Q: My boyfriend is a medical student. Can he see my Electronic Health Record? How would I know?
A: This is an excellent question, and very timely since this week is Health Information Privacy and Security Week. (No, I’m not kidding. Seriously… who comes up with these things?)
Anyway, the answer is a resounding NO, he could not access your personal health information at the Student Health Center. From a technical standpoint, our EHR system is separate from and unconnected to the Medical Center’s, so our records are not accessible to people using the medical center system, like your boyfriend.
But let’s say you saw a doctor at the medical center, or you got really sick one night and ended up in the ER, or your boyfriend did a rotation with us at the Student Health Center. Technically speaking, he could access your health records, but he would be risking serious trouble if he did.
There is a federal law called HIPAA (Health Insurance Portability and Accountability Act) that contains privacy and security regulations to protect patient health information. The HIPAA privacy rule contains a very important standard called Minimum Necessary – healthcare providers may only access personal health information that is necessary to their job. So your boyfriend could only access your health records if he was directly involved in your care.
If he just snoops around in your chart because he’s curious – he’s breaking the law. If you ask him to check your records to see what the doctor said about you or to get the results of that scan you had at 3 in the morning that you can’t remember because you were puking your guts out – he’s breaking the law. Let me put it this way. If he is seen as a patient at the medical center and looks at his own health records, he’s breaking the law. Unless it’s necessary for him to do his job, he can’t do it.
But let’s say that despite all of these legal and ethical restrictions, your boyfriend just can’t help himself and peeks into your electronic health record. How would you know?
The Security Rules of HIPAA require that healthcare organizations monitor the security of consumer personal health information. Both the medical center and Student Health Services utilize tools that report each and every individual who accesses a patient’s health record. If we (or the medical center) discover an unauthorized access to your health information, we are required by law to notify you and the Department of Health and Human Services.
All healthcare professionals – including medical students – take this stuff very seriously, so I’m sure you have nothing to worry about when it comes to your boyfriend checking out your electronic health record. Now when it comes to him checking out the sunbathers on the Oval, you’re on your own…
Melissa Ames, RHIA, CHPS
Health Information Manager, Ohio State Student Health Services