Is this a HIPAA violation?

Is this a HIPAA violation?

My hospital uses Epic (I'm fairly new to it). I have searched my name before and it flagged me. When I explained I was simply searching my name (out of boredom, and to see if I was even in Epic's system) and not actively in the chart, the problem was pretty much let go. So my question is, does it violate HIPAA to search a name if you're not double clicking into the chart and accessing it? I've known nurses to do that just to see if (for example) one of the patients we transferred was now deceased. Still, without actually accessing the chart. 

15 Answers

Specializes in Physiology, CM, consulting, nsg edu, LNC, COB.

OK. HIPAA violations are ruled on by the OCR ( Federal Office of Civil Rights) in response to a complaint. The violation, if any, would be penalized to the institution, not the individual, because the institution is responsible for maintaining confidentiality in its handling of all PHI (personal health information) and seeing that all its employees know how to do that.

In answer to your question, yes, just accessing a name (without going further) counts, because it confirms that the person did receive some kind of health service to warrant being in the database. That's enough to constitute a disclosure. So no, not OK to look up a name even if only to see if the pt is deceased; this would count as a HIPAA violation (albeit a smallish one).

In this case, who is complaining that their personal health information was inappropriately accessed? You? Did you report yourself to OCR?

Even so, most facilities prohibit even looking up your own record for reasons unrelated to HIPAA proper; people tend to lump it all together, though, which isn't strictly accurate.

 

Specializes in retired LTC.

I wonder if every morning at shift start, if some facility HIPAA staffer has to run an audit of all chart entries in the last 24 hrs or so. Just to review if all the entries were legitimately permitted. Like OP's entry might have come up 'flagged'.

It's such a shame that HIPAA has become such the monster that is has. But the underlying reason is to protect information for all. So it is imperative for all employees to KEEP OUT chart records unless for some real legit reason. C

'Curiosity is what killed the cat'.

OP - I hope nothing serious comes out of this search for you.

And welcome to AN.

On 3/26/2021 at 7:04 PM, guest0000005 said:

My hospital uses Epic (I’m fairly new to it). I have searched my name before and it flagged me. When I explained I was simply searching my name (out of boredom, and to see if I was even in Epic’s system) and not actively in the chart, the problem was pretty much let go. So my question is, does it violate HIPAA to search a name if you’re not double clicking into the chart and accessing it? I’ve known nurses to do that just to see if (for example) one of the patients we transferred was now deceased. Still, without actually accessing the chart. 

The bottom line is that about the time you are asking whether something is a HIPAA violation, you should understand that there's a good chance it's a violation of your facility's privacy practices or various policies or is just bad optics. So don't do it.

Boredom and curiosity are both very bad reasons to be messing around in the EMR platform.

This is really simple: Do your job and forget the rest.

Specializes in OB.

At our hospital we're allowed to look at our test results but not allowed to print them.  We're also allowed to look at minor children (under age 13 I think), but not spouses or older children.  We also have mychart, where you can access all of your labs & tests.

Specializes in Physiology, CM, consulting, nsg edu, LNC, COB.

HIPAA is actually fairly short and absurdly clear for a governmental document. Suggest you go to OCR.gov and download it, and tack up a copy on the board and forward it to everybody’s email. That should, ahem, help everyone to ummm, understand it more clearly. 

Specializes in Psychiatric, in school for PMHNP..

I was working at a hospital when they changed over to EPIC.  During the extensive training they warned us repeatedly to never search our own name because that would automatically generate a violation report.  I was glad I was there when they began with EPIC because we did get great training.  Basically, the rule was only search for the patients currently under your care.

Might not technically be a HIPAA violation but could violate your employer’s privacy rules. At my orientation (we use Epic also) we were told to NEVER access our chart or any immediate family member as that is an immediate firing offense. Some places consider the fact that you have an account created in Epic to be too much info because it means you’re a pt with that facility. In fact, I had a coworker get fired for checking her dad’s lab results even though he’s a pt with our practice; she should have had a coworker look. 

Specializes in nursing ethics.

My guess is that medical secretaries/receptionists have access to much information on everyone and can easily access it at some clinics. In detail. Sometimes the faxed orders are seen and other papers too. I think this is ubiquitous. Speaking as a patient.

  In my hospital, the medical records office did not know how to serve me when I asked to see my own record. Like it was too secret even for me.

Specializes in Emergency Nursing, Pediatrics.

I remember being taught in nursing school that it is most definitely against HIPAA to look up your own name.

Specializes in Physiology, CM, consulting, nsg edu, LNC, COB.
LeChien said:

I remember being taught in nursing school that it is most definitely against HIPAA to look up your own name.

A common misconception. It's usually a violation of an institutional rule against accessing their proprietary EHR without a bona fide business reason to to do. So many people misunderstand HIPAA that this got folded into their mythology. 

Specializes in Community health.

My facility sends the most absurd emails and they usually include the line “due to HIP PA ” (and yes, that spelling is often included and that’s when you realize the author doesn’t even know what HIPAA contains). It has become a way for a facility to police behavior- they just announce that something is “due to HIPAA” and they know everyone will accept it. 

On 3/30/2021 at 7:09 PM, CommunityRNBSN said:

“due to HIPAA”

LOL. We probably couldn't have water at the nurse's station because of HIPAA. Wait, that was Jake-o. Or, um, OSHA. Maybe the fire marshall.

Who knows. It was somebody though. Somebody said it.

 

Or....not.

+ Add a Comment