Most employees are familiar with basic patient privacy rules, but you may not know how broad those rules are, specifically when it comes to chart snooping. Asante director of compliance and privacy officer Andrea TenBrink provides some helpful FAQs.
What is snooping?
Snooping is when an employee or medical staff member intentionally and inappropriately accesses patient paperwork with protected health information or any part of the electronic medical record for a non-work-related reason.
For example, it’s snooping if you see that a neighbor has come to the clinic, and you access that person’s record to learn the reason for the visit. Likewise, accessing the medical records, or even the demographics, of family members, friends, co-workers, a celebrity, politician or any other public figure is snooping if it’s done for a reason that is not work-related.
When accessing a record for a work-related reason, employees must follow the minimum necessary standard. This means limiting access, use, disclosure or requests for protected health information to the minimum needed for the work. The information should be shared only with those who need to know it.
For example, if you’re scheduling an appointment with a patient’s primary care physician, it’s unlikely that you’ll need to access that patient’s clinical records because you’re merely scheduling the patient for a primary care visit.
How will Asante know if someone is snooping?
Asante’s Privacy Program audits patients’ medical records to identify potential snooping. Asante uses FairWarning, an automated auditing solution, which proactively monitors and audits for internal threats. This tool uses Human Resources, medical records, operational and clinical data to identify what patient information was accessed and why. As a HIPAA-covered entity, Asante is required by federal law to deter inappropriate access, use or disclosure of protected health information.
What are the consequences of snooping?
Except for very unusual circumstances, the penalty for snooping is termination of your employment. This zero-tolerance rule applies to intentionally and inappropriately accessing records of:
- Your spouse or domestic partner
- Your siblings
- Your children or grandchildren
- Friends and neighbors
- Public figures or those of media interest
- Any other patient without a work-related reason
How can I prevent inadvertent snooping?
To help maintain patient privacy and confidentiality, follow these guidelines:
- Access patient medical records only when it is required for your job.
- Do not access medical records of co-workers, friends, family members or celebrities unless for a work-related reason.
- Log off and lock your computer whenever you leave your workspace. Employees who leave their workstations without logging off are responsible if another employee or visitor uses their login and password to access medical records. When you step away from your workstation, always lock your computer screen or log off to prevent unauthorized access under your credentials. Remember this helpful phrase: “Lock before you walk!”
What if someone gave me permission to look at his record?
Employees may not access the medical record of family members, friends, co-workers or anyone else for personal or non-work-related purposes, even if the patient gave written or verbal authorization.
If you are directly involved in that person’s treatment or care (in other words, you’re the patient’s treating provider, medical assistant or nurse):
- You may only access protected health information (PHI) related to your involvement in the patient’s care.
- You may share PHI only with the treatment team.
- You may not share information, including the fact that your family member or acquaintance is a patient, with anyone else who does not have a work-related reason to know.
If you are not directly involved in a family member’s or acquaintance’s treatment or care:
- Do not share even incidental knowledge about that person — including room location and diagnosis — with anyone.
- Do not access the patient’s health information, even out of concern.
- Do not stop by to visit a patient unless the person has made you aware of their medical visit and agrees to see you.
- Do not ask anyone involved in the patient’s care for information.
What if my child or parent is a patient here?
Before any patient information can be disclosed, Asante must first confirm and document that you’re designated as the patient’s personal representative. To get copies of your child’s medical records, you must request the records by visiting Asante Health Information Services or through a MyChart proxy account. You may not access the records directly through Epic.
What if I am involved in a family member’s or acquaintance’s treatment, billing or other activity?
If your job requires you to access the person’s medical information, then you should immediately report this to your supervisor, who will determine whether to assign the task to someone else. Clarify with your supervisor the preferred handling of these situations in the future.
If you have any doubts or concerns about whether to access a patient’s medical record, or if you have other privacy-related questions, please contact the Asante Privacy team at [email protected].
If you need answers for a personal work matter, please contact the author or department directly instead of leaving a comment.
My neighbor worked at a doctor's office and found out I was in the hospital and looked up my medical records on more than one occasion. The hospital sent me a letter she was fired. We are not friends. Can I sue her, and who does that and why?
How do I check who has been looking at my medical records?
Hello, please email [email protected].