Confidentiality, Privacy & Security

Subject: Access to your own record

1.  Access to your own record

Posted 12-09-2013 12:15
Does your facility allow you (and by you, I mean any employee) access to their own record without going through ROI?  Such as, I'm at home and just want to log into the EMR and take a look?  If so, what about dependents?

-------------------------------------------
Seth Katz
Assistant Administrator, Information Management and Program Execution
-------------------------------------------


2.  RE:Access to your own record

Posted 12-10-2013 05:59
Absolutely not! You must put in a ROI. You are no different then any other person that wants access to medical information. It is immediate termination.

-------------------------------------------
Lisa Tighe
Health Information Coordinator
-------------------------------------------








3.  RE:Access to your own record

Posted 12-10-2013 08:02
Unless you have a patient portal that allows you access to your own record through the portal, I completely agree with Lisa, you wear a dual hat in that regard, and you must separate yourself from the employee to the patient/patient representative.  

-------------------------------------------
Christine Metheny
Program Director
-------------------------------------------








4.  RE:Access to your own record

Posted 12-10-2013 08:47

We allow our employees to view their own personal EMR chart - but first the employee must submit an authorization to be processed by HIIM first. They are not allowed to access any other family members.
-------------------------------------------
Kathleen Cleary
Director, HIM
-------------------------------------------








5.  RE:Access to your own record

Posted 12-10-2013 09:58
Hi Seth, in reality, you have to remember that it is not your record.  The record belongs to the healthcare facility, so you have to abide by the ROI policies that are set in place at that specific facility.  The information is yours, and as a patient you have certain rights to view the PHI, but you must follow the facility rules.  In most places, you have to sign an authorization to view your own PHI.  Never dependents without proper authorization.  Many facilities will seek instant job termination for such actions. 

-------------------------------------------
Ed Sanchez
Regional HIM Director and Privacy Officer
-------------------------------------------








6.  RE:Access to your own record

Posted 12-10-2013 10:10


-------------------------------------------
Viola Swank
Health Information Management Manager
-------------------------------------------
In our facilities, an employee would be given a final written warning if they accessed their records without going through the ROI department. No one is allowed to access their own records or records of anyone else without a business "need to know". We have auditors that monitor this on a regular basis.







7.  RE:Access to your own record

Posted 12-10-2013 10:11
Hi, at this time we do not. An employee who is or was a patient would follow the same process as any other patient. Complete a ROI through the HIS Department.

-------------------------------------------
Elisa R. Gorton, MAHSM, RHIA, CHPS
Assistant Director, Health Information/Privacy Officer
St.Vincent's Medical Center
2800 Main Street
Bridgeport, CT 06606
(T)203-576-5149
egorton@stvincents.org
-------------------------------------------








8.  RE:Access to your own record

Posted 12-10-2013 12:12
We require employees to complete an ROI form which allows them to access their record or HIM can make copies. We require them to complete an ROI form for the following reasons:
using their work related system security access to view personal records is outside the scope of their job and the "need to know" 
accessing records puts them in the position of being a patient, not employee

we also encourage them to signup for the patient portal which allows access anytime

-------------------------------------------
Natalie Novak
Executive Director Corporate HIM Division
-------------------------------------------








9.  RE:Access to your own record

Posted 12-11-2013 10:24
Very interesting information from everyone. We have a portal that we want to direct people to, but that PHR is not an exact copy of our EMR, it has the highlights but not all the meat. We actually do allow users who have EMR access to view their own record. I won't say that this change made - or makes - HIM/Compliance/Legal happy, but it was Leadership directed that while the EMR is the organizations, the information is the patient's. We don't allow people to print or edit their own record (and have software to track such things) but it's a tricky situation when you have C-suite leadership asking for this to occur. They're stance was: don't assume people are evil and will do bad things if they have access, but it's going to be interesting to track. ------------------------------------------- Seth Katz Assistant Administrator, Information Management and Program Execution -------------------------------------------


10.  RE:Access to your own record

Posted 12-12-2013 09:37

Both my current facility and my previous facility it was written into the policy that individuals could view their own EMR within the hospital but it was discouraged, mainly for the fact that if a patient (employee) has any test done or other work ups that in normal course of care a clinical staff member would want to view and discuss with the patient. Some employees are not qualified to determine what results mean, such as administrative staff. But it was allowed for them to look at their own if they deemed it necessary. 
-------------------------------------------
Crystal Anson
Medical Records Manager & Privacy Officer
-------------------------------------------








11.  RE:Access to your own record

Posted 12-13-2013 10:32
That's interesting. That idea - that patient's don't necessarily know/understand their results and what they mean - came up when we talked about should we post everything to our patient portal and how long we should delay and while, at first, providers wanted a long time delay and to not post everything because they were worried that a patient would read/see something and misinterpret it before a provider could contact them, however, we discuss that, at any given time, a patient can go to ROI and get all their information whether a provider reviewed and called them first or not, so we've said just put it out there. ------------------------------------------- Seth Katz Assistant Administrator, Information Management and Program Execution -------------------------------------------


12.  RE: Access to your own record

Posted 11 days ago
​Hi everyone,

So, I read all of this discussion and I think based on it, one could say that allowing employee's who are also patients of the clinic to view their records is not considered a breach of HIPAA because they are entitled to access their own records.  Is that a correct understanding? What about if a person was training for the check in process and thought that they would use their account as a training place and delete the newly created training encounter later?  I know that HR ramifications are our organization's decision, but would this be something that I need to report as a breach?

Thanks,

------------------------------
Nancy Mitchell
Corporate Compliance and Risk Management Coordinator
------------------------------



13.  RE: Access to your own record

Posted 10 days ago

In my Privacy Officer role: No, we did not allow an employee to access their own records without following the proper ROI function. We had a facility policy that said something like 'the use of the facility resources must be related to a current, business related action or need'. This was found in an administrative policy so applied to all staff and all areas. This also disallowed staff from logging onto the system from home unless they were performing currently approved work.

My experience as a HIPAA privacy officer evidenced that accessing your own health records was often a slippery slope that led to other curiosities such as reviewing family and friends health records.



------------------------------
Denise Van Fleet Program Coordinator, Bachelor HIM Rasmussen College
------------------------------



14.  RE: Access to your own record

Posted 10 days ago
From what I understand, there are two different schools of thought.

1.  The patient has a right to their record, so allowing an employee to view their record is the facility's way of accommodating that right.
2.  An employee should only have the access necessary for them to complete their job, as required by the minimum necessary rule.  Since viewing one's own record is not part of their job, it is forbidden.

Our facility goes by the second train of thought.  If an employee needs their record, they can come to HIM and complete the request.

------------------------------
Jesse Floyd, RHIA
------------------------------



15.  RE: Access to your own record

Posted 10 days ago

Strictly not allowed at our facility, nor should they be in their immediate families charts.  If a family member sees the doctor the employee works for, we have them get another medical assistant to do the charting for the appointment.

 

The employee/patient of course has a right to their chart, but must do so like any other patient. Sign an authorization and obtain the information like any other patient.

 

Jan

 

Janet S Brant

Director of HIM

Privacy Officer

South Bend Clinic LLP

211 N Eddy Street

South Bend, IN  46617

(574) 237-9296

Direct Fax (574) 204-6611

 

 



PRIVILEGED AND CONFIDENTIAL: This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.





16.  RE: Access to your own record

Posted 9 days ago

​Hi,
We would not allow employees to look at their record unless they went through the proper channels just as other patients do; requesting access.  Additionally, for us, as a behavioral health agency, there could be information recorded that could meet one of the exception rules for access.
Lynn Boyes, RHIT



------------------------------
Kathryn Boyes
Director of Medical Records
------------------------------



17.  RE: Access to your own record

Posted 6 days ago
​Thank you everyone.

------------------------------
Nancy Mitchell
Corporate Compliance & Risk Management Coordinator
------------------------------



18.  RE: Access to your own record

Posted 5 days ago
​May be late to the game, but here goes.  My interpretation of HIPAA is 1) they do say access to PHI is for a need to perform your tasks (a working need).  2) HIPAA does states that pts. have a right to "get" or "have" access to their PHI.  We do not interpret this to mean they can physically access their PHI on their own.  My facility has a policy in place and employees are NOT allowed to access their own.  They are a patient at that point and need to go through the same channels - pt. portal, request from HIM, etc.  Our EMR is a live environment and under HIPAA Security, we are required to protect the integrity of that information.  Thus we opted not to allow this.  Also, not all our 11,000 employees have access to the EMR, and felt it was not appropriate to only allow some to access.

------------------------------
Barb Beckett, RHIT, CHPS
System Privacy Officer
Saint Luke's Health System
bbeckett@saintlukeskc.org
------------------------------



19.  RE: Access to your own record

Posted 5 days ago
You are never a patient and an employee at the same time. Fill out an ROI and then take a look.

Van M Gill, RHIA, CHPS





20.  RE: Access to your own record

Posted 5 days ago
Since the patient's own privacy is not compromised by him/her accessing their own information, it would not be considered it a breach.  HOWEVER, the provider's responsibility is to maintain the integrity of the information and employee/patients accessing their own information is certainly an HR issue where there should be consequences for not following facility procedures.

As far as using one's own records for training purposes, I would recommend against this.  Create a fictitious/test-type patient for these purposes, or utilize the EHR's test environment.

------------------------------
Dorinda Sattler, MJ RHIA, CHPS, CPHRM
Clinical Asst. Professor, Program Dir. HIT
Indiana University Northwest
------------------------------



21.  RE: Access to your own record

Posted 5 days ago
We do consider it a breach if an employee accesses their own record.  We base this on the "need to know" concepts to perform duties of their job, and that when an employee is a patient they will not be on their own treatment team.  We ask employees to seek access like all other patients, through their EMR portal or request from the HIM department.  We have software that identifies when a user accesses a record with the same name as the user.  This software also identifies if a user's address (their employee home address) is the same as the address of the record they are accessing, which identifies when they might be accessing a family member's records.  These situations are investigated through our Compliance Department with the user's manager as the lead investigator and they are subject to disciplinary action.

------------------------------
Janet Baucom, RHIA, CCS
Director HIM
------------------------------



22.  RE: Access to your own record

Posted 4 days ago
​Most facilities have this (employee access) addressed in policy. It is not a breach, but it is highly likely a policy violation, which could lead to a corrective action.  Refer to facility policies first and the best guidance has already been provided - fill out a ROI request and then you are doing the right thing.

------------------------------
[Susan Lucci]
[Consultant & Chief Privacy Officer]
[Just Associates,Inc.]
------------------------------