Skip to main content
JamEMR

Trust Center

Audit Logging

Application-level audit logging is live today — chart access and changes are recorded, and every ambient-note draft, edit, and signature leaves an entry. If it touched a record, there is a log line for it.

If it touched the record, it left a trace

An EMR’s audit log is how a practice answers hard questions: who opened this chart, what changed, and when. In an AI-native EMR the bar is higher still — AI-drafted content must be traceable from draft to clinician signature. JamEMR logs both.

What is in place today

Chart access and changes

  • Chart access and changes are recorded at the application level: the acting user, the action, the affected record, and the timestamp.
  • Because logging happens in the application — where roles and identity live — entries are attributable to a specific user in a specific role, not just a database connection.

The ambient documentation trail

Ambient-note activity is fully audited across its lifecycle:

EventWhat is recorded
Draft createdAn AI-generated draft note is produced for an encounter
Draft editedClinician revisions to the draft
Note signedThe clinician’s signature committing the note to the record

This means a practice can always distinguish what the AI drafted from what the clinician approved — the question that matters most when AI participates in documentation.

Supporting controls

  • Service-to-service calls run under registered, revocable API tokens, so machine activity is attributable too.
  • Privileged operational changes pass through explicit human approval, creating a decision record alongside the technical change.
  • Database schema changes ship as versioned, reviewed migrations — the schema itself has a history.

On our roadmap

  • Formal log retention and review policy as part of the documented policy pack now in progress: current logging practice, written down as auditable policy with defined retention periods and review cadence.
  • Customer-facing audit reporting — self-service views for practice administrators and compliance officers, shaped by pilot feedback.
  • Third-party penetration testing before general availability, which we expect to exercise and validate audit coverage.

Why this matters for HIPAA

Audit controls are a required technical safeguard under the HIPAA Security Rule. The logging described above is a core part of how JamEMR supports customers’ compliance obligations — see our HIPAA page for the broader picture. Questions: [email protected].

← Trust Center