Situation:
I have 1099 employees, one being an acupuncturist. However, all patients that come in fill out intake forms. My acupuncturist is requesting that her patient notes not be visible to anyone in the practice but herself. Further, when we migrated EMRs, those patient notes were transferred into our new EMR system in a location where all providers could see past notes by our acupuncturist (should they go look at them), which I know would violate HIPAA unless there was a legitimate reason for another provider to go read those notes.
So my questions are:
1. Is this "legal" regarding recordkeeping/HIPAA?
2. How should I handle this situation?
Answer:
The practice, as the covered entity, holds ownership and ultimate responsibility for the PHI, including the acupuncturist’s notes. The notes form part of the practice’s legal medical record, not the acupuncturist’s personal domain. The practice retains the discretion to determine how PHI is managed within its systems, provided it aligns with HIPAA’s permissible uses, such as treatment or operations. Her request to limit visibility to herself conflicts with the practice’s authority, as it implies a level of control she doesn’t possess as a business associate. Assuming there is a BAA, it should stipulate that the acupuncturist may use and disclose PHI solely to fulfill her contracted duties and must adhere to the practice’s HIPAA policies. Her request to restrict access exceeds her role as a business associate. Indeed, HIPAA permits the practice to share PHI internally among its workforce and business associates for HIPAA permitted purposes (e.g., treatment, payment, operations). Granting her request fully could impede this permissible sharing, potentially disrupting patient care.
A concerning issue is the practice’s lack of safeguards to limit access to that which is the minimum necessary PHI needed by others to view the acupuncturist’s past (and perhaps future) notes. The Minimum Necessary Rule requires the practice to limit PHI access to what’s required for the job function/role. The current EMR configuration, allowing all providers to view the past notes (and potentially future notes), risks noncompliance if not all providers need access to that PHI. That being said, the fact that the past notes are accessible to all providers doesn’t inherently constitute a disclosure – there must be actual viewing of the notes to constitute a disclosure and HIPAA violation. Notwithstanding, the lack of access controls requires remediation to mitigate this existing risk. Note the foregoing applies equally to non-provider personnel.
Below are recommended remediation steps to mitigate the risk of an impermissible use/disclosure of the notes:
BAA Review:
- Review the BAA (assuming one exists) to verify that it clarifies the practice’s ownership of PHI and authority over access controls. If one exists and it’s needed, amend it to reinforce these points to ensure the acupuncturist understands her role. If no BAA exists, get one in place.
- Recommended timeline: Within 30 days.
Implement Access Controls:
- Implement role-based access controls by adjusting the EMR configuration to restrict past (and future) note visibility to the acupuncturist, excluding other providers and personnel who don’t need access (e.g., billing unless for claims) to comply with the Minimum Necessary Rule and HIPAA security requirements. The practice’s HIPAA policies should include these safeguards or be updated accordingly.
- Recommended timeline: Immediate priority.
Audit EMR Logs:
- Review the EMR access logs to determine who has accessed her notes, document findings, and address any unauthorized views promptly.
- Recommended timeline: Within 30 days. Thereafter, the practice should be auditing the EMR logs periodically to ensure authorized access only to maintain compliance with HIPAA requirements and the practice’s HIPAA policies (which should include audit and monitoring procedures for its systems).
Access Assessment:
- If other providers or personnel need access to her notes, the practice should document an assessment of this need, identifying who needs access and why (e.g., for collaborative care, billing, etc.). This documented assessment is tied to several provisions in the HIPAA Privacy and Security Rules, particularly those related to implementing reasonable safeguards, ensuring the minimum necessary standard, and maintaining policies for PHI access. 45 CFR §164.530(i)(1) - Policies and Procedures; 45 CFR §164.502(b) & §164.514(d) - Minimum Necessary Rule; 45 CFR §164.308(a)(4) -Administrative Safeguards, Information Access Management.
- Recommend timeline: Within 30 days for any current workforce members who have a known need. Thereafter, as needed and prior to granting access.
____
The Real Talk article series includes real customer questions and our answers. Since these are questions directly from actual clinics, practices, hospitals, and businesses, we thought you might have these questions too. We hope that you find this format helpful. Stay tuned for more Real Talk - your question might even be featured!