NEW patient privacy rules affect all professional staff members

Steven D. Freer, M.D., FACP
Chief medical officer, Oregon Region
Isidor Brill Chair, Department of Medicine
Providence St. Vincent Medical Center

Electronic health records have made it easier than ever to access health information that is private and protected by law. While this has improved our ability to care for patients, it has also become easier for those without a bona fide need for this information to casually access a patient’s private medical file. Providence policy now prohibits all professional staff and employees from accessing any health care record without a legitimate business reason.

Violating patient privacy is a serious legal, ethical and professional transgression. Providence also bears a legal and ethical duty to protect data security. Many organizations have incurred lawsuits and heavy fines for failing to ensure the privacy of patient information and for inadequately monitoring compliance with the rules that govern protected health information.

Examples of potentially problematic activities

Through the Proactive Privacy Monitoring (PPM) program, algorithms are used to identify electronic health record access patterns that may indicate snooping, potential identity theft or other behaviors that may violate Providence policy or state and federal laws. Violations can have serious implications for both practitioners and Providence. Security breaches place Providence at significant legal and financial risk, compromise our reputation in the community, and erode the trust of our patients.

Providence’s PPM monitors for a variety of potentially problematic activities, including inappropriate access to records of family members and coworkers. When such activity is flagged, the provider will be notified by email. Many flagged events turn out to be “false positives.” If you receive such an email from the Providence Office of Integrity, Compliance and Privacy, please respond promptly. It does not mean you have violated any rules – only that the monitoring system flagged an access event.
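To make the kind of access-pattern screening described above concrete, here is an added illustration. It is not Providence's PPM code and does not describe how Epic or the PPM program actually works; it is a small rule-based screen over constructed chart-access audit events. Every name, identifier, event and the `care_team` relationship table are assumptions made for the example. Events are flagged (for human review, not as findings) when the accessor opens their own chart, a chart that shares a last name or home address with them, a coworker's chart, or any chart with no documented care relationship; a documented relationship suppresses the last two reasons, which is how a screen like this keeps its false-positive rate down.

```python
# Added example, not Providence's PPM implementation. All people, ids and
# access events below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Person:
    """A person known to the system; workforce members may also be patients."""
    id: str
    last_name: str
    home_address: str
    is_employee: bool = False


@dataclass(frozen=True)
class AccessEvent:
    """One audit-log entry: user_id opened patient_id's chart at time ts."""
    user_id: str
    patient_id: str
    ts: str


@dataclass(frozen=True)
class Flag:
    """An event routed to a privacy officer, with the rules that fired."""
    event: AccessEvent
    reasons: Tuple[str, ...]


def reasons_for(ev: AccessEvent,
                people: Dict[str, Person],
                care_team: Set[Tuple[str, str]]) -> Tuple[str, ...]:
    """Apply the screening rules to one event and return the reasons that fired.

    care_team holds (user_id, patient_id) pairs with a documented care
    relationship (e.g. a treating provider listed on an encounter)."""
    user = people[ev.user_id]
    patient = people[ev.patient_id]

    # Rule 1: opening your own chart is always routed for review; the other
    # rules would all fire trivially here, so report this reason alone.
    if ev.user_id == ev.patient_id:
        return ("self-access",)

    reasons: List[str] = []

    # Rule 2: a shared last name or home address suggests a household member
    # or relative. This fires even with a care relationship, since the
    # follow-up email simply asks the practitioner to confirm the context.
    if (user.last_name == patient.last_name
            or user.home_address == patient.home_address):
        reasons.append("possible-household-member")

    has_relationship = (ev.user_id, ev.patient_id) in care_team

    # Rule 3: a coworker's chart, with no documented reason to be in it.
    if patient.is_employee and not has_relationship:
        reasons.append("coworker-record")

    # Rule 4: catch-all for any chart outside the user's documented patients.
    if not has_relationship:
        reasons.append("no-documented-care-relationship")

    return tuple(reasons)


def screen_events(events: Iterable[AccessEvent],
                  people: Dict[str, Person],
                  care_team: Set[Tuple[str, str]]) -> List[Flag]:
    """Return only the events that tripped at least one rule."""
    flags = []
    for ev in events:
        reasons = reasons_for(ev, people, care_team)
        if reasons:
            flags.append(Flag(ev, reasons))
    return flags


# Constructed sample data (hypothetical ids, names and addresses).
PEOPLE: Dict[str, Person] = {
    "u100": Person("u100", "Rivera", "12 Elm St", is_employee=True),  # nurse
    "u101": Person("u101", "Chen", "8 Oak Ave", is_employee=True),    # clerk
    "p200": Person("p200", "Rivera", "12 Elm St"),   # shares household with u100
    "p201": Person("p201", "Okafor", "3 Pine Rd"),   # patient on u100's care team
}
CARE_TEAM: Set[Tuple[str, str]] = {("u100", "p201")}
EVENTS: List[AccessEvent] = [
    AccessEvent("u100", "p201", "2024-01-05T09:00"),  # legitimate: no flag
    AccessEvent("u100", "p200", "2024-01-05T09:10"),  # household member
    AccessEvent("u100", "u101", "2024-01-05T09:20"),  # coworker, no relationship
    AccessEvent("u101", "u101", "2024-01-05T09:30"),  # own chart
]

if __name__ == "__main__":
    for flag in screen_events(EVENTS, PEOPLE, CARE_TEAM):
        e = flag.event
        print(f"{e.ts} user={e.user_id} chart={e.patient_id} -> {', '.join(flag.reasons)}")
```

Run as a script, it prints one line per flagged event; the first event (a nurse opening a chart for a patient on her care team) produces no output, which is the behaviour a reviewer wants from a screen whose alerts are read by people.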

Electronic health record do’s and don’ts

A few rules of thumb about EHRs and privacy include: 

  • Never view a patient record outside your scope of work. Access only the records relevant to performing your duties for patients with whom you have a legitimate health care relationship.
  • Concerns for family members, friends, coworkers or neighbors, however well intended, are NOT appropriate reasons to access their records.
  • Proper channels for accessing the records of a family member who has given permission include a HIPAA-compliant authorization available through Health Information Management, or access through MyChart as a MyChart proxy.
  • Sanctions for inappropriately accessing protected health information are serious. People have lost jobs, privileges and lawsuits over this.

For more information

The links below help further clarify what is expected under the Proactive Privacy Monitoring program. We all share the duty to retain the trust of our patients and our community. Ensuring the privacy of medical records and health information is a key element in earning and retaining that trust.

PowerPoint – Privacy monitoring program expansion

Frequently asked questions

Flier – What can’t you do in Epic?