Privacy Officer's Roundtable

access to employee information

  • 1.  access to employee information

    Posted 08-03-2020 09:46 AM
    I'd like to get some thoughts on this situation to see how others would approach this.

    Had an employee (EE #1) of a nursing home ask a nurse practitioner (who is not a nursing home employee but that of the contracted medical director) to access another nursing home employee's (EE #2) record in the hospital "to see if EE#2 was admitted." The NP accessed the portal system and brought up EE #2. They did not delve into the record per their statements. They only looked to see if she was there. The portal gives name, MRN, Sex, DOB, and address. Another employee (EE #3) found out about the activity and accessed the portal herself to show EE#2 that this had happened. Apparently the system will show the last patient accessed by the nursing home. EE#3 took a photo of the screen and sent it to EE#2 to show EE#2 "proof" someone looked at EE#2's information. We are not certain of the identity of EE#3 but based on logs we believe we have a good idea of who it was. EE#2 contacted our regional nurse to report the situation and reportedly wanted it investigated. EE #2 will not return calls from compliance or HR to discuss. The Regional Nurse believes that EE#2 may have contacted the IT department of the hospital (but we have no verification of that).

    The nursing home is not affiliated with the hospital.
    The hospital gives access to this portal for admission purposes but it appears you can access any patient name (even if they are not a referral).
    EE #1, #2, #3 and the NP all have logins to the portal. EE#1 asked the NP, it appears, because while EE#1 has access, EE#1 doesn't use it and said they "were curious" as to the whereabouts of EE#2 and said they were not sure if EE#2 was telling the truth about being absent.
    Both EE#1 and the NP admit to the access according to the person conducting the interviews.

    Would you report the situation to the hospital privacy officer?
    If this is not our patient data (it is that of an employee), where does this fall in regards to HIPAA for the nursing home?
    What steps would you take?

    Any thoughts are appreciated.


    Bethanne VanderMolen
    Chief Compliance Officer/Director of Risk Management
    Choice Health Management Services, LLC
    SCCE Membership

  • 2.  RE: access to employee information

    Posted 08-03-2020 04:53 PM
    Yes, I would report it.

    Marti Arvin
