I get several questions from folks about various information security, privacy and compliance issues. I answer all I can. Most of them are great, thought-provoking questions that help to spawn a nice discussion!
I recently got a very good and interesting question from a healthcare provider that all organizations really need to put some thought into. With this in mind, the following is the de-identified message I received, along with my slightly edited reply…
“Good Afternoon Rebecca,
A question that frequently arises at our organization is: “why can’t I use my employee access to get copies of my own medical record? There’s nothing about this topic that is specifically addressed in the HIPAA Privacy or Security Rules.”
The compliance department’s response is, of course: “how does using your employee access to get copies of your own medical record fall into treatment, payment or healthcare operations (TPO) requirements?” Additionally, there is an explanation attached that employees do have a right to their own medical record, like any other patient does; but employees must follow the same procedures that any other patient has to follow.
Is there any more guidance that you could direct me to about this topic? It is a great source of frustration for our department as well as our employees. Any information you could provide would be helpful.
Respectfully,
[Name]
[Medical Center Name]
Compliance Specialist”
Here is my reply to the Compliance Specialist…
Thank you for your message. It is a good and often debated question!
I was responsible for information security and privacy at a large financial (including a mortgage unit) and insurance (including health insurance) enterprise for several years, and this was an issue I dealt with on more than one occasion, even before HIPAA or GLBA existed. A couple of types of situations pointed out the need, back in the first half of the 1990s, to establish a strong policy to not allow employees to view their own, or their co-workers’, records at their discretion, and to establish small groups of employees who were specifically trained and given carefully monitored access to employee records, but still with the goal of disallowing them unfettered access to their own records.
- There were some instances where employees in the mortgage area looked at their own, and other employees’, records when they were trying to sell or buy a house and used that information for leverage in doing home purchase offers, or used the information to help their friends with house dealings.
- There were some instances where employees in the health insurance area looked at their own, and other employees’, health insurance, claims and associated medical records. Some then tried to use the information for their advantage during divorce cases, some tried to change the information in the files to get better insurance rates, and one even tried to change the records in the attempt to get more prescription drugs.
This is just the tip of the iceberg for the types of activities personnel with malicious intent could do with access to their own, and to co-workers’, records.
Giving employees, who are also customers/patients of the employer, access to their own, and to coworkers’, records without following established and documented policies and procedures is generally a bad idea for many reasons.
While many specific topics are not directly addressed within the HIPAA Security Rule or Privacy Rule, it is important to know that the most important directive within HIPAA, and probably the one most often overlooked by business leaders within HIPAA covered entities (CEs), is that organizations must determine the administrative, technical and physical controls that are appropriate based upon the risks to protected health information (PHI) within their own organization. Everyone involved needs to understand this before you can have a good discussion with your business leaders. It would be impossible for HIPAA, or any law or regulation, to explicitly name every type of risk that could be present across the vast array of organizations that exist. Therefore, the Department of Health and Human Services (HHS) directs CEs to evaluate risk and, based on the findings, implement the administrative, technical and physical controls that are appropriate for the required and addressable topics within the regulations.
With this in mind, it is good to ask the types of questions your compliance department has posed, in addition to others.
Your compliance folks have a good point: peeking at your own medical records out of curiosity is not a TPO activity.
Here are some other questions to consider, to help to determine the risks involved with employees looking at their own medical records:
- HIPAA requires that access to medical records and PHI be given only to personnel who have a business need for that access. Do your employees have a business need to access their own personal medical records and PHI? Is it part of their job responsibilities?
- What are some of the potential consequences of employees accessing their full medical records, with regard to their own medical care, insurance claims, and so on? What could happen if the employees could change their own medical records? How could the care of that employee, as a patient, be impacted if they were able to look at their own medical records whenever they wanted? Could it endanger their health in some way?
- What are some of the potential consequences of employees accessing their full medical records and then, somehow as a result of their access, having others obtain their medical records? Perhaps because of information left on their computer screens, in the printer, and so on? How could this be explained? Consider how the medical provider could be held liable.
- Etc…
Another important point for medical center employees to know is that the information within medical records and files goes well beyond the 18 items listed as PHI within the HIPAA regulations. There are many situations in which, and reasons why, it may not be appropriate to provide ALL information in medical records and files to patients.
It is important to note that CEs must establish policies and supporting procedures, based upon risk, to allow individuals access to their corresponding PHI, but not necessarily to their full medical records and files.
Yes, all personnel should follow one set of procedures that apply to all patients. Even if they, themselves, are patients.
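The following is an added illustration of the two controls described in this reply, a workforce access check that refuses the employee route to one’s own record and a review of the EHR access-audit log that flags what that policy would deny or want looked at; it is example code, not Rebecca’s or any medical center’s system. The role-to-PHI-category matrix, the employee-to-patient mapping, and the audit log format are all hypothetical and constructed for the example; a real organization derives the first two from its own risk analysis and HR data.

```python
"""Minimum-necessary access check and self-access audit review (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: employee id -> the patient MRN that belongs to that employee.
# In practice this link comes from the HR system, never from the employee.
WORKFORCE_PATIENT_MAP = {
    "E1001": "MRN-77",
    "E1002": "MRN-91",
    "E1003": "MRN-15",
}

# Hypothetical minimum-necessary matrix: the PHI categories each workforce
# class needs to carry out its duties. The organization's risk analysis
# decides the real contents.
ROLE_PHI_ACCESS = {
    "nurse": {"demographics", "clinical_notes", "medications"},
    "billing_clerk": {"demographics", "claims"},
    "compliance_specialist": set(),
}

# Purposes that count as treatment, payment or health care operations.
TPO_PURPOSES = {"treatment", "payment", "operations"}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    employee_id: str
    role: str
    patient_id: str
    category: str
    purpose: str


def evaluate(ev: AccessEvent) -> Tuple[str, str]:
    """Apply the policy. Returns (decision, reason); decision is deny, review or allow."""
    if WORKFORCE_PATIENT_MAP.get(ev.employee_id) == ev.patient_id:
        # Employee access is never the route to one's own record.
        return "deny", "self-access: route through the patient record-request procedure"
    if ev.purpose not in TPO_PURPOSES:
        return "deny", "purpose is not treatment, payment or operations"
    if ev.category not in ROLE_PHI_ACCESS.get(ev.role, set()):
        return "deny", f"category '{ev.category}' is outside the {ev.role} role's minimum-necessary set"
    if ev.patient_id in WORKFORCE_PATIENT_MAP.values():
        # Permitted, but co-worker records get a second look by the privacy office.
        return "review", "co-worker record accessed; flagged for privacy-office review"
    return "allow", "within role and purpose"


# Constructed audit-line layout: one key=value pair per field, space separated.
LOG_RE = re.compile(
    r"^(?P<timestamp>\S+) user=(?P<employee_id>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient_id>\S+) category=(?P<category>\S+) purpose=(?P<purpose>\S+)$"
)


def parse_event(line: str) -> Optional[AccessEvent]:
    """Parse one audit line; None for a line that does not match the layout."""
    m = LOG_RE.match(line.strip())
    return AccessEvent(**m.groupdict()) if m else None


def review_audit_log(lines: List[str]) -> List[Tuple[str, str, str, str, str]]:
    """Return (timestamp, employee, patient, decision, reason) for every event
    the policy would not simply allow."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed line: count these in production, never drop them silently
        decision, reason = evaluate(ev)
        if decision != "allow":
            findings.append((ev.timestamp, ev.employee_id, ev.patient_id, decision, reason))
    return findings


SAMPLE_LOG = [  # constructed sample lines
    "2024-03-04T10:15:02Z user=E1001 role=nurse patient=MRN-77 category=clinical_notes purpose=treatment",
    "2024-03-04T10:16:40Z user=E1001 role=nurse patient=MRN-300 category=medications purpose=treatment",
    "2024-03-04T11:02:11Z user=E1002 role=billing_clerk patient=MRN-15 category=claims purpose=payment",
    "2024-03-04T11:05:55Z user=E1002 role=billing_clerk patient=MRN-300 category=clinical_notes purpose=payment",
    "2024-03-04T12:30:00Z user=E1003 role=compliance_specialist patient=MRN-300 category=demographics purpose=curiosity",
]

if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_LOG):
        print(*finding)
```

Run against the sample log, the first line (a nurse opening her own record) is denied outright, the billing clerk’s look at a co-worker’s claims is allowed but queued for review, the clerk’s read of clinical notes falls outside the role’s category set, and the curiosity lookup fails the TPO test; only the nurse’s treatment-related access passes without comment. The ordering of the checks matters: self-access is tested first so that a role with broad clinical access cannot satisfy the purpose and category tests and quietly reach its own chart.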
I co-authored the book “The Practical Guide to HIPAA Privacy and Security Compliance”; it may be helpful for you to have as a reference within your hospital.
This is an important discussion that all healthcare providers should have.
The following is the specific text within the HIPAA Privacy Rule that addresses the requirements involved with “disclosure”, that is, giving access to PHI.
“§ 164.502 Uses and disclosures of protected health information: general rules.
(a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.
(1) Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:
(i) To the individual;
(ii) Pursuant to and in compliance with a consent that complies with § 164.506, to carry out treatment, payment, or health care operations;
(iii) Without consent, if consent is not required under § 164.506(a) and has not been sought under § 164.506(a)(4), to carry out treatment, payment, or health care operations, except with respect to psychotherapy notes;
(iv) Pursuant to and in compliance with an authorization that complies with § 164.508;
(v) Pursuant to an agreement under, or as otherwise permitted by, § 164.510; and
(vi) As permitted by and in compliance with this section, § 164.512, or § 164.514(e), (f), and (g).
(2) Required disclosures. A covered entity is required to disclose protected health information:
(i) To an individual, when requested under, and as required by §§ 164.524 or 164.528; and
(ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity’s compliance with this subpart.
(b) Standard: minimum necessary.
(1) Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
(2) Minimum necessary does not apply. This requirement does not apply to:
(i) Disclosures to or requests by a health care provider for treatment;
(ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section, as required by paragraph (a)(2)(i) of this section, or pursuant to an authorization under § 164.508, except for authorizations requested by the covered entity under § 164.508(d), (e), or (f);
(iii) Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter;
(iv) Uses or disclosures that are required by law, as described by § 164.512(a); and
(v) Uses or disclosures that are required for compliance with applicable requirements of this subchapter.
…
§ 164.514 Other requirements relating to uses and disclosures of protected health information.
…
(d)(1) Standard: minimum necessary requirements. A covered entity must reasonably ensure that the standards, requirements, and implementation specifications of § 164.502(b) and this section relating to a request for or the use and disclosure of the minimum necessary protected health information are met.
(2) Implementation specifications: minimum necessary uses of protected health information.
(i) A covered entity must identify:
(A) Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and
(B) For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.
(ii) A covered entity must make reasonable efforts to limit the access of such persons or classes identified in paragraph (d)(2)(i)(A) of this section to protected health information consistent with paragraph (d)(2)(i)(B) of this section.
(3) Implementation specification: minimum necessary disclosures of protected health information.
(i) For any type of disclosure that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.
(ii) For all other disclosures, a covered entity must:
(A) Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and
(B) Review requests for disclosure on an individual basis in accordance with such criteria.
(iii) A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when:
(A) Making disclosures to public officials that are permitted under § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s);
(B) The information is requested by another covered entity;
(C) The information is requested by a professional who is a member of its workforce or is a business associate of the covered entity for the purpose of providing professional services to the covered entity, if the professional represents that the information requested is the minimum necessary for the stated purpose(s); or
(D) Documentation or representations that comply with the applicable requirements of § 164.512(i) have been provided by a person requesting the information for research purposes.
(4) Implementation specifications: minimum necessary requests for protected health information.
(i) A covered entity must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities.
(ii) For a request that is made on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information requested to the amount reasonably necessary to accomplish the purpose for which the request is made.
(iii) For all other requests, a covered entity must review the request on an individual basis to determine that the protected health information sought is limited to the information reasonably necessary to accomplish the purpose for which the request is made.
(5) Implementation specification: other content requirement. For all uses, disclosures, or requests to which the requirements in paragraph (d) of this section apply, a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.”
Tags: awareness and training, HIPAA, Information Security, insider threat, IT compliance, patient privacy, policies and procedures, risk management, security awareness, security training