HIPAA reminder: Accessing patient information

Take this quick HIPAA pop quiz!

In which of the following circumstances are you allowed to look up a patient’s medical records?

  1. You learn that your child’s teacher has been visiting one of our clinics and you are concerned.
  2. Your coworker is out sick, and you want to see if you can help.
  3. You hear about one of our patients in the media and want to make sure they are okay.
  4. A local celebrity is an inpatient and you’re curious why they’re here.
  5. NONE OF THE ABOVE.

The correct answer is 5.

All of the above examples are forms of “snooping.” Snooping means intentionally accessing or viewing anyone’s protected health information (PHI) without a job-related reason to do so. Improperly accessing electronic health records can result in termination of employment and even lead to criminal fines and penalties.

Here are some things to know before accessing patient information.

HIPAA access violations

According to HIPAA: Accessing the health records of patients for reasons other than those permitted by the Privacy Rule, which are for treatment, payment and healthcare operations, is a violation of patient privacy. It is the responsibility of all Ballad Health team members to protect the privacy of patients in compliance with HIPAA (Health Insurance Portability and Accountability Act).

Ballad Health has policies related to use, access and disclosure of PHI in addition to providing HIPAA education to every team member. Before you search for and/or access information in Epic, ask yourself if you need to access the information to perform your job duties. If the answer is no, then you should not access it. This includes searching for information about yourself, your friends or your family. There must be a job-related, HIPAA-permitted reason any time you search for and/or access information in Epic.

Confidentiality is a patient right

At Ballad Health, we take the privacy of our patients’ information very seriously. Patients have the right to have their information kept confidential, and we are expected to protect their records against unauthorized access.

Access is monitored

Access to patient information is monitored by the HIPAA Compliance Office, including for team members who access their own record. Policy violations and any inappropriate access that result in a HIPAA violation are subject to disciplinary action up to and including termination.

Remember: Snooping is prohibited, no matter what the reason!

If you have a HIPAA question or concern, please contact: