Medical Records: You Snoop . . . You Lose

Medical Records: You Snoop . . . You Lose

Access patient information only for legitimate business reasons

The Health Insurance Portability and Accountability Act (HIPAA), state laws, and our policies prohibit unauthorized access to protected health information (PHI). This means that unless you have a legitimate business reason to access a patient’s record, you should not access, use, or disclose it. This includes records of:

  • family and friends
  • significant others or exes
  • neighbors
  • celebrities and politicians


Access must be the minimum necessary

Even when interacting with PHI for a business reason, you should access, use, or disclose only the minimum necessary to accomplish the task you are trying to accomplish.

  • A billing clerk may need to know that a particular test was performed, but not the results of the test.
  • When making an appointment, a scheduler may need to look at when the previous appointment was, but not the patient’s entire schedule history.
  • A provider may need to access a patient’s family history in the patient’s record, but should not go into the actual records of the family members.


Auditing and monitoring

Our organization takes patient privacy seriously and proactively audits and monitors our employees’ access to patient records. You may be asked to explain your activity; failure to provide a valid explanation may result in disciplinary action.

We are legally required to investigate suspected inappropriate access. Furthermore, we will report privacy breaches to patients and government authorities. Penalties Inappropriate access, use, or disclosure of PHI can lead to penalties from various sources:

  • Federal law: up to and including $250,000 and imprisonment for 10 years
  • State law: California, for instance, provides that individuals can be fined $25,000 to $250,000
  • Employment: up to and including loss of privileges and termination


The penalties are real . . . and serious

Image: HIPAA Penalties

Content provided by Beazley Group | Beazley Breach Solutions

Business Associate and Business Associate Agreements

A Business Associate (“BA”) is a third party that performs services or functions that require the use of or access to protected health information (“PHI”) for an entity that is covered by Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). It can also be a subcontractor of someone who does business with the entity, when that subcontractor might have access to this same information.

HIPAA requires that we have a signed agreement with our business associates. This agreement lists obligations and responsibilities of both organizations pertaining to the protection and use of the PHI. The agreement is called a Business Associate Agreement (“BAA”).

In order to determine whether you need a BAA, you need to know if PHI will be accessed or transferred to someone outside of our organization. A more detailed definition can be found on page (3), but PHI can be broadly defined as follows:

Any oral or recorded information relating to past, present, or future physical or mental health of an individual, the provision of health care to the individual, or the payment for health care and that also contains information which makes it possible to identify the individual.

Do you need a BAA?

Please see the Decision Tree below.

View Decision Tree

Image: BAA Decision Tree

If you need a BAA, where do you find it?

Contact the Chief Legal Officer or Compliance Office for a copy of ARHS’s approved BAA. If the BA that you are working with requests you use their BAA, it will need to be reviewed by the CLO prior to signing.

How long is the agreement valid?

Due to revisions in the federal code, any BAAs completed prior to 2016 needs to be reviewed to ensure that they are still valid. Otherwise, each agreement should have an effective date and a termination date.

Who can approve the BAA?

All BAAs should be forwarded to a VP or higher for approval/signature. After the agreement has been signed by both parties, a copy should be sent to Deatra Sellers so that it can be included in our contract database.


Call either the CLO at 828-266-8915 or the Compliance Office at 828-262-4239.

Key Terms

  1. PHI is defined as, “Any oral or recorded information relating to past, present, or future physical or mental health of an individual, the provision of health care to the individual, or the payment for health care and that also contains information which makes it possible to identify the individual.” The eighteen (18) types of information that quality as PHI according to guidance from the department of Health and Human Services Office for Civil Rights are :
      • Name;
      • Geographic subdivisions smaller than state: street address, city, county, precinct, zip code;
      • Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89;
      • Telephone number;
      • Fax number;
      • Email address;
      • Social Security number;
      • Medical record number;
      • Health plan beneficiary number;
      • Account number;
      • Certificate/license number;
      • Vehicle identifiers, serial number, or license plate numbers;
      • Device identifiers or serial numbers;
      • Web URLS;
      • IP address;
      • Biometric identifiers, such as fingerprints or voice prints;
      • Full-face photos; and
      • Any other unique identifying numbers, characteristics, or codes.
  1. “Members” of an ARHS workforce include employees, volunteers, interns, and other whose conduct in the performance of work is directly under the control of an ARHS entity. Individuals can be members of an ARHS entity’s workforce even if they are paid by another party, as long as their work is managed and controlled by an ARHS entity.


Other Instances in which a BAA may not be Required

In addition to the most commonly occurring situations mentioned above, there are other instances in which a BAA may not be required for disclosure by an ARHS entity, including:

      • Disclosures to governmental agencies pursuant to official investigations (e.g., Centers of Medicate and Medicaid Services, US Department of Health and Human Services Office for Civil Rights, US Food and Drug Administration, Federal Bureau of Investigations)
      • Disclosures to FDA-regulated medical device manufacturers for adverse event reporting or for other purposes relating to the quality, safety, or effectiveness of a FDA-regulated device. Research conducted pursuant to ARHS policies and in which appropriate informed consent forms are obtained from the subjects of the research.
New Incident Reporting Procedure

New Incident Reporting Procedure

As you know, our policy at ARHS is to report all unusual occurrences involving patients, personnel, or visitors in any ARHS area or department. Any incident that is not consistent with our normal routine, regardless if there is an apparent injury or not should be reported. Our goal is to learn from those incidents reported so that we can evaluate the processes that impacted that event and to help our staff in behaviors choices if needed. I want to thank each of you that have reported events for helping us make ARHS safer for all.

Incident Submission IconWe have been using an on-line reporting system called RiskWeb for several years. We will be moving to a new system called C360. By April 1st, an icon will replace the RiskWeb icon on your desk top.

You will receive a TEDS module to review that will give you screen shots for how to submit and if you are a manager, steps for how to review an incident. You will continue to be able to report an incident by using the incident reporting hotline at 828-386-2034 or at WMC extension 62034.

Just as a reminder, you still need to use the Employee Injury Report for employee injuries and exposures. That form includes information that is needed for Worker’s Comp and OSHA reports.

If you have any questions or need help, please call 828-262-4239 or the Clinical Risk Manager at 263-1207.