No snooping! Electronic access to protected health information is a privilege

Access to patients’ protected health information (PHI) for any reason other than a job-related duty or as permitted by the HIPAA Privacy Rule can be a violation of patient privacy. Patient health information belongs to the patient, and when we protect this information, we are respecting the individual’s privacy and dignity.

Reminders:

Before you access a patient’s record, ask yourself, “Am I performing a work-related duty?”
Information within the electronic medical record may be accessed on a need-to-know basis only, and must tie back to a treatment, payment or operations-related job duty. Staff should not look up information outside of their own job-related duties or ask others to look up information unrelated to their job duties. Searching for patients within the medical record out of curiosity is not allowed.

Scenario: The family member of a fellow employee is currently a patient. The employee contacts you and requests that you provide them updates on their family member. The patient is not currently under your care, but you have access to Epic. Can you access the patient’s medical record to provide an update to your fellow employee?

Answer: No, you may not access the patient’s medical record to provide an update to your fellow employee. If you are not performing a job-related duty for the patient, you should not be accessing the patient’s medical record. You should refer the requester to the treatment team.

Everything in Epic is PHI and part of the medical record
As soon as you log on to Epic or any other clinical system, you are accessing a patient’s PHI. The medical record should not be used as a personal directory. Addresses, birthdays, etc. should never be searched out of convenience. Patient listings, such as the Emergency Department Trackboard, should not be viewed out of curiosity.

Scenario: You want to send a co-worker a birthday card, but forgot their birthday. Can you look it up in Epic?

Answer: No, you may not use Epic as a personal directory.

MyChart Proxy, not Epic for minor children
YNHHS staff are not permitted to access the medical records of their minor children via their Epic credentials. MyChart Proxy access should be obtained.

Scenario: My minor child was taken to the Emergency Department for testing. May I look up their information within the medical record?

Answer: No. Workforce members are not permitted to utilize their log-on credentials to access the medical records of their minor children. MyChart Proxy access should be requested by the workforce member to access the MyChart account of their minor child. For copies of the record, the employee should contact Health Information Management (HIM).

Lock your workstation, just like your home
Every time you leave a workstation, ensure you log off, even if you will only be away for a moment.

Passwords: Keep them secret, keep them safe
Create a strong password and do not share your password with anyone. Passwords should never be provided to others or written down.

Policies and procedures:
Release of Protected Health Information (PHI) Policy: https://ynhh.ellucid.com/documents/view/6764
Patient’s Right to Access Policy: https://ynhh.ellucid.com/documents/view/6761
Minimum Necessary Policy: https://ynhh.ellucid.com/documents/view/6757
Safeguards for Confidential Information, Protected Health Information and Electronic Protected Health Information: https://ynhh.ellucid.com/documents/view/6768

If unsure, ask the Office of Privacy and Corporate Compliance
Phone: (203) 688-8416
Email: Privacy@ynhh.org or Compliance@ynhh.org