Corporate Compliance

HIPAA Q&A: EMR access

Compliance Monitor, October 26, 2011

Q. May we allow hospital employees who have been granted access to PHI through the workforce clearance procedure to access their own PHI through the electronic medical record (EMR) without first requiring them to sign a release or authorization?

A. HIPAA permits patients access to their medical and billing records. Covered entities (CE) may ask patients to sign an authorization form to obtain their records, but that is not a requirement. Organizations have discretion to establish policies and procedures for patients who are employees to access their medical records.

Some organizations allow employees to access their own records, but require them to go through formal channels (usually the HIM department) to access records of family members, including minor children. Other organizations prohibit employees from accessing even their own records without going through via formal channels.

Editor's note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of HIM at Scott & White Healthcare in Temple, TX, answered this question. Brandt is a nationally recognized expert on patient privacy, information security, and regulatory compliance, and her publications provided some of the basis for HIPAA's privacy regulations.

Most Popular