As more and more hospitals and medical practices adopt electronic health records (90% by end of 2017), these organizations must grapple with how the HIPAA Privacy and Security Rules apply to employee medical records.
Current approaches to Access to Employee Medical Records
Dealing with access to employees’ medical records created and maintained in the electronic medical record application is an issue in virtually all hospitals with electronic health records. Some institutions have strict prohibitions on employees viewing or accessing their own (or their family members’) medical records. Others give employees virtually unfettered access to their own ePHI. Issues include:
- HIPAA regulations allow the release of PHI in employee medical records to the person who is the subject of the information. How can healthcare organizations control access when employees have access via their EHR user credentials (logon and password)?
- Employees grow to expect access to employee medical records utilizing their EHR user credentials.
- Employees also expect access to family members’ medical records utilizing their EHR user credentials.
For healthcare organizations monitoring access to employee medical records in their EHR system, unfettered access can result in a great deal of investigation to ensure compliance with HIPAA.
Do the HIPAA Privacy and Security Rules cover employee medical records?
Of course they do! The Privacy Rule protects all “individually identifiable health information” (IIHI) held or transmitted by a covered entity (CE) in any form or media, whether electronic, paper or oral. The Privacy Rule calls this “protected health information” (PHI).
IIHI, including demographic data, is information that relates to:
- The individual’s past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual, and
- That identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
The Privacy Rule excludes from PHI the employment records that a CE maintains in its capacity as an employer. A major purpose of the Privacy Rule is to define and limit the circumstances in which PHI may be used or disclosed by CEs. CEs may not use or disclose PHI except either (1) as the Privacy Rule permits or requires, or (2) as the individual who is the subject of the information (or the personal representative) authorizes in writing.
CEs are required to disclose PHI in only two situations: (1) to the individual when they (or the personal representative) request access to PHI, or (2) to HHS when it is undertaking a compliance investigation.
CEs are permitted, but not required, to use and disclose PHI, without an authorization to/for:
- The individual (unless required for access or accounting of disclosures); {Note: a CE may disclose PHI to the individual who is the subject of the information without an authorization};
- Treatment, Payment and Healthcare Operations (TPO);
- The opportunity to Agree or Object;
- Incident to an otherwise permitted use and disclosure;
- Public Interest and Benefit activities; and
- A limited Data Set for the purpose of research, public health or healthcare operations.
The “minimum necessary” standard requires CEs to disclose only the minimum necessary PHI to accomplish the purpose of the disclosure. This does not apply to disclosures to the individual who is the subject of the information. The HIPAA Security Rule (SR) also requires CEs to ensure the confidentiality, integrity and availability of all the ePHI they create, receive, maintain or transmit.
How do the HIPAA Privacy and Security Rules apply to Employee Medical Records?
The Privacy Rule and Security Rule affect the policies on allowing employees to utilize their logon credentials to access their own, or their family members’ PHI as follows:
- Although employees have a right to request access to their own PHI in employee medical records, they do not have a right under HIPAA to utilize their login credentials to access the PHI. Healthcare organizations can impose reasonable requirements to access PHI, e.g., obtaining the information from the HIM department subsequent to a request for access.
- Healthcare organizations have an obligation to ensure the integrity of their ePHI. Since many employees have user rights to add or modify PHI, special care must be taken when access to a person’s own PHI via user credentials is possible.
- The Privacy Rule permits persons to request an amendment to their records for inaccurate or incomplete information. Healthcare organizations should have a policy that requests for amendment to information in a designated record set be made in writing.
- Employees would not typically be involved in providing or documenting their own care or treatment, so access to their own PHI would not be covered by access for TPO reasons, or for Public Interest and Benefit activities.
- The Privacy Rule makes no special provision for access by parents to the records of minor children except as personal representatives. Nor is there any special provision for access by a spouse of another spouse’s PHI.
- States have various laws and regulations that also cover access to employee medical records. Examples include (1) special protections for mental health and substance abuse treatment, and (2) retaining and disclosing genetic information.
What should be the policy on access to employee medical records in an EHR?
- Many healthcare organizations have adopted a policy of prohibiting employees from viewing or accessing their own PHI electronically. Instead, employees must use the same policies in place for all patients to access their PHI. This policy is easier to enforce when there is a useful patient portal available.
- If a healthcare organization will continue to allow employees to access their own PHI, and that of minor children or spouses, using their login credentials, require employees to fill out an authorization for the use and disclosure of protected health information form for themselves, and for each minor child or other family members. Scan and store a copy of the form in the medical record of each person for whom access is authorized. Monitor the access to employee medical records to ensure the organization is protecting the privacy of everyone’s PHI!
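The monitoring step in the second option above, as an added example that is not from the original article: it reviews constructed EHR audit events and flags employees who used their own credentials to reach their own or a family member’s record, under either a “prohibit” policy or an “authorize” policy where only access backed by a signed authorization form on file is allowed. The employee-to-MRN linkage, the family relationships and the set of authorizations on file are all assumptions constructed for the example; it also always flags an employee modifying their own record, reflecting the integrity concern above.

```python
"""Flag EHR audit events where an employee reached their own or a family member's PHI."""
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessEvent:
    user_id: str      # EHR logon of the employee
    patient_mrn: str  # medical record number that was accessed
    action: str       # "view" or "modify"

# Constructed sample data. A real deployment would pull these from the EHR
# audit log, the HR / employee-health linkage and the scanned authorization forms.
EVENTS = [
    AccessEvent("jdoe", "MRN100", "view"),      # jdoe views own chart
    AccessEvent("jdoe", "MRN200", "view"),      # jdoe views spouse's chart
    AccessEvent("jdoe", "MRN300", "view"),      # unrelated patient (TPO), not flagged
    AccessEvent("asmith", "MRN400", "modify"),  # asmith edits own chart
    AccessEvent("asmith", "MRN500", "view"),    # asmith views child; form on file
]
OWN_MRN = {"jdoe": "MRN100", "asmith": "MRN400"}          # assumed employee -> own MRN
FAMILY_MRNS = {"jdoe": {"MRN200"}, "asmith": {"MRN500"}}  # assumed employee -> family MRNs
AUTHORIZED = {("asmith", "MRN500")}  # (user, MRN) pairs with a signed form in the record

def classify(ev, own=OWN_MRN, family=FAMILY_MRNS):
    """Return "self", "family" or None for an access event."""
    if own.get(ev.user_id) == ev.patient_mrn:
        return "self"
    if ev.patient_mrn in family.get(ev.user_id, set()):
        return "family"
    return None

def review_access(events, policy="authorize", authorized=AUTHORIZED):
    """Return (user, MRN, relationship, reason) findings for self/family access.
    policy="prohibit" flags every such event; policy="authorize" flags only
    events with no authorization form on file. Modifying one's own record
    is flagged under both policies."""
    findings = []
    for ev in events:
        rel = classify(ev)
        if rel is None:
            continue  # ordinary patient access; covered by TPO monitoring elsewhere
        if rel == "self" and ev.action == "modify":
            findings.append((ev.user_id, ev.patient_mrn, rel, "self-modification"))
        elif policy == "prohibit":
            findings.append((ev.user_id, ev.patient_mrn, rel, "prohibited by policy"))
        elif (ev.user_id, ev.patient_mrn) not in authorized:
            findings.append((ev.user_id, ev.patient_mrn, rel, "no authorization on file"))
    return findings

if __name__ == "__main__":
    for finding in review_access(EVENTS):
        print(finding)
```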
This issue is not going away anytime soon. Healthcare organizations should examine their experience and policies. Do it before you have an unauthorized disclosure involving an employee that leads to sanctions. That is not an occurrence that will improve employee morale!