As Epic gains ground, look out for potential HIPAA violations
Privacy officer gives advice for navigating a ‘sea change’ in how we approach our work
As more and more Yale Medical Group (YMG) practices implement the Epic electronic medical record (EMR), providers are accessing an unprecedented wealth of patient information. With this ability comes the potential for unauthorized access to the EMR. Whether this access is intentional or not, it can lead to serious repercussions.
The Office of Clinical Affairs is charged with ensuring that patient privacy rights mandated by the Health Insurance Portability and Accountability Act (HIPAA) are maintained. “We believe Epic will have a significant impact on quality of care and safety. However, one of our patients’ main concerns is the privacy of their electronic record,” said Ronald Vender, MD, chief medical officer and associate dean of clinical affairs.
Angela Oren, senior deputy privacy officer and risk management administrator, spoke with Yale Practice about how to avoid non-compliance with HIPAA in the new Epic environment.
What kind of impact has the EMR made on HIPAA?
The availability of EMRs represents a sea change in how we see patient privacy. Epic is a paradigm shift. When patient records were all on paper and filed away, you had to ask someone for access. And each practice kept its own records, so as a practical matter, the information from one practice was separate from that of another. But with Epic, everything is now one record, and more people have easier access to it.
Are there guidelines in place to ensure only the right people have access to a particular record?
The laws and regulations that govern appropriate access have been around for a long time. Simply stated, you should be accessing only the information necessary to do your job. If you are a doctor, that means you may access only the records of patients whose care you are involved in. If you are a billing representative, it means only patients whose cases you are working with.
How will anyone know if I look at a patient record?
Epic has an application called “Break the Glass” that requires users to document their reasons for any apparently unauthorized attempt to access an EMR. It displays a security screen that requests a reason you need to look at the record before access is granted. The software then creates an alert that will go to Yale Information Technology Services (ITS) and to the privacy officer for follow up. Meanwhile, the Yale New Haven Health System is implementing a separate application called FairWarning™, a utility that uses human resources data and other sources to automatically detect certain kinds of unauthorized access. The software generates a report for follow-up action.
What if you want to look at your own record—or that of your spouse, parent or child?
Looking at your own electronic record is against our current policy, and unless your spouse gives specific, written authorization, you may not access his or her records under any circumstances. If you want to see your child’s record, you should talk to your child’s doctor. Otherwise, as a Yale Medical Group employee, the only records you should be accessing are those that you are required to look at as part of your job.
Say you’re a physician advising a colleague about a case. Can you access the EMR of someone who is not your patient?
Yes you can. YMG encourages and supports collaboration among physicians. But with Epic, it is critically important for both the primary and consulting physicians to document their involvement, even for an informal consultation. It’s one extra step, but it’s important for patient privacy that anyone who looks at a patient record can show documentation that they had an appropriate and relevant reason for doing so.
What will happen if I am charged with accessing a record inappropriately?
First, you’ll need to explain why you accessed that EMR and show that your job required you to do it. In most cases, that’s where the matter will end. But there have been incidents at other institutions where people have accessed records with malicious intentions, and even, in the case of a stalker or a custody battle, for criminal purposes. We would take any suspicious activity very seriously and want to investigate further.
How have providers greeted the rollout of this Epic watchdog?
I’ve been getting a lot of hard questions. Typically, what I hear is that providers don’t do this maliciously, so why should they be punished? But they also know what the law requires, so while some are not happy, their main concern is that the audits be used fairly and wisely. My hope is that by the time Epic is fully implemented, everyone will have learned about the newly enhanced audit capabilities and we’ll have zero hits of unauthorized access.