
Q&A: Accessing your own information

HIM-HIPAA Insider, April 13, 2009

Q. Is it a HIPAA violation for an employee to access his or her own information via the hospital’s registration system and/or electronic medical record (EMR)?

It is not a violation per se, given that the employee is accessing his or her own PHI. It is common practice, though, to prohibit employees from looking up their own records. Many covered entities require employees to request access to their own medical records in the same manner as any other patient. This reduces the temptation to look at other records (e.g., a friend's or relative's) inappropriately.

Also, there may be confidential information stored in the EMR that is not a part of the designated record set (i.e., the medical record available to patients). In many instances, the employee should not be accessing other confidential information stored in the record, such as disciplinary action against a provider related to treatment of the patient.

This is a good example of the fact that the HIPAA privacy rule established the floor when it comes to privacy standards. Covered entities can adopt more stringent privacy practices and, in this case, probably should. It is uncommon to allow employees to access their own record via the covered entity’s registration system or EMR.

Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney regarding legal matters.
