Epic HIPAA violation


Specializes in orthopedic; Informatics, diabetes. Has 11 years experience.
On 12/27/2021 at 12:14 AM, 2BS Nurse said:

"Usually, the IT people can track everywhere you go in EPIC and when."

I know that they "can", but I work for a large organization that seems short-staffed all around. What would cause them to look into an employee's access?

I work for a very large organization as well (>10K employees). There are flags/alerts that pop up. I have "break the glass" for me and my kids so that adds a layer of extra protection and many employees do that because there are those that are nosy.

We had a nurse get fired b/c they went into another RN's chart when they were hospitalized. Not sure what flagged the alert to begin with in this particular case. 

I agree they are on higher alert when it is a celebrity or VIP, but there are many instances of safety reporting reports and notes and flowsheet charting are reviewed regularly. As a teaching hosp, lots of people run reports all the time to search for certain things. I for one, audit hypoglycemic events and may look at 25 charts/month. We have pain audits, CAUTI and CLABSI audits, skin audits. These are just a few that I know of. Lots of other random research projects going on. 

Specializes in NICU. Has 40 years experience.

Distance yourself from this loser, she would be terminated in most places, keep your head down and away from the glare, when pushed hard she might claim you made her do it. Lesson learned. I worked with some nosy people like this, they claim they did not open charts etc., still they knew the rules and consequences, they checked on coworkers' ages too. Stay as far away as possible, don't get dragged into this. Good luck.

Emergent, RN

2 Articles; 4,065 Posts

Specializes in ER. Has 30 years experience.
1 hour ago, mmc51264 said:

 

We had a nurse get fired b/c they went into another RN's chart when they were hospitalized. Not sure what flagged the alert to begin with in this particular case. 

 

We were told that employees charts would always be audited, to protect against curious coworkers with prying eyes. 

2BS Nurse, BSN

677 Posts

Has 10 years experience.

 "I have "break the glass" for me and my kids so that adds a layer of extra protection and many employees do that because there are those that are nosy."

I did not realize employees could make this request. My organization has > 30,000 employees. We get the generic (very broad) HIPAA online training every year, but we never hear specifics about how they protect patients. 

"At my workplace we are allowed to open our own charts and our children's charts until they turn 16 at which time they have to sign it over before we can continue." 

I find it fascinating that some organizations allow self chart access and some don't! Considering we are forced to use our employer's providers as in network, I think we should be allowed to access our own charts. 

nursel56

7,046 Posts

Specializes in Peds/outpatient FP,derm,allergy/private duty. Has 47 years experience.
On 12/23/2021 at 5:13 PM, EmNightShamala said:

I hear that. Honestly, I've never heard of a situation like this. I've definitely heard of people opening a relative's chart before and getting in trouble for that. I've just never heard of someone getting in trouble without opening a chart.

It's evidence of extremely bad judgment.  That doesn't usually get better, especially if a person is not allowed to experience the full component of negative consequences.  

 

Specializes in Community health. Has 5 years experience.

Here’s what I want to know (this is a real question, I’m genuinely curious). Why do the hospitals actively run searches and audits to sniff out people who are doing this?  

I work in an outpatient clinic and we use a different EHR. If someone was reported by a coworker for snooping into people’s charts, I guess the IT team could figure out how to run a report on who accessed what. But that certainly isn’t part of standard operations. What is the incentive for hospitals to actively scan their charts to see who opened them?  Is that a Medicare requirement or something?  (And obviously it’s not “to protect patients”— hospital systems have a business or a regulatory reason for the things they do.) 

2BS Nurse, BSN

677 Posts

Has 10 years experience.

"Who has enough time to be sitting around doing this anyways?"

You'd be shocked at what I see staff have "time for" in the outpatient setting. Lots of Facebook, Yahoo News and web surfing. Basically, snooping into coworkers' personal lives on the web. Supervisors walk in and out of the unit and say nothing (I think everyone is afraid of losing staff these days).

PoodleBreath

69 Posts

Specializes in Hospice, LPN. Has 17 years experience.

Did they notify the coworkers whose information was accessed? This is a pretty serious boundary violation, if it were me I'd be advocating for the employee to be fired. That's the kind of thing that will follow your friend around forever through the nursing grapevine.

I have a feeling that a big part of this investigation is about how the facility is going to spin this. They would have to report any security breach where personal information was accessed - even non-healthcare organizations have to do that. A HIPAA breach will create a world of hurt for any healthcare employer - penalties, fines, publicity, tags, etc. Your friend is toast.

However they end up defining this the coworkers will also need to be informed. It's going to be a mess.

JKL33

6,471 Posts

On 12/29/2021 at 7:05 AM, CommunityRNBSN said:

I work in an outpatient clinic and we use a different EHR. If someone was reported by a coworker for snooping into people’s charts, I guess the IT team could figure out how to run a report on who accessed what. But that certainly isn’t part of standard operations. What is the incentive for hospitals to actively scan their charts to see who opened them?  Is that a Medicare requirement or something?  (And obviously it’s not “to protect patients”— hospital systems have a business or a regulatory reason for the things they do.) 

Yes it is. There isn't wording about which precise actions they must take (and that is by design, since different types and sizes of organizations would need to take different actions to accomplish the goals for their particular business) but they must make significant effort to secure and guard PHI and then they must ensure compliance with the principles of HIPAA. They must actively look for problems within their approach/system and take steps to eliminate them. They are also required to have someone assigned to make sure that they are following privacy procedures (we often refer to as compliance officer).

They would surely face significant fines/penalties if they had a major breach and then when asked what they had been doing to ensure compliance their answer was the equivalent of shrugging.

Specializes in Community health. Has 5 years experience.
8 hours ago, JKL33 said:

Yes it is. There isn't wording about which precise actions they must take (and that is by design, since different types and sizes of organizations would need to take different actions to accomplish the goals for their particular business) but they must make significant effort to secure and guard PHI and then they must ensure compliance with the principles of HIPAA. They must actively look for problems within their approach/system and take steps to eliminate them. They are also required to have someone assigned to make sure that they are following privacy procedures (we often refer to as compliance officer).

They would surely face significant fines/penalties if they had a major breach and then when asked what they had been doing to ensure compliance their answer was the equivalent of shrugging.

Thanks for sharing— helpful info! 

On 12/26/2021 at 11:14 PM, 2BS Nurse said:

"Usually, the IT people can track everywhere you go in EPIC and when."

I know that they "can", but I work for a large organization that seems short-staffed all around. What would cause them to look into an employee's access? We all assumed that they only check charts of celebrities - not your average Joe. I do not violate need to know access, I just assume the organization doesn't care as much as we are led to believe.

Why would you make such a ridiculous assumption?  Why are you not shaking in your boots about this rule like everyone else is?

On 12/28/2021 at 1:41 PM, Leader25 said:

Distance yourself from this loser, she would be terminated in most places, keep your head down and away from the glare, when pushed hard she might claim you made her do it. Lesson learned. I worked with some nosy people like this, they claim they did not open charts etc., still they knew the rules and consequences, they checked on coworkers' ages too. Stay as far away as possible, don't get dragged into this. Good luck.

Did you get in trouble?