
HIPAA: When to PAUSE and THINK

18 Mar 2018

Curious? Learn from these common situations



By: Christine Clarke, MD, Medical Staff President; Ellen Hampton, Corporate Integrity Director; and Shannon Priem, Marketing and Communications.


We don’t think twice about gathering health information from the computer, since we’re accessing health records throughout the day. The problem occurs when we get curious — and might be entering forbidden territory!

Can you relate to these situations?

You spot a familiar name. Looking at one of your patients, you notice a familiar name is in a nearby room.  So, you jump over into that person’s chart, read the H&P, check a few notes and labs, and figure out it’s your neighbor! It can take seconds, given how fast we are — but this is a significant HIPAA violation. So, pause, and think: What’s my role in this situation?  If it isn’t your patient, curiosity isn’t a good enough reason to review the chart.

Break The Glass notification. You’re getting ready to see a patient, and a Break The Glass notification comes up. Time to pause and think. Do you have a valid reason to look? Good, so type in your password, and continue taking care of the patient. Break The Glass is an important HIPAA tool that identifies patients whose charts have a higher level of access scrutiny. If you shouldn’t be in that chart, taking a moment to PAUSE and THINK can save you headaches later.

Your friend is in the hospital. You’re worried, of course – are they OK? Do they need help understanding or making decisions? You consider opening up Epic and checking out the situation. Time to pause and think: Do you have a valid HIPAA reason to access the chart? Just go visit them instead. Excellent decision! 

The trap of committee work. If you serve on committees or interdisciplinary teams, you might run across PHI pertaining to your own clinic or department while working on an improvement project with other departments. This is a good time to confirm your role – and not share that confidential information because the committee may not need to know it.

The Key: minimum information

The HIPAA Privacy Law protects all health information created or maintained by Salem Health Hospitals and Clinics. Even when using protected health information for treatment purposes, HIPAA requires us to use the minimum amount of information required to accomplish the intended purpose. Safety and patient care come first, but we need to know the difference between need-to-know and right-to-know. If you are not the treating provider, you don’t have a need to know.  

What hat are you wearing?

An easy way to approach PHI is to ask yourself, “What hat am I wearing?” Our ability to use and disclose PHI depends on our role. For example, if you’re on a nursing unit and notice a friend has been admitted, ask yourself, “Am I part of the care team, or am I here as a friend?” We can access and share PHI only when we have a need to know for our job roles. Accessing PHI for a friend is a HIPAA violation and may lead to corrective action, up to termination.

Questions about HIPAA? Call Ellen Hampton, Director of Corporate Integrity, Safety and Risk Management at 503-561-2494 or Sue Xiong, Corporate Integrity Analyst & Supervisor at 503-814-2826. Or email them or stop by their office in Building B, 2nd floor, south hallway.