We have a Minimum Necessary/PHI Access policy. Some employees let me know when they are a patient so I can do a chart/PHI access audit. Maybe your EMR can generate a list of employees accessed by 'doctors' and 'nurses', and then investigate to see if they really needed to access the information.
Here is our policy:
Federal regulations on patient privacy and confidentiality limit how health care providers and their workforce members may use and disclose Protected Health Information (PHI). All members of Hospital's workforce are required to understand and adhere to the standards and policies related to use and disclosure of PHI as written in Hospital's Notice of Privacy Practices, and when necessary, to contact the Corporate Compliance & Privacy Officer to resolve questions.
Protected Health Information
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." "Individually identifiable health information" is information, including demographic data, that relates to:
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information may include the following common identifiers:
· street address, city, county, precinct, zip code;
· dates directly related to a patient, including birth date, admission date, discharge date, and date of death;
· telephone numbers, fax numbers, and electronic mail addresses;
· Social Security numbers;
· medical record numbers;
· health plan beneficiary numbers;
· account numbers;
· certificate/license numbers;
· vehicle identifiers and serial numbers, including license plate numbers;
· device identifiers and serial numbers;
· web addresses;
· biometric identifiers, including finger and voice prints;
· full face photographic images and any comparable images; and
· any other unique identifying number, characteristic, or code.
Regardless of the employment-related function (i.e., clinical or non-clinical), only the minimum amount of protected health information necessary to perform the work activity can be accessed. In other words, when using or disclosing protected health information, all reasonable efforts must be made to limit the information used or disclosed to what is minimally necessary to accomplish the purpose of the use or disclosure.
This requirement does not apply to the following uses and disclosures of protected health information:
· Disclosures to or requests by a health care provider for treatment purposes;
· Disclosures to the patient whose information is the subject of the disclosures;
· Disclosures to the Department of Health & Human Services for compliance investigation purposes; and
· Uses or disclosures that are required by law.
Patient Chart/Protected Health Information (PHI) Access:
· Hospital staff should use MyChart to access their own medical information and may not access their own medical record through IHIS/EPIC.
· Hospital staff may not edit or make changes to any of their information.
· Hospital staff is not permitted to print any medical record information using Hospital's resources for personal reasons. Staff must use the regular release of information processes via requests to Medical Records.
· Accessing a patient's chart or any patient information is not to occur simply to satisfy a curiosity. It is unacceptable to look up any type of patient information in any data system on patients (including family members, friends or co-workers) unless it is needed to do your job. If you access a patient's chart or a patient's protected health information without a work-related reason to do so, you may be terminated.
· If you access a section of the chart or the patient's protected health information to view information that you don't need to perform your job, you may be terminated. For example, you work in the Sleep Lab but you access the ED doctor's clinical notes because you're curious. Or you work in Med/Surg and you access the ED census list.
· Physicians/APPs may not access a patient's chart/PHI if they are not the current provider of record, unless they have been requested to perform a consult by the patient's current provider (could be patient's current PCP, a hospitalist if the patient is currently admitted, a specialist the patient is currently seeing, etc.).
For example, a specialist treated a patient in February 2019 for a head injury. Three months later, after treatment and follow-up, the patient's head injury was resolved. In January 2020, the specialist learns the patient was involved in a skiing accident and is in the ED.
The specialist cannot access the patient's chart/PHI just because he/she wonders if the patient injured his head again because the specialist is not the current provider of record.
However, the specialist may access the patient's chart/PHI if the ED physician requests a consult from the specialist.
· Physicians/APPs may not access a patient's chart/PHI prior to accepting the patient unless the patient has signed a release of information. If there is no signed release, the Physician/APP may still use the screening form that either the front staff or the physician referral staff completes.
Mitigating Misuses of Patient Information:
All employees must promptly notify their supervisor, manager, vice president, the Corporate Compliance & Privacy Officer, or call the Compliance Hotline of any misuses of a patient's protected health information and work to lessen any harmful effects.
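The employee-as-patient chart access audit suggested at the top of the post, written out as an added Python example (not part of the original post or any EMR product): it flags staff opening their own chart through the EHR instead of MyChart, and any access to a fellow employee's chart by someone who is not the provider of record or a requested consult. The access log, employee roster, treatment relationships and field names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    user: str   # workforce member id (assumed field name)
    role: str   # e.g. "nurse", "physician"
    mrn: str    # medical record number of the chart that was opened
    ts: str     # constructed ISO-8601 timestamp

# Constructed sample data, not pulled from any real EMR.
# Employees who told the privacy officer they are also patients: user -> own MRN.
EMPLOYEE_MRNS = {"u100": "MRN-001", "u200": "MRN-002"}
# Current provider of record, or a consult requested by that provider: (user, mrn).
TREATMENT_REL = {("u300", "MRN-001"), ("u400", "MRN-002")}

ACCESS_LOG = [
    Access("u100", "nurse", "MRN-001", "2020-01-05T09:10:00"),      # own chart via EHR
    Access("u300", "physician", "MRN-001", "2020-01-05T09:20:00"),  # provider of record
    Access("u200", "clerk", "MRN-001", "2020-01-05T10:00:00"),      # co-worker's chart
    Access("u400", "physician", "MRN-002", "2020-01-06T11:00:00"),  # requested consult
    Access("u500", "physician", "MRN-002", "2020-01-06T12:00:00"),  # no relationship
]

def audit(log, employee_mrns=EMPLOYEE_MRNS, treatment=TREATMENT_REL):
    """Return (access, reason) pairs that need a minimum-necessary investigation."""
    employee_charts = set(employee_mrns.values())
    findings = []
    for a in log:
        if a.mrn not in employee_charts:
            continue  # this audit only covers charts of workforce members who are patients
        if employee_mrns.get(a.user) == a.mrn:
            findings.append((a, "self_access_via_ehr"))  # policy: use MyChart, not IHIS/EPIC
        elif (a.user, a.mrn) in treatment:
            continue  # provider of record or requested consult: permitted
        else:
            findings.append((a, "no_treatment_relationship"))
    return findings

def summarize(findings):
    """Count findings per reason for the privacy officer's report."""
    counts = {}
    for _, reason in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts

if __name__ == "__main__":
    for access, reason in audit(ACCESS_LOG):
        print(f"{access.ts} {access.user} ({access.role}) opened {access.mrn}: {reason}")
```

A real run would pull the roster from HR and the relationships from the EMR's encounter and consult tables; every flagged row is a lead to investigate, not a finding of misconduct by itself.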