hamstergang

may or may not contain hamsters
7+ Year Member
May 6, 2012
1,903
1,812
NJ
Status
Attending Physician
I'm curious to see what others think of this. I'm a little unsure how to search online for the answer as this scenario doesn't seem too common. However, for those of us in training, it certainly can happen as we end up at multiple rotation sites.

I'm at outpatient site X and see a patient there. She was seen for the past 7 years until 3 months ago at outpatient site Y. These sites are not linked in any way, but I also work at the hospital of site Y and so have access to their EMR. Can I, in my role as the treating physician of the patient at site X, read the medical records from site Y without the patient's explicit consent?

For the 'no' column: the patient does not know that I have access to Y's records and has not authorized me to see them.

For the 'yes' column: I don't need the patient's permission to speak with the prior doctor at site Y, so I shouldn't need permission to read the records myself.
 

Doctor Bagel

so cheap and juicy
Moderator Emeritus
15+ Year Member
Sep 26, 2002
10,919
1,122
from the ministry of information
Status
Attending Physician
You need explicit permission. Access to their chart in one location doesn't equal access to their chart in another location. Now I'm curious how this works with things like Epic Everywhere where you can see epic data from other locations. I'm guessing you sign some form of consent to make that allowable. We did have this very specifically explained to us regarding VA records in that we were not allowed to log into the VA to read about patients we might be seeing at our university site. It might be a bit of a grey area, but I'd be as conservative as possible in these types of situations.

Editing to add that I'm curious about epic everywhere and its protections. I got medical care through the same system that I worked for as a resident, and my records had extra protection because of that. Someone had to "break the glass" to look at my records, and I had the right to ask to see whoever looked at my information. I'm hoping that still applies for my records through epic everywhere.
 
hamstergang

> We did have this very specifically explained to us regarding VA records in that we were not allowed to log into the VA to read about patients we might be seeing at our university site.
Due to hospital policy, or the law? I can't find what law this would actually violate.
 

psych md jd

Better safe than sorry.
7+ Year Member
Jun 12, 2012
199
208
Status
Attending Physician
No Fun Aloud.

I would call the HIPAA officer at hospital Y.
 

Doctor Bagel

> Due to hospital policy, or the law? I can't find what law this would actually violate.
It's true that my example with the VA might not pertain to other records because VA records are I guess extra protected in some way even beyond HIPAA. I still feel like it's enough of a grey area that I wouldn't go there unless I had more clarification and a really strong need to see the records.
 

michaelrack

All In at the wrong time
10+ Year Member
Dec 22, 2007
3,956
1,095
Memphis TN
Status
Attending Physician
It seems to me that this is more hospital policy and unauthorized (by the hospital) access to medical records than HIPAA. Even if you have signed consent by the patient, you would still need to go through proper procedure at the 2nd hospital to gain access to those records.
 

Raryn

Infernal Internist / Enigmatic Endocrinologist
10+ Year Member
Apr 25, 2008
7,705
6,624
Status
Attending Physician
I always look things up like this between our VA and our main hospital, as do all of my coresidents. Both ways. Actually navigating the system is 10000000x more efficient than going through 50 pages of printouts of the most useless nursing notes you can imagine.
 

gutonc

No Meat, No Treat
Staff member
Administrator
10+ Year Member
Mar 6, 2005
18,360
11,316
Status
Attending Physician
> I always look things up like this between our VA and our main hospital, as do all of my coresidents. Both ways. Actually navigating the system is 10000000x more efficient than going through 50 pages of printouts of the most useless nursing notes you can imagine.
We all did/do this. But it is explicitly prohibited by the VA.

As to the Epic CareEverywhere, it depends on what the host institution's "Consent for Treatment" said at the time of the patient signing it. Most of them now say something to the effect of allowing the transfer of your medical records to/from other institutions, as necessary for your care here at Man's (or at least the Neighborhood's) Greatest Hospital. This allows for "seamless" sharing of records. It's no different than if the records were faxed from Hospital X to Y and then scanned in Y's EMR.

The issue with access at multiple hospital systems is somewhat alleviated by the fact that, if you are an employee of Hospital X but don't have a medical record at Hospital Y (despite working at Hospital Y), nobody can see your record through CareEverywhere because, as far as Hospital Y is concerned, you do not exist. If you do happen to have an MRN at Hospital Y, just request "break the glass" status there if it's not automatically granted and you're good to go. I am credentialed at 4 different hospital systems (8 hospitals in total), all of which use Epic. I checked myself out once out of curiosity and only have a record at the hospital where I have actually received care. No idea whether or not, if I was taken to one of those other hospitals in an emergency (it's literally every non-VA hospital in a 150 sq mile radius), if I would be a "break the glass" player there or not.
 

Raryn

> We all did/do this. But it is explicitly prohibited by the VA.
*shrug*. Been doing it for going on five years now (at two different systems) and no one has mentioned anything except gratitude for the ability to find the relevant records. And that's with various chief of X as my attendings at both places. If I get in trouble, I'll stop. As long as it's for patient care, I can't imagine they'll fire me... (I'm not exactly looking up Kim Kardashian's records out of sheer curiosity)
 

gutonc

> *shrug*. Been doing it for going on five years now (at two different systems) and no one has mentioned anything except gratitude for the ability to find the relevant records. And that's with various chief of X as my attendings at both places. If I get in trouble, I'll stop. As long as it's for patient care, I can't imagine they'll fire me... (I'm not exactly looking up Kim Kardashian's records out of sheer curiosity)
We were warned about it at the beginning of each year (6 years in a system with University and VA that are physically connected by a pedestrian bridge) and then nobody said anything ever again. Just pointing it out for the kids out there.
 

dozitgetchahi

10+ Year Member
Oct 21, 2008
1,583
611
Status
Fellow [Any Field]
Our residency covers 4 different hospitals with three different EMRs (one of which is a VA medical center).

For the record, every single resident and/or fellow in our GME system has done exactly what the OP is describing at some time or another; our residency program appears to officially condone this. In fact, we have a dedicated computer located inside the VA in the residents' break room that connects to the network of the university hospital for access. This was officially condoned and set up by our department of medicine explicitly for this purpose, and its use is 100% allowed and encouraged. It is also extremely common to see fellows (who are usually taking consults at multiple hospitals at once) logging into one of the other hospital systems' EMRs (including CPRS) to complete notes on patients they saw at one of the other hospitals. This is not only considered 100% permissible, but in fact essential to the survival of our otherwise overworked and stressed out fellows.

Very surprised to see all the drama above with regards to this question. I figured this was a no brainer, especially with the proliferation of remote access. I have VPN access to all EMRs at my institution; do I need 'express permission' to check records from home (which every single housestaff in our program does, including VA records)? I call bull****.

(Now I know VA records are probably covered by some extra layer of rules that don't apply anywhere else, but the OP's question doesn't appear to be referring to a VA anyway).
 

aProgDirector

Pastafarians Unite!
Moderator
10+ Year Member
Oct 11, 2006
8,280
7,163
Status
Attending Physician
I am amazed at the above answer. From my viewpoint, the answer is very clear. You can't access records at any hospital without the patient's permission. If you see the patient at Hospital X and you know they are seen at Hospital Y, and you have EMR access at both, it is absolutely a HIPAA violation to access their records at Hospital Y without a release. Hospital Y is not going to care that you are seeing them at Hospital X. You need a release. There is no legal grey area here. Sure, people may "do this all the time", and most of the time no one will care. But it's not allowed.

Let's be clear -- it's perfectly OK to access the EMR from home to read records at Hospital X when you're going to see a patient at Hospital X the next day. Once the patient books an appointment with you, that gives you implicit permission to access their records. What you can't do is log into Hospital Y and Hospital Z to see what's happened there.

> For the 'yes' column: I don't need the patient's permission to speak with the prior doctor at site Y, so I shouldn't need permission to read the records myself.
Although you do not need anyone's permission to speak with the prior doctor, the prior doctor ABSOLUTELY needs permission to speak to you. Again, they need a release. If someone calls you from another hospital asking for information about a patient, your answer should be "no comment".
 
hamstergang

> Although you do not need anyone's permission to speak with the prior doctor, the prior doctor ABSOLUTELY needs permission to speak to you. Again, they need a release. If someone calls you from another hospital asking for information about a patient, your answer should be "no comment".
I'm a little torn here because I always hear people say this, but when I try to look it up I only see the opposite:
"The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual."
http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures/271.html

Am I misinterpreting something?
 

Raryn

> Although you do not need anyone's permission to speak with the prior doctor, the prior doctor ABSOLUTELY needs permission to speak to you. Again, they need a release. If someone calls you from another hospital asking for information about a patient, your answer should be "no comment".
If that provider has reason to believe you are involved in the continued care of the patient, no formal consent is needed. The only reason hospitals request signed forms is a CYA mechanism in case someone is attempting to fraudulently obtain information and the patient later tries to sue or report them to the government. It's not actually a legal requirement, just one that theoretically provides them some measure of protection.

As for using your access for another system, I personally know dozens if not hundreds of people with access to multiple systems who do this frequently, even copy/pasting results from one chart to another, with no one ever blinking an eye at it. That includes residents working directly under privacy officers or chiefs of medicine or whatnot. Including myself last week under the associate chief of medicine at our local VA. I'd say it's a lot grayer of an area than you think, given that in that case you're 100% certain that the provider accessing the records (...you) is involved in the continuing care of that patient.
 

Raryn

Oh, and even the VA in their privacy training which I have done every year for the last 5 years states, and I quote:

With a few exceptions, sharing individually identifiable information with a provider within or outside of the VHA system for the purposes of treatment (or payment for healthcare operations) does not require prior written authorization of the patient.

The exceptions, for which prior written authorization is required, include:

  • Exception 1 — Information related to VA treatment of Drug Abuse, Alcoholism, Sickle Cell Anemia and HIV (DASH) (by order of: 38 U.S.C. 7332) if communicated outside of VA facilities or to non–VA providers.
  • Exception 2 — Psychotherapy notes (even between VA facilities).
That is *written* in the TMS privacy training. Flat out. No authorization needed, even if they are outside the VHA system. This is followed by a number of questions (which I'm not sure if I can reproduce) where the correct answer is you do not need any authorization from a patient (written or verbal) to discuss continued care that doesn't fall into drug/etoh/hiv/sickle cell/mental health with any outside provider that is involved in the continued care of the patient. You can just call them up and talk to them.

Edit: Typos
 

RadOncDoc21

7+ Year Member
Oct 24, 2010
1,193
665
Status
Attending Physician
Can this be used inter/intra departmentally?

Eg: A patient can deny access to their derm records but allow access for their neurology records. Or a patient can deny doc A in surgery access but not doc B who covers for them.

If so, we're all screwed!

This is in regards to this actually being a violation.
 
hamstergang

> This is followed by a number of questions (which I'm not sure if I can reproduce) where the correct answer is you do not need any authorization from a patient (written or verbal) to discuss continued care that doesn't fall into drug/etoh/hiv/sickle cell/mental health with any outside provider that is involved in the continued care of the patient.
Just to clarify, mental health information isn't extra-protected as a whole. Only drug/alcohol diagnoses and psychotherapy notes are.
 

psych md jd

> I'm a little torn here because I always hear people say this, but when I try to look it up I only see the opposite:
> "The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual."
> http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures/271.html
>
> Am I misinterpreting something?
HIPAA is federal law applicable to all states. Additionally, states may have additional restrictions. Then, the hospital may have their own policies on top of all of that.

I have always thought HIPAA allows past or current treatment providers/entities to disclose PHI w/o the patient's consent to other treatment providers/entities. The rationale was that the law should not impede treatment.

In the OP's situation, no provider/entity is disclosing PHI. Essentially it is DIY and it may violate state privacy laws. That's the main issue I see.
 

turkeyjerky

10+ Year Member
Sep 27, 2008
1,791
187
Status
Resident [Any Field]
> No Fun Aloud.
>
> I would call the HIPAA officer at hospital Y.
You're likely to get an overly conservative answer from the HIPAA compliance officer (whose chief concern is avoiding any possibility of a violation). Like the (patently false) statement that 'it's a HIPAA violation to look at your own medical records'. The scenario posed by the OP may or may not be a violation of their state's or institution's policies, but it's definitely not a HIPAA violation. S/He is the treating physician and has a right to view the medical record, as conveyed by the general consent to care.

Repeat after me: HIPAA is not meant to impede care.
 

psych md jd

I read the OP's situation as he is the treating provider at X, but not Y.

As a HIPAA officer myself, I was not aware that was possible.

Thanks for the info.
 

michaelrack

The issue appears to be not violating HIPAA directly, but violating the institution's policies/procedures that were instituted to comply with HIPAA (and may be more strict than required by HIPAA). Either one can get you fired (if you are caught and the institution chooses to crack down on you).
 

DoctwoB

7+ Year Member
Jan 10, 2010
1,719
811
Status
Resident [Any Field]
Further complicating the issue is that many of us now work in hospitals that are part of larger health systems with EMRs that were integrated at various times. I often don't know without looking at a specific note what piece of information came from where and what releases were signed.

I don't worry too much about it. If you are accessing records for legitimate purposes in patient care and are involved in treating that patient you are complying with the spirit, if not the letter, of hipaa and are unlikely to be punished.

Now if the hipaa officer looked at my texting history, on the other hand . . .
 

doc05

2K Member
15+ Year Member
May 24, 2003
3,517
1,435
U.S.A.
Status
As far as the OP's question, it's not a HIPAA violation, as the law is very clear in that sharing between/among providers doesn't require explicit permission from the patient.

On the other hand, medical records are property of each hospital. So hospital Y may require paperwork in order to release information to hospital X.

Then again, if patient care requires it, hospital Y absolutely must share information with hospital X.
 

maxxor

10+ Year Member
Apr 11, 2009
862
631
Status
Attending Physician
I also have looked into this pretty extensively, because it comes up a lot in radiology with old records when interpreting studies / following up on your interpretations. The main conflict comes where hospital privacy/HIPAA officers set more restrictive regulations than what HIPAA itself actually requires. In my reading, if you are involved in the patient's care team, you can use all the records you have access to, even if you are treating at site X and using records from Y or Z.

This comes up a lot for me in residency. My hospital is owned by a large organization with 9 member hospitals and tons of private groups that pool data into the many EMR systems. On top of that, we have built in linkages to two other independent multi specialty groups. If I'm interpreting an MRI at site X, it's expected that I review pertinent history from hospitals A-F or pertinent information from the many multi specialty groups I have EMR access to, even if I am only physically interpreting scans at site X. We don't rotate around at all.

> As far as the OP's question, it's not a HIPAA violation, as the law is very clear in that sharing between/among providers doesn't require explicit permission from the patient.
>
> On the other hand, medical records are property of each hospital. So hospital Y may require paperwork in order to release information to hospital X.
>
> Then again, if patient care requires it, hospital Y absolutely must share information with hospital X.
I'm not sure that it's settled legally who owns medical records. Is it the hospital who maintains the EMR? The patient? The individual physician who authors them? This appears to vary by state.

The patient controls access through HIPAA, but that doesn't mean they own them.
 

michaelrack

As an attending, I work at several different independent hospitals under various arrangements (employed physician, contracted physician, locum tenens doc, etc). At each I have signed agreements that I will only access patient info that I need to treat patients at that facility. If I directly access the records of John Doe at hospital A to treat him at hospital B, I can be disciplined/fired by hospital A. This would not be due to violating HIPAA, but due to violating hospital regulations.

Different rules may apply when working within a setting consisting of non-independent hospitals within a larger organization.
 

maxxor

> As an attending, I work at several different independent hospitals under various arrangements (employed physician, contracted physician, locum tenens doc, etc). At each I have signed agreements that I will only access patient info that I need to treat patients at that facility. If I directly access the records of John Doe at hospital A to treat him at hospital B, I can be disciplined/fired by hospital A. This would not be due to violating HIPAA, but due to violating hospital regulations.
>
> Different rules may apply when working within a setting consisting of non-independent hospitals within a larger organization.
How do these hospitals track this? How do they treat follow up of your patients? What if you are the author of notes at both facilities?


As a side note, there was a hilariously awkward moment at my orientation where the HIPAA officer said we are not allowed to follow up on patient scans we had read to see if the biopsy/pathology matched our radiographic diagnosis. One of the attendings in the audience said "this needs to be readdressed at the hospital level, because the entire department and residency program breaks that rule hundreds of times a day".
 

michaelrack

> How do these hospitals track this? How do they treat follow up of your patients? What if you are the author of notes at both facilities?
Right now I only do inpt psych. It doesn't matter who wrote the note. Access can be tracked through the EMR- it would be suspicious if at hospt A I looked up a patient's records when he wasn't currently an inpatient- probably wouldn't be caught, but it's a risk.
 

DrBowtie

Final Countdown
Moderator Emeritus
10+ Year Member
Feb 24, 2005
15,488
1,876
Classyville
Status
Resident [Any Field]
> How do these hospitals track this? How do they treat follow up of your patients? What if you are the author of notes at both facilities?
>
> As a side note, there was a hilariously awkward moment at my orientation where the HIPAA officer said we are not allowed to follow up on patient scans we had read to see if the biopsy/pathology matched our radiographic diagnosis. One of the attendings in the audience said "this needs to be readdressed at the hospital level, because the entire department and residency program breaks that rule hundreds of times a day".
Not to mention required by Mammo. Administrators gonna administrate.
 