Possible HIPAA violation and consequences?

I never used Epic in my career, so, I am not sure on this.

Were you looking at the patient list, or can you search for doctors? If it is garbage and any names in a file are searched, that's, well, garbage.

But, if you were searching patient lists, that's approaching bad.
 
No, it was searching in the search function, like if you were to look up a patient on any other EHR in the hospital's database
 
My program director (PD) contacted me yesterday after compliance reached out to him (I think yesterday, but not sure) about me searching for a co-resident's name on Epic last month (November). Did not and have never opened any charts. I have searched for other colleagues' names in the past but have never opened any charts ever or heard about it (like compliance contacting my PD). This particular search I misspelled the name of the resident several times until getting it right, which is probably why it was reviewed by compliance.

The co-resident and I were talking about if residents were "searchable" on Epic the same way other general patients were, or if we were protected, so this was my explanation for why I searched their name. My PD didn't seem concerned and we filled out a form over the phone which he emailed back to compliance. Is anything going to come of this/am I going to be placed on probation or fired for violating HIPAA? Is this even a HIPAA violation? I'm really worried and even though I went through HIPAA training I didn't realize that even searching a name was considered a violation. He said compliance might reach out to me for more information but he can't say for sure.

Help appreciated. I didn't realize just searching names was a HIPAA violation and I'm embarrassed for what I did.

Yes, even searching a name can be considered a HIPAA violation. Especially in Epic, where a pretty detailed summary pops up whenever you even just select a patient's name (but do not open their chart). And ESPECIALLY in Epic, which is advanced enough that it can track your movements through it.

At my hospital, we were told that even looking at another clinician's schedule in a different department could potentially trigger an audit.

If nothing happens, then that is great. Compliance may reach out to you - assuming that you're not FOS, tell them what you were genuinely looking for. I would also encourage you to ask about activating the "break the glass" feature for residents, not just employees.
 
Well the problem is that I am not sure if this is going to trigger a review of my past searches, which would reveal the other colleagues I searched for. I don't have a good explanation other than just curiosity, obviously I didn't go into charts I was just...bored. I know that isn't a good excuse, I am just wondering what the likelihood is of this ending up on my permanent residency record/if this would be something I would have to reveal to fellowships and eventually a future state medical board down the line. I'm just an intern still figuring it out.
 

Oh. So you've searched for other colleagues before?

- Yes, compliance probably will do a deeper dive into your past searches.
- If that is the case, then your explanation for this current episode ("The co-resident and I were talking about if residents were "searchable" on epic the same way other general patients were, or if we were protected, so this was my explanation for why i searched their name.") sounds totally unbelievable. If you searched for other residents in the past then you should know if they are searchable or not.
- In Epic, it doesn't matter if you didn't open the chart. The profile summary that you see as soon as you select a patient can give you a lot of information.

What happens next depends on your hospital. They may take pity on you because you're an intern. They may make you just take HIPAA training; it may be on your permanent record. At my hospital, there is a zero tolerance policy, so supposedly they would have fired you already. I don't know what will happen.
 
Seriously? I could get fired for this? Maybe I should try to get a lawyer then

I don’t know your hospital’s approach to this. Give it some time and see how it goes. Maybe nothing will happen. It doesn’t hurt to talk to a lawyer but I wouldn’t panic just yet.

But also…learn your lesson now and don’t do it again. No matter how curious or how bored. You could inadvertently learn something very private about a coresident - how awkward. And how terribly unfair to them.
 
Am curious if anyone else has experiences with this. I am very distraught about what could possibly happen to me for having just searched for names. I have never had an issue before and this is a first time infraction...
 
As others have said, it depends on your specific hospital.
 
If you’ve done it multiple times it’s not a first infraction. Therein lies the biggest problem here. You need to quit trying to justify this behavior and own up to the fact that what you did is definitely a HIPAA violation.

Every click and keyboard stroke is recorded. For example, if you hear a celebrity is admitted to your hospital and you are caught looking up just the name of the celebrity, or bringing up different unit lists you have no patients on just to see the name of the celebrity there, it’s a HIPAA violation. Just like commenting on a review a patient makes, thereby confirming that they are a patient, even if they have already released that information, is a HIPAA violation.
 
Best bet is sit tight and hope nobody does a deeper dive into anything. You’re definitely on thin ice if anyone decides to look into your history. Nothing a lawyer can do for you at this point - just cross your fingers and hope for the best. If they do a dive, then they should follow whatever their internal procedures are. Usually for blatant HIPAA violations it’s termination immediately, but maybe you’d be able to plead ignorance and get lucky.

For any other residents reading this thread: if you ever access or search/view a summary of a protected chart, be sure to put some kind of documentation in it. I had to access some protected charts in training and never had issues because I always entered detailed notes. Compliance never even called because my reason for accessing was right there in the record for them to read. They DID call me all the time early on when we used paper charts in clinic and the resident signature part always got cut off, but after Epic I never heard from them again. So don't get near a protected chart unless you plan to do something with it.
 
Totally agree with @operaman's advice.

There is no point to a lawyer, certainly not yet. It's very likely you'll end up with some sort of warning rather than termination. But no matter what, a lawyer won't be able to do much. You broke the rules, and should have known better.

What's going to cause you the most trouble is the recurrent nature (so clearly not just a mistake) and lack of any coherent explanation. Looking people up isn't "fun" by most standards. When we see this, we start to worry about people checking out who's available to date (marital status, age), or getting their home address.

Disclose fully (to your hospital) and await their decisions. If you work at more than one institution and did this at both locations, and only one caught you, you should disclose to the other immediately.
 
Well the problem is that I am not sure if this is going to trigger a review of my past searches, which would reveal the other colleagues I searched for. I don't have a good explanation other than just curiosity, obviously I didn't go into charts I was just...bored.

WTF? What is wrong with you?

This is nurse level nonsense, like every so often a nurse will get fired for accessing a celebrity's medical records. I don't expect this type of nonsense from a doctor. EMR stands for "electronic medical record". You do NOT go into EMR without a valid patient care reason. EMR is not for your entertainment. If you're bored, you probably aren't studying enough during residency.
 
In around 2000 (before I got there), my residency hospital canned several people (no doctors) for looking up George Clooney's information.
For what it's worth, I remember this when it happened too and this was several nurses/staff who entered George Clooney's chart and reviewed his medical history/active problems after that motorcycle accident he was in. I'm not trying to vindicate myself, just saying that this is a completely different animal.

Fortunately I found our hospital's policy re: potential privacy violations, and it states that first-time issues (such as mine) without intention for malice/harm to a person, and without actually entering a chart, should result in an oral/written warning first.

So to anyone else out there: don't make the same mistakes I did, and review your institution's policies for this type of stuff.
 

What's frustrating for me to read is this wasn't your first time. I'm surprised you would think it's ok to type co-residents' names in the EMR search field. Just finding out a co-resident was treated at your hospital (because their name pops up) is a HIPAA violation. You could have seen if they were hospitalized, or taken care of by a psychiatrist just by typing in their name but not opening the chart.

This is a big deal if your PD finds out you did this. Not only did you violate HIPAA, but you violated it on your co-residents.

Yes, George Clooney's case had more flagrant invasive violations of his privacy. But how do you think your co-residents would feel about you searching their names and the information you can get from that?
 