• E-mail
• Print
• RSS

Can employees with computer privileges access their own PHI?

HIPAA Weekly Advisor, September 11, 2006

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

This represents two issues. Employees can access their own PHI. There are no provisions in the privacy rule that prevent this. From a practical standpoint, however, many organizations require employees with access to PHI to follow the same process for accessing PHI as other patients or health plan members.

This allows for tracking access, confines access to only the organization's defined designated record set, and gives a qualified medical official the opportunity to review the request before granting access. There are some instances, such as when access could be dangerous to the patient, plan member, or others, in which you can deny access.

Regarding family members, allowing the employee access to family member PHI without authorization is clearly a violation of the privacy rule. (There are some exceptions regarding the PHI of minors, but you must be careful of what state laws say regarding the privacy of a minor's records, even if it is the parent requesting access to the minor's PHI.)

This is a HIPAA basic. The employee should have access only if the purpose is for treatment, payment, or healthcare operations. Otherwise, an authorization from the family member is required (per 45 CFR 164.502).

Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive