Epic HIPAA violation


Hi, I have a friend that has been found to have used Epic inappropriately. She stated that she typed in names of coworkers, pulling up their facesheet, but did not open their chart. She's very frantic at this point and said she doesn't know what she was thinking and knows it was a really dumb move. Anywho, HR has suspended her while they are investigating. I'm trying to help her with this situation but I'm not sure how to guide her. Is there anything I can say to help her out or is there any advice I could possibly give her to help her keep her job as far as advising her what to say and/or do at this point?

Thank you 

Specializes in orthopedic/trauma, Informatics, diabetes.
20 hours ago, 2BS Nurse said:

I figured nobody paid attention to this. Typically, they are only concerned if you open your own chart.

We are allowed to look at our own charts and those we have permission to (I am HCPOA of my son and he has signed a waiver) although I have never been brave enough to go into my own. 

Most organizations take issues like this very seriously. To get to a face sheet, you are in the chart. (I am an informatics nurse). We have yearly training reqs for HIPAA. 

Usually, the IT people can track everywhere you go in EPIC and when. Only time I go into other charts or even lists is when I am in charge and have to determine if a patient is appropriate for our unit.

Friend or not, I would support them away from work. They are most likely going to lose their job. 

"Usually, the IT people can track everywhere you go in EPIC and when."

I know that they "can", but I work for a large organization that seems short-staffed all around. What would cause them to look into an employee's access? We all assumed that they only check charts of celebrities - not your average Joe. I do not violate need to know access, I just assume the organization doesn't care as much as we are led to believe.

Specializes in Occupational Health.

"Epic HIPAA violation"

very apropos title

8 hours ago, 2BS Nurse said:

I do not violate need to know access, I just assume the organization doesn't care as much as we are led to believe.

No insider knowledge, just my perception: I think they do care (for their own reasons). It definitely behooves them to keep tabs on this and be able to show that they have privacy procedures and policies in place and that they do monitor who is accessing charts and for what reasons; these things are part of the privacy regulations. I believe they do have certain things set to be flagged, such as high-profile patients, certain patient events (death), patterns of unusual activity, etc. As to whether or not a particular RN should have been in any random xyz chart, my guess is they don't have a great way to know this. "Need to know" means that it's plausible that I could have had a reason to be in the chart of any patient in my department and pretty much anywhere in the hospital, as well as patients from recent past--e.g. checking or amending charting, multiple other sanctioned/assigned activities such as chart reviews and auditing, call-backs, labs/culture reviews, etc. Altogether, this could mean that for any given recent ED patient or inpatient I could very well have a plausible reason for having entered the chart. They don't have time for that level of monitoring and inquiry.

But it isn't hard to imagine that a pattern of making multiple patient searches in the EMR for people who have possibly not even received services recently is a pattern that could be easily detected.

Some places have a spot where you are asked to select the reason for chart access, but where I have been it is typically only used in situations where the EMR police might not understand the reason for access unless it is specifically documented. I have never used the function myself, it's pretty much something I don't feel like entertaining. If I am in a chart it is for a sanctioned activity, period. I've only been notified of an inquiry as to why I accessed a chart one time and it was for a legitimate reason. My manager had already told them to buzz off before I received the notification of inquiry and I never heard any more about it.

Specializes in New Critical care NP, Critical care, Med-surg, LTC.
15 hours ago, 2BS Nurse said:

I know that they "can", but I work for a large organization that seems short-staffed all around.

Safeguarding the privacy of patients is one of the foremost responsibilities of a healthcare provider. Your friend must have done something that caused a red flag and once that happened they would have investigated more fully. Doing things you know you shouldn't just because you don't think there's enough staff to catch you doing it doesn't excuse the behavior. I still have no idea what your friend was thinking accessing ANY information about coworkers.

We have had people fired for what might appear to be less. Once there was a pediatric code in the emergency department. Any employee in the hospital not directly related to that code situation that so much as clicked on the patient's file was fired. 

Again, even just knowing/acknowledging that a person is in the hospital, if you're not responsible for their care, could be considered a HIPAA violation. There are instances where charge nurses are keeping tabs on census in other units, but for the most part there is no reason to directly access ANY individual patient information. 

Specializes in being a Credible Source.

The investigation isn't a foregone conclusion... I underwent a "compliance audit" following access to a chart for a patient that was not mine and I was ultimately absolved of any fault...

"I don't know what I was thinking," though, probably isn't going to cut it. Her only chance is to articulate defensible reasons for her chart access. If she hasn't any, then she's probably going to be terminated for cause.

I wasn't the OP so my friend wasn't involved.

I've never known anyone in the clinic setting get fired over a chart access violation. The organization highly emphasized that we shouldn't be accessing our own charts or those who live on the same street as us (two flags). My organization emails out company-wide medical error scenarios. Why wouldn't they email chart access violations as well? 

As JKL33 said: "a pattern of making multiple patient searches in the EMR for people who have possibly not even received services recently is a pattern that could be easily detected." I agree, but I really don't think a one time chart access is going to be detected unless that person is a high profile celebrity. 

Specializes in New Critical care NP, Critical care, Med-surg, LTC.
1 hour ago, 2BS Nurse said:

I wasn't the OP so my friend wasn't involved.

Sorry, I tried to edit my comment when I realized that I had my quotes mixed up.

Again though, just because it might not be detected doesn't mean that it's less of a violation. You never know if someone's chart could randomly be involved in a lawsuit of some sort or another legal issue. Unnecessarily accessing ANY protected health information is technically a HIPAA violation.

Specializes in Geriatrics.

Who has enough time to be sitting around doing this anyways?

Specializes in Med-Surg, Trauma, Ortho, Neuro, Cardiac.
On 12/25/2021 at 1:51 PM, Lunah said:

No, that is incorrect. Opening anyone's chart, even just to the facesheet, violates policy unless you are caring for the patient or have a need to know. Period. Opening your own chart is also typically a policy violation everywhere I have worked. 

Yep. I accessed my chart to look up my labs when I hadn't heard from my doctor in about a week because I was nosy.  I don't know how but they found out I did this and got a verbal and I never did it again.

Some of us have to learn the hard way. When we have a good friend that makes a careless mistake unfortunately we can't undo it or sugarcoat the fallout that is out of our control. Like the poster above said, what you can do is just be there for her as a friend. Nothing you can do at this point to undo the reality.

Hopefully, they will just get a written warning and not terminated.  

Off topic, but do they typically notify the person whose chart you opened without a "need to know"?

 

Specializes in EMS, ED, Trauma, CEN, CPEN, TCRN.
6 minutes ago, Tweety said:

Off topic, but do they typically notify the person whose chart you opened without a "need to know"?

Not sure, it may depend on policy and notification requirements, but anyone with Epic MyChart access can see an audit trail of who has accessed their chart. Wonder if that is how this started? 

Specializes in Critical Care.

It is really easy to technically open the chart in EPIC. Even hovering or performing a search which populates certain patient information can qualify as a violation. Be very careful. 

Side note, at my workplace we are allowed to open our own charts and our children's charts until they turn 16 at which time they have to sign it over before we can continue. 
