Corporate Compliance

Q&A: Disclosing all personnel that have access to medical records

Compliance Monitor, June 8, 2011

Q: Can I obtain a list of the names of hospital staff members who may have inappropriately accessed my medical records? If all personnel have access to my information, why can't I have access to their names?

A: The HIPAA Privacy Rule does not require covered entities (CEs) to provide patients an accounting of disclosures for treatment, payment, or healthcare operations.

Hospital staff members can legitimately access PHI for these uses.

However, pursuant to the American Recovery and Reinvestment Act of 2009, CEs that acquire an electronic health records (EHR) system after January 1, 2009, must provide an accounting of disclosures for treatment, payment, and healthcare operations by January 1, 2011, or the date on which they acquire an EHR.

CEs that had an EHR in place as of January 1, 2009, have until January 1, 2014, to comply with this requirement.

At this time, many CEs are not required to provide the information you seek. However, if you believe specific individuals inappropriately accessed your medical records, you can file a complaint with the organization's privacy officer. Be prepared to provide the names of the individuals you believe inappropriately accessed your information and why you believe they did so.

This tip was adapted from the June 2011 issue of Briefings on HIPAA. More information about Briefings on HIPAA is available at the HCMarketplace.
