View Only
  • 1.  Employee access when not employed by the facility

    Posted 11 days ago
    Good morning,
    I work for a management company that is contracted to oversee some SNF's. Our IT team sent me a request from a regional consultant to give E.H.R. access to a facility employee for 5 additional facilities. The person is employed only by one facility. The facilities are "LLC" and separate NPI but have common ownership.

    The regional consultant basically wants this facility employee to assist her with some audits and training. The facility employee would be paid from her own SNF.

    Can we "share" the E.H.R. of facilities that this employee does not work for? I feel uncomfortable with the request. I do understand we are a bit short handed and the facility employee is actually more of an expert than the consultant and probably better at the audit. But she would have access to all resident information.

    The employee is in admissions. Our E.H.R. doesn't have the best security set-up so I can't change specifically what she can access.

    Any thoughts?

    Bethanne VanderMolen
    Chief Compliance Officer/Director of Risk Management
    Choice Health Management Services, LLC
    Default Blank

  • 2.  RE: Employee access when not employed by the facility

    Posted 11 days ago

    We have two separate LLC's under one ownership and about 40 NPI numbers. I grant access to some information across locations for employees if their job duties require it. Everyone receives the same HIPAA training and signs off on the same acknowledgements. My view is that we are one covered entity and access of information should be based on need. I have, at times, asked IT to move or create new folders on our servers in order to limit access to only particular information.


    Michael Scudillo, OTR, CHC, CBIS 
    Chief Compliance Officer/Privacy Officer

    This email and any attachments may contain information that is confidential, proprietary and/or privileged. It is intended only for the use of the person(s) and entity(ies) to whom it is addressed. If you are the intended recipient, further disclosures are prohibited without proper authorization. If you are not the intended recipient, any disclosure, copying, printing or use of this information is strictly prohibited and possibly a violation of the health insurance portability and accountability act (HIPAA) and other federal and state laws and regulations. If you have received this information in error please contact Universal Institute at 973-992-8181 ext. 7018 or via email at michael.scudillo@uirehab.com<mailto:michael.scudillo@uirehab.com> and delete the material from all computers. </mailto:michael.scudillo@uirehab.com>

    Default Blank

  • 3.  RE: Employee access when not employed by the facility

    Posted 10 days ago
    the employee in question is providing a service as an outside vendor on behalf of each of the covered entities. Wouldn't that person then be either:
    1: a member of the workforce through an outside contract or 
    2: a business associate needing a BAA?

    Personally, I would be more inclined to sat "1" 
    In either case documentation establishing appropriate access, confidentiality, required training etc. would be needed. 

    Just my $0.02 (probably worth about $0.15 as of 8 AM this morning. 
    Alexander I Slosman, MHA, CHC, CHPC

    Default Blank

  • 4.  RE: Employee access when not employed by the facility

    Posted 9 days ago
    Since the facilities are under common ownership, have you determined if they meet the definition of an organized health care arrangement? If so, then as an employee of one of facilities, he/she can be given access, as needed, to other records. In a similar situation, we have used a confidentiality agreement with the employee as an additional control. Our EHR allowed us to limit access.

    Shubha Lakshmanan
    Senior Director of Compliance and Privacy
    Waud Capital Partners

    Default Blank