HIPAA

  • 1.  Breach Reporting- Courtesy access to EMR

    Posted 07-21-2022 08:45 AM
    Good Morning!!

    I was wondering how everyone else is handling inappropriate accesses to the EMR by non-employees (not BAA or vendor related), i.e., individuals who either use the EMR after receiving it in a donation-type scenario or are given access as non-employees of non-affiliated clinics for the purpose of treatment of their own patients.

    For example, a clinic that is not affiliated with a health system receives access to the EMR for the treatment purposes of their own patients. EMR access monitoring by the health system that owns the EMR identifies inappropriate accesses that are confirmed by the non-affiliated clinic management as non-work related and ultimately a reportable breach. In this scenario, who is responsible for reporting the breach? The non-affiliated clinic, since it is their employee that caused the breach, or the health-system, since they own the EMR and monitor the accesses?

    I look forward to hearing from others on this. If you'd rather discuss offline, you can email me directly at erica.brinkman@infirmaryhealth.org

    Thank you!


    ------------------------------
    Erica Brinkman, MJ, CHPC
    Director, Corporate Compliance
    Infirmary Health Systems
    Mobile, AL
    ------------------------------


  • 2.  RE: Breach Reporting- Courtesy access to EMR

    Posted 07-21-2022 09:43 AM
    Hello and I'm posting the following because from my vantage point this is a very straightforward situation and I've seen situations like these morph into situations that are way more complex than they need to be.

    So in my opinion, the answer to your posting is simply related to the following question, "Who is maintaining the ePHI that was involved in the impermissible access, acquisition, use, or disclosure?" There is your answer.

    Good luck!

    Posted: 7:38 AM AZ time

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    ------------------------------



  • 3.  RE: Breach Reporting- Courtesy access to EMR

    Posted 07-21-2022 11:18 AM
    Edited by Ann Dunham 07-21-2022 11:18 AM
    This type of situation is why I strictly limit what entities can have access to our EMR.  We have had several entities wanting access and I strictly limit the granting of access knowing they would have access to info they do not need.

    I agree with Frank, you are the entity to report any breach.

    ------------------------------
    Ann Dunham
    MBA, SPHR, CHC, CHRC
    Compliance Officer
    Hannibal Regional Healthcare System
    Hannibal, MO
    ------------------------------



  • 4.  RE: Breach Reporting- Courtesy access to EMR

    Posted 07-21-2022 11:25 AM

    Ann, that is the same here. I just denied a request yesterday to a group.

    Thank you,

    ------------------------------
    Sharon Taylor, BSN, MS, CIC, CPHRM, CHC, CHPC
    Director Risk Management/ Accreditation Services
    Burgess Health Center
    1600 Diamond Street
    Onawa, IA 51040
    Tel: 712-423-9248
    Fax: 712-423-9322
    E-mail: staylor@burgesshc.org
    Website: www.burgesshc.org
    ------------------------------


  • 5.  RE: Breach Reporting- Courtesy access to EMR

    Posted 07-22-2022 10:35 AM
    Edited by Erica Brinkman 07-22-2022 10:35 AM
    Thank you, Everyone for the responses! Really appreciate the information.

    ------------------------------
    Erica Brinkman, MJ, CHPC
    Director, Corporate Compliance
    Infirmary Health Systems
    Mobile, AL
    ------------------------------



  • 6.  RE: Breach Reporting- Courtesy access to EMR

    Posted 07-22-2022 11:54 AM

    We do allow access to community providers through Epic CareLink. Each site has to sign an agreement with us indicating certain controls are in place and they agree to abide by HIPAA and confidentiality requirements. I certainly have my reservations about it, and we make every effort to limit to the care team versus non-licensed providers. Would welcome hearing how others who do allow it handle this process.



    ------------------------------
    Jill McCormack, MSHA, CHC
    Chief Compliance & Privacy Officer
    VCU Health System
    Richmond, VA
    ------------------------------



  • 7.  RE: Breach Reporting- Courtesy access to EMR

    Posted 07-25-2022 12:29 PM
    Hi all,
    I am adding, as we've had concerns from both sides - our staff accessing others' systems (i.e., Epic CareLink) - and externals requesting access to ours (not Epic!).
    The Health System who controls access SHOULD be vetting and tracking the persons who have access to their DBs - auditing for activity and use, limiting access to only certain roles, deactivating accounts for non-use and terminations/changes of roles, and requiring some kind of agreement by the users that they understand and will limit their use to only business purposes.
    We do the same for when others want access to ours.
    This is no "one and done" situation. We actually created a position last year that is the primary liaison to manage all access requests, and monitoring our staff for role-based allowances, rules, special requests, audits, etc. It's a big deal - and we don't want any impermissible access - due to ignorance or malfeasance - to jeopardize our patient information or our reputation with other Health Systems! ...and yes, this was born out of 2 different very unfortunate "bad actor" scenarios! :(
    I hope this helps!

    ------------------------------
    Marcia Rasch
    Compliance Officer
    HealthSource of Ohio
    Loveland, OH
    ------------------------------
