Family with access to hospital/clinic EMR


I had an uncomfortable interaction with a patient's family member while working as unit secretary the other day. I don't believe I acted in the wrong at all but I still feel really uneasy about it. This is long-winded but I'm just wondering if anyone has encountered a similar situation--and if so, how you handled it.

A woman came to the desk and introduced herself as a NP and wanted me to provide her with all medical records on a particular patient. I'd never seen this woman before in my life, but we have a lot of new hospitalist providers lately. However, this set off some red flags because any provider with clinic/hospital privileges can access the EMR themselves, and can typically access more records than what unit secretaries are granted access to.

I pried for a little more information and found out that yes, she was in fact a NP, but she was not involved with this patient's care and actually, the patient she was requesting records on was her aunt. I told her that if her aunt filled out the necessary release of information paperwork and authorized our medical records department to share her information, I could submit it for review and she could receive copies in the mail. This was not good enough for her but I stood my ground.

The patient consented to have her records released to her niece, and I sent the paperwork to our ROI department, informing them that they would receive hard copies of the requested records in the mail upon the patient's discharge from the hospital.

The niece/NP stated, "But I can look everything up in Centricity before then." I explained that no, per our systemwide policy, the ROI consent does not allow her to use her EMR access to view records of her family members, regardless of her status as a provider. She then informed me that she would do it anyway.

I documented my interaction with the patient and her family member and emailed my manager expressing my discomfort with this situation, but I wonder if there was anything more that I could have/should have done? This just doesn't sit well with me. I'm on PTO right now but I'm thinking of going in to file a formal incident report. Am I overreacting?

Specializes in Complex pedi to LTC/SA & now a manager.

Did you alert medical records/HIM & your manager in writing? The only other alert you could make other than the notifications would be corporate compliance and perhaps the HIPAA compliance officer. Likely HIM or your manager followed protocol and alerted the appropriate parties. Check your responsibilities via the employee handbook regarding potential breach in patient confidentiality/unauthorized access to EMR of family notification.

Specializes in Healthcare risk management and liability.

You should file an event/incident report. This is the best way to ensure that the Compliance/Privacy people are notified. Speaking as the person who has to follow up on these reports, the first thing I would do is run an access log on the patient's chart, and if the NP had indeed accessed the chart, I would be chatting with the Chief of Staff and/or HR, assuming that the NP is an employee of, or has privileges at, the system.

Thanks RiskManager! I'm going to go file an incident report this afternoon and get back to focusing on my vacation time. Even if nothing happened, it was just a hinky situation--how she presented herself solely as a provider, but wouldn't disclose her actual relationship to the patient until after much prompting.

Specializes in Oncology; medical specialty website.

I would have called HIM/HIS and had them shut down her access to the system until it could be determined just what information she was planning on accessing.

Why didn't she have an ID badge if she was supposedly a provider?

That was another thing that made me wary. But she does work for our company as a NP in an outpatient department, so she could have come in wearing her ID (the badges look the same company-wide) and easily gotten whatever it was that she was after if she had spoken with someone less paranoid than me. Interesting to think about. My manager said that the appropriate departments have "looked into it," whatever that means. Thanks for all your input, everyone.

Specializes in ER.

Yeah. It's not even allowed to look up your own medical records. I cringed when a unit clerk mentioned she looked up her own records before. She's an idiot and can have fun explaining that. I would fill out an incident report and document that interaction.

Specializes in Vents, Telemetry, Home Care, Home infusion.

Chiming in as a Privacy officer at work: you were correct in being wary of this NP's query, not permitting access, providing release of information form and reporting up chain of command. Once a report is made, HIM staff would run report staff accessing chart + give to Privacy officer/Manager for review of names. Our homecare software lists staff names then sections of EMR visited with date + time: demographics, clinical notes, medications, insurance, insurance authorization, non-clinical notes, wound care addendum, etc. One report can have hundreds or thousands of entries in hospital setting. Privacy officers look for staff that should not be accessing chart at all or section of chart that does not apply to them.

Similar situations have occurred in our health system: employed family member with computer access looked up parent's homecare chart 2 visit notes--outcome as first time occurrence: counselled that if accessed again would be terminated. Surgeon's staff accessed spouse's chart several times--immediate termination.

Protecting individual's privacy important.

Specializes in HH, Peds, Rehab, Clinical.

Nope! My employer required titer draws and re-vax for MMR and Hep B. When I wanted to provide a copy of those vax to my PCP, I had to submit a request for the records, of course. But they needed my patient ID number to do that "visible on your statement in X box" Except I don't receive statements! I had to have reception look up my account to provide me with my account number in order to request copies of my own records.

Specializes in Emergency & Trauma/Adult ICU.

You did the right thing. If she believed, in good faith, that she had the right to access her aunt's record via the EMR she would have simply done so. Instead, she made an attempt to see records without there being digital evidence of her having done so. Remember that, in any future interactions with her.

Specializes in SICU, trauma, neuro.

Thank you for protecting your pt, the hospital's integrity, and federal law!!

As others have stated, what this woman told you she was going to do is very much illegal. My IT dept made it clear in orientation that we can't even look up our own record using our Epic login--we would be fired, and that the legal way to access our record was through HIM, after filling out the form. Just like you told this niece.

You are sharp and this is an EXCELLENT example of understanding HIPAA.
