COVID, Privacy, and HIPAA Violations

The Cooper Privacy Department monitors access to patient medical records. With COVID numbers rising across the country, we are all concerned about ourselves and our family members. Recently, we have seen a significant surge in HIPAA violations where employees are accessing a family member’s medical record to review COVID test results without the family member’s written permission.

We would like to take this opportunity to remind you that, as Cooper employees, we all have the responsibility to protect the privacy of patient information. You have access to information you need to perform your job and provide care to your patients. In general, this means that you may, without the patient’s permission:

  • Discuss the patient’s care with other providers within and outside Cooper, e.g., a Cooper physician discussing a hospital stay with the patient’s primary care physician.
  • Discuss the patient’s care with the patient’s care designee.
  • Provide a copy of the patient’s medical record to a patient’s specialist, nursing home, rehab center, etc.

Actions such as those above are defined under HIPAA as “purposes of treatment.” “Purposes of treatment” means activities that you perform as part of your job at Cooper. UNLESS you are accessing the patient’s medical record as part of your Cooper job responsibilities to treat the patient, you are NOT accessing the records for purposes of treatment.

A HIPAA violation occurs when an employee accesses the medical record of any individual (including a family member) and that access is not related to the performance of the employee’s job responsibilities (payment, treatment, or operations), unless Cooper has a signed written authorization from the patient authorizing the employee to access their medical record.

The following outline summarizes conduct consistent with Cooper policy and HIPAA requirements (acceptable) versus conduct that is not (unacceptable) when accessing the medical record of a family member living within the confines of your home. It also outlines the disciplinary process that will follow unacceptable conduct. This policy will apply to all employees including physicians:

  • Accessing your own medical record – Acceptable to access your own medical record for view and print only. You may not make changes to your medical record. (Cooper prefers that in lieu of accessing your own medical record, you set up a myCooper account, which you can accomplish in any Cooper office.)
  • Accessing the medical record of an adult family member living within the confines of your home with a signed written authorization. The authorization must be signed prior to the access, scanned into the patient’s medical record and is good for one (1) year – Acceptable to access the medical record, assuming there is no malicious intent. (Cooper prefers that, in lieu of accessing the patient’s medical record directly, you set up a proxy access in myCooper, which can be accomplished by contacting the patient’s PCP office.)
  • Accessing the medical record of an adult family member living within the confines of your home outside of payment, treatment, or operations without a signed written authorization – Unacceptable to access the medical record.
    • First Offense – Written warning and re-education, assuming there is no malicious intent.
    • Second Offense – Termination.
  • Access the medical record of your custodial minor family member under the age of 12 – Acceptable to access the medical record, assuming there is no malicious intent.
  • Accessing the medical record of your custodial minor family member outside of payment, treatment, or operations from 12 years old to 18 years old[1]
    • First Offense – Written warning and re-education, assuming there is no malicious intent.
    • Second Offense – Termination.

The following outline summarizes conduct consistent with Cooper policy and HIPAA requirements (acceptable) versus conduct that is not (unacceptable) when accessing patient medical records. It also outlines the disciplinary process that will follow unacceptable conduct. This policy will apply to all employees including physicians:

  • Access the medical record of all adult individuals with a signed written authorization. The authorization must be signed prior to the access, scanned into the patient’s Epic medical record and is good for one (1) year – Acceptable to access the medical records, assuming there is no malicious intent. (Cooper prefers that you set up proxy access in myCooper in lieu of accessing the patient record directly.)
  • Access the medical record of all adult individuals outside of payment, treatment, and operations without a signed written authorization – Unacceptable to access the medical record.
    • First Offense – Termination.
  • Access the medical record of all other minor individuals outside of payment, treatment, or operations – Unacceptable to access the medical record.
    • First Offense – Termination.

Cooper reserves the right to vary the discipline outlined above based on the existence of mitigating or aggravating circumstances.

These requirements and limits apply to all Cooper personnel and medical staff members. If you have questions, please call Cooper’s Privacy Officer, Phil Curran, at 856.361.1967 or email privacyofficer@cooperhealth.edu.

[1] Under NJ law, minors are treated as adults for purposes of consent to treatment in certain areas, including pregnancy, venereal disease, HIV, drug and alcohol dependency, and in treatment in connection with a sexual assault. Since Epic does not provide a mechanism to limit access to these protected areas, the expectation is that the employee will communicate with HIM to obtain the medical record so HIM will have the opportunity to redact any information protected by the statutory prerogatives for minor’s consent to care.