Chief Compliance and Ethics Officer Health Care

Employee Access to Own EMR Record

  • 1.  Employee Access to Own EMR Record

    Posted 03-05-2019 05:42 PM
    ​​Good Afternoon!  My organization is considering allowing employees (those who already have access to the EMR system) access to their own medical record.  Current policy states that no one, including employees, should access their own medical record for any reason without getting the appropriate approval first.  If one does, they may be subject to disciplinary action up to and including termination.

    However, practically speaking, it is my understanding, people may be doing this already without recourse.  We also currently do not proactively monitor this type of access.   MyChart will be utilized more in the future but it isn't populated with all the needed information at this time.  Meaning current policy not being enforced and/or applied inconsistently.

    All I have read up to now seems to indicate that allowing this access is not a good idea and employees should be treated the same as patients and should require permission to get access to their record.  Management seems to want to allow employees only to see their own record and again employees who already have this access, not giving it to the entire organization.

    Looking for some more recent insight into what others may be doing and if you are updating your policies/procedures to such.

    Thank you!!

    Sean Love
    Exec Director IA and Compliance

    Sean Love
    Exec Dir Internal Audit & Compliance
    GBMC Healthcare Inc
    2019 HCCA Compliance Institute

  • 2.  RE: Employee Access to Own EMR Record

    Posted 03-06-2019 07:50 AM
    If you go this route I would suggest the following caveats and any others the group may suggest:

    View only;
    no editing;
    no making your own appointments;
    no checking yourself in or out for appointments;
    no messaging the care team --> use MyChart the same as other patients;
    no printing --> use MyChart or go to HIM the same as other patients;
    no signing your own prescriptions

    Brenda Manning J.D., C.H.C., C.H.P.C.
    Compliance Director, Privacy
    Carilion Administrative Services Building, Ste. 1201
    213 S. Jefferson Street
    Roanoke, VA 24011
    (540) 224-5757
    Fax: (540) 510-224-5787
    Integrity Help Line Compliance: (844) 732-6232

    Our Mission: Improve the health of the communities we serve.

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.

    2019 HCCA Compliance Institute

  • 3.  RE: Employee Access to Own EMR Record

    Posted 03-07-2019 08:51 AM

    For all the reason cited by Brenda and more we do not allow employees to access their own electronic medical records nor the records of family, friends, neighbors, etc. If they want to access their own records they do it like any other patient, directly with the HIM department or their patient portal.


    We audit monthly and do find violators.  We also do not allow self-registration or registration of family or friends. Two weeks ago we had an employee register her boyfriend though she had been through training on this issue numerous times. We have also had employees alter their spouse's records.




    Charles E. Colitre, BBA, CHC, CHPC

    Compliance and Privacy Officer

    Crystal Clinic Orthopaedic Center

    3925 Embassy Parkway, Ste 250

    Akron, OH 44333

    330 670-6123


    Note: The enclosed information is STRICTLY CONFIDENTIAL and is intended for the use of the intended recipient only. Federal and Ohio laws protect any patient information that may be disclosed in this e-mail. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, use, dissemination, distribution, disclosure, or copying of the contents is prohibited. If you have received this email in error, please notify the sender immediately and return all printed copies by US Mail to: Crystal Clinic Orthopaedic Center, 3925 Embassy Parkway, Suite 250, Akron, OH 44333, Attention, HIPAA Privacy Officer.

    2019 HCCA Compliance Institute

  • 4.  RE: Employee Access to Own EMR Record

    Posted 03-07-2019 08:52 AM
    Charlie...ALWAYS good to see your posts.  Are you heading to the CI next month?

    ► Study Session Link for CI ◄
    --------Frank Ruelas---------

    2019 HCCA Compliance Institute

  • 5.  RE: Employee Access to Own EMR Record

    Posted 03-07-2019 03:01 PM
    I agree with you Charlie (and essentially everyone else). It's not that much more difficult to just access your own records like every other patient and a lot simpler to monitor on just a need-to-know rather than a need-to-know or own-records. Then if you make it more complex, if accessing own-records, was the access within guidelines. Just don't allow it.

    Carl Russell
    Compliance Analyst
    Delta Dental of Idaho

    Anything I say is my sole opinion and not of my company.

    2019 HCCA Compliance Institute

  • 6.  RE: Employee Access to Own EMR Record

    Posted 03-06-2019 09:01 AM
    We do not allow employees who are also patients to access their own record for any reason.  Reports are run quarterly from our EMR to determine if any employees have accessed their own account.

    Matthew Mayo CHC
    Grants & Compliance Coordinator/Privacy Officer
    North Florida Medical Centers, Inc.

    2019 HCCA Compliance Institute

  • 7.  RE: Employee Access to Own EMR Record

    Posted 03-06-2019 09:19 AM
    I am normally loathe to proffer a "slippery slope" argument, but this case warrants such.  I believe that allowing access to one's own medical record sets a dangerous precedent.  First, there are few, if any, controls preventing a staff member from modifying their record while they are "viewing" it.  This then creates significant concern for data integrity, which is a requirement under HIPAA (accuracy of the data).  Second, once self-access becomes a normalized behavior the next logical step would be accessing one's dependents' medical records.  The argument here being "if I can look at my own and I have a legal right to see my children's' why can I not just access theirs?"  While it may seem like a ridiculous argument to many of us, it is one with which I have seen other healthcare organizations grapple that have followed this road.  As such, I would strongly recommend setting a zero-tolerance policy and auditing to that policy.

    Our organization has a strict prohibition on accessing one's own medical record.  Our policy essentially states that an employee shall not access any medical record that they do not have a business reason to access.  We run regular audits on this and educate staff on this restriction at orientation.​  We have very few instances where employees ignore their training and self-access, and those that do are held to account.  We also audit for VIP and family access (in small community hospitals/offices there is some more flexibility if appropriately documented).  Reviewing for these, I believe, should be the bare minimum in an organizational access control audit.  There are several cases, both settled and litigated, that have been lost due to an organization's lack of an adequate access audit program.

    Thomas Branch, CHC
    Spectrum Health
    Grand Rapids, MI

    The postings on this site are my own views and do not represent Spectrum Health's views, positions, strategies or opinions.

    2019 HCCA Compliance Institute

  • 8.  RE: Employee Access to Own EMR Record

    Posted 03-06-2019 09:50 AM
    We do not allow employees to access their own medical record with supplied credentials for a number of reasons.
    • Record Integrity - making changes, ordering, etc.
    • It is outside of an assigned job duty
    • Can lead to further access of family members, children, etc.

    Staff are trained to this at hire, annually, and this is periodically included in Compliance Reminders throughout the year. I monitor access monthly and still find pockets of unauthorized access.

    This is a hard one.

    Toni Gauger CHC
    Compliance Director
    Rogue Community Health

    2019 HCCA Compliance Institute

  • 9.  RE: Employee Access to Own EMR Record

    Posted 03-07-2019 01:59 PM
    ​I completely agree with Thomas Branch's statements about HIPAA, slippery slope, and policy/audits.

    At New Employee Orientation we explain that as a "USER" they are only to access as job duty requires. as a PATIENT they need to request access same as any other patient.  We provide the "EMPLOYEE USE AND ACCESS" policy and have them sign it for their personnel file.  It defines 4 levels of disciplinary action.

    We too have small rural centers - so family and neighbors are known to staff, plus we encourage our staff to be our patients.  We demand absolute trust of privacy and security, and any intentional access of self or other's records is a "walk them out" event.  We do audits monthly (random selection/time frames) and address suspicious findings up through their chain of command.

    I'd encourage you to find a way to conduct some level of audit- the intentional and unintentional impermissible access occurs more frequently than you'd think!

    Marcia Rasch CHC,PhD
    Compliance Officer
    HealthSource of Ohio

    2019 HCCA Compliance Institute

  • 10.  RE: Employee Access to Own EMR Record

    Posted 03-07-2019 04:14 PM

    Thank you so much Maria!


    Sean M. Love, CPA

    Executive Director of Internal Audit and Compliance

    GBMC HealthCare, Inc.

    6545 N. Charles Street, Suite 201

    Towson, MD  21204

    (P) 443-849-4327



    2019 HCCA Compliance Institute

  • 11.  RE: Employee Access to Own EMR Record

    Posted 03-12-2019 02:28 PM
    Another consideration is that at times a provider may wish to meet with a patient to discuss lab or other results prior to the patient receiving those results.  If an employee has access to their own record, this can be very difficult to manage.

    Emily Roberts CCEP
    Compliance/Privacy Manager
    Morrow County Health District

    The opinions expressed are my own and are not intended to represent the positions, strategies or opinions of my employer.

    2019 HCCA Compliance Institute