Yale performs ongoing monitoring of access to patient information to ensure that patient records are accessed in accordance with University policy and federal regulations. HIPAA Privacy staff, in collaboration with departmental supervisors, review access alerts generated by our monitoring software to determine whether record access was work-related or inappropriate. Inappropriate access is subject to disciplinary action in accordance with University policies.
HIPAA limits how we can use and disclose health information to a set of activities, mainly those related to treatment, payment for treatment and our healthcare operations. Details on how we can use and disclose health information are described in HIPAA Policy 5031, Authorization Requirements for Use and Disclosure of Protected Health Information. As a general rule, even though a person’s job duties allow them access to patient information, that information should not be accessed unless it is needed to perform their job-related duties. This is true not only for information related to VIP patients but also for access to your family members’ or friends’ records. If you do not need the information to do your job, you are violating HIPAA and Yale policy by looking at the information.
Enforcement of the HIPAA Privacy and Security Rules by the US Department of Health and Human Services (DHHS) was strengthened under the HITECH Act, including increased fines and penalties for individuals and institutions that fail to comply. Recent enforcement activities indicate the seriousness with which DHHS intends to pursue HIPAA violations. Our access monitoring program provides Yale the opportunity to ensure rigorous monitoring of access to patient records.
If you have any questions about HIPAA and the monitoring practices, feel free to contact the HIPAA Privacy Office at email@example.com or 203-432-5919.