“We take privacy issues very seriously here,” began the supervisor, who then listed the 4 times that Ms. D had accessed Joe’s records. Ms. D immediately began explaining the situation, including the fact that she had Joe’s consent, but the supervisor seemed to be working from a script. 

“Is Joe your patient?” the supervisor asked. 

“Well, no….” Ms. D said. 

“Right,” the supervisor said. “He is not your patient. You accessed his records in violation of our privacy policy and HIPAA, and you had no legitimate work-related reason to access those records.” The supervisor went on to tell Ms. D that her employment with the medical center was terminated and that she would be escorted out of the building. 

Ms. D was stunned and furious. She filed a grievance to challenge the medical center’s actions. A hearing was held, during which Joe testified that he had executed every form necessary to give Ms. D authority to look at his records and that she had his full authority to speak with his physicians, obtain his files, and act as his agent. The hearing officer found in Ms. D’s favor and ordered that she be reinstated. The medical center appealed, and the appeal was heard by the court of appeals of the state. 

The medical center claimed that Ms. D had violated the HIPAA Privacy Rule by accessing records that she had no “legitimate work-related reason” to access. The court disagreed, stating that nothing in HIPAA prevents a patient from appointing someone to act as a representative. According to the court, Joe had every right to his own medical records, and he had every right to appoint Ms. D, as his representative, to view those records. The medical center argued that Ms. D should not have accessed the records directly. However, the court of appeals pointed out that federal law does not forbid direct access, and since proper legal authorization had been given, there was no fault by Ms. D. 

Ms. D was restored to her position, and the medical center had to pay her back wages for the time when she was out of work. 

Legal background

A patient is always entitled to access his or her own records. Nothing in HIPAA’s Privacy Rule ever affects that. A patient is also entitled to appoint a representative to look at his or her records. In this case, the court of appeals reiterated that HIPAA does not change the fact that one person can act as the authorized representative of another person for purposes of accessing confidential medical information, provided that a power of attorney or other appropriate formal legal document has been properly executed according to state law in the local jurisdiction. 

Protecting yourself

There are few things that cause as much confusion as HIPAA. In particular, HIPAA’s Privacy Rule, despite being published 16 years ago, still causes misunderstanding when it comes to who can access patient medical records and for what reasons. 

Ms. D did almost everything she could to protect herself from what eventually happened to her. She and her ex-husband obtained and executed the proper forms, including the medical center’s own form. The only thing she might have done to better protect herself was to inform her supervisor that she wanted to see the records before she accessed them. The medical center seemed particularly disturbed that she accessed the records on her own, rather than following the normal policy for requesting records. 

Be sure to familiarize yourself with the policies of your place of employment. If someone who is not your patient gives you permission to access records, be sure that: 1) he or she has filled out the requisite paperwork giving consent; and 2) you are accessing the records according to your employer’s policy.

Ann W. Latner, JD, a former criminal defense attorney, is a freelance medical writer in Port Washington, N.Y.