Should clinical and non-clinical healthcare staff have the same permissions for viewing health information? First, we must establish the difference between electronic medical records (EMR) and electronic health records (EHR). According to the National Alliance for Health Information Technology (NAHIT), an EMR is the patient record that is created every time a patient is seen at a healthcare organization, i.e., a doctor's office, hospital, etc., whereas an EHR is an accumulation of all of a patient's health-related information gathered across more than one healthcare organization and includes substantially more data than is commonly found in medical records. Furthermore, it consists of the EMR (as cited in HealthIT, 2011).

Non-clinical healthcare staff should not have access to view patient health information, in order to prevent Health Insurance Portability and Accountability Act (HIPAA) violations (Kloss et al., 2018, p. 60). EHR access by unauthorized users and non-technological factors are sources of concern that could be a threat to data integrity and protection in EHRs (Bani Issa et al., 2020, p. 228). Harman (2012) suggested that the key to preserving confidentiality is ensuring that only authorized individuals have access to information and medical records (p. 714). Additionally, users' authorization for viewing patients' data should be limited based on the information needed (Kloss et al., 2018, p. 219). For example, in the behavioral unit where I work, nursing assistants do not have access to patients' medical records; they only receive the pertinent and necessary information needed to care for the patients. Although the EHR has been named the backbone of digital health and the leading platform for storing and retrieving patient information, it still represents a threat to the integrity of patient privacy. Consequently, HIPAA states that preserving the integrity of EHR data is a vital duty of medical staff.

So, confidentiality policies related to IT information should include a contract for accountability and confidentiality: every healthcare provider should be responsible for their actions and commit to protecting patient privacy (Lee, 2017; as cited in Bani Issa et al., 2020, p. 224).

Professor Nurkanovich, what a scary situation for both patients and staff! The hospital probably had to turn away patients as part of EMS diversion. A cyber-attack puts things into perspective because nurses and other healthcare workers are forced to switch back to paper charting, which is an inconvenience. Nurses lose the ability to scan medications, which is a huge safety concern. It is very uncomfortable to work under these conditions because there is no way to access radiology studies, old labs, EKGs, etc.

References

Bani Issa, W., Al Akour, I., Ibrahim, A., Almarzouqi, A., Abbas, S., Hisham, F., & Griffiths, J. (2020). Privacy, confidentiality, security, and patient safety concerns about electronic health records. International Nursing Review, 67(2), 218-230. https://doi.org/10.1111/inr.12585

Harman, L. B. (2012). Electronic health records: Privacy, confidentiality, and security. AMA Journal of Ethics, 14(9), 712-719. https://doi.org/10.1001/virtualmentor.2012.14.9.stas1-1209

HealthIT.gov. (2011, January 4). EMR vs EHR: What is the difference? https://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/emr-vs-ehr-difference

Kloss, L. L., Brodnik, M. S., & Rinehart-Thompson, L. A. (2018). Access and disclosure of personal health information: A challenging privacy landscape in 2016-2018. Yearbook of Medical Informatics, 27(01), 060-066. https://doi.org/10.1055/s-0038-1667071
Patients have a fundamental right to privacy and for physicians and staff to respect their confidentiality (American Medical Association, n.d.). The maintenance of medical records is an important part of providing lifelong, quality care, but breaches of confidentiality can happen when these records fall into the wrong hands, whether intentionally or unintentionally. While this has always been true, the risk of such a breach occurring has been greatly elevated with the use of electronic health records (Balestra, 2017).
The use of medical scribes is one gray area regarding non-clinical staff encountering health information. On one hand, the use of the scribes can free up time for providers to engage with patients face-to-face; this is valuable in a time when providers spend more time documenting in the EHR than in patient-facing care (Balestra, 2017). However, scribes (non-clinical staff) are then allowed access to otherwise confidential health information. This might disrupt the provider-patient dynamic; it’s possible that patients might not fully disclose helpful information in the presence of a third party. As a result, their treatment may suffer (Sulmasy et al., 2017).
Health information should be accessed on a need-to-know basis. As such, there should be few circumstances that warrant non-clinical healthcare staff having permission to view this information. In the situations where this is warranted, access should be limited to only that information which is needed to complete the task. For example, personnel in the billing department might have access to diagnostic codes, but not narrative notes. It is recommended that clinics define and standardize their workflow prior to selecting and implementing an EHR (Ozair et al., 2015). In doing so, access to necessary parts of the EHR (and those parts only) can be built into the interface for each user depending on their role. In order to protect patient confidentiality, health IT systems should be designed with security as a top priority. Firewalls, data encryption, and two-factor authentication should be used ubiquitously. There should be a clear-cut policy delineating the expectations for accessing health information and the consequences for users who violate these expectations. Health IT systems should include a mechanism for auditing use. Ideally, the auditor would be able to ascertain who accessed what part of the EHR, when, for how long, and for what purpose.
References

American Medical Association. (n.d.). Code of Medical Ethics Opinion 1.1.3. Retrieved from https://www.ama-assn.org/delivering-care/ethics/patient-rights#:~:text=To%20courtesy%2C%20respect%2C%20dignity%2C,and%20costs%20of%20forgoing%20treatment
Balestra, M. L. (2017). Electronic Health Records: Patient Care and Ethical and Legal Implications for Nurse Practitioners. The Journal for Nurse Practitioners, 13(2), 105–111. https://doi.org/10.1016/j.nurpra.2016.09.010
Ozair, F. F., Jamshed, N., Sharma, A., & Aggarwal, P. (2015). Ethical issues in electronic health records: A general overview. Perspectives in Clinical Research, 6(2), 73-76. https://doi.org/10.4103/2229-3485.153997
Sulmasy, L. S., López, A. M., & Horwitch, C. A. (2017). Ethical implications of the electronic health record: In the service of the patient. Journal of General Internal Medicine, 32(8), 935–939. https://doi.org/10.1007/s11606-017-4030-1
Should clinical and non-clinical healthcare staff have the same permissions for viewing health information? Why or why not?
It depends on the non-clinical role whether someone should have the same permissions for viewing health information. A patient unit clerk or someone in charge of registering patients may have limited access to patient demographic, chief complaints, or access to patient insurance information in the Emergency Department. However, they do not need access to patient history or clinician notes. A coding auditor, for example, may need access to physician or nursing notes to validate that charges/coding on a patient’s account is correct based on clinician documentation.
What should confidentiality policies related to health IT systems include?
The security management process and security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protect patient privacy with provisions to safeguard patient information (Balestra, 2017). Patients should be given a choice as to whether to allow personal health information to be available to others, to whom, and how. Confidentiality policies should also include annual employee competency training on confidentiality and protection of patient privacy regarding the patient E.H.R. Individuals affected by a breach of information should be notified by covered entities or C.E.'s (health plans, healthcare clearinghouses, and clinicians) (healthit.gov). Protecting patient privacy is a shared responsibility, and policies related to I.T. systems should reassure patients that full adherence to confidentiality and security standards is being met.

References

Balestra, M. L. (2017). Electronic Health Records: Patient Care and Ethical and Legal Implications for Nurse Practitioners. The Journal for Nurse Practitioners, 13(2), 105-111. https://doi.org/10.1016/j.nurpra.2016.09.010

The Office of the National Coordinator for Health Information Technology. (2020, March 11). Privacy and Security. Health IT Playbook. https://www.healthit.gov/playbook/privacy-and-security/
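The role-dependent, minimum-necessary access described in this answer and in the earlier post (registration sees demographics and insurance but not history or notes; billing sees diagnostic codes but not narrative notes; a coding auditor needs the notes to validate charges), together with an audit trail of who accessed which part of the record, when and for what purpose, as an added Python example that is not part of any post on this page. The role names, the record sections, the sample patient record and the rule that a read must state a purpose are constructed assumptions, not something the posts or HIPAA specify.

```python
from datetime import datetime, timezone

# Constructed role-to-section matrix mirroring the posts' examples: registration
# sees demographics/insurance but not history or notes, billing sees diagnostic
# codes but not narrative notes, a coding auditor may read the notes needed to
# validate charges. Any role/section pair not listed is denied by default.
ROLE_SECTIONS = {
    "registration_clerk": {"demographics", "chief_complaint", "insurance"},
    "billing": {"demographics", "insurance", "diagnostic_codes"},
    "coding_auditor": {"diagnostic_codes", "physician_notes", "nursing_notes"},
    "nursing_assistant": {"demographics", "care_summary"},
    "rn": {"demographics", "chief_complaint", "insurance", "history",
           "diagnostic_codes", "physician_notes", "nursing_notes", "care_summary"},
}


class EhrAccessControl:
    def __init__(self, records):
        self.records = records          # patient_id -> {section: content}
        self.audit_log = []             # one entry per attempt, granted or not

    def read(self, user, role, patient_id, section, purpose):
        """Return one section or raise PermissionError; log who, what, when, why."""
        granted = bool(purpose) and section in ROLE_SECTIONS.get(role, set())
        self.audit_log.append({"user": user, "role": role, "patient": patient_id,
                               "section": section, "purpose": purpose, "granted": granted,
                               "at": datetime.now(timezone.utc).isoformat()})
        if not granted:
            raise PermissionError(f"{role} may not view {section} (purpose={purpose!r})")
        return self.records[patient_id][section]

    def role_view(self, role, patient_id):
        """The per-role interface: render only the sections this role may see."""
        allowed = ROLE_SECTIONS.get(role, set())
        return {k: v for k, v in self.records[patient_id].items() if k in allowed}

    def denied_attempts(self):
        """What an auditor reviews first: attempts that were refused."""
        return [e for e in self.audit_log if not e["granted"]]


def build_demo():
    # Constructed sample record; the name, code and notes are made up.
    record = {"demographics": {"name": "Jane Doe", "dob": "1980-01-01"},
              "chief_complaint": "cough and fever", "insurance": {"plan": "Example Health"},
              "history": "asthma since childhood", "diagnostic_codes": ["J18.9"],
              "physician_notes": "CXR consistent with pneumonia; start antibiotics.",
              "nursing_notes": "SpO2 94% on room air.", "care_summary": "fall risk: low"}
    return EhrAccessControl({"p1": record})
```

Because denied attempts are logged alongside granted ones, the audit log answers the question the earlier post raises (who, what part, when, for what purpose) even for access that never succeeded.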
· The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to establish national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge (CDC, 2018).
· HIPAA contains standards for individuals’ rights to understand and control how their health information is used. A primary task is to ensure that individuals’ health information is adequately protected while sharing health information with multiple providers to ensure up-to-date patient information is available. Easier access to medical records through patient portals promotes autonomy, inclusion, and well-being.
· Balestra (2017) discusses the importance of patient privacy, cyber security, liability, and access to information. For example, as a clinical instructor for the University of Hawaii, I see that the students are not allowed the same level of access to a patient's chart as an RN at the bedside. It is reasonable for the health care organization to assume some risk with students as a teaching facility. However, the organization has determined that some risks are not valued, and restrictions are placed to prevent catastrophic errors or inappropriate exposure to sensitive information.
· Careful consideration should be given to anyone requesting access to EHRs. Job descriptions, the department where one works, licensing, facility access, and yearly corporate compliance training should all be considered. Therefore, equal access to patient information is inappropriate and should be determined based on need.
· IT systems confidentiality policies should include limiting access to sensitive patient information, ensuring cyber security by using password protection and dual verification measures, providing yearly corporate compliance training, and limiting the use of thumb drives and other outside sources that can introduce malicious viruses and place data at risk for phishing schemes (ACHE, 2021).

References

American College of Healthcare Executives. (2021, December 6). Health Information Confidentiality. Retrieved April 18, 2022, from https://www.ache.org/about-ache/our-story/our-commitments/ethics/ache-code-of-ethics/health-information-confidentiality

Balestra, M. L. (2017). Electronic Health Records: Patient Care and Ethical and Legal Implications for Nurse Practitioners. The Journal for Nurse Practitioners, 13(2), 105-111. http://dx.doi.org/10.1016/j.nurpra.2016.09.010

Centers for Disease Control and Prevention. (2018, September 14). Health Insurance Portability and Accountability Act of 1996 (HIPAA). Retrieved April 18, 2022, from https://www.cdc.gov/phlp/publications/topic/hipaa.html