Q. What does HIPAA require with respect to employees of a covered entity (CE) viewing their own or a family member’s medical record?
A. With respect to HIPAA, treat employees as you would any other patient. Most CEs require that their employees request to view or receive a copy of their medical records as would any other patient. CEs generally don’t allow employees to view their medical records directly or randomly. Employees have the same privacy rights as other patients—they may view, inspect, or request a copy of their medical records.
Employees who wish to access a spouse’s, adult child’s, or, in some cases (depending on state law), minor child’s medical records must first obtain authorization from the specific family member.
Employees may not access family members’ medical records without permission unless it is for treatment, payment, or healthcare operations and is directly related to the employee’s responsibilities at work. Effective February 2010, doing so is a criminal act, pursuant to HIPAA and the HITECH Act.
Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters. Apgar is president of Apgar & Associates, LLC, in Portland, OR. He has more than 17 years of experience in IT and specializes in security compliance, assessments, training, and strategic planning.