Health Information Compliance Alert

Reader Question:

Staff Follow Same PHI Access Rules As Patients

Question: How should a medical facility handle employees' access to their own medical records? That is, should employees within a medical center or practice who have protected health information (PHI) on the facility's computer system be able to view their own PHI?

Answer: "Everybody has access rights under HIPAA," reminds Robyn Meinhardt, an attorney in the Denver office of Foley & Lardner.

Meinhardt says she's aware of some facilities with electronic medical records (EMR) that have allowed their healthcare provider employees to access their own records with "minimal interference from the system."

In other words, if the employee inputs his Social Security Number, that'll give him access to his own PHI. Meinhardt says one way to prevent employees from gaining easy access to their records would be to make them go through the normal access procedures, just as any other patient would.

The question that arises is, "Can you make it easier on employees to see their own records than for other patients?" Meinhardt says there may be some prohibitions under state law that might come into play here.

For example, "if your state law contains a prior physician review requirement, that could prevent an employee from gaining easy access to his records," she notes. But Meinhardt says it's likely -- though not definite -- that the Health Insurance Portability and Accountability Act (HIPAA) would preempt the state law if that state law imposes a prior physician review requirement, so you should review your state laws to determine how they approach this requirement.