Health Information Management

Q&A: EHR audit log retention

HIM-HIPAA Insider, February 9, 2010


Q. We use numeric patient account numbers that cannot be tied back to a patient except by a workforce member authorized to access our EHR. Is it a violation of HIPAA to include these numbers in Microsoft Outlook calendar meeting reminders? Can it lead to inappropriate disclosure? 
 
A. No. This is not a violation as long as the reminders don’t list patient names and can only be accessed by authorized workforce members. It is unlikely that an unauthorized individual would be able to identify a patient by viewing a workforce member’s Outlook calendar schedule. This means that even incidental disclosure is improbable.
 
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question in the February issue of Briefings on HIPAA.


