Your spouse, family member or friend has some lab tests done and is anxious to get the results.
Coincidentally, you happen to work in the same healthcare system that he or she visits and can access their medical records. The family member or friend asks you to check whether the lab results are back and gives you permission to view his or her records. What should you do?
My advice is DON’T DO IT! Even if the family member or friend has given you permission to look it up. The HIPAA privacy and security rules clearly limit access to electronic protected health information (EPHI) to only those individuals who need the access to perform their job. So even if you are a doctor or a nurse and have access to EPHI, you are not allowed to access the medical records of any person other than your
Most healthcare organizations require their employees to sign a written attestation acknowledging the above EPHI access restrictions, and failure to comply leads to disciplinary action and even termination of employment. A recent case of a nurse fired from her job for accessing her husband’s lab results brings this matter to the forefront. In this case, even though the nurse in question had her husband’s permission to view his record, her employer had made her aware that, under the HIPAA privacy and security laws, she could only access those medical records that were part of her job responsibilities.
It may seem silly or absurd that the nurse in question lost her job over this and that the punishment does not fit the crime. You may even view it as the law going too far, but the fact is that the HIPAA privacy and security laws are in place to protect people’s medical records from being accessed by anyone else. Sometimes a spouse may not want his or her partner to know about a sensitive medical condition. Patients themselves can ask their healthcare provider for a copy of their personal health records if they so desire. There is no real need for anyone apart from your doctor or nurse to view your medical record.
Healthcare organizations are mandated under the HIPAA privacy and security laws to take all appropriate measures to safeguard protected health information. The Office for Civil Rights (OCR) has started auditing healthcare providers, and there are severe penalties for non-compliance. All healthcare organizations are required to have well-documented policies and procedures that clearly state the steps the organization has taken to secure patient data. Having a well-documented Sanction Policy is required under the administrative safeguards of the HIPAA Security Rule, which requires covered entities to:
“Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”
You may think that you are doing your spouse or friend a favor by looking up their lab results or other medical reports, but if it is not part of your job it is against the law, and it may result in the termination of your employment. So DON’T DO IT!!