Do You Have Permission to Access Patient Records?

As we move into week three of CyberSecurity Month, our focus is on protecting the privacy of our patients’ information.

HIPAA regulations can be confusing and sometimes misunderstood. There is a difference in what you are allowed to access in your role as a health care professional/employee versus what you may access in your role as a parent, family member, or neighbor.

As a health care professional and/or employee, you have access to information which you need to know to perform your job and provide care to your patients. In general, this means that you may, without the patient’s permission:

  • Discuss the patient’s care with other providers within and outside Cooper, for example, a Cooper physician discussing a hospital stay with the patient’s primary care physician.
  • Discuss the patient’s care with the patient’s care designee.
  • Provide a copy of the patient’s medical record to a patient’s specialist, nursing home, rehab center, etc.

Actions such as those above are defined under HIPAA as “purposes of treatment.” Purposes of treatment means those activities that you are performing as part of your job at Cooper as a professional, treating provider. Unless you are accessing the patient’s medical record as part of your Cooper job responsibilities to treat the patient, you are not accessing the record for purposes of treatment.

A HIPAA violation occurs when an employee (physician or otherwise) accesses the medical record of any individual for a reason that is not related to the performance of the employee’s job responsibilities (treatment, payment, or operations), unless Cooper has a signed written authorization from the patient authorizing the employee or physician to allow access to their medical record.

The following outline summarizes conduct consistent with Cooper policy and HIPAA requirements (acceptable) versus conduct that is not (unacceptable) and the disciplinary process that will follow unacceptable conduct. This policy will apply to all employees including physicians:

Accessing your own medical record: It is acceptable to access your own medical record. (Cooper prefers that, in lieu of accessing your own medical record, you set up a myCooper account, which can be accomplished by contacting your PCP office.)

Accessing the medical record of an adult family member living within your household with a signed written authorization: The authorization form must be signed prior to the access and scanned into the patient’s Epic medical record, and is good for one year. Acceptable to access the medical record, assuming there is no malicious intent. (Cooper prefers that, in lieu of accessing the patient’s medical record directly, you set up a proxy access in myCooper, which can be accomplished by contacting the patient’s PCP office.)

Accessing the medical record of an adult family member living within your household outside of payment, treatment, and operations without a signed written authorization: Unacceptable.

  • First Offense: Written warning and re-education, assuming there is no malicious intent.
  • Second Offense: Termination.

Accessing the medical record of your custodial minor family member under the age of 12: Acceptable to access the medical record, assuming there is no malicious intent.

Accessing the medical record of your own minor family member over the age of 12 outside of payment, treatment, and operations: Unacceptable.

  • First Offense: Written warning and re-education, assuming there is no malicious intent.
  • Second Offense: Termination.

Accessing the medical record of all other adult individuals with a signed written authorization: The authorization form must be signed prior to the access and scanned into the patient’s Epic medical record, and is good for one year. Acceptable to access the medical record, assuming there is no malicious intent. (Once again, Cooper prefers that you set up proxy access in myCooper in lieu of accessing the patient record directly.)

Accessing the medical record of all other adult individuals outside of payment, treatment, and operations without a signed written authorization: Unacceptable to access the medical record.

  • First Offense: Termination.

Accessing the medical record of all other minor individuals outside of payment, treatment, and operations: Unacceptable to access the medical record.

  • First Offense: Termination.

Cooper reserves the right to vary the discipline outlined above based on the existence of mitigating or aggravating circumstances.

These requirements and limits apply to all Cooper personnel and medical staff members. If you have questions, please call Cooper’s Privacy Officer, Phil Curran, at 856.361.1697 or email PrivacyOfficer@cooperhealth.edu.