January 5, 2016

Unauthorized access of patient information can result in termination

Unauthorized use of Vanderbilt University Medical Center’s (VUMC) clinical databases — Epic, Medipac or Star Panel — to check on the health status of fellow employees or to peer into the medical records of other individuals not under someone’s care can result in progressive discipline or even termination.


The VUMC Privacy Office wants Medical Center faculty and staff who have access to systems or databases that contain patient information to keep in mind that access to patients’ information continues to be closely audited for potential privacy violations.

Audits by the Privacy Office have uncovered instances where faculty and staff inappropriately accessed medical records of coworkers or others not under their care.

Gaye Smith, VUMC’s chief privacy officer, said accessing information about patients without a legitimate business purpose or without appropriate authorization, even when done with the best of intentions, is a violation of HIPAA and VUMC policy.

“The Privacy Office finds that violators are most often of two types,” Smith said. “One is the individual who is just curious about a patient that they may know or have heard about, and the other is the individual who wants to get a phone number or room number but inappropriately goes into a system that contains much more personal, protected information.”

Another type of privacy violation involves the individual who logs in under his or her user name and password and walks away from the device, allowing someone else to access information. The user who leaves the device and data unprotected is held accountable for any unauthorized access that occurs under their identification. The individual who accesses the information under someone else’s identification is also in violation of policy.

The Privacy Office continues to conduct audits of the medical records of Vanderbilt employees who are admitted as patients. Audits have been broadened to now include random and detailed analysis of other patients’ records to make sure those who are accessing this information have an appropriate reason to do so. The Privacy pop-up alerts that present when certain medical records are accessed will automatically trigger a detailed audit of the access to confirm a clinical or service relationship exists.

“As we have become so accustomed to using these clinical systems, we have become somewhat desensitized to the amount of information that’s immediately available,” Smith said.

When instances of potential privacy violations are discovered during the auditing process, or are reported by co-workers or patients, an investigation by the Privacy Office ensues.

The Privacy Office wants to remind all employees who have access to confidential patient information via Medical Center databases to be aware their access to these records is being carefully watched.

“We can tell what documents have been opened and precisely how long someone was looking at them,” Smith said.

Smith said there is an existing Medical Center form that employees can complete if they wish to give individuals other than those already authorized access to their medical records. Without this completed document, even spouses are violating VUMC’s privacy standards by accessing their husband’s or wife’s medical records.