Somehow that doesn’t appear to be spelled correctly, but my spell checker tells me otherwise…nosy, that is.
First the official details: Meaningful Use Stage 1 and Stage 2 require that you “ensure adequate privacy and security protections for personal health information”.
This is to be accomplished by conducting a security risk analysis per 45 CFR 164.308(a)(1).
That section of the Security Rule is quite broad and really covers hundreds of items, but within it, at 164.308(a)(1)(ii)(D), is the requirement for an Information System Activity Review: procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
It is a mouthful, and I usually shorten it to ISAR.
Also, this is one of those items that tends to get pooh-poohed, especially by smaller practices.
Make no bones about it: this is required no matter how big or small your practice is.
The latest example of why this must be done, and of what the consequences are for your office, is this case of the nosy nurse.
In short, a nurse at a certain practice accessed records of patients who were not patients at her practice.
Generally an ISAR is geared toward YOUR practice and YOUR patients. With that, your EHR should be able to block specific users from seeing certain patients’ records. These blocks could come from a personality conflict where the patient makes the request, or from the fact that some of the patients are staff members who do not wish others in the office to see their records…among other reasons.
In larger institutions, restrictions should be in place so that staff members can see only the patient records that are relevant to their role.
All of this is fine and dandy until we then move to the macro level of patient records.
If your area has a medical data “hub” where many or all of the providers submit their patient information, safeguards should be put in place by the governing entity of the hub.
At that point it doesn’t matter whether you have a staff of 1 or 100: the possibility exists for your staff to access the records of every patient in your area.
It is reasonable to expect the EHR to restrict users to the appropriate patient records, but as the EHR continues to evolve we keep finding that the proper safeguards either do not exist or have not been turned on.
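As an added example (not code from the original post, and not any particular EHR vendor’s feature), here is what a minimal ISAR pass over EHR access logs looks like, covering both the practice-level blocks described above and the cross-practice hub access described here. The log format, the column names, the user-to-patient assignment table, the block list and the hub allow list are all assumptions constructed for the example; a real EHR exports its audit log in its own format and the policy tables would come from its user and patient administration.

```python
"""
Added example: a minimal Information System Activity Review (ISAR) over
EHR access-log lines.  Everything below (log format, column names, policy
tables, sample rows) is constructed for illustration, not real data.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample access log.  Assumed CSV columns:
# timestamp, user, user_practice, patient_id, patient_practice, action
SAMPLE_LOG = """timestamp,user,user_practice,patient_id,patient_practice,action
2013-04-02T09:14:00,jdoe,eastside,P1001,eastside,view
2013-04-02T09:20:00,jdoe,eastside,P1002,eastside,view
2013-04-02T09:31:00,jdoe,eastside,P2001,westside,view
2013-04-02T10:05:00,msmith,eastside,P1003,eastside,view
2013-04-02T10:07:00,msmith,eastside,P1009,eastside,view
2013-04-02T11:40:00,rlee,eastside,P1002,eastside,view
"""

# Assumed policy tables (hypothetical; a real EHR would supply these).
# Patients each user is actually treating: staff should only see records
# relevant to them.
ASSIGNED_PATIENTS = {
    "jdoe": {"P1001", "P1002"},
    "msmith": {"P1003"},
    "rlee": {"P1002"},
}
# Explicit per-user blocks, e.g. a patient's request or a staff member's
# own chart.  Here P1002 has asked that rlee not see the chart.
BLOCKED = {("rlee", "P1002")}
# Users authorized to read charts from other practices via the regional hub.
HUB_READ_ALLOWED: set = set()


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient_id: str
    reason: str


def review_access_log(log_text, assigned=ASSIGNED_PATIENTS,
                      blocked=BLOCKED, hub_allowed=HUB_READ_ALLOWED):
    """Return a Finding for every access that violates one of the three rules.

    Rule order matters: an explicit block wins even if the patient is on the
    user's assignment list, and a cross-practice read is reported as such
    before the (less specific) assignment check.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, pid = row["user"], row["patient_id"]
        if (user, pid) in blocked:
            findings.append(Finding(row["timestamp"], user, pid,
                                    "access to explicitly blocked record"))
            continue
        if row["patient_practice"] != row["user_practice"] and user not in hub_allowed:
            findings.append(Finding(row["timestamp"], user, pid,
                                    "patient belongs to another practice (hub read without authorization)"))
            continue
        if pid not in assigned.get(user, set()):
            findings.append(Finding(row["timestamp"], user, pid,
                                    "patient not assigned to this user"))
    return findings


def findings_by_user(findings):
    """Count findings per user so repeat offenders stand out in the review."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} {f.patient_id}: {f.reason}")
```

The third sample row is the nosy-nurse pattern: a user at one practice reading a chart that belongs to another practice through the hub. The point of running this regularly, rather than only after a complaint, is that the EHR may log the access without ever having blocked it.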
With this understanding, your practice should spell out exactly what is expected of staff members. Without specific details in your HIPAA-based policies, your staff has no guidance and really won’t know right from wrong. Additionally, IF the need for discipline arises, YOU need a policy…a clear policy…on which to stand in order to properly implement the discipline.