March 8, 2023

Reminder: access to patient information monitored


The Vanderbilt University Medical Center Privacy Office wants faculty and staff who have access to systems or databases that contain patient information to keep in mind that access to patients’ information continues to be closely audited for potential privacy violations.

Unauthorized use of VUMC’s clinical databases, such as Epic or Star Panel, to check on the health status of fellow employees, to see whether a celebrity is a patient at VUMC, or to view the medical records of other individuals not under one’s care can result in progressive discipline or even termination.

Audits by the Privacy Office have uncovered instances where faculty and staff inappropriately accessed medical records of co-workers or others not under their care.

Gaye Smith, VUMC’s chief privacy officer, said accessing information about patients or searching for employees and patients without a legitimate business purpose or without appropriate authorization, even when done with the best of intentions, is a violation of HIPAA and VUMC policy.

“The Privacy Office finds that violators are most often of two types,” Smith said. “One is the individual who is just curious about a patient that they may know or have heard about, and the other is the individual who wants to get a phone number or room number but inappropriately goes into a system that contains much more personal, protected information.”

Another type of privacy violation involves an individual who logs in with his or her username and password and then walks away from the device, allowing someone else to access information. The user who leaves the device and data unprotected is held accountable for any unauthorized access that occurs under his or her credentials; the individual who accesses the information under someone else’s credentials is also in violation of policy.

The Privacy Office continues to audit the medical records of Vanderbilt employees who are admitted as patients. Audits have been broadened to include random, detailed analysis of other patients’ records to make sure those who access this information have an appropriate reason to do so. The Break the Glass privacy pop-up alerts that appear when certain medical records are accessed automatically trigger a detailed audit of that access to confirm that a clinical or service relationship exists.
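The audit triggers described above (break-the-glass access, records of employee-patients, random sampling of other records, and a check for a user who appears to have walked away from a logged-in session, as in the earlier paragraph) as an added Python example. This is not VUMC’s code or a real Epic or Star Panel audit feature: the log format, the user, patient and workstation identifiers, the care-team table and the workstation-concurrency heuristic are all assumptions constructed for illustration.

```python
"""Added example: an EHR access-log audit pass (hypothetical, not VUMC code)."""
import random
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical reference data, constructed for this example.
CARE_TEAM = {  # patient -> users with a documented treatment relationship
    "P1001": {"u_nurse42", "u_drlee"},
    "P1002": {"u_drlee"},
    "P1003": {"u_nurse42"},
}
EMPLOYEE_PATIENTS = {"P1002"}   # patients who are also employees
SERVICE_USERS = {"u_billing7"}  # non-clinical staff with a service relationship

# Constructed access-log lines in an assumed format (btg = break-the-glass flag).
ACCESS_LOG = """\
2023-03-07T09:12:03Z user=u_nurse42 patient=P1001 ws=WS-ICU-3 action=open_note btg=0 dur_s=95
2023-03-07T09:40:11Z user=u_nurse42 patient=P1002 ws=WS-ICU-3 action=open_note btg=1 dur_s=240
2023-03-07T10:05:30Z user=u_drlee patient=P1002 ws=WS-CLINIC-1 action=open_note btg=0 dur_s=60
2023-03-07T10:30:00Z user=u_clerk9 patient=P1003 ws=WS-FRONT-2 action=demographics btg=0 dur_s=12
2023-03-07T10:31:00Z user=u_billing7 patient=P1001 ws=WS-BILL-4 action=demographics btg=0 dur_s=20
2023-03-07T11:00:00Z user=u_drlee patient=P1001 ws=WS-CLINIC-1 action=open_note btg=0 dur_s=30
2023-03-07T11:02:00Z user=u_drlee patient=P1003 ws=WS-ICU-3 action=open_note btg=0 dur_s=45
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) ws=(?P<ws>\S+) "
    r"action=(?P<action>\S+) btg=(?P<btg>[01]) dur_s=(?P<dur>\d+)$"
)


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    patient: str
    ws: str
    action: str
    break_glass: bool
    duration_s: int


def parse_log(text):
    """Parse the assumed log format; reject lines that do not match rather than skip them."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        records.append(Access(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            user=m["user"], patient=m["patient"], ws=m["ws"], action=m["action"],
            break_glass=m["btg"] == "1", duration_s=int(m["dur"]),
        ))
    return records


def has_relationship(rec):
    """True if the user is on the patient's care team or has a service role."""
    return rec.user in CARE_TEAM.get(rec.patient, set()) or rec.user in SERVICE_USERS


def audit(records, sample_rate=0.25, seed=1, concurrency_window=timedelta(minutes=5)):
    """Return (access, reason) pairs that need a detailed review, in time order.

    Each access gets at most one relationship-based reason (highest priority first);
    the concurrency heuristic is checked independently and may add a second finding.
    """
    rng = random.Random(seed)  # seeded so the random sample is reproducible
    findings = []
    last_seen = {}  # user -> (ts, ws) of that user's most recent access
    for rec in sorted(records, key=lambda r: r.ts):
        prev = last_seen.get(rec.user)
        last_seen[rec.user] = (rec.ts, rec.ws)
        if rec.break_glass:
            findings.append((rec, "break-the-glass access: confirm clinical or service relationship"))
        elif rec.patient in EMPLOYEE_PATIENTS:
            findings.append((rec, "patient is an employee: routine audit"))
        elif not has_relationship(rec):
            findings.append((rec, "no documented care-team or service relationship"))
        elif rng.random() < sample_rate:
            findings.append((rec, "random sample"))
        # Heuristic (assumption): the same user active on two workstations within a
        # short window suggests a session left unlocked and used by someone else.
        if prev and prev[1] != rec.ws and rec.ts - prev[0] <= concurrency_window:
            findings.append((rec, f"same user active on {prev[1]} and {rec.ws} within {concurrency_window}"))
    return findings


if __name__ == "__main__":
    for rec, reason in audit(parse_log(ACCESS_LOG)):
        print(f"{rec.ts:%H:%M:%S} {rec.user} -> {rec.patient} ({rec.ws}, {rec.duration_s}s): {reason}")
```

The relationship check is deliberately strict: a user who is on a patient’s care team is cleared, anyone else is a finding regardless of intent, which matches the point made on this page that good intentions do not make an access legitimate. Each finding is only a trigger for the detailed review the Privacy Office describes, not a verdict.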

“As we have become so accustomed to using these clinical systems, we have become somewhat desensitized to the amount of information that’s immediately available,” Smith said.

When instances of potential privacy violations are discovered during the auditing process, or are reported by co-workers or patients, an investigation by the Privacy Office ensues.

The Privacy Office wants to remind all employees who have access to confidential patient information via Medical Center databases to be aware their access to these records is being carefully watched.

“We can tell what documents have been opened and precisely how long someone was looking at them,” Smith said.

Smith said there is an existing Medical Center form that employees can complete if they wish to grant access to their medical records to individuals who would not otherwise be authorized. Without this completed form, even spouses violate VUMC’s privacy standards by accessing their husband’s or wife’s medical records.