Submit your HIPAA questions to Editor Jaclyn Fitzgerald at firstname.lastname@example.org and we will work with our experts to provide the information you need.
Q: Is it considered a breach if an employee of an organization views his or her own records or the records of their family members (containing full name, Social Security number, diagnosis, medications, etc.) without a legitimate business need?
A: Accessing the records of family members without a legitimate business need may well be a breach, but a staff member accessing his or her own records may not be. If there is no legitimate reason for accessing family member records, that would be a breach of unsecure PHI.
A number of CEs have implemented policies requiring employees to access their own medical records in the same way as all other patients—by submitting a written request and having the record copied or setting up a time for the employee to view his or her own record. Having an employee view his or her own record is not a breach of unsecure PHI. However, it may be a violation in the CE’s policy and result in sanctions.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.