New auditing system protects patient privacy

The following message is from Harris Frankel, M.D., chief medical officer, Nebraska Medicine; Debra Bishop, privacy officer, Nebraska Medicine; Aileen Warren, director, UNMC Department of Human Resources; and Frank Venuto, chief human capital officer, Nebraska Medicine.

Dear colleagues,

As part of our continued commitment to ensuring patient privacy at Nebraska Medicine, we will begin using the Iatric auditing system next week. The system will be particularly beneficial as the U.S. Department of Health and Human Services’ Office for Civil Rights launches the 2016 Phase 2 HIPAA (Health Insurance Portability and Accountability Act) Audit Program. This program audits health care organizations, health plan providers and business associates to monitor HIPAA compliance.

The Iatric system is automated and currently receives feeds from Nebraska Medicine HR, UNMC HR, McKesson, Sunquest and Epic. Additional systems will be added over time. It will automatically detect violations of patient privacy within the electronic medical record as they occur. This should not impact your daily functions, as policy is already in place to ensure that patient information is only accessed by those with a need to know the information as part of their assigned, current, job-related responsibilities. Remember, unauthorized access can lead to termination of employment and can also result in UNMC program dismissal.

As a reminder, HIPAA defines the circumstances in which colleagues may use/access protected health information (PHI). The primary permitted reasons for access are for treatment, payment and health care operations. This includes:

  • Members of the workforce who are responsible for providing treatment or coordinating or managing care and related services may access patient information to provide those services.

Access for any other reason is subject to the Minimum Necessary Rule, ensuring access is limited to the minimum amount of PHI needed to accomplish the intended purpose. Minimum necessary guidelines apply to the following:

  • Members of the workforce who are responsible for payment activities may access patient information to fulfill that responsibility.
  • Members of the workforce who have responsibility for health care operations such as quality assessment and improvement, case management, competency assurance and credentialing, compliance programs, risk, and administration may access patient information to fulfill those responsibilities. Health care operations include conducting training programs in which students, trainees or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.

Colleagues are permitted to log in to their own electronic health records, but are not allowed to view records belonging to family members, including spouse, parents or children, regardless of age. Patients cannot override the policy by providing permission. If a patient wants to share information, he/she should request a copy from Health Information Management or should give you proxy access to his/her online patient portal account.

If you have questions about whether access is appropriate, please contact the Privacy Office: Debra Bishop, privacy officer, at 402-559-5136, or Michelle Thompson, privacy analyst, at 402-559-3929.

As health care providers, we take our responsibility for our patients’ privacy very seriously, knowing that any unauthorized access to PHI breaks patient trust. If patients do not feel that they can trust that their information is secure, they may withhold it or choose another organization to provide their care. The consequences to our reputation could be worse than any fines imposed on individuals or institutions who do not comply with HIPAA, which can be in the millions of dollars.

Thank you for your continued commitment to keeping our patients’ information secure.