Reminder about appropriate access of Epic: If it’s not necessary for doing your job, then don’t access it


The Ballad Health Epic journey has moved us to one electronic health as an organization. We’ve just completed our Epic Phase 2 transition for those services and departments that were not already on the Epic system, which means now is a good time to review some rules about appropriate access to a patient’s medical record in Epic.

Benefits of using Epic

There are plenty of benefits to using Epic, including:

  • Clinicians can see a patient’s complete story.
  • Inpatient and outpatient charts are combined, increasing patient safety.
  • Patients are empowered with Epic’s online health management tool, MyChart.

With one electronic health record, more of the patient’s protected health information (PHI) is now available for access for treatment, payment and healthcare operations, as permitted by HIPAA. PHI is not just the clinical data but also includes demographic information such as name, address, telephone number, birthdate, Social Security Number, email address, visit and medical record numbers, admit/discharge date, etc.

Ballad Health policies: Is access necessary to do your job?

It’s important to remember the HIPAA education you’ve received and the Ballad Health policies related to use, access and disclosure of PHI. Before you search for and/or access information in Epic, ask yourself if you need to access the information to perform your job duties. If the answer is no, then you should not access it. This includes searching for information about yourself, your friends or your family. There must be a job-related, HIPAA-permitted reason any time you search for and/or access information in Epic.

Ballad Health policy prohibits the use of your Epic login and password to access your own record. Login and password information is assigned specifically for you to perform your job duties. Remember, MyChart is the application you should use to access your own health record that may be available in Epic. You may also request a copy of your record from the medical records department or your physician office.

The HIPAA Compliance Office monitors access to patient information, including team members who access their own record. Policy violations and any inappropriate access that results in a HIPAA violation is subject to disciplinary action up to and including termination.

If you have specific questions, please reach out to the HIPAA Privacy and Security Officer.

Frequently asked questions

1. Question: Our department celebrates the birthdays of our department team members with a potluck luncheon. Our department does not have a department secretary. Is it ok for me to use my Epic login and look up the department team members in Epic to obtain their birthdates?

Answer: No, the access would not be a HIPAA-permitted reason for accessing PHI. You should get the information from the team members.

2. Question: The school has requested a copy of my child’s immunization record. Is it OK for me to use my Epic login to access my child’s immunization record to provide to their school?

Answer: No. You should request the immunization record from the physician office, or possibly use MyChart to obtain the information needed.

3. Question: I am working on updating the home telephone numbers and home addresses for our department team member list. Is it OK for me to use my Epic login and look up this information in Epic?

Answer: No, the access would not be a HIPAA-permitted reason for accessing PHI. You should obtain the information from the team members.

If you have a HIPAA question or concern, please contact:

HIPAA Privacy and Security Officer