Health Information Management

HIPAA Q&A: Office staff in physician offices

HIM-HIPAA Insider, April 26, 2010

Q. Our hospital is considering allowing staff members in private physician offices to access our electronic medical records. We have discussed open access for office staff members because many of the physicians see patients on a consultation basis or cover for their peers. What safeguards are necessary before we grant such access?

A. Remember that HIPAA requires that PHI access be limited to the “minimum necessary.” If possible, try to limit access for office staff members to patients treated by their employing physician. If that is not technically feasible, ensure that every user signs a detailed user agreement acknowledging that they will access only the information necessary to perform their jobs. You also will need to establish audit trails to facilitate review of access to specific records if you receive privacy complaints or for random audits.

Editor’s note: Mary Brandt, president of Bellaire, TX-based Brandt & Associates, LLC, answered this question. This is not legal advice. Consult your attorney regarding legal matters. Brandt is president of Brandt & Associates, Inc., a healthcare consulting firm in Bellaire, TX. She is a nationally recognized expert on patient privacy, information security, and regulatory compliance, and her publications provided some of the basis for HIPAA’s privacy regulations. She is also the former director of policy and research for the American Health Information Management Association.


Most Popular