Written by Dr. MedLaw

Just about everyone who works at our family practice office (PAs, an RN and clerical staff) is also a patient there. Needless to say, many of them are accessing their own records. I have talked to my partners about this because I am really concerned that we would be hit hard about this in a HIPAA investigation, but they said that it is fine because people are only looking at their own records, which they have a right to do. Are they correct or am I?


You are.

A patient has the right to see their records but could not just go to the receptionist’s desk and start downloading them. The same applies if they happen to work at the practice. There are proper procedures to follow.

The real issue is that this conduct is a red flag for HIPAA laxity at your practice if you are ever investigated, even for another reason, because it shows that you are treating records as open to all staff, including non-medical staff, which is an invitation to improper use. When records access is unregulated, it is frankly inevitable that there will eventually be privacy violations, such as a staff member looking up the records of someone they have a personal question about.

When a staff member wants their results, have them submit a request just like any other patient would, or simply ask their treating practitioner to check for them. Include this as a set policy in your office’s employee regulations, so that it can be proffered to the OCR as proof that you deal with this properly if you are investigated, or used as evidence in a lawsuit for a privacy breach under state confidentiality law.