of having sepsis. In medical malpractice lawsuits, policies and procedures can support a plaintiff’s theory if a health care provider deviates from these guidelines or support a defense if the health care provider follows the guidelines. Therefore, these are important to obtain during discovery to provide a foundation for those claims to be litigated.
Like audit logs, there is no specific Oklahoma Supreme Court or Oklahoma Court of Civil Appeals opinion or statute about the discovery of policies and procedures in a medical malpractice case. Thus, an attorney must rely on the general rules related to the discovery of admissible evidence.[12] Additionally, like audit logs, Oklahoma state district courts that have litigated medical malpractice cases have familiarity with policies and procedures. A party should attempt to obtain prior orders from a trial judge regarding production of hospital policies and procedures.
There are federal district cases and cases from other states regarding discovery of policies and procedures that can assist with arguments regarding discovery of policies and procedures. Courts have held that policies and procedures are relevant as evidence to show what measure of caution may be exercised in certain situations.[13] But courts have cautioned that the policies and procedures alone do not set the standard of care.[14] Therefore, hospital policies and procedures may serve as evidence to show how to perform in certain situations, and if a health care provider deviates from that policy, it can be strong evidence to support negligence. Conversely, health care providers can argue these policies do not set the standard of care and are merely guidelines, and a health care provider’s judgment – including training, experience and education – should prevail over a written policy.
Attorneys seeking discovery of hospital policies should be specific with requests and use targeted language. For instance, instead of requesting “all hospital policies,” tailor the specific request to the issues in the lawsuit, such as “the fall prevention protocol in place for the medical-surgical unit” during the relevant time period. Another approach is to request the table of contents for the policies and procedures related to the issues in the case. For example, if the case involves labor and delivery, then the attorney can request a list of labor and delivery policies and procedures. The attorney can then identify policies and procedures on that list that are relevant to the issues in the lawsuit. Finally, a health care facility may object to policies and procedures based on trade secrets or the confidential nature of the documents. In that instance, the parties can execute protective orders to resolve confidentiality concerns.
CREDENTIALING
Credentialing medical professionals is a core component of health care administration, meant to ensure that practitioners meet the necessary standards to practice medicine. Credentialing files typically include information related to a health care provider’s qualifications, education, licensure, disciplinary history, insurance information, performance reviews and peer evaluations. Essentially, it is the way for a hospital to verify a physician is competent to provide medical care at its facility. In the context of a medical malpractice lawsuit, a plaintiff may allege that the hospital negligently credentialed or retained a provider with a known history of complications, substandard care or patients’ complaints. However, to support these claims, a party will need access to credentialing documents, which can be requested through discovery.
Before a plaintiff can request a health care provider’s credentialing file, they must specifically plead a negligent credentialing claim in the petition. Specifically, under the Oklahoma Peer Review statute, 63 O.S. §1-1709.1(D)(1):
In any civil action in which a patient or patient's legal representative has alleged that the health care entity was independently negligent as a result of permitting the health care professional to provide health care services to the patient in the health care entity, the credentialing and recredentialing data, and the recommendations made and action taken as a result of any peer review process utilized by such health care entity regarding the health care professional prior to the date of the alleged negligence shall be subject to discovery pursuant to the Oklahoma Discovery Code. (Emphasis added.)
Thus, after a plaintiff pleads negligent credentialing,[15] they need to send a request for production, requesting the credentialing file of the defendant health care provider.[16] While the peer review statute allows production of credentialing data, not all documents are discoverable, and health care providers can object to production of the entire files because they can contain peer review and privileged materials – subject to the Oklahoma peer review privilege.[17] Not surprisingly, the text of the peer review statute is confusing, and it is not clear exactly which documents in a credentialing file can be withheld from discovery. Under one section of the statute, credentialing and recredentialing data are “peer review information” that is “private, confidential and privileged.”[18] And in direct contrast to that section, another section states that credentialing and credentialing data are subject to discovery.[19]
This will probably be a shocker given the common theme, but there is no specific Oklahoma Supreme Court or Oklahoma Court of Civil Appeals opinion regarding discovery of credentialing files. Therefore, the parties need to be familiar with how the specific district court has previously ruled regarding the discovery of credentialing files. If a defendant health care provider objects to producing a specific portion of the credentialing file, the parties should conduct a meet and confer, and the plaintiff should request a privilege log[20] to determine the extent of the privilege and whether it applies. Further, the parties can also request the court to review the credentialing files in camera to determine whether the privilege applies or the documents should be produced.
As a general rule, for lack of a better word, the “administrative” credentialing materials – such as the health care provider’s CV or resume, employment history, education history, training, licensure confirmations, criminal history and references – are generally discoverable. These documents confirm a hospital has done its homework to verify a health care provider is educated, trained and licensed to provide medical care. On the other hand, documents related to peer review – such as documents generated during a peer review process,[21] disciplinary decisions and/or internal evaluations – are likely privileged and not subject to discovery.[22] Also, documents and reports related to the National Practitioner Data Bank (NPDB) are confidential.[23] The NPDB is a national archive that includes reports of settlements by physicians in medical malpractice lawsuits.
With that said, there is no blanket privilege to the credentialing and peer review documents, which is why a privilege log should be requested. For example, a peer review’s “recommendations made and actions taken” related to peer review of a physician’s care prior to the incident at issue are discoverable. Further, there are exceptions to the peer review privilege, such as medical records and the identity of individuals with knowledge of the facts.[24]
While there is inherent privilege in the peer review process to allow health care providers to review adverse events without the fear of it being used in litigation, there is also the need for a patient to have these documents when it is alleged that a hospital negligently credentialed a physician. Thus, attorneys need to study the credentialing and peer review statute carefully and approach discovery strategically to craft precise requests that meet the standards for production of credentialing files.
INCIDENT REPORTS
In medical malpractice litigation, access to internal hospital documents – particularly incident or investigation reports – can be essential to a plaintiff's ability to establish liability. Incident reports, often generated shortly after an adverse medical event, may contain firsthand observations, factual descriptions and sometimes admissions of error. These reports can include specific summaries of the medical care at issue that are done shortly after the unexpected event and may contain information not included in a patient’s medical record. For defendant health care providers, however, these reports are viewed as sensitive documents prepared for internal quality assurance and risk management purposes and are, thus, potentially privileged or protected.
In Oklahoma, do not hold your breath, but there is no specific Oklahoma Supreme Court or Oklahoma Court of Civil Appeals decision regarding the discovery of incident reports in a medical malpractice lawsuit. However, the Oklahoma Supreme Court has provided guidance on when investigation reports can be discoverable or privileged.[25] In Hall, the court analyzed the distinction between investigations done in the ordinary course of business or in anticipation of litigation.[26] Without getting into the weeds of the entire opinion, the court basically held that if an investigative report was done during the ordinary course of business, it can be discoverable, whereas an investigative report prepared in anticipation of litigation or trial may not be discoverable.[27] The court provided a more in-depth analysis on this topic and cited opinions[28] from other jurisdictions to support its opinion; therefore, before a party seeks incident or investigative reports, they should read this case, along with the case citations, to become familiar with arguments related to incident reports.
In addition to the Hall opinion, the peer review statute can provide arguments on the discovery or privilege of incident reports. A plaintiff can argue that the peer review statute specifically carves out an exception for incident reports and factual statements.[29] However, the statute does not specifically define an incident report, and a defendant health care provider can argue that the incident report was created as part of the peer review process and is privileged.[30] As such, the plaintiff should send an interrogatory asking whether an investigation was done, whether a report was generated and when the defendant health care provider was in reasonable anticipation of litigation.
The plaintiff should also send a request for production seeking a copy of the investigation/incident report and request a detailed and specific privilege log if a defendant objects to the production of the incident reports.[31] Plaintiffs should also request and be familiar with a hospital’s policies and procedures on adverse or sentinel events[32] and investigations of unexpected outcomes. Sometimes, these policies and procedures can help with the argument of whether an investigation was done in the ordinary course of business or solely in anticipation of litigation.
In Oklahoma, there is an argument that incident reports are not categorically privileged in medical malpractice litigation. The discoverability hinges on why and how the reports were created. If a report was produced in the ordinary course of business, it is generally discoverable. If it was prepared exclusively for litigation or the peer review process, it may be shielded. Ultimately, a fact-intensive analysis of the circumstances related to the creation of the incident report should be done to ensure privilege claims. This approach ensures that anticipation of litigation and peer review protections do not become a catch-all shield for critical evidence, preserving fairness and transparency in medical malpractice proceedings.
CONCLUSION
As you walk out of the courthouse, your fist pump in the air quickly becomes a fist punch into the ground, knowing the daunting task that lies ahead in your new medical malpractice lawsuit. However, with the right preparation and knowledge of how to approach discovery, it can help lessen the burden of discovery and help you prosecute or defend the medical malpractice case so that you, too, can walk out of mediation or the courtroom like John Bender in The Breakfast Club with your fist held high in the air. Good luck!
ABOUT THE AUTHOR
S. Shea Bracken of Edmond focuses his practice on catastrophic injury, medical malpractice, birth injury and products liability cases with the law firm of Maples, Nix & Diesselhorst. A native of Stillwater, he is a decorated U.S. Marine Corps veteran and served on the OBA Board of Governors from 2022 to 2024.
ENDNOTES
[1] Thompson v. Presbyterian, 1982 OK 87, ¶7, 652 P.2d 260, 263.
[2] Jones v. Mercy Health Center, Inc., 2006 OK 83, ¶17, 155 P.3d 9.
[3] See Robinson v. Oklahoma Nephrology Associates, Inc., 2007 OK 2, 154 P.3d 1250.
[4] Helpful hint: If an attorney is not familiar with all the versions of the electronic medical record system, there are experts and companies a party can hire to assist with identifying all the specific types of electronic medical records that are available.
[5] There are numerous titles for audit logs/audit trails; therefore, when requesting, a party should request audit trails, audit logs or similarly titled documents. For purposes of this article, it will be referred to as audit logs.
[6] See Gilland v. Matsuo, 2022 WL 10360434 (Conn. 2022); and Vargas v. Lee, 170 A.D.3d 1073 (N.Y. 2019). The Gilland case cites courts from other jurisdictions that have held that audit logs are relevant and discoverable.
[7] 12 O.S. §3224 et seq.
[8] 42 U.S.C. §1320d, et seq.; see also Holmes v. Nightingale, 2007 OK 15, 158 P.3d 1039.
[9] 45 C.F.R. §164.524.
[10] 45 C.F.R. §164.312.
[11] See id.
[12] See 12 O.S. §3226.
[13] See Therrien v. Target Corp., 617 F.3d 1242, 1256 (10th Cir. 2010).
[14] See id.
[15] Strubhart v. Perry Mem’l Hosp. Trust Auth., 1995 OK 10, 903 P.2d 263 is the seminal case regarding a hospital’s duty to ensure competent physicians are providing care at its facility. This case can help with arguments regarding negligent credentialing.
[16] Attorneys from both sides should also request the physician’s licensure file from the medical board.
[17] 63 O.S. §1-1709.1.
[18] 63 O.S. §1-1709.1(A)(5) and 63 O.S. §1-1709.1(B)(1).
[19] 63 O.S. §1-1709.1(D)(1).
[20] See 12 O.S. §3226(B)(5); see also 12 O.S. §3237(A)(2).
[21] Peer review is a privileged process that typically involves an internal committee or health care provider that reviews and evaluates a physician’s performance to evaluate the quality of care provided to a patient. The committee will review medical records, conduct interviews and review other documents and, based on the committee’s evaluation, will provide what is known as recommendations made and actions taken related to the care and treatment that was reviewed. See 63 O.S. §1-1709.1(A)(6).
[22] 63 O.S. §1-1709.1(B)(1).
[23] 45 C.F.R. §60.20(a).
[24] 63 O.S. §1-1709.1(A)(5)(a-f).
[25] Hall v. Goodwin, 1989 OK 88, 775 P.2d 291.
[26] See id.
[27] See id. at ¶12.
[28] See id. at ¶¶8-11.
[29] 63 O.S. §1-1709.1(A)(5)(b and d).
[30] 63 O.S. §1-1709.1(C).
[31] See supra footnote 19.
[32] Sentinel events are events that result in a patient’s death or permanent harm. See “Joint Commission Policy on Sentinel Events,” http://bit.ly/46KbW26.
Originally published in the Oklahoma Bar Journal – OBJ 96 No. 7 (September 2025)
Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff.