

GUIDANCE (Dec. 2005; Updated March 2011)

MEDICAL CENTER EMPLOYEES ACCESSING PERSONAL HEALTH INFORMATION

Patients have a right to access their own health information.  The institution has established procedures to assist patients with that access.  This is usually done by contacting the care provider directly or by submitting a request to Health Information Management.  Inpatients may view their medical record with a clinician present to interpret the information and answer questions (see A2-02 Release of Patient Medical Information and Emergency Release).

Employees of the Medical Center with job-related access to hospital information systems (e.g. EPIC) may access their own health information (e.g. electronic or hard copy).  Employees who access their own information may not edit or make changes to their information in any hospital information systems, including but not limited to demographic information and scheduling of appointments.  Under no circumstances may an employee access the health information of his/her spouse, partner, child, family member or friend.  This access is strictly limited to the employee's own health information.  

The following standards for accessing personal health information must be met:

  1. Employees may only access protected health information (e.g. electronic, hard copy) for purposes necessary to perform their own job duties.
  2. Employees with job-related access to hospital information systems may access their own medical information through the institution's current information systems, including test results, clinic notes, and operative reports.  Employees may not edit or make changes to their information, including but not limited to demographic information and scheduling of appointments. 
  3. Employees may not access through the institution's current information systems the medical information of family members, friends, or other individuals for personal or other non-work related purposes, even if written or oral patient authorization has been obtained.  Employees designated as "Personal Representatives" (A05-30 Personal Representatives of Patients) should contact the physician or submit a formal request to Health Information Management.  Employees must not use their employee status to obtain medical information for anyone else.
  4. In those very rare circumstances where an employee's job requires him/her to access and/or copy the medical information of family members, a co-worker, or other personally known individuals, then he/she may do so only to the extent necessary to perform his/her job.  However, employees should report the situation to their supervisor who will determine whether to assign a different employee to complete the task involving the specific patient.  The employee should continue his/her responsibilities to the extent patient privacy is not compromised.

Employees who violate these guidelines will be subject to disciplinary action, up to and including termination, in accordance with the applicable UCMC, BSD, Medical Staff, or University policies.  Contact the HIPAA Program Office at 4-9716 if you have any questions.

December 2005
Updated March 2011
