Physician Update

24 INTEGRIS Employees Terminated in FY18 for HIPAA Privacy Violations 

From time to time, you may know someone in the hospital – a family member, friend, co-worker, church member, public figure, professional athlete, politician or other acquaintance. Please remember: if you are not part of the patient’s treatment team or do not need access to the EHR (electronic health record) to perform your job duties, you should not access that person’s EHR.

If you are not acting in your role as an employee, you must access PHI using the INTEGRIS procedures applicable to patients (SYS-IM-101). The INTEGRIS forms Authorization to Use or Share PHI and Patient Request for Health Information authorize HIM (Health Information Management) or other designated departments/clinics to release information. These forms do not allow a third party (including co-workers) to electronically access medical records. They allow the named person to go to HIM or the authorized department/clinic to obtain a copy of a record.

Please do not ask a co-worker or provider, including a PA or NP, who is not your established provider to review your electronic record or pull up test results (i.e., lab or diagnostic tests) you are waiting on. Use the INTEGRIS & Me patient portal or call your treating provider to obtain these records. If that co-worker or provider accesses your record outside of his/her job-related functions, he/she may be terminated. If you seek a second opinion, set an appointment with that provider to establish a provider-patient relationship for a second opinion.

Corporate Compliance audits the INTEGRIS EHR using a software program called FairWarning. This software runs 24/7/365 to identify all activities the user performs, including employee self-access, co-worker access and family member/same household access. A violation occurs when an employee accesses his/her own record, or that of a co-worker or family member, outside the scope of his/her job functions.

Examples of violations include (but are not limited to):
Looking up appointments in Epic
Looking up lab work or test results
Looking up prescriptions 
Looking up billing information or insurance payments 
Looking up co-worker birthdays
Logging into a computer in a patient room of a family member
Asking a co-worker to access employee information (that will result in corrective action for both employees) 
Not badging out, followed by someone else accessing the EHR information of the employee, a co-worker or a family member under the employee logon (employees are accountable for their actions and those taken under their logon).

We encourage you to refrain from looking at your record or the record of another person if it is not a legitimate part of your job. Please direct your medical record or billing inquiries to the patient portal, HIM or the Business Office. When you sneak a peek at electronic records when you are not acting in your role as an employee – either out of curiosity or malicious intent – it will likely end badly.

Eighteen employees were terminated for HIPAA privacy violations in FY17. So far in FY18, 24 employees have been terminated for privacy violations. These violations often require INTEGRIS to notify the patient (i.e., the co-worker or family member) or the government of the unauthorized access. Please contact Corporate Compliance if you have specific questions or would like to set up training. If you would like to report an unauthorized access, you may contact Corporate Compliance at 405-949-6081 or contact the Integrity Line at 888-243-9597. Integrity Line calls are not recorded or traced – you will remain anonymous. 

Questions?

Teresa Williams, J.D., vice president, Regulatory Service, Corporate Compliance and Privacy Officer 
405-951-4887