TESting

No. Direct access to these records, using Epic and other systems, is prohibited. This is true even if you have a legal right to access such information, for example, through a Power of Attorney, conservatorship, or an Authorization to release information. The better practice is to access appointment information via the MyChart portal.

Direct access to children’s records, using Epic and other systems, is prohibited. This is true even if you have a legal right to access such information because you are the child’s parent or guardian.  If your child is age 13 or under, you may access their information via the MyChart portal.

No. An audit hit only shows that someone accessed a record. It raises the question, “was the access required or permitted for work-related purposes? It triggers an investigation, not a disciplinary action.  Disciplinary action will be taken only if the investigation reveals that the access was inappropriate. .

Coworkers include people who work, or have worked, in your department or section, at any level. They also include Yale faculty and staff in other departments, with whom you have regular contact. This could be either through close physical proximity, or because of the nature of your job.

For the purposes of these audits, “coworker” is defined in such a way that that should never happen. However, if it does happen, and if you are asked to justify your access, you will have an opportunity to explain not only the reason for the access, but the fact that you do not know the employee-patient. As always, if you are a Union member, you are entitled to have a Union representative present at that time.

Disciplinary sanctions for unauthorized access will not be applied if the reviewers cannot agree on whether access was required or permitted. [However, if the access constitutes a violation of some other policy, disciplinary sanctions will be applied accordingly]

No, you should not.  The better practice would be to continue to do your work, as you normally would, as assigned. It will usually be possible for the investigator to determine the reason for the accidental access based on the way that you usually work, and the records that you accessed around that time.

Our policy generally prohibits access to records of faculty and staff or anyone else unless the access is “required or allowed for the performance of your job.” If:

• In the normal course of performing your job, you are assigned to work on records or accounts belonging to you coworkers, and if
• You are not subject to any departmental policies that say otherwise, you will not be subject to disciplinary sanctions simply because you worked with a coworkers health information.

When asked to “Break the Glass”, you should take a moment to make sure that you are in the correct record. If you are in the correct record, and if access to that record is “required or allowed for the performance of your job,” you should follow the on-screen instructions and proceed as you normally would.

Yes, but only if someone intentionally or carelessly accesses your health information in a way that compromises the security of your information, and is not required or allowed for the performance of their jobs. On the other hand, if a coworker processes your record or account because it is required or allowed for the performance of their duties, you might never be told.

No.  The goal of the FairWarning audits is to verify that all access to e-PHI is appropriate. Break-the-Glass (“BTG”; a feature, in Epic, that requires users to explain why they are accessing a record) is triggered based on the kind of record that is accessed. BTG alerts do not indicate whether the access is appropriate. As such, they are of little use, in and of themselves, in discovering unauthorized access; that is, access which is not required or allowed for the performance of your job.

All faculty and staff, including faculty and supervisors, promise, every year, to abide by all HIPAA privacy and security policies. This includes the ITS policy on “Appropriate Use,” which specifically prohibits password sharing. See ITS Policy No. 1607  (http://policy.yale.edu/policy/1607-information-technology-appropriate-us… ), as well as the Yale Standards of Business Conduct (http://provost.yale.edu/faculty/policy) and the annual HIPAA assessment (http://hipaa.yale.edu/security/breach-prevention/compliance-requirements)

As always, use your best judgment in determining whether to access information in our patients’ records, in electronic, or any other form. The number of available alternatives, the nature and sensitivity of the information, and the potential effect of the access on the patient, should always be considered, along with any other relevant factors.

They might, depending on the system that you access, and the applications and functions that you use. Please remember, however, that if access to the list of appointments is “required or allowed for the performance of your job,” you need not worry that you are out of compliance.

The facts and circumstances of the inappropriate access will be taken into account. The effect of any unauthorized access on patient safety or patient care, as well as the reason for the access, and whether there are previous violations, will be considered, among other factors. 

“Core duties” are those tasks that you perform every day, many times a day, in order to do your job. These tasks, and, the way you perform them, will likely have changed since the implementation of electronic record. If you have any doubt about what those duties are, or whether they are for treatment, payment, or health care operations, consult with your supervisor.