Epic HIPAA violation


Hi, I have a friend that has been found to have used Epic inappropriately. She stated that she typed in names of coworkers, pulling up their facesheet, but did not open their chart. She's very frantic at this point, said she doesn't know what she was thinking, and knows it was a really dumb move. Anywho, HR has suspended her while they are investigating. I'm trying to help her with this situation but I'm not sure how to guide her. Is there anything I can say to help her out or is there any advice I could possibly give her to help her keep her job as far as advising her what to say and/or do at this point?

Thank you 

Specializes in orthopedic/trauma, Informatics, diabetes.
On 12/27/2021 at 12:14 AM, 2BS Nurse said:

"Usually, the IT people can track everywhere you go in EPIC and when."

I know that they "can", but I work for a large organization that seems short-staffed all around. What would cause them to look into an employee's access?

I work for a very large organization as well (>10K employees). There are flags/alerts that pop up. I have "break the glass" for me and my kids so that adds a layer of extra protection and many employees do that because there are those that are nosy.

We had a nurse get fired b/c they went into another RN's chart when they were hospitalized. Not sure what flagged the alert to begin with in this particular case. 

I agree they are on higher alert when it is a celebrity or VIP, but there are many instances of safety reporting reports and notes and flowsheet charting are reviewed regularly. As a teaching hosp, lots of people run reports all the time to search for certain things. I for one, audit hypoglycemic events and may look at 25 charts/month. We have pain audits, CAUTI and CLABSI audits, skin audits. These are just a few that I know of. Lots of other random research projects going on. 

Specializes in NICU.

Distance yourself from this loser, she would be terminated in most places, keep your head down and away from the glare, when pushed hard she might claim you made her do it. Lesson learned. I worked with some nosy people like this, they claim they did not open charts etc., still they knew the rules and consequences, they checked on coworkers' ages too. Stay as far away as possible, don't get dragged into this. Good luck.

Specializes in ER.
1 hour ago, mmc51264 said:

 

We had a nurse get fired b/c they went into another RN's chart when they were hospitalized. Not sure what flagged the alert to begin with in this particular case. 

 

We were told that employees charts would always be audited, to protect against curious coworkers with prying eyes. 

 "I have "break the glass" for me and my kids so that adds a layer of extra protection and many employees do that because there are those that are nosy."

I did not realize employees could make this request. My organization has > 30,000 employees. We get the generic (very broad) HIPAA online training every year, but we never hear specifics about how they protect patients. 

"At my workplace we are allowed to open our own charts and our children's charts until they turn 16 at which time they have to sign it over before we can continue." 

I find it fascinating that some organizations allow self chart access and some don't! Considering we are forced to use our employer's providers as in network, I think we should be allowed to access our own charts. 

Specializes in Peds/outpatient FP,derm,allergy/private duty.
On 12/23/2021 at 5:13 PM, EmNightShamala said:

I hear that. Honestly, I've never heard of a situation like this. I've definitely heard of people opening a relative's chart before and getting in trouble for that. I've just never heard of someone getting in trouble without opening a chart.

It's evidence of extremely bad judgment.  That doesn't usually get better, especially if a person is not allowed to experience the full component of negative consequences.  

 

Specializes in Community health.

Here’s what I want to know (this is a real question, I’m genuinely curious). Why do the hospitals actively run searches and audits to sniff out people who are doing this?  

I work in an outpatient clinic and we use a different EHR. If someone was reported by a coworker for snooping into people’s charts, I guess the IT team could figure out how to run a report on who accessed what. But that certainly isn’t part of standard operations. What is the incentive for hospitals to actively scan their charts to see who opened them?  Is that a Medicare requirement or something?  (And obviously it’s not “to protect patients”— hospital systems have a business or a regulatory reason for the things they do.) 

"Who has enough time to be sitting around doing this anyways?"

You'd be shocked at what I see staff have "time for" in the outpatient setting. Lots of Facebook, Yahoo News and web surfing. Basically, snooping into coworkers' personal lives on the web. Supervisors walk in and out of the unit and say nothing (I think everyone is afraid of losing staff these days).

Specializes in Hospice, LPN.

Did they notify the coworkers whose information was accessed? This is a pretty serious boundary violation, if it were me I'd be advocating for the employee to be fired. That's the kind of thing that will follow your friend around forever through the nursing grapevine.

I have a feeling that a big part of this investigation is about how the facility is going to spin this. They would have to report any security breach where personal information was accessed - even non-healthcare organizations have to do that. A HIPAA breach will create a world of hurt for any healthcare employer - penalties, fines, publicity, tags, etc. Your friend is toast.

However they end up defining this the coworkers will also need to be informed. It's going to be a mess.

On 12/29/2021 at 7:05 AM, CommunityRNBSN said:

I work in an outpatient clinic and we use a different EHR. If someone was reported by a coworker for snooping into people’s charts, I guess the IT team could figure out how to run a report on who accessed what. But that certainly isn’t part of standard operations. What is the incentive for hospitals to actively scan their charts to see who opened them?  Is that a Medicare requirement or something?  (And obviously it’s not “to protect patients”— hospital systems have a business or a regulatory reason for the things they do.) 

Yes it is. There isn't wording about which precise actions they must take (and that is by design, since different types and sizes of organizations would need to take different actions to accomplish the goals for their particular business) but they must make significant effort to secure and guard PHI and then they must ensure compliance with the principles of HIPAA. They must actively look for problems within their approach/system and take steps to eliminate them. They are also required to have someone assigned to make sure that they are following privacy procedures (we often refer to as compliance officer).

They would surely face significant fines/penalties if they had a major breach and then when asked what they had been doing to ensure compliance their answer was the equivalent of shrugging.

Specializes in Community health.
8 hours ago, JKL33 said:

Yes it is. There isn't wording about which precise actions they must take (and that is by design, since different types and sizes of organizations would need to take different actions to accomplish the goals for their particular business) but they must make significant effort to secure and guard PHI and then they must ensure compliance with the principles of HIPAA. They must actively look for problems within their approach/system and take steps to eliminate them. They are also required to have someone assigned to make sure that they are following privacy procedures (we often refer to as compliance officer).

They would surely face significant fines/penalties if they had a major breach and then when asked what they had been doing to ensure compliance their answer was the equivalent of shrugging.

Thanks for sharing— helpful info! 

On 12/26/2021 at 11:14 PM, 2BS Nurse said:

"Usually, the IT people can track everywhere you go in EPIC and when."

I know that they "can", but I work for a large organization that seems short-staffed all around. What would cause them to look into an employee's access? We all assumed that they only check charts of celebrities - not your average Joe. I do not violate need to know access, I just assume the organization doesn't care as much as we are led to believe.

Why would you make such a ridiculous assumption?  Why are you not shaking in your boots about this rule like everyone else is?

On 12/28/2021 at 1:41 PM, Leader25 said:

Distance yourself from this loser, she would be terminated in most places, keep your head down and away from the glare, when pushed hard she might claim you made her do it. Lesson learned. I worked with some nosy people like this, they claim they did not open charts etc., still they knew the rules and consequences, they checked on coworkers' ages too. Stay as far away as possible, don't get dragged into this. Good luck.

Did you get in trouble?
