Confidentiality, Privacy and Security

Anyone hear this....Access Report

  • 1.  Anyone hear this....Access Report

    Posted 26 days ago
    During a conversation on a HIPAA related online session, one of the topics that came up was how to respond to a patient who believes they have the right to a listing of everyone within the facility that viewed their medical record.

    Some people are under the impression that this type of access report is a right under HIPAA.  Indeed, it was proposed, as were changes to the Accounting of Disclosures requirements, but to date, no such access report requirement exists.

    Often I find that people are requesting this "access report" in an attempt to identify if someone they suspect that works at the facility, such as a neighbor, relative, or friend, is snooping into their record.  I know it is also frustrating for these folks to then request an Accounting of Disclosures only to see that often it is blank or with very few entries.

    I think most folks probably work with the individual and try to find out if there is someone in particular, by name, they believe has accessed their information.  Then some type of audit log review is done to check for any suspicious access.

    Does this sound familiar with what others have experienced and how they handle it?

    Any feedback is appreciated.

    Hoping that all those affected by the storms are safe!




    Posted: 6:45 AM AZ time

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------


  • 2.  RE: Anyone hear this....Access Report

    Posted 25 days ago
    Hi Frank,

    I recently had a similar situation.  I did not share names and would not for the same reason you shared.  If it was determined that the person/employee they suspected had been in their chart and should not have been, we would handle it as a breach but again, not share staff names in the notification letter.

    ------------------------------
    Lisa Kampa
    Privacy & Information Governance Officer
    ------------------------------



  • 3.  RE: Anyone hear this....Access Report

    Posted 25 days ago
    I will not provide a listing of all access names.  If the patient is suspecting an individual or even a small group of individuals, I will ask for the names and then based on the results of the audit, deal with the issue and only confirm (when appropriate) that an unauthorized disclosure has taken place and corrective disciplinary action has been taken.

    I have always felt that the average patient has no real idea how many healthcare staff members legitimately access their health information.  Most probably think doctor and nurse and do not realize - call center staff, schedule staff, registration, health information, coding, transcription, billing, quality, risk, etc.  So while they may have concerns that a family member or neighbor might be snooping (and I am more than willing to investigate), they would actually be freaked out to learn that their cousin in HIM, nephew in quality, etc. have accessed their records.  I do not want to open that can of worms - especially in a small community.

    ------------------------------
    Nancy Davis, MS, RHIA, CHPS
    Director of Compliance & Safety
    Door County Medical Center
    ------------------------------



  • 4.  RE: Anyone hear this....Access Report

    Posted 25 days ago
    Good idea.  That's also a good reason, in my opinion, why it's good to know that people realize such an access report is not required because, as you mentioned, it could take them to a space that would just be more problematic.

    Better to identify, if the individual is willing, to find out what the individual is trying to accomplish and then work from there.




    Posted: 7:59 AM AZ time

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------



  • 5.  RE: Anyone hear this....Access Report

    Posted 25 days ago
    Thanks Lisa.  Your reality check got my day off to a good start.





    Posted: 7:57 AM AZ time

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------



  • 6.  RE: Anyone hear this....Access Report

    Posted 25 days ago
    We don't provide names on our Breach Notification letters either, I'd echo what Nancy is saying.  But to go one step further, patient requests an Accounting of Disclosures, do you then provide the name, address, etc. in that format?  We are dealing with a case now where we sent a BN letter to a mom, wrong same name person was attached by proxy to the child's portal account.  Mom wants to know who had access to her child's information.  Our process is not to provide it, however if she were to request an Accounting of Disclosures, we believe we are required to share it.

    Thoughts??? We were hoping by now the Accounting would have gotten struck from the regulation.

    ------------------------------
    REBECCA KILEN, MS, RHIA, CHPS
    Privacy Officer
    Gundersen Health System
    rakilen@gundersenhealth.org
    ------------------------------



  • 7.  RE: Anyone hear this....Access Report

    Posted 24 days ago
    Correct...if the mother (let's assume she is the patient's representative for this discussion) requested the Accounting, the name, if known, of the person to whom the disclosure was made would be listed on the Accounting as is required by the regulations under the Accounting of Disclosure section (164.528).





    Posted: Saturday

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------