Know how HIPAA applies when employees become patients

Accreditation Connection, March 8, 2004

Tucson (AZ) Medical Center is a 600-bed acute care hospital with a self-funded health insurance program. "We have economic incentives for employees to come into our hospital for their healthcare," says John B. Harrison, corporate compliance officer for Tucson Health Care. "As we began staff training for the Health Insurance Portability and Accountability Act of 1996 (HIPAA), we started to get feedback indicating that people were reluctant to come to our hospital for their healthcare. They were afraid that their health information might be improperly accessed by their bosses or fellow employees."

Executives at Tucson Medical Center are currently trying to sort out rules and find a system for disciplining infractions. "We're not trained investigators," Harrison says. "We are concerned about how to differentiate between a 'friendly interest' that would motivate a coworker to go visit when they don't have a direct care relationship and malicious intent. How do you discover the smoking gun?"

Harrison recently posted a message with some of these concerns on the Health Ethics Trust's online discussion group, "Talk About Compliance," and received some useful answers to his query. Responses ranged from focusing on need-to-know access during HIPAA training to developing a system to track record access.

A responder from a medical practice with 22 providers described keeping employee charts in a separate locked file cabinet. That practice has restricted access to these files to its lead medical records staff member. That staffer also has sole responsibility for placing dictation, lab reports, and other documents in the charts. Every chart has the word "employee" in bold letters on the outside. Providers are asked to note the employee status and give the chart directly to the lead medical records person.

Another responder gave Harrison several ideas for improvement, including creating a HIPAA matrix (describing by job type exactly what information an employee needs access to), developing procedures to ensure that employees don't receive more information than they need, encrypting e-mail containing patient information, strictly controlling all paper records, and developing a good system for dealing with infractions that could convince employee/patients that the hospital is serious about protecting their rights.

Easier said than done
Harrison stressed his desire to develop a disciplinary system in which penalties differentiate between an honest mistake or compassionate concern and a truly malicious infraction of the rules. That's hard to do, says Christine Jensen, corporate compliance director for Denver Health in Denver. "There really are no degrees here," she says. "There is only privacy of patient information." In Jensen's opinion, any access of a medical record by any employee not involved in the case must be sanctioned.

"Disciplinary sanctions need to be in place and employees need to know about them before any breach in confidentiality occurs," she says. "You shouldn't really even need to tell employees that they can't access each other's records. This is nothing new. Confidentiality has always been crucial to health care." The implementation of HIPAA regulations, combined with increasing use of electronic records, has heightened concerns, Jensen believes. "Electronic records seem easier to access," she says. "You no longer have to go into a ward or an HIM office to look at a chart. You can just go online."

"This has been an issue at my hospital for years," Jensen says. "There are a number of employees who don't receive health care here because they are worried about access to their records." Denver Health's records system is integrated and does not differentiate between employee and other patient records, except in the case of behavioral health treatment, Jensen says. The expectation is that all patient records will be kept private and secure, she says.

That doesn't mean there is no auditing done to ensure that confidentiality is kept. "Sometimes if an employee is admitted, we will check records post-discharge to see all the people who have had access to the record. We may do it on a random basis, but usually we do it in response to a request or complaint," Jensen says.

Staff training is critical
Electronic safeguards such as passwords and codes certainly help protect systems from unauthorized access, but they aren't enough, Jensen says. "Training is crucial. Every year we train staff on privacy and security issues, and every year we ask each employee to sign a confidentiality statement."

Eileen Bryant, health information management (HIM) director at Massachusetts General Hospital (MGH) in Boston, agrees that frequent and consistent staff training is the best way to protect confidentiality of all medical records, including employees' records. "We schedule an HIM Awareness Week several times each year," she says. "The last one we held focused on employees as patients. All new employees are trained in confidentiality as an important part of their orientation . . . [and] sign confidentiality statements."

MGH also restricts access to employee patient records. "Whenever an employee becomes a patient, the chart gets a medical record number that is a restricted access code. A warning comes up on the computer system any time that record is accessed. We do the same thing for high-profile patients and any patient who requests that [his or her] name be kept out of the patient directory. When an employee accesses a record like this, he or she doesn't know whether it's a fellow employee or not."

Upon request, any MGH patient can have his or her last name kept off white boards on the wards. The only exception to this policy is in the operating room where full names must be recorded. Like Denver Health, MGH conducts random audits to be sure that only staff involved in care have had access to a medical record.
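The three controls the article describes can be combined in one small tool: a job-type access matrix (the "HIPAA matrix" suggested to Harrison), a restricted-access flag on a record that raises a warning whenever the record is opened (the MGH approach), and a post-discharge review of the access log against the treatment team (the Denver Health and MGH audits). The following is an added example written for this page; it is not code from any of the hospitals quoted, and all roles, record numbers, user ids and log lines are constructed for the demonstration.

```python
"""Post-discharge access audit for an employee-patient record.

Added example, not code from the article or any hospital it quotes. It models
three controls the article describes: a job-type access matrix, a restricted
flag on a record that warns on every open, and a post-discharge review of who
accessed the record. Every role, user id, record number and log line here is
constructed for the demonstration.
"""
from dataclasses import dataclass, field

# Job-type matrix: which record sections each role needs to see.
# Assumed roles and sections; a real matrix comes from the covered entity's
# own policy and workforce analysis.
ACCESS_MATRIX = {
    "attending": {"notes", "labs", "orders", "demographics"},
    "nurse": {"notes", "labs", "orders", "demographics"},
    "surgeon": {"notes", "labs", "orders", "demographics"},
    "billing": {"demographics", "orders"},
}


@dataclass
class Encounter:
    mrn: str
    restricted: bool          # employee, high-profile or directory opt-out flag
    treatment_team: set       # user ids with a care or job-duty relationship


@dataclass
class AccessEvent:
    user: str
    role: str
    mrn: str
    section: str
    timestamp: str


@dataclass
class Finding:
    event: AccessEvent
    reasons: list = field(default_factory=list)


def warn_on_open(encounter, event):
    """Mimic the on-screen warning shown when a restricted record is opened.
    Returns the warning text, or None when no warning applies."""
    if encounter.restricted and event.mrn == encounter.mrn:
        return (f"RESTRICTED RECORD {event.mrn}: access by {event.user} "
                f"is logged and reviewed")
    return None


def audit(encounter, events):
    """Post-discharge review: each access to this record by someone outside the
    treatment team, or to a section the accessor's role does not need, becomes
    a finding for the compliance office to follow up."""
    findings = []
    for ev in events:
        if ev.mrn != encounter.mrn:
            continue                      # other patients are out of scope here
        reasons = []
        if ev.user not in encounter.treatment_team:
            reasons.append("not on treatment team")
        if ev.section not in ACCESS_MATRIX.get(ev.role, set()):
            reasons.append(f"section '{ev.section}' not in matrix "
                           f"for role '{ev.role}'")
        if reasons:
            findings.append(Finding(ev, reasons))
    return findings


def parse_log(lines):
    """Parse constructed 'timestamp|user|role|mrn|section' audit lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, mrn, section = line.split("|")
        events.append(AccessEvent(user, role, mrn, section, ts))
    return events


# Constructed sample log: an employee admitted under MRN E-1001 with the
# restricted flag set; a second patient P-2002 appears as a control.
SAMPLE_LOG = """\
# timestamp|user|role|mrn|section
2004-03-01T08:10|dr_lee|attending|E-1001|notes
2004-03-01T08:12|rn_patel|nurse|E-1001|orders
2004-03-01T09:30|dr_ortho|surgeon|E-1001|notes
2004-03-01T10:05|bill_01|billing|E-1001|labs
2004-03-01T10:07|bill_01|billing|E-1001|demographics
2004-03-01T11:00|rn_patel|nurse|P-2002|notes
"""

ENCOUNTER = Encounter("E-1001", restricted=True,
                      treatment_team={"dr_lee", "rn_patel", "bill_01"})

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG.splitlines())
    for ev in events:
        warning = warn_on_open(ENCOUNTER, ev)
        if warning:
            print(warning)
    for f in audit(ENCOUNTER, events):
        print(f.event.timestamp, f.event.user, "; ".join(f.reasons))
```

Run as written, the audit reports two events on the sample log: a surgeon who is not on the treatment team opening the notes (the "friendly interest" case Harrison describes), and a billing user on the team reading labs, which the billing role does not need. The warning on open does not block access; as at MGH, it tells the accessor that the open is recorded, and the audit is what turns the log into a finding the compliance office can act on.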

Confidentiality for all
At Denver Health, the human resources department handles discipline, which is based on steps of action from a verbal warning to a written warning to suspension and termination.

"But HR doesn't have to follow the steps," Jensen says. "They are free to make decisions based on the individual case. To protect the confidentiality of an employee charged with a breach of policy, disciplinary actions are conducted quietly."

Although HIPAA is shining a sharper light on issues of privacy and security, there really is nothing new here, Jensen says.

"I'm an RN by training, and confidentiality has been drilled into me for years," she explains. "Covered entities don't need to hold employee records to a higher level of confidentiality than they would with other patients. Everyone's record is confidential."

Confidentiality quiz: Who has access to medical records when treating hospital staff?

Question: You are an orthopedic surgeon at a hospital. Your secretary is an inpatient following exploratory surgery. She has asked you to check in on her. When you finish doing rounds in ortho, you go up to your secretary's room to visit her. She has not awakened from the procedure at this point. You go out to the nurses' station and pull her chart. This is allowed because you have privileges at the hospital. True or false?

Answer: False. Just because your secretary has asked you to check in, that does not give you special access to her chart. In order to look at a patient's chart for which you are not part of the treatment team or servicing the patient as part of your job responsibility, you need a written authorization signed by the patient. This authorization gives you the right to review her protected health information. Without this written authorization, you have no access, and you shouldn't put staff on the unit in a position to have to point this out.

Question: You need to contact your supervisor at home due to an emergency in your department. You don't have her home phone number because she has recently moved. You know the number is in the health system's records because she sees an internist in one of the practices. You go into the computer and find her new number. Is this a breach?

Answer: Yes. This is a breach. The electronic health information system is used for patient care. By entering the system, you are using it as a telephone directory and taking advantage of the fact that your supervisor's medical record is housed and accessible to you, a colleague at her place of work. This is a violation of her privacy.

Question: One day, while working in the operating room (OR), you notice a colleague of yours being wheeled into one of the rooms. You are unaware that your friend had any medical problems. You log on to the computer and look up his record to find out what you can. You see that he will be moved to the 22nd floor for recovery. You promise yourself that you will find the time to go visit him when he is out of the OR. Have you breached his right to privacy?

Answer: Yes. You are not part of your friend's treatment team. You need an "authorization to release information" form signed by your friend, giving you authorization to review his record. You need to forget that you ever saw him being wheeled out of the OR.

As you were privy to this piece of information as part of performing your job, you cannot act on it or disclose it to anyone, according to the confidentiality agreement you sign annually. Also, whether you think he would appreciate a visit or not, you need to go through standard patient channels to confirm that he wants you to know he is in the hospital and is receiving visitors.

Question: You want to send flowers to one of your coworkers who has just had surgery. Select the proper way(s) to get this information without breaching confidentiality:
a) Go into the computer and look for the coworker's address in the medical record
b) Contact your supervisor, who will let you know if she has been given permission to release the information
c) Go into the human resources system and look for your colleague's home address
d) All of the above

Answer: (b). The only way to get information about your colleague is by talking to the supervisor. Any of these other ways is a breach of confidentiality.

Source: Excerpted with permission from a Massachusetts General Hospital staff-training quiz.