Practice Challenges Ruling, Defends Firing Over Improper EHR Access
July 28, 2015 in News
Background on Case
The case involves an employee at the Rocky Mountain Eye Center in Missoula, Mont., Britta Brown, who used the practice’s EHR system to obtain the contact information of 17 coworkers. She then provided information on 12 coworkers to a union representative. Rocky Mountain fired Brown, citing a HIPAA violation and abuse of the practice’s confidentiality agreement.
However, an administrative law judge found that while the practice’s personnel files were kept in a separate software system, it mixed patient and employee contact information in its EHR system because employees entered their contact information into the EHR system as part of training. The judge also found that Rocky Mountain allowed the EHR system to be used as an employee directory.
In the decision, the judge wrote, “It was generally known that coworkers and supervisors accessed the Centricity system to get employee contact information,” adding, “Employees accessed each other’s contact information for work-related purposes, primarily involving last-minute schedule changes.”
The decision also noted that Rocky Mountain employees no longer enter their contact information into the EHR system and that the practice’s Human Resources Department now handles scheduling changes.
Details of the Challenge
In an Exceptions document filed with the National Labor Relations Board on July 10, the practice argued that the EHR system is a database reserved for patients. The practice noted that Brown accessed records of patients who happened to be employees before turning them over to a third party without approval (Durben Hirsch, FierceEMR, 7/24).
According to the Exceptions document, under HIPAA’s minimum necessary standard, “employees of a covered entity are not permitted to access a patient’s [personal health information] in the employer’s [EHR] system for personal reasons unrelated to that patient’s care or services” (Rocky Mountain Eye Center Exceptions, 7/10).
Rocky Mountain also argued that Brown never testified that she witnessed or was told it was acceptable to use the EHR system to find patient-employee contact numbers. In addition, it stated there is no evidence the practice allowed such access (FierceEMR, 7/24).