Confidentiality, Privacy and Security

This message has been cross posted to the following Discussions: Health Information Technologies and Processes and Confidentiality, Privacy and Security .
-------------------------------------------
I would like to hear how other facilities are handling employee access to their own medical record.  Is anyone finding that employees are accessing their own medical records to obtain copies rather than going through the Medical Records Department?  How are you handling this?  Isn't this a HIPAA violation?  Do you have a statement within the Non-Disclosure Agreement signed upon employment advising employees they may face disciplinary action by accessing their own electronic medical records?  (Any suggested wording?)  Also, how are you tracking this?  I would appreciate any comments on this subject.  Thank you!

-------------------------------------------
Carol Taber
Health Information Coordinator II
Student Health Center - UNLV
-------------------------------------------

Hello, Carol.

In my previous work in an HMO, employees were made aware during orientation not to access their own or even their family member's health information. Any requests should always be made through the HIM department. There should be a distinction between the person as part of the workforce and as a patient. The staff should only access a patient's record to fulfill his role as employee of the organization. 

Part of the security controls in an EHR is the regulation of access rights to all the users. A system can generate a report based on the audit trail that lists a user's access to records with similar name or address. The compliance team also regularly runs a similar report to check possible violation. And if a staff inadvertently accesses his or a family member's record, he should immediately inform his supervisor.

-------------------------------------------
Anthony Gerald Aldiosa, RHIA, CHDA, CPHIMS, MCP 
HIM Administrator
-------------------------------------------


Original Message:
Sent: 01-12-2015 19:31
From: Carol Taber
Subject: Employee Access To Their Own Medical Record

This message has been cross posted to the following Discussions: Health Information Technologies and Processes and Confidentiality, Privacy and Security .
-------------------------------------------
I would like to hear how other facilities are handling employee access to their own medical record.  Is anyone finding that employees are accessing their own medical records to obtain copies rather than going through the Medical Records Department?  How are you handling this?  Isn't this a HIPAA violation?  Do you have a statement within the Non-Disclosure Agreement signed upon employment advising employees they may face disciplinary action by accessing their own electronic medical records?  (Any suggested wording?)  Also, how are you tracking this?  I would appreciate any comments on this subject.  Thank you!

-------------------------------------------
Carol Taber
Health Information Coordinator II
Student Health Center - UNLV
-------------------------------------------

This is part of our Corporate Compliance policies and associates are trained on this each year during annual Corporate Compliance training and new hires are trained during the orientation process.  This is monitored by the Privacy Officer who runs audit on EMR access based of the associates last name. 

-------------------------------------------
Deloris Farthing
Director, Health Information Management
Hays Medical Center
-------------------------------------------


Original Message:
Sent: 01-12-2015 19:31
From: Carol Taber
Subject: Employee Access To Their Own Medical Record

This message has been cross posted to the following Discussions: Health Information Technologies and Processes and Confidentiality, Privacy and Security .
-------------------------------------------
I would like to hear how other facilities are handling employee access to their own medical record.  Is anyone finding that employees are accessing their own medical records to obtain copies rather than going through the Medical Records Department?  How are you handling this?  Isn't this a HIPAA violation?  Do you have a statement within the Non-Disclosure Agreement signed upon employment advising employees they may face disciplinary action by accessing their own electronic medical records?  (Any suggested wording?)  Also, how are you tracking this?  I would appreciate any comments on this subject.  Thank you!

-------------------------------------------
Carol Taber
Health Information Coordinator II
Student Health Center - UNLV
-------------------------------------------

This has been discussed over the years and debated back and forth.  We do not allow our workforce members to access their own EHRs and this is supported through confidentiality agreements, computer access agreements, and policy.  We also monitor same name access.   While I would agree that accessing your own EHR is not a HIPAA violation, in our organization it is a policy violation and subject to corrective action.   Now with that firm stand, I will admit that we allow providers to access which is the result of a somewhat "political" quagmire so I won't go into it. 

It would seem that a patient portal structure woud make this a moot point.

-------------------------------------------
Nancy Davis
Director of Privacy/Security Officer
-------------------------------------------


Original Message:
Sent: 01-12-2015 19:31
From: Carol Taber
Subject: Employee Access To Their Own Medical Record

This message has been cross posted to the following Discussions: Health Information Technologies and Processes and Confidentiality, Privacy and Security .
-------------------------------------------
I would like to hear how other facilities are handling employee access to their own medical record.  Is anyone finding that employees are accessing their own medical records to obtain copies rather than going through the Medical Records Department?  How are you handling this?  Isn't this a HIPAA violation?  Do you have a statement within the Non-Disclosure Agreement signed upon employment advising employees they may face disciplinary action by accessing their own electronic medical records?  (Any suggested wording?)  Also, how are you tracking this?  I would appreciate any comments on this subject.  Thank you!

-------------------------------------------
Carol Taber
Health Information Coordinator II
Student Health Center - UNLV
-------------------------------------------

We allow employees access to their own medical records through our EHR.  They can access their own, but not other family members, those requests would need to go through our HIM dept.  Agree it is not a HIPAA violation as they have rights to the information anyhow.  The only time we've had issues with it is when a patient/employee was in the hospital and accessing results before the provider and interfering with the care being provided.  At that time, we inactivated their access until they returned to work. We've had this policy in place since I've been working here...15 years and never been an issue, other than the one listed above.

We've always had talks that when the patient portal is fulling working to its capacity, progress notes available, we'd not support this any longer, but we haven't made much headway.

-------------------------------------------
REBECCA BERLING
Manager, Health Information Management
GUNDERSEN HEALTH SYSTEM
raberlin@gundersenhealth.org
-------------------------------------------


Original Message:
Sent: 01-14-2015 07:19
From: Nancy Davis
Subject: Employee Access To Their Own Medical Record

This has been discussed over the years and debated back and forth.  We do not allow our workforce members to access their own EHRs and this is supported through confidentiality agreements, computer access agreements, and policy.  We also monitor same name access.   While I would agree that accessing your own EHR is not a HIPAA violation, in our organization it is a policy violation and subject to corrective action.   Now with that firm stand, I will admit that we allow providers to access which is the result of a somewhat "political" quagmire so I won't go into it. 

It would seem that a patient portal structure woud make this a moot point.

-------------------------------------------
Nancy Davis
Director of Privacy/Security Officer
-------------------------------------------


Original Message:
Sent: 01-12-2015 19:31
From: Carol Taber
Subject: Employee Access To Their Own Medical Record

This message has been cross posted to the following Discussions: Health Information Technologies and Processes and Confidentiality, Privacy and Security .
-------------------------------------------
I would like to hear how other facilities are handling employee access to their own medical record.  Is anyone finding that employees are accessing their own medical records to obtain copies rather than going through the Medical Records Department?  How are you handling this?  Isn't this a HIPAA violation?  Do you have a statement within the Non-Disclosure Agreement signed upon employment advising employees they may face disciplinary action by accessing their own electronic medical records?  (Any suggested wording?)  Also, how are you tracking this?  I would appreciate any comments on this subject.  Thank you!

-------------------------------------------
Carol Taber
Health Information Coordinator II
Student Health Center - UNLV
-------------------------------------------

I don't agree that allowing a employee access to his or her record, especially during work hours is NOT a HIPAA violation. Technically, it is a HIPAA violation and it violates the "need to know" and access controls under the HIPAA Security Rule. The privacy rule states that patients have the right to access records, but it also states that CE's can deny access to records. Allowing a staff to access his/her records dismisses the whole medical records process of verifying the identity of the person viewing the record, violates the need to know if the employee job role doesn't support access to the record, and prohibits the CE from making a determination to deny the request. Just because a person is an employee with the rights to records doesn't mean that they should not follow the same policies and procedures that patients have who are not part of the organizations workforce. Access to records also doesn't mean "full access" to a EHR via a UID and PW unless it is to a patient portal. If an employee wants to access his/her records through a portal that is one thing but CE's don't give out UID/PWs to their systems just because the privacy rule states patients have access to their records. If there is no portal, then as with any patient you don't give them access to the system to view records unless it is part of their job roles and duties. 


-------------------------------------------
Carlyn Choate
SR Policy and Privacy Coordinator
-------------------------------------------


Original Message:
Sent: 01-12-2015 19:31
From: Carol Taber
Subject: Employee Access To Their Own Medical Record

This message has been cross posted to the following Discussions: Health Information Technologies and Processes and Confidentiality, Privacy and Security .
-------------------------------------------
I would like to hear how other facilities are handling employee access to their own medical record.  Is anyone finding that employees are accessing their own medical records to obtain copies rather than going through the Medical Records Department?  How are you handling this?  Isn't this a HIPAA violation?  Do you have a statement within the Non-Disclosure Agreement signed upon employment advising employees they may face disciplinary action by accessing their own electronic medical records?  (Any suggested wording?)  Also, how are you tracking this?  I would appreciate any comments on this subject.  Thank you!

-------------------------------------------
Carol Taber
Health Information Coordinator II
Student Health Center - UNLV
-------------------------------------------

Thank you all for your responses.  I appreciate your input.

-------------------------------------------
Carol Taber
Health Information Coordinator II
Student Health Center - UNLV
-------------------------------------------


Original Message:
Sent: 01-14-2015 21:39
From: Carlyn Choate
Subject: Employee Access To Their Own Medical Record

I don't agree that allowing a employee access to his or her record, especially during work hours is NOT a HIPAA violation. Technically, it is a HIPAA violation and it violates the "need to know" and access controls under the HIPAA Security Rule. The privacy rule states that patients have the right to access records, but it also states that CE's can deny access to records. Allowing a staff to access his/her records dismisses the whole medical records process of verifying the identity of the person viewing the record, violates the need to know if the employee job role doesn't support access to the record, and prohibits the CE from making a determination to deny the request. Just because a person is an employee with the rights to records doesn't mean that they should not follow the same policies and procedures that patients have who are not part of the organizations workforce. Access to records also doesn't mean "full access" to a EHR via a UID and PW unless it is to a patient portal. If an employee wants to access his/her records through a portal that is one thing but CE's don't give out UID/PWs to their systems just because the privacy rule states patients have access to their records. If there is no portal, then as with any patient you don't give them access to the system to view records unless it is part of their job roles and duties. 


-------------------------------------------
Carlyn Choate
SR Policy and Privacy Coordinator
-------------------------------------------


Original Message:
Sent: 01-12-2015 19:31
From: Carol Taber
Subject: Employee Access To Their Own Medical Record

This message has been cross posted to the following Discussions: Health Information Technologies and Processes and Confidentiality, Privacy and Security .
-------------------------------------------
I would like to hear how other facilities are handling employee access to their own medical record.  Is anyone finding that employees are accessing their own medical records to obtain copies rather than going through the Medical Records Department?  How are you handling this?  Isn't this a HIPAA violation?  Do you have a statement within the Non-Disclosure Agreement signed upon employment advising employees they may face disciplinary action by accessing their own electronic medical records?  (Any suggested wording?)  Also, how are you tracking this?  I would appreciate any comments on this subject.  Thank you!

-------------------------------------------
Carol Taber
Health Information Coordinator II
Student Health Center - UNLV
-------------------------------------------

Good morning,

None of what you said makes sense and per the HIPPA rules I'm not sharing my information (i.e. chart) with anyone other myself. Why would I be denied access to my own records? None of this makes sense and has nothing to do with a HIPPA violation. I'm angry about this because I just got an email saying what you said about me accessing my OWN records.

------------------------------
ANTOINE MASON
------------------------------

Original Message:
Sent: 01-14-2015 21:39
From: Carlyn Doyle
Subject: Employee Access To Their Own Medical Record

I don't agree that allowing a employee access to his or her record, especially during work hours is NOT a HIPAA violation. Technically, it is a HIPAA violation and it violates the "need to know" and access controls under the HIPAA Security Rule. The privacy rule states that patients have the right to access records, but it also states that CE's can deny access to records. Allowing a staff to access his/her records dismisses the whole medical records process of verifying the identity of the person viewing the record, violates the need to know if the employee job role doesn't support access to the record, and prohibits the CE from making a determination to deny the request. Just because a person is an employee with the rights to records doesn't mean that they should not follow the same policies and procedures that patients have who are not part of the organizations workforce. Access to records also doesn't mean "full access" to a EHR via a UID and PW unless it is to a patient portal. If an employee wants to access his/her records through a portal that is one thing but CE's don't give out UID/PWs to their systems just because the privacy rule states patients have access to their records. If there is no portal, then as with any patient you don't give them access to the system to view records unless it is part of their job roles and duties. 


-------------------------------------------
Carlyn Choate
SR Policy and Privacy Coordinator

Original Message:
Sent: 01-12-2015 19:31
From: Carol Taber
Subject: Employee Access To Their Own Medical Record

This message has been cross posted to the following Discussions: Health Information Technologies and Processes and Confidentiality, Privacy and Security .
-------------------------------------------
I would like to hear how other facilities are handling employee access to their own medical record.  Is anyone finding that employees are accessing their own medical records to obtain copies rather than going through the Medical Records Department?  How are you handling this?  Isn't this a HIPAA violation?  Do you have a statement within the Non-Disclosure Agreement signed upon employment advising employees they may face disciplinary action by accessing their own electronic medical records?  (Any suggested wording?)  Also, how are you tracking this?  I would appreciate any comments on this subject.  Thank you!

-------------------------------------------
Carol Taber
Health Information Coordinator II
Student Health Center - UNLV
-------------------------------------------

No one is stating that a patient cannot have access to their own records; however, organizations may set the policy that employees cannot access their own health records.  So while it may not technically be a HIPAA violation it can certainly be a violation of policy.  We do not allow and for several reasons:  1) the user may have functionality that would allow for "editing" and could impact the integrity of the record; 2) the user would have to be doing this on "work-time" and it is outside the scope of the duties they are responsible for their job function; 3) the information is available in the portal; 4) the information is available through the ROI process.  Employees as patient have all the same rights as patients - but not MORE rights then patients.

------------------------------
Nancy Davis, MS, RHIA, CHPS
Director of Compliance & Safety
Door County Medical Center
------------------------------

Original Message:
Sent: 01-11-2021 07:51
From: ANTOINE MASON
Subject: Employee Access To Their Own Medical Record

Good morning,

None of what you said makes sense and per the HIPPA rules I'm not sharing my information (i.e. chart) with anyone other myself. Why would I be denied access to my own records? None of this makes sense and has nothing to do with a HIPPA violation. I'm angry about this because I just got an email saying what you said about me accessing my OWN records.

------------------------------
ANTOINE MASON

Original Message:
Sent: 01-14-2015 21:39
From: Carlyn Doyle
Subject: Employee Access To Their Own Medical Record

I don't agree that allowing a employee access to his or her record, especially during work hours is NOT a HIPAA violation. Technically, it is a HIPAA violation and it violates the "need to know" and access controls under the HIPAA Security Rule. The privacy rule states that patients have the right to access records, but it also states that CE's can deny access to records. Allowing a staff to access his/her records dismisses the whole medical records process of verifying the identity of the person viewing the record, violates the need to know if the employee job role doesn't support access to the record, and prohibits the CE from making a determination to deny the request. Just because a person is an employee with the rights to records doesn't mean that they should not follow the same policies and procedures that patients have who are not part of the organizations workforce. Access to records also doesn't mean "full access" to a EHR via a UID and PW unless it is to a patient portal. If an employee wants to access his/her records through a portal that is one thing but CE's don't give out UID/PWs to their systems just because the privacy rule states patients have access to their records. If there is no portal, then as with any patient you don't give them access to the system to view records unless it is part of their job roles and duties. 


-------------------------------------------
Carlyn Choate
SR Policy and Privacy Coordinator

Original Message:
Sent: 01-12-2015 19:31
From: Carol Taber
Subject: Employee Access To Their Own Medical Record

This message has been cross posted to the following Discussions: Health Information Technologies and Processes and Confidentiality, Privacy and Security .
-------------------------------------------
I would like to hear how other facilities are handling employee access to their own medical record.  Is anyone finding that employees are accessing their own medical records to obtain copies rather than going through the Medical Records Department?  How are you handling this?  Isn't this a HIPAA violation?  Do you have a statement within the Non-Disclosure Agreement signed upon employment advising employees they may face disciplinary action by accessing their own electronic medical records?  (Any suggested wording?)  Also, how are you tracking this?  I would appreciate any comments on this subject.  Thank you!

-------------------------------------------
Carol Taber
Health Information Coordinator II
Student Health Center - UNLV
-------------------------------------------

Nancy...you also reminded me that there could also be information in the EHR that the employee/patient may not have access to either under an unreviewable or reviewable circumstance as described in the Access to PHI section of the Privacy Rules.

As you said, you probably can find proponents for or against...but I'm with you...I've always taken the position that whether a patient or an employee/patient...ALL patients should follow the same path to request access.

Again...not saying others with differing or similar positions are right/wrong/etc, etc...just sharing.



Posted: 8:18 PM AZ time

------------------------------
Frank Ruelas
Compliance Professional
Arizona
------------------------------

Original Message:
Sent: 01-11-2021 10:25
From: Nancy Davis
Subject: Employee Access To Their Own Medical Record

No one is stating that a patient cannot have access to their own records; however, organizations may set the policy that employees cannot access their own health records.  So while it may not technically be a HIPAA violation it can certainly be a violation of policy.  We do not allow and for several reasons:  1) the user may have functionality that would allow for "editing" and could impact the integrity of the record; 2) the user would have to be doing this on "work-time" and it is outside the scope of the duties they are responsible for their job function; 3) the information is available in the portal; 4) the information is available through the ROI process.  Employees as patient have all the same rights as patients - but not MORE rights then patients.

------------------------------
Nancy Davis, MS, RHIA, CHPS
Director of Compliance & Safety
Door County Medical Center

Original Message:
Sent: 01-11-2021 07:51
From: ANTOINE MASON
Subject: Employee Access To Their Own Medical Record

Good morning,

None of what you said makes sense and per the HIPPA rules I'm not sharing my information (i.e. chart) with anyone other myself. Why would I be denied access to my own records? None of this makes sense and has nothing to do with a HIPPA violation. I'm angry about this because I just got an email saying what you said about me accessing my OWN records.

------------------------------
ANTOINE MASON

Original Message:
Sent: 01-14-2015 21:39
From: Carlyn Doyle
Subject: Employee Access To Their Own Medical Record

I don't agree that allowing a employee access to his or her record, especially during work hours is NOT a HIPAA violation. Technically, it is a HIPAA violation and it violates the "need to know" and access controls under the HIPAA Security Rule. The privacy rule states that patients have the right to access records, but it also states that CE's can deny access to records. Allowing a staff to access his/her records dismisses the whole medical records process of verifying the identity of the person viewing the record, violates the need to know if the employee job role doesn't support access to the record, and prohibits the CE from making a determination to deny the request. Just because a person is an employee with the rights to records doesn't mean that they should not follow the same policies and procedures that patients have who are not part of the organizations workforce. Access to records also doesn't mean "full access" to a EHR via a UID and PW unless it is to a patient portal. If an employee wants to access his/her records through a portal that is one thing but CE's don't give out UID/PWs to their systems just because the privacy rule states patients have access to their records. If there is no portal, then as with any patient you don't give them access to the system to view records unless it is part of their job roles and duties. 


-------------------------------------------
Carlyn Choate
SR Policy and Privacy Coordinator

Original Message:
Sent: 01-12-2015 19:31
From: Carol Taber
Subject: Employee Access To Their Own Medical Record

This message has been cross posted to the following Discussions: Health Information Technologies and Processes and Confidentiality, Privacy and Security .
-------------------------------------------
I would like to hear how other facilities are handling employee access to their own medical record.  Is anyone finding that employees are accessing their own medical records to obtain copies rather than going through the Medical Records Department?  How are you handling this?  Isn't this a HIPAA violation?  Do you have a statement within the Non-Disclosure Agreement signed upon employment advising employees they may face disciplinary action by accessing their own electronic medical records?  (Any suggested wording?)  Also, how are you tracking this?  I would appreciate any comments on this subject.  Thank you!

-------------------------------------------
Carol Taber
Health Information Coordinator II
Student Health Center - UNLV
-------------------------------------------

I agree 100% with you Carlyn.  Just because you work at a place does not give you the right to access your own records without going to the proper process as everyone else.

------------------------------
Sharley Myrick
Educator
------------------------------

Original Message:
Sent: 01-14-2015 21:39
From: Carlyn Doyle
Subject: Employee Access To Their Own Medical Record

I don't agree that allowing a employee access to his or her record, especially during work hours is NOT a HIPAA violation. Technically, it is a HIPAA violation and it violates the "need to know" and access controls under the HIPAA Security Rule. The privacy rule states that patients have the right to access records, but it also states that CE's can deny access to records. Allowing a staff to access his/her records dismisses the whole medical records process of verifying the identity of the person viewing the record, violates the need to know if the employee job role doesn't support access to the record, and prohibits the CE from making a determination to deny the request. Just because a person is an employee with the rights to records doesn't mean that they should not follow the same policies and procedures that patients have who are not part of the organizations workforce. Access to records also doesn't mean "full access" to a EHR via a UID and PW unless it is to a patient portal. If an employee wants to access his/her records through a portal that is one thing but CE's don't give out UID/PWs to their systems just because the privacy rule states patients have access to their records. If there is no portal, then as with any patient you don't give them access to the system to view records unless it is part of their job roles and duties. 


-------------------------------------------
Carlyn Choate
SR Policy and Privacy Coordinator

Original Message:
Sent: 01-12-2015 19:31
From: Carol Taber
Subject: Employee Access To Their Own Medical Record

This message has been cross posted to the following Discussions: Health Information Technologies and Processes and Confidentiality, Privacy and Security .
-------------------------------------------
I would like to hear how other facilities are handling employee access to their own medical record.  Is anyone finding that employees are accessing their own medical records to obtain copies rather than going through the Medical Records Department?  How are you handling this?  Isn't this a HIPAA violation?  Do you have a statement within the Non-Disclosure Agreement signed upon employment advising employees they may face disciplinary action by accessing their own electronic medical records?  (Any suggested wording?)  Also, how are you tracking this?  I would appreciate any comments on this subject.  Thank you!

-------------------------------------------
Carol Taber
Health Information Coordinator II
Student Health Center - UNLV
-------------------------------------------