HIPAA Compliance: Access to Practice Staff Medical Records

For those of you working in medical practices, your own medical record is sometimes only a few clicks or a few steps away. But be careful. Easy access shouldn’t translate to open access.

“Under HIPAA everybody is supposed to have access only to the minimal necessary to do their job,” Practice Notes blogger and Illinois-based attorney Ericka L. Adler told Physicians Practice. “You’re not your own doctor obviously, so just because you work somewhere doesn’t mean you should be able to access your own medical records.”

In addition, while every patient has a right to his or her own record, that doesn’t mean any patient (including a practice employee or physician) should bypass the HIPAA patient record-related protocols that should be in place at all practices, Steven Kabler, an attorney at Denver-based Jones & Keller told Physicians Practice.

“What happens is under HIPAA there are a number of regulations that deal with the security of medical records,” he said. For instance, covered entities must ensure the confidentiality of all health information they receive, and they must enact procedures and policies to keep that information secure.

“To protect the integrity of the medical records and to protect the confidentiality, a healthcare provider should go through the procedures that a patient would go through in order to access their record,” said Kabler.

At a minimum, Kabler recommends these procedures include a requirement that all patients (even those who work at the practice) either sign a release or submit a written request for their records when they wish to view them. That way, providers can document who has viewed the records and what they have viewed.

Even in smaller practices where the atmosphere is open and laid back, it’s important that staff members and physicians follow strict guidelines when it comes to accessing their own records, said Adler. “There’s a slippery slope [toward HIPAA violations] and right now they’re really enforcing HIPAA, and these are the kinds of things that get practices into trouble.”

For instance, if a staff member can easily access any records, including her own, that means the necessary HIPAA procedures are not adhered to at the practice, said Adler. “It’s getting more and more likely a practice could be audited for its HIPAA practices and policies,” she said, noting that compliance is key.

Other HIPAA-related problems could arise if staff members are questioned about HIPAA policies and it comes to light that they are able to look at their own records. It “invites scrutiny,” said Adler, noting that an employee looking up his own medical record, “may not necessarily be the initial reason for a HIPAA audit/investigation, but could lead to problems.”

Beyond HIPAA violations, when staff members or physicians freely access their own records it raises other issues. For instance, an employee or physician who views his record might alter it. Or, if the physician who is treating the employee knows the employee is freely accessing his own record, the physician may have difficulty providing an honest assessment of the employee (patient) in the record, said Adler.

Kabler advises practices specifically address this issue with staff members, noting that HIPAA requires covered entities to make staff members aware of record procedures.

“It always makes sense to have that [employees and physicians not having open access to their own records] as a written policy,” he said. “You absolutely need to make staff and employees aware of it.”

What other problems might arise if staff members or physicians freely access their own medical records?