Employee Medical Records in the EHR Environment

Viewing Hospital Employee Medical Records

As more and more hospitals and medical practices adopt electronic health records (90% by end of 2017), these organizations must grapple with how the HIPAA Privacy and Security Rules apply to employee medical records.

Current Approaches to Access to Employee Medical Records

Dealing with access to employees’ medical records created and maintained in the electronic medical record application is an issue in virtually all hospitals with electronic health records. Some institutions strictly prohibit employees from viewing or accessing their own (or their family members’) medical records. Others give employees virtually unfettered access to their own ePHI. Issues include:

  • HIPAA regulations allow the release of PHI in employee medical records to the person who is the subject of the information. How can healthcare organizations control access when employees can reach that PHI with their EHR user credentials (logon and password)?
  • Employees grow to expect access to employee medical records utilizing their EHR user credentials.
  • Employees also expect access to family members’ medical records utilizing their EHR user credentials.

For healthcare organizations monitoring access to employee medical records in their EHR system, unfettered access can result in a great deal of investigation to ensure compliance with HIPAA.

Do the HIPAA Privacy and Security Rules cover employee medical records?

Of course they do! The Privacy Rule protects all “individually identifiable health information” (IIHI) held or transmitted by a covered entity (CE) in any form or media, whether electronic, paper or oral. The Privacy Rule calls this “protected health information” (PHI).

IIHI, including demographic data, is information that relates to:

  • The individual’s past, present or future physical or mental health or condition,
  • The provision of health care to the individual, or
  • The past, present, or future payment for the provision of health care to the individual, and
  • That identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.

The Privacy Rule excludes from PHI the employment records that a CE maintains in its capacity as an employer. A major purpose of the Privacy Rule is to define and limit the circumstances in which PHI may be used or disclosed by CEs. CEs may not use or disclose PHI except (1) as the Privacy Rule permits or requires, or (2) as the individual who is the subject of the information (or the personal representative) authorizes in writing.

CEs are required to disclose PHI in only two situations: (1) to the individual (or the personal representative) when they request access to their PHI; or (2) to HHS when it is undertaking a compliance investigation.

CEs are permitted, but not required, to use and disclose PHI, without an authorization to/for:

  • The individual (unless required for access or accounting of disclosures); {Note: a CE may disclose PHI to the individual who is the subject of the information without an authorization};
  • Treatment, Payment and Healthcare Operations (TPO);
  • The opportunity to Agree or Object;
  • Incident to an otherwise permitted use and disclosure;
  • Public Interest and Benefit activities; and
  • A limited Data Set for the purpose of research, public health or healthcare operations.

The “minimum necessary” standard requires CEs to disclose only the minimum PHI necessary to accomplish the purpose of the disclosure. This standard does not apply to disclosures to the individual who is the subject of the information. The HIPAA Security Rule (SR) also requires CEs to ensure the confidentiality, integrity and availability of all the ePHI they create, receive, maintain or transmit.

How do the HIPAA Privacy and Security Rules apply to Employee Medical Records?

The Privacy Rule and Security Rule affect the policies on allowing employees to utilize their logon credentials to access their own, or their family members’ PHI as follows:

  1. Although employees have a right to request access to their own PHI in employee medical records, they do not have a right under HIPAA to use their login credentials to access that PHI. Healthcare organizations can impose reasonable requirements on access to PHI, e.g., obtaining the information from the HIM department after submitting a request for access.
  2. Healthcare organizations have an obligation to ensure the integrity of their ePHI. Since many employees have user rights to add or modify PHI, special care must be taken wherever access to a person’s own PHI via their user credentials is possible.
  3. The Privacy Rule permits persons to request an amendment to their records for inaccurate or incomplete information.  Healthcare organizations should have a policy that requests for amendment to information in a designated record set be made in writing.
  4. Employees would not typically be involved in providing or documenting their own care or treatment, so access to their own PHI would not be covered by access for TPO reasons, or for Public Interest and Benefit activities.
  5. The Privacy Rule makes no special provision for access by parents to the records of minor children except as personal representatives. Nor is there any special provision for access by a spouse of another spouse’s PHI.
  6. States have various laws and regulations that also cover access to employee medical records.  Examples include (1)  special protections for mental health and substance abuse treatment, and (2) retaining and disclosing genetic information.

What should be the policy on access to employee medical records in an EHR?

  • Many healthcare organizations have adopted a policy of prohibiting employees from viewing or accessing their own PHI electronically. Instead, employees must follow the same procedures in place for all patients to access their PHI. This policy is easier to enforce when a useful patient portal is available.
  • If a healthcare organization will continue to allow employees to access their own PHI, and that of minor children or spouses, using their login credentials, require employees to fill out an authorization for the use and disclosure of protected health information form for themselves and for each minor child or other family member. Scan and store a copy of the form in the medical record of each person for whom access is authorized. Monitor access to employee medical records to ensure the organization is protecting the privacy of everyone’s PHI!
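The second option only works if someone actually reviews the audit trail. As an added example (not code from the post or its author), the script below runs the check a privacy or security officer would want over a constructed EHR audit-log export: it flags every access where the logged-in user's own person identifier matches the patient, or matches an enrolled family member, and reports whether a scanned authorization form is on file and whether the record was modified rather than merely viewed (the integrity concern from item 2 above). The column names, the identifiers, the authorization table and the family table are all assumptions made for the example; real EHR audit exports differ by vendor.

```python
"""
Review an EHR audit-log export for employee self-access and family access.

Constructed example: column names, identifiers and lookup tables are
assumptions, not any vendor's real schema.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample audit-log export (CSV). user_person_id is the
# employee's own patient/person identifier; patient_person_id is the
# chart that was opened. Both column names are assumptions.
SAMPLE_AUDIT_LOG = """\
timestamp,user_id,user_person_id,patient_person_id,action
2024-03-01T08:01:00,jdoe,P1001,P2001,view
2024-03-01T08:05:00,jdoe,P1001,P1001,view
2024-03-01T09:10:00,asmith,P1002,P1003,view
2024-03-01T09:12:00,asmith,P1002,P1004,modify
2024-03-01T10:00:00,bjones,P1005,P1005,modify
"""

# Constructed: employee person_id -> person_ids for whom a signed
# authorization form has been scanned into the record.
AUTHORIZATIONS_ON_FILE: dict[str, set[str]] = {"P1002": {"P1003"}}

# Constructed: employee person_id -> person_ids of enrolled family members
# (minor children, spouse) as known to HR or benefits enrollment.
FAMILY_MEMBERS: dict[str, set[str]] = {"P1002": {"P1003", "P1004"}}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user_id: str
    patient_person_id: str
    action: str
    reason: str


def review_employee_access(
    log_text: str,
    authorizations: dict[str, set[str]],
    family: dict[str, set[str]],
) -> list[Finding]:
    """Return one Finding per reason for each self or family access.

    Ordinary clinical access (patient unrelated to the user) is skipped;
    that traffic is covered by the normal TPO access review, not this one.
    """
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user_person = row["user_person_id"]
        patient = row["patient_person_id"]
        action = row["action"]

        if patient == user_person:
            relation = "self"
        elif patient in family.get(user_person, set()):
            relation = "family"
        else:
            continue

        reasons: list[str] = []
        if patient in authorizations.get(user_person, set()):
            reasons.append(f"{relation} access with authorization on file (monitor only)")
        else:
            reasons.append(f"{relation} access without authorization on file")
        # Any write to one's own or a relative's chart needs an integrity
        # review regardless of whether an authorization form exists.
        if action != "view":
            reasons.append(f"{relation} record modified with own credentials (integrity review)")

        for reason in reasons:
            findings.append(Finding(row["timestamp"], row["user_id"], patient, action, reason))
    return findings


if __name__ == "__main__":
    for f in review_employee_access(SAMPLE_AUDIT_LOG, AUTHORIZATIONS_ON_FILE, FAMILY_MEMBERS):
        print(f"{f.timestamp} {f.user_id:8} {f.patient_person_id} {f.action:7} {f.reason}")
```

Run as written, the script reports jdoe's view of their own chart (no form on file), asmith's authorized view of one family member, asmith's unauthorized modification of another family member's chart (two findings: no form, and a write), and bjones modifying their own record (again two findings). The first jdoe row, an unrelated patient, produces nothing. A real deployment would join the EHR's audit export to the HR roster to populate the person-identifier and family tables rather than hard-coding them.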

This issue is not going away anytime soon. Healthcare organizations should examine their experience and policies. Do it before you have an unauthorized disclosure involving an employee that leads to sanctions. That is not an occurrence that will improve employee morale!


Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.


5 thoughts on “Employee Medical Records in the EHR Environment”

  1. I am trying to get guidance on a related concern. I am the EH nurse at a tribal facility. Many of our employees use our facility as their medical home. In short, their employee health chart and medical chart are one and the same. EH notes are confidential; however, labs, medications, and imaging are not. An employee with a bloodborne exposure will have labs and possibly medications (HIV medications, for example) visible in their “patient” chart and cannot be made confidential. Anyone accessing the chart for medical reasons can also view EH-related labs, medications, and imaging. This is also a small facility where everybody knows everybody. I have concerns, especially as I am the Employee Health nurse. Any guidance would be appreciated. Should I relax and just chill, as has been suggested?

    1. HIPAA regulations specify that employer records, including records with employee health information, are not protected by HIPAA, and can be utilized by the employer without authorization. But it also says the Privacy Regulations protect your PHI if your employer is also a provider. So most employers keep employee health records separate from employee medical records. It sounds like you are able to keep the employee health notes, where you may have information about treatment, referrals, etc., related to the employee health situation, separate. There is an argument for letting the employee’s primary care physician see information about things like medications, especially to avoid conflicts with prescriptions, etc. This is not an unusual situation when an EHR is in use by an employer, and employees are also patients. I suspect some information related to employee health (orders, results, etc.) is always available to other staff members with access to the EHR.

      You may want to keep employees informed about the crossover of medical information, and the inability of the EHR system to keep them segregated. An employee could potentially choose to go elsewhere for primary care if they felt strongly about the issue.

  2. Can DHHS access an employee’s online activity for that person looking at someone’s medical records? That office is not associated with my medical treatment in any way. I believe my estranged son’s girlfriend who is a nurse at Elara Care has accessed my husband’s medical record and used it in a vindictive manner. I don’t know any other way to prove it is her. Can this be looked into without her knowing she is being watched? She works remotely from home at this time. My husband or myself would NOT want her having access to our records.

    1. There may be no way for DHHS to monitor what one of their employees is accessing if the employee is using a personal computer. But you can contact the Elara facility where your husband’s medical records are being kept, and ask them if there has been any access by the estranged girlfriend to your husband’s medical records. Ask for the Privacy Officer at the facility and express your concerns, explaining what the vindictive use is and how you heard about it.