November 22, 2021

Policy on access to the electronic medical records of patients and employees updated

Vanderbilt University Medical Center has updated its policy on “Authorization to Access Medical Records of Self and Others.”

Vanderbilt University Medical Center has updated its policy on “Authorization to Access Medical Records of Self and Others,” and one change is that direct access through eStar to the medical record of your minor child is no longer allowed.

The policy applies to VUMC workforce members and has been approved by the Information Privacy and Security Executive Committee, the Health Record Executive Committee, and the Medical Center Medical Board.

It defines the circumstances and appropriate procedures for VUMC workforce members to access their own electronic medical record or medical record information about another patient where no direct treatment or role-based access relationship exists.

The My Health at Vanderbilt (MHAV) patient portal remains the preferred approach to access information in the medical record either as a patient or an authorized representative of another patient. MHAV is to be used when a workforce member wants to view their minor child’s EMR.

According to the new policy, VUMC workforce members:

  • Continue to be allowed to view their own medical record in eStar. However, the workforce member is prohibited from documenting or editing information in that medical record.
  • Are prohibited from accessing the EMR of their minor children. That access is allowed through the My Health at Vanderbilt patient portal as a parent or surrogate of the patient.
  • May not access the EMR of another adult patient — including a spouse, adult child or other adult family member — outside of an assigned job role unless the adult patient has authorized such access as documented in advance on the Communication with Family and Others form and the form is scanned into the patient’s EMR.

VUMC workforce members who access an electronic medical record without appropriate authorization are subject to disciplinary action in accordance with VUMC policy, Sanctions for Privacy and Information Security Violations.

For more information, go to https://www.vumc.org/information-privacy-security/welcome.