HIPAA statute states that employees should be provided with the minimum necessary access to protected health information (PHI) to conduct their specific job duties. Further, regardless of the level of access granted, employees may only utilize that access to view PHI for a justifiable business purpose, such as confirming an appointment, verifying insurance, posting fees, or conducting chart reviews of an approved research project for which Compulink access has been granted. You may feel tempted to access the patient information for prominent university individuals, fellow employees, or family members. Accessing the records of these “VIPs” without a specific business purpose is not allowed. Beginning this month, the HIPAA steering committee will be conducting random chart audits on a monthly basis to determine any unauthorized access of patient records.