New Software to Protect Patient Privacy

New software is being installed on December 5, 2016, to increase protections for patient privacy. The software, called Patient Privacy Intelligence and created by FairWarning, will scan electronic medical records (EMR) in Epic to detect unauthorized and inappropriate access to patient medical records. If irregularities are found, the software will provide reports that will be reviewed and investigated by the Information Security and Privacy (ISP) staff, led by Phil Curran, CISO & CPO, and Human Resources (HR).

All Cooper employees must understand that there is a difference between what you may access in your role as a health care professional who is treating another Cooper employee and what you may access in your role as a coworker.

As a health care professional and/or employee, you have access to information which you need to know to perform your job (treatment, operations, or payment) and provide care to your patients. When a Cooper employee is the patient, whether in an ambulatory or hospital location, they are afforded the same privacy rights as any other patient. In general, this means that you may, without the patient’s permission:

  • Discuss the patient’s care with other providers within and outside of Cooper, e.g., a Cooper physician discussing a hospital stay with the patient’s primary care physician.
  • Discuss the patient’s care with the patient’s designee.
  • Provide a copy of the patient’s medical record to a specialist, nursing home, rehab center, etc., for ongoing treatment.

You may not access or review the medical record of another employee because you are concerned about him or her or because you are curious. If you access the medical record of any individual for a reason not related to the performance of your job and without a signed, written authorization from that person, that is a HIPAA violation and is subject to Cooper disciplinary action as well as potential personal liability under the law.

How will Cooper investigate potential violations?

We recognize that employees sometimes receive treatment from physicians in the same offices where they work, and, in the course of their job requirements, other employees in that office will legitimately need to access those medical records. In all cases, Cooper ISP and HR staff will conduct a thorough investigation, including interviews, to determine whether access was permissible.

If it is determined that an employee’s access of a coworker’s medical records was not job related and was, therefore, a HIPAA violation, the violator will be terminated, in accordance with Cooper’s Sanction Policy.

Cooper reserves the right to vary the discipline based on the existence of mitigating or aggravating circumstances. These requirements and limits apply to all Cooper personnel and medical staff members. If you have any questions, please call Cooper’s Chief Information Security and Privacy Officer, Phil Curran, at 856.361.1697 or email Privacy Officer@CooperHealth.edu.