If it touched the record, it left a trace
An EMR’s audit log is how a practice answers hard questions: who opened this chart, what changed, and when. In an AI-native EMR the bar is higher still — AI-drafted content must be traceable from draft to clinician signature. JamEMR logs both.
What is in place today
Chart access and changes
- Chart access and changes are recorded at the application level: the acting user, the action, the affected record, and the timestamp.
- Because logging happens in the application — where roles and identity live — entries are attributable to a specific user in a specific role, not just a database connection.
The ambient documentation trail
Ambient-note activity is fully audited across its lifecycle:
| Event | What is recorded |
|---|---|
| Draft created | An AI-generated draft note is produced for an encounter |
| Draft edited | Clinician revisions to the draft |
| Note signed | The clinician’s signature committing the note to the record |
This means a practice can always distinguish what the AI drafted from what the clinician approved — the question that matters most when AI participates in documentation.
Supporting controls
- Service-to-service calls run under registered, revocable API tokens, so machine activity is attributable too.
- Privileged operational changes pass through explicit human approval, creating a decision record alongside the technical change.
- Database schema changes ship as versioned, reviewed migrations — the schema itself has a history.
On our roadmap
- Formal log retention and review policy as part of the documented policy pack now in progress: current logging practice, written down as auditable policy with defined retention periods and review cadence.
- Customer-facing audit reporting — self-service views for practice administrators and compliance officers, shaped by pilot feedback.
- Third-party penetration testing before general availability, which we expect to exercise and validate audit coverage.
Why this matters for HIPAA
Audit controls are a required technical safeguard under the HIPAA Security Rule. The logging described above is a core part of how JamEMR supports customers’ compliance obligations — see our HIPAA page for the broader picture. Questions: security@jamemr.com.