Medical Visits 🏥

What if the person behind the glass is unethical?

Do you know someone personally, outside the facility in which they work, who has a career in the medical field? What happens to your personal records when that person behaves unethically outside of work but still holds a login at work?

Electronic Health Records (EHRs)

Start with the simple definition. An EHR is a digital version of a patient’s medical chart; the records are electronic, hence the name. Why does my healthcare provider have EHRs? So the records can be updated in real time. Imagine how time consuming that would be on paper, and remember this while sitting in the waiting room for your next appointment. Providers have the ability to share the record safely (keyword) with authorized (keyword) healthcare professionals. The provider must use protective security measures to keep patient information private, and the person accessing or receiving your records must have a need-to-know.

Need-to-know (defined): a person should only access or receive a patient’s electronic health record if the information is required to do their specific job and for a legitimate healthcare purpose.

*Note: Just because someone can see an EHR does not mean they should.

Inappropriate Access

  • Look up a patient out of curiosity

  • Access records of friends, family, or coworkers

  • View information unrelated to their job role

  • Read details “just in case” or “because it’s interesting”

  • Share patient information with unauthorized people

    • Unauthorized viewing alone is a violation.

What is in a person’s medical chart?

Basic Identifying Information

  • Full name

  • Date of Birth

  • Gender

  • Address

  • Phone Number(s)

  • Email Address

  • Emergency Contact Name and Number

  • Patient ID or Medical Record Number

Insurance and Financial Information

  • Health Insurance Provider

  • Policy and group numbers

  • Subscriber Information

  • Billing and Payment Records

  • Copay or balance information

Medical History

  • Past and current medical conditions

  • Diagnoses

  • Surgical history

  • Hospitalizations

  • Family medical history

Clinical Information

  • Doctor and nurse notes

  • Treatment Plans

  • Progress Notes

  • Care Instructions

Medications and Allergies

  • Current and past medications

  • Dosage and frequency

  • Drug allergies

  • Food and environmental allergies

Test Results and Measurements

  • Lab test results

  • Imaging Reports (X-rays, MRIs, CT Scans)

  • Vital signs (blood pressure, weight, temperature)

Immunization Records

  • Vaccines received

  • Dates of Immunizations

Appointment and Visit Information

  • Appointment dates and times

  • Reason for visits

  • Provider names and locations

Behavioral and Mental Health Information

  • Mental health diagnoses

  • Therapy Notes (when applicable)

  • Substance use history (if disclosed and documented)

Legal and Consent Information

  • Consent forms

  • Advance directives

  • Power of Attorney or healthcare proxy information

Access and Audit Information (Behind the Scenes)

  • Which staff members accessed the record?

  • Date and time of access

  • Changes made to the record

(This may help ensure accountability and privacy.)
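The audit trail above is only useful if someone reviews it. The following is an added example (not code from the newsletter) of the kind of review a privacy team runs over an access log: it flags staff opening their own chart, charts of people who share their household surname, and clinical staff viewing patients they have no recent treatment relationship with. The staff roster, patient list, encounter table, role names and log lines are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str      # employee ID
    patient: str   # medical record number (MRN)
    action: str    # "view" or "edit"
    section: str   # chart section, e.g. "clinical", "test_results"


# Constructed roster. own_mrn is set when a staff member is also a patient here;
# surname is a cheap proxy for "friend, family, or household member".
STAFF = {
    "e100": {"role": "receptionist", "own_mrn": "p9001", "surname": "Rivera"},
    "e200": {"role": "nurse",        "own_mrn": None,    "surname": "Okafor"},
    "e300": {"role": "physician",    "own_mrn": None,    "surname": "Chen"},
}
PATIENTS = {
    "p0001": {"surname": "Rivera"},  # same household name as e100
    "p0002": {"surname": "Smith"},
    "p0003": {"surname": "Smith"},   # no recent encounter with any clinical staff
    "p9001": {"surname": "Rivera"},  # e100's own record
}
# Constructed treatment relationships: (employee, patient) -> most recent encounter.
ENCOUNTERS = {
    ("e200", "p0002"): datetime(2024, 3, 1, 10, 0),
    ("e300", "p0002"): datetime(2024, 3, 1, 10, 0),
    ("e300", "p0001"): datetime(2024, 2, 20, 9, 0),
}
CLINICAL_ROLES = {"nurse", "physician"}
RELATIONSHIP_WINDOW = timedelta(days=30)

# Constructed audit log: timestamp,user,patient,action,section (one access per line).
RAW_LOG = """\
2024-03-01T10:05:00,e200,p0002,view,clinical
2024-03-01T10:20:00,e300,p0002,edit,medications
2024-03-01T11:30:00,e100,p0002,view,identifying
2024-03-02T08:00:00,e100,p9001,view,test_results
2024-03-02T08:03:00,e100,p0001,view,clinical
2024-03-02T08:10:00,e200,p0003,view,behavioral
"""


def parse_log(text: str) -> list[AccessEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, section = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action, section))
    return events


def reasons_for(ev: AccessEvent) -> list[str]:
    """Return the rules an access trips; an empty list means it looks routine."""
    staff = STAFF[ev.user]
    hits = []
    # Rule 1: a staff member opening their own chart through the clinical system.
    if staff["own_mrn"] == ev.patient:
        hits.append("self-access")
    # Rule 2: shared surname -> likely family or household; review, do not auto-block.
    elif PATIENTS[ev.patient]["surname"] == staff["surname"]:
        hits.append("possible-relative")
    # Rule 3: clinical staff with no encounter with this patient inside the window.
    if staff["role"] in CLINICAL_ROLES:
        last = ENCOUNTERS.get((ev.user, ev.patient))
        if last is None or ev.ts - last > RELATIONSHIP_WINDOW:
            hits.append("no-treatment-relationship")
    return hits


def flag_suspicious(events: list[AccessEvent]) -> list[tuple[AccessEvent, list[str]]]:
    return [(ev, hits) for ev in events if (hits := reasons_for(ev))]


if __name__ == "__main__":
    for ev, hits in flag_suspicious(parse_log(RAW_LOG)):
        print(f"{ev.ts.isoformat()} {ev.user} -> {ev.patient} [{ev.section}]: {', '.join(hits)}")
```

Run as-is, three of the six constructed accesses are flagged: the receptionist viewing her own results, the receptionist viewing a patient with her surname, and a nurse viewing a patient she has never treated. The surname rule produces false positives by design; it exists to queue a human review, not to block.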

What are you protecting your records from?

Did you know that the records themselves are generally well protected by the system’s technical controls? The problems start when we add people to the equation: their behavioral patterns, their motivations, and the fact that people are themselves vulnerable. Some readers would beg to differ and blame this on technology failure. Regardless of what you have heard about artificial intelligence (AI), there is always a human component.

Let’s look at some common examples (human factors) that may or may not resonate with you, if for no other reason than to pique your interest.

Human Limitations

It is very common today for humans to have limitations in the workplace: cognitive and psychological limits, not to mention workplace constraints such as fatigue, stress, burnout, cognitive overload, or insufficient training.

  • Did you know that someone who is fatigued, stressed, or burned out is more likely to be careless when handling your records? Carelessness is one path to unethical data access.

Human Abilities

What makes an insider (person behind the glass) capable of violating EHR privacy?

  • The person has authorized system access, knows the system’s workflow weaknesses, knows how to bypass internal controls, and may have the ability to hide their activity.

Human Behaviors

It is common to have acquaintances you would not want in your personal business, much less your health records. Most people do not think twice about it, nor do they think they have any control over their records. That way of thinking is wrong.

Curiosity-driven snooping may feel non-malicious to the unethical person behind the glass. He or she may use what they find for gossip or personal interest. This is common, even when there is no financial motive.

Know your boundaries. Receptionists and other personnel behind the glass may not improperly access protected health information (PHI).

Common unethical behaviors may include:

  • Snooping

  • Discussing patient information with coworkers who have no need-to-know

  • Accessing charts of friends, family, or local public figures

  • Misusing system access out of personal conflict, revenge, or a grudge against a patient

  • Having the mindset of “everyone looks things up sometimes” or “I was just checking something real quick”

Human Processes

Humans process information differently. Some people are not trained thoroughly and cut corners. Staff who handle sensitive data may perceive, interpret, and mishandle EHR information because they misjudge the privacy risk, give in to curiosity, or have poor security awareness. They may also be vulnerable to social engineering.

Role-Based Access Control

The organization should have a policy in place regardless of its size. Role-Based Access Control (RBAC) is a security model that restricts access based on a user’s assigned job role within an organization. This means employees can see only the minimum necessary information required for their responsibilities, and nothing else by default.
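To make the RBAC and minimum-necessary idea concrete, here is an added example (not code from the newsletter or from any EHR vendor) of a deny-by-default role table over the chart sections listed earlier, with a view function that returns only what the role may see and an audit entry for every request, allowed or denied. The role names, section names, sample chart and employee IDs are constructed for illustration.

```python
from datetime import datetime, timezone

# Chart sections follow the headings used in this article. Deny by default:
# a role may view only the sections under VIEW and change only those under EDIT.
VIEW = {
    "receptionist": {"identifying", "insurance", "appointments"},
    "billing":      {"identifying", "insurance", "appointments"},
    "nurse":        {"identifying", "medications_allergies", "test_results",
                     "clinical", "appointments"},
    "physician":    {"identifying", "medications_allergies", "test_results", "clinical",
                     "medical_history", "immunizations", "behavioral", "appointments"},
}
EDIT = {
    "receptionist": {"identifying", "appointments"},
    "billing":      {"insurance"},
    "nurse":        {"test_results", "clinical"},
    "physician":    {"clinical", "medications_allergies", "test_results", "behavioral"},
}

# Every decision, allowed or denied, is recorded: who, when, which patient,
# which section, and whether it was a change. (In production: append-only store.)
AUDIT_LOG: list[dict] = []


class AccessDenied(PermissionError):
    pass


def is_permitted(role: str, section: str, action: str) -> bool:
    table = {"view": VIEW, "edit": EDIT}.get(action)
    if table is None:
        return False                           # unknown action -> deny
    return section in table.get(role, set())   # unknown role -> deny


def _record(user, role, mrn, section, action, allowed):
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "patient": mrn,
        "section": section, "action": action, "allowed": allowed,
    })


def view_chart(user, role, mrn, chart, sections):
    """Return only the requested sections this role may see; log every request.
    A denied request (e.g. a receptionist asking for 'behavioral') is itself a
    signal worth reviewing, so it is logged rather than silently dropped."""
    visible = {}
    for section in sections:
        allowed = is_permitted(role, section, "view")
        _record(user, role, mrn, section, "view", allowed)
        if allowed and section in chart:
            visible[section] = chart[section]
    return visible


def edit_section(user, role, mrn, chart, section, new_value):
    allowed = is_permitted(role, section, "edit")
    _record(user, role, mrn, section, "edit", allowed)
    if not allowed:
        raise AccessDenied(f"{role} may not edit {section}")
    chart[section] = new_value


# Constructed sample chart for one patient.
SAMPLE_CHART = {
    "identifying": {"name": "A. Smith", "dob": "1980-01-01"},
    "insurance": {"policy": "XYZ-123"},
    "clinical": ["2024-03-01 progress note"],
    "test_results": {"a1c": 5.4},
    "behavioral": ["therapy note"],
}

if __name__ == "__main__":
    chart = dict(SAMPLE_CHART)
    print(view_chart("e100", "receptionist", "p0002", chart,
                     ["identifying", "insurance", "behavioral"]))
    print([e for e in AUDIT_LOG if not e["allowed"]])
```

Two design points matter more than the table contents: an unknown role or action denies rather than falling through to a default, and the denied request still lands in the audit log, which is what lets the review described earlier catch a receptionist repeatedly asking for therapy notes.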

The million dollar question: how do you know whether this or any organization has controls in place? You don’t. You do have a responsibility to yourself to take action. You do not have to contact the organization first. You can file a complaint with the US Department of Health & Human Services (HHS) Office for Civil Rights (OCR) online (fastest), by mail, fax, or email, and you can ask OCR not to reveal your identity to the organization, though that can limit what OCR is able to investigate. Complaints must generally be filed within 180 days of when you learned of the act.

If you would rather not work with the US government, go to the organization directly. Under HIPAA’s Privacy Rule you have a right to an accounting of disclosures (who your records were disclosed to, going back up to six years, though you can ask for a shorter period), and the organization must respond within 60 days. Be aware of the gap: routine internal use by staff for treatment, payment, and operations is not required to be in that accounting, so ask separately for the internal access (audit) log for your record. The Security Rule requires the organization to keep such audit logs, but it is not obligated to hand them to you; a refusal, or an inability to produce them, is worth noting in any complaint.

Ask: “I am requesting an accounting of disclosures and an access log for my electronic health record for the past 12 months.”


How do you protect your records and yourself?

It is a violation of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 for someone to access your records without a need-to-know. This United States federal law, through its Privacy and Security Rules, protects the privacy, security, and confidentiality of your medical records and information.

Learn more on how to protect yourself with tips in March’s issue of the Human Perimeter.
