Written by: J. David Sims, CHITSP, CHMSP, Board Member of AIHC
J. David Sims is a Managing Partner at Security First IT, LLC; Speaker & HIPAA Instructor; Help Me with HIPAA Podcast Host; Contributor with the Federal HICP 405(d) Task Group & HIC-TCR Task Group; Founder & CEO of HIPAA for MSPs
The Health Insurance Portability & Accountability Act (HIPAA) has provisions to protect the contents of medical records. At a recent AIHC HIPAA training event, this topic came up. We would like to share some resources in response to the question that was asked. The information contained in this article is not consulting or legal advice and is provided for educational purposes only.
We have a problem with certain members of our workforce accessing their own medical records. These are people with fairly high levels of security and can access most records. I am a Certified HIPAA Compliance Officer (CHCO) through the AIHC organization and a compliance specialist. Our compliance committee wants the “industry standard” of this statement and evidence that this is industry standard. Do you have an idea of where I should look or any additional resource I can use to support that an employee should not access his/her own records? We want to institute a policy prohibiting this behavior.
This is one of those areas that you won't find specifically mentioned (as HIPAA can't address every possible scenario). Therefore, we must look at what HIPAA does say and how that fits into this scenario.
First, there should be a proper process for any patient (employee or otherwise) to request their medical records and have them presented within 30 days of the request. Allowing employees to bypass this process could cause some issues. For example:
- Do you have a current policy regarding restriction of access according to the employee’s work-related duties? Is accessing his/her own records outside of this policy? It most likely should be.
- Will bypassing this process bypass documentation of the request, documentation of the records retrieval and documentation of the record controls?
- Will they have access to notes that a "regular" patient would not and should not have access to?
Keep in mind that when I say documentation, I mean proof of the proper action that can stand up to an audit or investigation. So, if an entity is planning to allow this action, there should be a documented policy and procedure of how this will be handled.
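One way to turn the documentation question above into a check that can be shown to an auditor, as an added example that is not part of the original article: a script that scans constructed EHR access-log entries for employees opening their own chart and reports whether a documented patient record request, received within the 30-day fulfilment window, covers each one. The field names, the employee-to-MRN linkage and the sample data are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real system); field names are assumptions.
# Each access entry records who opened a chart, that employee's own MRN (assumed to
# come from an HR-to-patient linkage) and the MRN of the chart they opened.
ACCESS_LOG = [
    {"ts": "2024-03-04T09:12:00", "user": "jsmith", "user_mrn": "MRN1001",
     "chart_mrn": "MRN2200"},                      # normal: viewing a patient's chart
    {"ts": "2024-03-04T09:40:00", "user": "jsmith", "user_mrn": "MRN1001",
     "chart_mrn": "MRN1001"},                      # self-access, no request on file
    {"ts": "2024-03-05T14:05:00", "user": "akhan", "user_mrn": "MRN1002",
     "chart_mrn": "MRN1002"},                      # self-access, request on file
]
# Documented record requests made through the normal patient request process.
RECORD_REQUESTS = [
    {"requester_mrn": "MRN1002", "received": "2024-02-20T10:00:00"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def has_documented_request(mrn, access_time, requests, window_days=30):
    """True if a record request for this MRN was received before the access and the
    access falls inside the 30-day window in which the records must be presented."""
    for req in requests:
        received = _ts(req["received"])
        if (req["requester_mrn"] == mrn
                and received <= access_time <= received + timedelta(days=window_days)):
            return True
    return False


def find_self_access(log, requests):
    """Return one finding per access where an employee opened their own chart,
    tagged with whether a documented request covers it. Undocumented findings are
    the ones a policy review or OCR investigation would have trouble explaining."""
    findings = []
    for entry in log:
        if entry["user_mrn"] != entry["chart_mrn"]:
            continue  # not self-access; covered by the usual role-based review
        documented = has_documented_request(entry["user_mrn"], _ts(entry["ts"]), requests)
        findings.append({"user": entry["user"], "ts": entry["ts"],
                         "status": "documented" if documented else "undocumented"})
    return findings


if __name__ == "__main__":
    for f in find_self_access(ACCESS_LOG, RECORD_REQUESTS):
        print(f"{f['ts']} {f['user']}: self-access {f['status']}")
```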
Now, although it is possible that an employee can access and review their own medical records, let's look at two specific parts of HIPAA to see if this action will pass.
- Minimum Necessary Requirement: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html
For uses of protected health information, the covered entity’s policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access.
- I've underlined what I believe to be a key in this sentence. Would it be part of the employee's job duties to access their own records?
Let's assume the answer is "yes." Here's what else is given in this guidance: Where the entire medical record is necessary, the covered entity’s policies and procedures must state so explicitly and include a justification.
Another portion of the text identifies "non-routine disclosures or requests." I think a case could be made that an employee accessing their own records would be a non-routine disclosure. Here's what they say about this: “For non-routine disclosures and requests, covered entities must develop reasonable criteria for determining and limiting the disclosure or request to only the minimum amount of protected health information necessary to accomplish the purpose of a non-routine disclosure or request. Non-routine disclosures and requests must be reviewed on an individual basis in accordance with these criteria and limited accordingly.”
So, if your practice can make a case for this type of access, there must be a review of this activity every single time. I don't know about you, but it seems following the normal patient record request would be less strain on the practice at this point. But let's keep going.
That wraps up the Minimum Necessary Requirement portion. In short, any PHI access has to be for the purposes of a job function or role. I do not see any way to interpret employee access to their own medical records as part of their job or role. But maybe some Covered Entities can make that case.
- Next, let's look at Uses and Disclosures: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html
There are three distinct areas in which the use or disclosure of PHI is permitted: treatment, payment, and health care operations, or “TPO” as we call it. If to this point a Covered Entity (CE) has determined that it is ok for an employee to access their own medical records, let's then pass this through the test of TPO.
The employee can access the PHI if the employee is involved in their own treatment. It would be unusual and rare for an employee to be allowed to treat themselves. Realize also that Medicare and other insurers will not reimburse a provider for treating him/herself or a family member, so these circumstances cannot be billed. Aside from HIPAA, there can be other liabilities, risks, and legal problems if this is allowed.
The employee can access the PHI if the employee is involved in the payment activities. Allowing an employee to manage their own payments, adjustments, eligibility, coverage, claims, bills, justification of charges, utilization review, collections, etc., would likely not be recommended by most lawyers or accountants... not to mention insurers. In fact, it creates a “nightmare” from a compliance standpoint.
The employee can access the PHI if the employee is involved in Health Care Operations. “Health care operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities are limited to those listed in the definition of “health care operations” at 45 CFR 164.501.
Ok, now that we've taken our scenario and passed it through the filter of Minimum Necessary Requirements and TPO, your committee can determine how they would like to proceed with this decision.
Two final things I'll say about it:
First, if they choose to allow the action, I highly recommend a specific policy and procedure for it and a "mini" risk assessment to identify the risks to the confidentiality, integrity, and availability (CIA) of the PHI, and then develop a risk management plan for the risks that are identified.
Second, this is such a low priority compliance matter that I would not necessarily spend a lot of time on it. I don't see OCR spending resources to investigate an employee accessing their own records, but I certainly can't say it won't happen. With all the activities and actions that carry a much higher likelihood and impact to the patient and the organization, this carries a very low probability of impact. Is the employee going to look at their records and then file a complaint with HHS that their PHI was improperly disclosed? People can be crazy, so maybe... lol.
This is one of those areas where technically you can make a case for or against it. That said, I see the case against it as being stronger. It really would be easier to just follow the same patient record request process for everyone. If you're a patient, you're a patient (even if you're an employee too). OCR investigators have a lot of leeway in their investigations, so if this matter were to come up in an investigation, it can really depend on the investigator and whether they want to push this issue or make an example of the organization.
Personally, I just don't like taking the risk of potential issues that my organization can easily avoid. If there is a question of right or wrong, I'm going to lean toward what is easier to prove as being the right thing to do rather than fight like hell to make a case that the wrong thing was right.
Need HIPAA support? Contact J. David Sims, Managing Partner of Security First IT, LLC and Contributor with the Federal HICP 405(d) Task Group & HIC-TCR Task Group.
Want more great training information on HIPAA privacy and security compliance? Register for the online HIPAA course today!
No classes to attend. Course materials are on-demand and available to you for 3 months. Training is for experienced health care consultants, business associates, HIPAA Privacy or Security Officers, IT Consultants, Practice Administrators, Office Managers, Compliance Officer Executives, and Administrators involved in developing and enforcing confidentiality and privacy and security as a Covered Entity or Business Associate.