In common with many, if not most of you, I wear several hats: compliance officer, risk manager, assistant vice president for quality, care partner, and patient.
As a patient who works in a healthcare organization, I can empathize with the point of view that one should be able to view one’s electronic medical record (EMR) at will. After all, it’s my information! And it’s right there, just a few clicks away. I get it.
But as with all things healthcare, it’s not that simple. Several compliance colleagues in the Health Care Compliance Association community describe employee access to their own records as a slippery slope, and they’re absolutely right. Once the bright line between employee and patient has been violated, it becomes easier for the individual to justify accessing the medical records of family members, colleagues, friends, neighbors, and VIPs.
As some of us have seen, this can lead to directly scheduling appointments, messaging providers, and other insider activities that can and do disrupt processes and workflow to the detriment of other patients, care providers, and the organization itself.
Let’s break down the reasons for the bright line
Unauthorized access to an EMR can destroy the integrity and credibility of the legal medical record. It is now common practice for malpractice attorneys to request the metadata behind the visible EMR. Every time someone accesses a record, the date, time, reviewer’s identity, and length of time online is recorded. If the employee accessing the record has edit permissions, this risk is compounded if anything is deleted, added, or otherwise changed. With my risk manager hat on, this is now the point you’ve lost your ability to defend a case—even if the clinical care was without flaw.
By all accounts, the COVID-19 pandemic spurred an uptick in snooping, as healthcare employees with access sought to discover who among their colleagues, friends, and neighbors tested positive for the virus. In some cases, the employee’s supervisor was the snoop. Accessing the EMR of a family member, friend, neighbor, colleague, or VIP for a purpose unrelated to one’s role in an organization is a HIPAA violation on its face.
In many organizations, this is an activity that will result in immediate termination if proven by investigation. In common parlance, it is known as “snooping.” As we’ll see in a moment, the cost of snooping not only to the patient and the organization but also to the snoop can be catastrophic on many levels.
On the human resources front, if your organization has a policy in place that clearly states employees and providers may access the EMR only for legitimate role-specific purposes, and that policy is effectively communicated, violation of that policy then becomes an event that should invoke the organization’s progressive discipline policy.
Tangentially, if proven by the meta-data referenced in number one, accessing the EMR for purposes unrelated to one’s job while on duty could be construed as theft of time, also actionable.
Accessing one’s own EMR outside the established process, which typically involves notification of the patient’s physician or provider of the request, can result in the discovery of information that the physician or provider would prefer to discuss with the patient in person. Additionally, the practice has the potential to violate certain exceptions to rights of access rules for records related to mental health issues or potential harm to the patient.
And finally, there is the issue of fairness. Not all healthcare employees have direct access to the EMR. The only effective means of leveling the playing field is to draw and hold the bright line between employee, provider, and patient, and require everyone to follow your organization’s process for obtaining medical records correctly.