Confidentiality, Privacy and Security

Patient request report of all access into EHR

  • 1.  Patient request report of all access into EHR

    Posted 07-08-2019 12:05
    I've had this question in the past, would like to find out how other facilities respond. Scenario is a patient has a concern that an employee of the hospital may have inappropriately accessed the patient's electronic health record. The patient prefers to not name the employee, but would like a list of all access by hospital employees into his/her record for a specific time frame.
    Patients may request copies of their records and may request a disclosure report from the hospital. My understanding is when a patient has a concern that an employee inappropriately accessed records, an access audit is conducted by the hospital security and privacy department. Access that is appropriate to job role is verified. Access that is inappropriate would be reported to the hospital privacy officer with breach notification to the patient when appropriate as well as corrective actions regarding the employee per hospital policy.
    Do other facilities provide a listing of all employee access into a patient electronic record? That would not appear to be appropriate for the access that occurred due to treatment, payment or operations. Thank you for input.

    ------------------------------
    Vicki Dunn,RHIT,CHPS,CCS-P,MPA
    HIM Director
    Mary Greeley Medical Center
    dunn@mgmc.com
    ------------------------------


  • 2.  RE: Patient request report of all access into EHR

    Posted 07-08-2019 14:48
    Hi Vicki,

    This is interesting in that the patient has a concern but does not want to name the employee who she believes inappropriately accessed her records?  Is there something more to the story? Does the patient know the employee personally?  I would not give the names of the employees who have access to the records as we are accidentally exposing them as well.  I don't believe that providing employee access falls under Accounting of Disclosure...as the employees who are accessing the record fall under TPO and that could be a lot of people...and a lengthy audit trail.

    We had a similar complaint but asked the patient be more specific as it is hard for the privacy officer to even determine who entered the record inappropriately...what if the employee job was to register the patient but we have no idea if that employee was just doing their job or being malicious without a name...



    ------------------------------
    Sherri Turner-Burton
    Director of HIM/HIPAA Privacy Officer
    ------------------------------



  • 3.  RE: Patient request report of all access into EHR

    Posted 07-09-2019 08:09
    This has been a problem many sites have dealt with for years. Typically I recommend that the employee or person (the requester) asking who accessed their records should be asked what and who they are concerned about. Then a refined search can be made and possibly, but not always, the person(s) they have concern with would be the only parties whose access would be under review and might be shared with the requester. But an in-depth listing of all the parties who accessed their record should not be given to the requester. There is no federal requirement to do so and I doubt any state mandate either, typically as you know these listings can have many users and it is very difficult to map what they were doing against the audit log. There is no mandate I am aware of that would require any information on those who accessed the requester's records be given to the requester, unless there is a formal breach and then they would be notified. But to be transparent as possible the Privacy Officer should balance how much is given and that is another reason face to face meetings may be advisable. Be sure to well document the entire process and get the requester to make the request in writing.

    ------------------------------
    Kelly McLendon, RHIA, CHPS
    Managing Director
    CompliancePro Solutions
    kmclendon@complianceprosolutions.com
    321-268-0320
    ------------------------------



  • 4.  RE: Patient request report of all access into EHR

    Posted 07-09-2019 08:10

    I do not release audit logs to patients.....I try to get the patient to tell me who they are suspicious of.......I let them know I will be sending the audit log to the appropriate managers to verify their employee's access and will let them know the outcome.....an audit log would result in a gillion questions........

     

    Wendy Mangin, MS, RHIA

    Executive Project Director – Regulatory Compliance/Privacy Officer

     

    Good Samaritan 

    520 S. Seventh St. | Vincennes, Indiana | 47591

    Hospital: 812.882.5220 | Direct: 812.885.3487 

    Fax: 812.885.3912 | wmangin@gshvin.org 


  • 5.  RE: Patient request report of all access into EHR

    Posted 07-09-2019 08:57
    I do not provide audit reports.  I will confirm inappropriate access if an individual is named.  If they do not want to name the individual then I will review the audit reports for suspicious activity and refer to department leaders for secondary reviews if needed.  We are not obligated to provide these reports and my fear is that it will open a new can of worms as patients do not realize how many individuals are truly involved in their care and have access to their records.

    ------------------------------
    Nancy Davis, MS, RHIA, CHPS
    Director of Compliance & Safety
    Door County Medical Center
    ------------------------------



  • 6.  RE: Patient request report of all access into EHR

    Posted 07-09-2019 09:25

    We are consistent with Nancy's process.

     

     

     

    Becky Kilen, MS, RHIA

    GHS Privacy Officer | Manager of Privacy

     

    GUNDERSEN HEALTH SYSTEM 

    1900 South Avenue | Mail Stop:  AVS-001

    La Crosse, WI  54601

    Phone:  (608) 775-3549 | Pager: 3863

    Fax:  (608) 775-4706 | rakilen@gundersenhealth.org

     

    Privacy Office: (608) 775-7439 | PrivacyOffice@gundersenhealth.org

     

    http://connect.gundluth.org/hipaa/home

     

     


  • 7.  RE: Patient request report of all access into EHR

    Posted 07-09-2019 09:54
    Hi Vicki, we do not allow access directly to the EMR nor will provide a list of all who accessed an account.  We follow the process just as you described.

    ------------------------------
    Barb Beckett, RHIT, CHPS
    System Privacy Officer
    Saint Luke's Health System
    bbeckett@saintlukeskc.org
    ------------------------------



  • 8.  RE: Patient request report of all access into EHR

    Posted 07-09-2019 10:19
    Thank you all so much, I think I just needed some validation. I am very grateful that this community is so responsive to these day to day issues.

    ------------------------------
    Vicki Dunn,RHIT,CHPS,CCS-P,MPA
    HIM Director
    Mary Greeley Medical Center
    dunn@mgmc.com
    ------------------------------



  • 9.  RE: Patient request report of all access into EHR

    Posted 07-09-2019 10:28
    A facility's staff members also have a right to privacy, and their names should not be provided in response to this inquiry. If the patient has a real and actual concern, then the specifics of a name should be provided to facilitate a proper investigation.
    Our legal counsel also advised that our employees' pictures and photos were private and assisted us in developing a policy that indicated that employees could only be photographed/videotaped with specific employee permission.
    A healthcare employee does not forfeit their right to privacy, and a facility should respectfully protect them.

    ------------------------------
    Denise Van Fleet, Program Coordinator, Bachelor HIM Rasmussen College
    Former HIPAA Privacy Officer
    ------------------------------



  • 10.  RE: Patient request report of all access into EHR

    Posted 07-09-2019 10:38
    Ditto to Denise.  A few years back we even had a subpoena for an access listing.  A motion to quash was filed and when in court and an in-camera session, the judge honored the motion and we did not have to disclose to either attorney.

    ------------------------------
    Barb Beckett, RHIT, CHPS
    System Privacy Officer
    Saint Luke's Health System
    bbeckett@saintlukeskc.org
    ------------------------------