Chief Compliance and Ethics Officer Health Care

  • 1.  Accessing Colleagues' Medical Records

    Posted 05-12-2022 02:33 PM
    Many of our employees are also patients. Do you have a policy/procedure that dictates how providers and medical staff can access the medical records of colleagues and/or snooping? Mind sharing? What kind of security do you use for medical records of employees who are also patients?

    I.T. has installed a 'break the glass' feature on the employee medical records in the EMR. If I try accessing an employee's medical record, a pop-up appears that asks me to indicate why I'm accessing the chart. Providers have been entering one-word responses like "doctor" or "nurse" in the field. I'm trying to determine if this is enough. This feature does not stop the employee from accessing their coworker's medical record. Theoretically, the employee can enter any info into the field and quickly gain access.

    Any help would be appreciated.


    Christian Garcia, CHC, CHPC
    Compliance Manager
    Los Angeles, CA

  • 2.  RE: Accessing Colleagues' Medical Records

    Posted 05-12-2022 03:19 PM
    We have a Minimum Necessary/PHI Access policy.  Some employees let me know when they are a patient so I can do a chart/PHI access audit.  Maybe your EMR can generate a list of employees accessed by 'doctors' and 'nurses', and then investigate to see if they really needed to access the information.


    Here is our policy:



    Federal regulations on patient privacy and confidentiality limit how health care providers and their workforce members may use and disclose Protected Health Information (PHI). All members of Hospital's workforce are required to understand and adhere to the standards and policies related to use and disclosure of PHI as written in Hospital's Notice of Privacy Practices, and when necessary, to contact the Corporate Compliance & Privacy Officer to resolve questions.


    Protected Health Information


    The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." "Individually identifiable health information" is information, including demographic data, that relates to:

    • the individual's past, present or future physical or mental health or condition,
    • the provision of health care to the individual, or
    • the past, present, or future payment for the provision of health care to the individual,


    and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.  Individually identifiable health information may include the following common identifiers:


    • names;
    • street address, city, county, precinct, zip code;
    • dates directly related to a patient, including birth date, admission date, discharge date, and date of death;
    • telephone numbers, fax numbers, and electronic mail addresses;
    • Social Security numbers;
    • medical record numbers;
    • health plan beneficiary numbers;
    • account numbers;
    • certificate/license numbers;
    • vehicle identifiers and serial numbers, including license plate numbers;
    • device identifiers and serial numbers;
    • web addresses;
    • biometric identifiers, including finger and voice prints;
    • full face photographic images and any comparable images; and
    • any other unique identifying number, characteristic, or code.


    Minimum Necessary:

    Regardless of the employment related function (i.e., clinical or non‑clinical) only the minimum amount of protected health information necessary to perform the work activity can be accessed. In other words, when using or disclosing protected health information, all reasonable efforts must be made to limit the information used or disclosed to what is minimally necessary to accomplish the purpose of the use or disclosure.


    This requirement does not apply to the following uses and disclosures of protected health information:

    • Disclosures to or requests by a health care provider for treatment purposes;
    • Disclosures to the patient whose information is the subject of the disclosures;
    • Disclosures to the Department of Health & Human Services for compliance investigation purposes; and
    • Uses or disclosures that are required by law.


    Patient Chart/Protected Health Information (PHI) Access:

    • Hospital staff should use MyChart to access their own medical information and may not access their own medical record through IHIS/EPIC.
    • Hospital staff may not edit or make changes to any of their information.
    • Hospital staff is not permitted to print any medical record information using Hospital's resources for personal reasons. Staff must use the regular release of information processes via requests to Medical Records.
    • Accessing a patient's chart or any patient information is not to occur simply to satisfy a curiosity. It is unacceptable to look up any type of patient information in any data system on patients (including family members, friends or co-workers) unless it is needed to do your job. If you access a patient's chart or a patient's protected health information without a work-related reason to do so, you may be terminated.
    • If you access a section of the chart or the patient's protected health information to view information that you don't need to perform your job, you may be terminated. For example, you work in the Sleep Lab but you access the ED doctor's clinical notes because you're curious. Or you work in Med/Surg and you access the ED census list.
    • Physicians/APPs may not access a patient's chart/PHI if they are not the current provider of record, unless they have been requested to perform a consult by the patient's current provider (could be patient's current PCP, a hospitalist if the patient is currently admitted, a specialist the patient is currently seeing, etc.).

      For example, a specialist treated a patient in February 2019 for a head injury. Three months later, after treatment and follow up, the patient's head injury was resolved. In January 2020, the specialist learns the patient was involved in a skiing accident and is in the ED.

      The specialist cannot access the patient's chart/PHI just because he/she wonders if the patient injured his head again because the specialist is not the current provider of record.

      However, the specialist may access the patient's chart/PHI if the ED physician requests a consult from the specialist.

    • Physicians/APPs may not access a patient's chart/PHI prior to accepting the patient unless the patient has signed a release of information. If there is no signed release, the Physician/APP may still use the screening form that either the front staff or the physician referral staff completes.


    Mitigating Misuses of Patient Information:

    All employees must promptly notify their supervisor, manager, vice president, the Corporate Compliance & Privacy Officer, or call the Compliance Hotline of any misuses of a patient's protected health information and work to lessen any harmful effects.





  • 3.  RE: Accessing Colleagues' Medical Records

    Posted 05-13-2022 09:18 AM
    Typically an organization will have a policy that outlines acceptable use for accessing patient records. In combination with that, staff or non-workforce members who have access to your EHR typically sign an attestation acknowledging their understanding of the parameters. This is typically renewed on an annual basis.

    As for BTG, that is an appropriate safeguard. If your EHR permits, you may want to consider a drop-down menu with some common reasons that users can select from, as well as a free-form field if a use does not fit into one of those categories.

    Brenda Manning J.D., C.H.C., C.H.P.C.

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.

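    The two suggestions above (reply 2: pull a list of employee-patient charts accessed and investigate whether each access was needed; reply 3: constrain the break-the-glass reason to a drop-down plus free text) can be combined into a simple audit pass over the EMR's BTG log. The script below is an added example written for this thread, not code from any EMR vendor or from the posters. The column names, the structured reason codes, the "care_team_member" flag and the sample log lines are all constructed for illustration; a real export will differ and the rules will need adjusting to it.

```python
"""Review break-the-glass (BTG) audit records for weak justifications.

The CSV sample below is constructed for this example; it is not an export
from any real EMR, and the column names are assumptions.
"""
import csv
import io
from dataclasses import dataclass

# Assumed structured reason codes (what a drop-down would offer). Anything
# else is treated as free text and checked for substance.
STRUCTURED_REASONS = {"TREATMENT", "CONSULT", "PAYMENT", "OPERATIONS"}

# Words that name a role rather than a reason: "doctor" or "nurse" typed into
# the reason field says who the user is, not why the chart was opened.
ROLE_WORDS = {"doctor", "nurse", "physician", "provider", "staff",
              "clinician", "md", "rn", "np", "pa"}

# Free-text justifications shorter than this are flagged for review.
MIN_FREE_TEXT_WORDS = 3

# Constructed sample BTG log (hypothetical column layout).
SAMPLE_BTG_LOG = """\
timestamp,user_id,role,patient_mrn,patient_is_employee,reason_code,reason_text,care_team_member
2022-05-12T09:14:00,u1001,physician,MRN4482,Y,TREATMENT,Admitting physician for ED visit,Y
2022-05-12T10:02:00,u2044,nurse,MRN4482,Y,OTHER,nurse,N
2022-05-12T11:30:00,u3090,billing,MRN4482,Y,OTHER,doctor,N
2022-05-12T12:45:00,u1001,physician,MRN7731,N,CONSULT,Consult requested by ED attending,Y
2022-05-12T13:05:00,u2044,nurse,MRN4482,Y,,,N
"""


@dataclass
class Finding:
    timestamp: str
    user_id: str
    role: str
    patient_mrn: str
    issues: list


def justification_is_weak(reason_code: str, reason_text: str) -> bool:
    """True when the BTG reason would not satisfy an auditor.

    A structured code is accepted as-is; free text is weak if it is blank,
    too short, or consists only of role words such as "doctor" or "nurse".
    """
    if reason_code.strip().upper() in STRUCTURED_REASONS:
        return False
    words = [w.strip(".,;:").lower() for w in reason_text.split()]
    if len(words) < MIN_FREE_TEXT_WORDS:
        return True
    return all(w in ROLE_WORDS for w in words)


def review_record(rec: dict) -> list:
    """Return the issues for one BTG access record (empty list if clean)."""
    issues = []
    if justification_is_weak(rec["reason_code"], rec["reason_text"]):
        issues.append("weak_justification")
    # The BTG prompt does not check for a treatment relationship, so the
    # audit has to: an accessor who is not on the care team needs follow-up
    # even when the typed reason looks plausible.
    if rec["care_team_member"].strip().upper() != "Y":
        issues.append("no_treatment_relationship")
    return issues


def review_btg_log(csv_text: str, employees_only: bool = True) -> list:
    """Parse a BTG audit export and return the accesses worth investigating."""
    findings = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        if employees_only and rec["patient_is_employee"].strip().upper() != "Y":
            continue
        issues = review_record(rec)
        if issues:
            findings.append(Finding(rec["timestamp"], rec["user_id"],
                                    rec["role"], rec["patient_mrn"], issues))
    return findings


def accesses_per_user(findings: list) -> dict:
    """Count flagged accesses per user: the worklist a privacy officer starts from."""
    counts = {}
    for f in findings:
        counts[f.user_id] = counts.get(f.user_id, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = review_btg_log(SAMPLE_BTG_LOG)
    for f in flagged:
        print(f.timestamp, f.user_id, f.role, f.patient_mrn, ", ".join(f.issues))
    print(accesses_per_user(flagged))
```

    Two caveats a practitioner would keep in mind. First, this is a detective control: the BTG prompt still grants access once anything is typed, so the review only tells you after the fact who to interview, which is why the drop-down suggested above matters as the preventive half. Second, the "care_team_member" flag is the hard part in practice; it has to come from the EMR's own treatment-relationship data (encounter assignments, consult orders), and the free-text rule alone will miss a well-worded but unjustified access.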

  • 4.  RE: Accessing Colleagues' Medical Records

    Posted 05-16-2022 07:53 AM
    Good morning - Our policy/procedure is virtually identical to the one provided by Cinda. A copy of the newly updated confidentiality statement is attached. The topic is addressed during new employee orientation by our Privacy Officer, and is also part of the annual HIPAA Privacy module for all employees on our web-based education portal.

    Adele Hodlin
    AVP for Quality/Risk/Compliance
    Adirondack Health
    Saranac Lake, NY


  • 5.  RE: Accessing Colleagues' Medical Records

    Posted 05-16-2022 12:41 PM
    Thank you all for your help. This is great stuff! I just reviewed HR's Confidentiality Statement and it does not refer to patients at all so I'll be making some changes. Thanks again for all your help. Invaluable!
