Laws mandate need-to-know for accessing medical files

Key Points

There are no contractile issues of concern, and Dr. Derm is to leave as of Jan. 1, 2011. He is upset about his termination, but he finishes his days seeing patients and fulfilling his duties.

The dermatology group has a fairly sophisticated electronic medical record (EMR) system. There is full access to all relevant office materials from any computer anywhere in the world. Dr. Derm's access should have been terminated Jan. 1, but it was not until Feb. 1 that it was done. Out of curiosity, Dr. Derm signed into the system throughout the month of January and downloaded medical records of some of his former associates' family members.

Need-to-know basis

Dr. Derm's former associates contend that the medical records are part of a HIPAA-protected environment; information is only available on a need-to-know basis. If Dr. Derm had no official business pertaining to a file (he was no longer a practice associate), he did not "need to know." Healthcare professionals must consider HIPAA to be such a protected environment.

Last year, Congress passed HITECH, which further tightened restrictions on HIPAA-related healthcare privacy and increased penalties for transgressions. The HITECH Act was a regulatory measure that was introduced in anticipation of the sudden rise in the volume of healthcare practices adopting electronic health records (EHRs).

Violations of the HITECH regulations can lead to either civil or criminal liabilities. The HIPAA Privacy Rules lay down the standards that should be followed to become HIPAA-compliant, but it is the HITECH Act rules that elaborate on the criticality of following these norms. The rules also lay down enforcement, accountability, penalty and persecution-related guidelines for those involved in sharing or accessing personal health information.

HITECH's purpose

The purpose of HITECH is to define penalties that are imposed on healthcare professionals found guilty of HIPAA Privacy Rule violations; ensure that access to medical data in the form of EHRs becomes a national standard for storing/accessing patient information; laying down accountability clauses and defining penalties incurred on HIPAA-violating business associates; and introducing strict standards related to the notifications of patients whose personal health information has been violated.

HITECH stipulates that unauthorized access to patient records can lead to jail time. Recently, a surgeon working as a researcher at the University of California, Los Angeles was sentenced to jail under this rule. Huping Zhou, M.D., a cardiothoracic surgeon, was working at the UCLA School of Medicine as a researcher. His employment was terminated, but UCLA's information technology department didn't block his access to EMRs at the time. It took the university some time to process retraction of the doctor's authorization to the database, and during that time, Dr. Zhou accessed and read his immediate supervisor's medical records as well as those of former co-workers. What's more, his curiosity led him to remotely access other medical records he was unauthorized to see, including those of celebrity patients.

Authorities acknowledge that Dr. Zhou didn't try to sell the information. Dr. Zhou's attorney said the doctor, a Chinese immigrant, did not know he had committed a federal crime. Nevertheless, Dr. Zhou pleaded guilty to four misdemeanor counts of violating the HIPAA Privacy Rule. He was sentenced to four months in jail.

File snooping out of curiosity is not considered authorized access. There was no "need to know" for Dr. Zhou - or Dr. Derm. Accessing records of a neighbor, a child's teacher or a friend without authorization can lead to legal difficulties for a physician or any provider within that practice.

David Goldberg, M.D., J.D., is director of Skin Laser & Surgery Specialists of New York and New Jersey; director of laser research, Mount Sinai School of Medicine; and adjunct professor of law, Fordham Law School.