HIPAA

access to employee information

  • 1.  access to employee information

    Posted 08-03-2020 09:46 AM
    I'd like to get some thoughts on this situation to see how others would approach this.

    Had an employee (EE #1) of a nursing home ask a nurse practitioner (who is not a nursing home employee but that of the contracted medical director) to access another's nursing home employee's (EE #2) record in the hospital "to see if EE#2 was admitted." The NP accessed the portal system and brought up EE #2. They did not delve into the record per their statements. They only looked to see if she was there. The portal gives name, MRN, Sex, DOB, and address. Another employee (EE #3) found out about the activity and accessed the portal herself to show EE#2 that this had happened. Apparently the system will show the last patient accessed by the nursing home. EE#3 took a photo of the screen and sent it to EE#2 to show EE#2 "proof" someone looked at EE#2's information. We are not certain of the identity of EE#3 but based on logs we believe have a good idea of who it was. EE#2 contacted our regional nurse to report the situation and reportedly wanted it investigated. EE #2 will not return calls from compliance or HR to discuss.​ The Regional Nurse believes that EE#2 may have contacted the IT department of the hospital (but we have no verification of that).

    The nursing home is not affiliated with the hospital.
    The hospital gives access to this portal for admission purposes but it appears you can access any patient name (even if they are not a referral).
    EE #1, #2, #3 and the NP all have logins to the portal. EE#1 asked the NP it appears because while EE#1 has access, EE#1 doesn't use it and said they "were curious" as to the whereabouts of EE#2 and said they were not sure if EE#2 was telling the truth about being absent.
    Both EE#1 and the NP admit to the access according to the person conducting the interviews.

    Would you report the situation to the hospital privacy officer?
    If this is not our patient data (it is that of an employee), where does this fall in regards to HIPAA for the nursing home?
    What steps would you take?

    Any thoughts are appreciated.

    ​​​​

    ------------------------------
    Bethanne VanderMolen
    Chief Compliance Officer/Director of Risk Management
    Choice Health Management Services, LLC
    HICKORY,NC
    ------------------------------
    19th Annual CEI Virtual Conference


  • 2.  RE: access to employee information

    Posted 08-03-2020 03:29 PM
    Based on what your stated, I'd say it's an impermissible use by the nursing home staff and the NP.  I'd contact the hospital privacy officer since the access/use is to the hospital's PHI.

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau,AK
    ------------------------------

    19th Annual CEI Virtual Conference


  • 3.  RE: access to employee information

    Posted 08-04-2020 09:20 AM
    ​I agree with David.
    and there's a lot going on in this scenario!  Here are my thoughts:

    It is impermissible access because they accessed PHI/medical record without a direct and immediate BUSINESS REASON. They were curious. That's called snooping, and they abused (and potentially damaged) the professional relationship you have with that hospital.  I'm guessing you  have a policy about that.
    Yes, I'd report it to privacy officer of hospital so they can investigate (and they'd do the notification to individual if appropriate).
    BTW, It is a terminable offense at my agency for EE #1 and NP.

    EE #3 should be instructed on why they cannot take pics of PHI and send it- it's a security issue - and also ask why they took it into their own hands instead of reporting it to Compliance. - That'd call for discipline as well.
    EE #2 needs to know they must comply with any compliance investigation, especially if its about them!

    I hope that helps.




    ​​​

    ------------------------------
    Marcia Rasch
    Compliance Officer
    HealthSource of Ohio
    Loveland,OH
    ------------------------------

    19th Annual CEI Virtual Conference


  • 4.  RE: access to employee information

    Posted 08-04-2020 09:27 AM
    Thank you for the thoughts and help.
    As the onion peels.....
    This morning EE#2 finally responded to our calls. She reports having talked to "IT" at the hospital (not privacy or compliance). They told EE#2 that the NP did access the clinical records. This story is trickling out like syrup. We are going to try to validate this because it conflict with the NP and EE#1's statements.



    ------------------------------
    Bethanne VanderMolen
    Chief Compliance Officer/Director of Risk Management
    Choice Health Management Services, LLC
    HICKORY,NC
    ------------------------------

    19th Annual CEI Virtual Conference


  • 5.  RE: access to employee information

    Posted 08-04-2020 09:48 AM

    Good luck!

    Sounds like the hospital IT staff need some training too ��

     

    Hope that Onion doesn't have TOO many layers!!! Yikes.

     

     

    Marcia

    X4021

     




    19th Annual CEI Virtual Conference


  • 6.  RE: access to employee information

    Posted 08-05-2020 07:39 AM
    There's a lot going in this scenario so I'm not quite sure I'm following. I work for an academic medical center and my team grants Epic Care Link to external entities with mutual patients. To me this sounds like an abuse of portal access. As the team with a hand in granting that access, I would want to know about that because it's a violation of our access agreements. Users who abuse their access are subject to having that access revoked.

    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Privacy Director
    Interim Privacy Officer
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------

    19th Annual CEI Virtual Conference


  • 7.  RE: access to employee information

    Posted 08-04-2020 05:46 AM
    ​Good Morning -

    Unless there was a 'need to know' and from you presented it doesn't appear so, I would agree with David that it is in impermissible use and would continue an investigation.

    Jan

    ------------------------------
    Jan Walton
    Director, Corporate Compliance
    Oaklawn Hospital
    Marshall,MI

    jwalton@oaklawnhospital.com
    ------------------------------

    19th Annual CEI Virtual Conference