Jump to content

Family with access to hospital/clinic EMR

Has 8 years experience.

I had an uncomfortable interaction with a patient's family member while working as unit secretary the other day. I don't believe I acted in the wrong at all but I still feel really uneasy about it. This is long-winded but I'm just wondering if anyone has encountered a similar situation--and if so, how you handled it.

A woman came to the desk and introduced herself as a NP and wanted me to provide her with all medical records on a particular patient. I'd never seen this woman before in my life, but we have a lot of new hospitalist providers lately. However, this set off some red flags because any provider with clinic/hospital privileges can access the EMR themselves, and can typically access more records than what unit secretaries are granted access to.

I pried for a little more information and found out that yes, she was in fact a NP, but she was not involved with this patient's care and actually, the patient she was requesting records on was her aunt. I told her that if her aunt filled out the necessary release of information paperwork and authorized our medical records department to share her information, I could submit it for review and she could receive copies in the mail. This was not good enough for her but I stood my ground.

The patient consented to have her records released to her niece, and I sent the paperwork to our ROI department, informing them that they would receive hard copies of the requested records in the mail upon the patient's discharge from the hospital.

The niece/NP stated, "But I can look everything up in Centricity before then." I explained that no, per our systemwide policy, the ROI consent does not allow her to use her EMR access to view records of her family members, regardless of her status as a provider. She then informed me that she would do it anyway.

I documented my interaction with the patient and her family member and emailed my manager expressing my discomfort with this situation, but I wonder if there was anything more that I could have/should have done? This just doesn't sit well with me. I'm on PTO right now but I'm thinking of going in to file a formal incident report. Am I overreacting?

JustBeachyNurse, RN

Specializes in Complex pediatrics turned LTC/subacute geriatrics. Has 10 years experience.

Did you alert medical records/HIM & your manager in writing? The only other alert you could make other than the notifications would be corporate compliance and perhaps the HIPAA compliance officer. Likely HIM or your manager followed protocol and alerted the appropriate parties. Check your responsibilities via the employee handbook regarding potential breech in patient confidentiality/unauthorized access to EMR of family notification.

RiskManager

Specializes in Healthcare risk management and liability.

You should file an event/incident report. This is the best way to ensure that the Compliance/Privacy people are notified. Speaking as the person who has to follow up on these reports, the first thing I would do is run an access log on the patient's chart, and if the NP had indeed accessed the chart, I would be chatting with the Chief of Staff and/or HR, assuming that the NP is an employee of, or has privileges at, the system.

Princess Bubblegum

Has 8 years experience.

Thanks RiskManager! I'm going to go file an incident report this afternoon and get back to focusing on my vacation time. Even if nothing happened, it was just a hinky situation--how she presented herself solely as a provider, but wouldn't disclose her actual relationship to the patient until after much prompting.

OCNRN63, RN

Specializes in Oncology; medical specialty website.

I would have called HIM/HIS and he'd them shut down her access to the system until it could be determined just what information she was planning on accessing.

Why didn't she have an ID badge if she was supposedly a provider?

Princess Bubblegum

Has 8 years experience.

Why didn't she have an ID badge if she was supposedly a provider?

That was another thing that made me wary. But she does work for our company as a NP in an outpatient department, so she could have come in wearing her ID (the badges look the same company-wide) and easily gotten whatever it was that she was after if she had spoken with someone less paranoid than me. Interesting to think about. My manager said that the appropriate departments have "looked into it," whatever that means. Thanks for all your input, everyone.

applesxoranges, BSN, RN

Specializes in ER.

Yeah. It's not even allowed to look up your own medical records. I cringed when a unit clerk mentioned she looked up her own records before. She's an idiot and can have fun explaining that. I would fill out an incident report and document that interaction.

NRSKarenRN, BSN, RN

Specializes in Vents, Telemetry, Home Care, Home infusion. Has 43 years experience.

Chiming in as a Privacy officer at work: you were correct in being wary of this NP''s query, not permitting access, providing release of information form and reporting up chain of command. Once a report is made, HIM staff would run report staff accessing chart + give to Privacy officer/Manager for review of names. Our homecare software lists staff names then sections of EMR visited with date + time: demographics, clinical notes, medications, insurance, insurance authorization, non-clinical notes, wound care addendum, etc.... one report can have hundreds or thousands of entries in hospital setting. Privacy officers look for staff that should not be accessing chart at all or section of chart that does not apply to them.

Similar situations have occurred in our health system:employed family member with computer access looked up parents homecare chart 2 visit notes--outcome as first time occurrence: counselled that if accessed again would be terminated. Surgeon's staff accessed spouses chart several times- immediate termination.

Protecting individual's privacy important.

BuckyBadgerRN, ASN, RN

Specializes in HH, Peds, Rehab, Clinical. Has 4 years experience.

Nope! My employer required titer draws and re-vax for MMR and Hep B. When I wanted to provide a copy of those vax to my PCP, I had to submit a request for the records, of course. But they needed my patient ID number to do that "visible on your statement in X box" Except I don't receive statements! I had to have reception look up my account to provide me with my account number in order to request copies of my own records.

Yeah. It's not even allowed to look up your own medical records. I cringed when a unit clerk mentioned she looked up her own records before. She's an idiot and can have fun explaining that. I would fill out an incident report and document that interaction.

Altra, BSN, RN

Specializes in Emergency & Trauma/Adult ICU.

You did the right thing. If she believed, in good faith, that she had the right to access her aunt's record via the EMR she would have simply done so. Instead, she made an attempt to see records without there being digital evidence of her having done so. Remember that, in any future interactions with her.

Here.I.Stand, BSN, RN

Specializes in SICU, trauma, neuro. Has 16 years experience.

Thank you for protecting your pt, the hospital's integrity, and federal law!!

As others have stated, what this woman told you she was going to do is very much illegal. My IT dept made it clear in orientation that we can't even look up our own record using our Epic login--we would be fired, and that the legal way to access our record was through HIM, after filling out the form. Just like you told this niece.

Jory, MSN, APRN, CNM

Has 10 years experience.

Thanks RiskManager! I'm going to go file an incident report this afternoon and get back to focusing on my vacation time. Even if nothing happened, it was just a hinky situation--how she presented herself solely as a provider, but wouldn't disclose her actual relationship to the patient until after much prompting.

You are sharp and this is an EXCELLENT example of understanding HIPAA.

×

By using the site you agree to our Privacy, Cookies, and Terms of Service Policies.

OK