View Full Version : Is it a hipaa violation to access friend's record


meatfla
Jul 12, 2012, 02:26 PM
Not sure if this is a HIPAA violation -

A coworker accessed her friend's radiology report to see if it had been signed off by the ordering physician. It had not been signed, so she called the physician's PA and left a message asking her to do this. I'm also pretty sure she read the results to her friend later that day.

Should this be reported?

J_9
Jul 12, 2012, 02:28 PM
If this friend was not directly involved with the care of the patient, it is indeed a violation.

ballengerb1
Jul 12, 2012, 02:37 PM
Depends, what was the professional medical relationship between the co-worker and her friend? From what has been said I can't assume the co-worker is not medically involved with the patient.

meatfla
Jul 12, 2012, 02:39 PM
Depends, what was the professional medical relationship between the co-worker and her friend? From what has been said I can't assume the co-worker is not medically involved with the patient.

She had no role in her friend's care, just knew about the situation.

ballengerb1
Jul 12, 2012, 02:45 PM
Then how could she physically have access to the records? What position does she perform in the office/hospital?

meatfla
Jul 12, 2012, 02:48 PM
Then how could she physically have access to the records? What position does she perform in the office/hospital?

Her friend is a patient of our group.

ScottGem
Jul 12, 2012, 02:54 PM
It sounds like the co-worker was following some duty to make sure reports were properly signed. If this was part of the co-worker's duties then there was no HIPAA violation. If the co-worker was not authorized to access the record then it was.

Now my question to you is why do you want to report it? Do you understand what the consequences would be?

meatfla
Jul 12, 2012, 03:03 PM
It sounds like the co-worker was following some duty to make sure reports were properly signed. If this was part of the co-worker's duties then there was no HIPAA violation. If the co-worker was not authorized to access the record then it was.

Now my question to you is why do you want to report it? Do you understand what the consequences would be?

Don't WANT to report it, but unsure if there's a violation since this coworker had no part in the patient's care.

ScottGem
Jul 12, 2012, 03:22 PM
Again, it may not be required that the co-worker was part of the patient's care. If it was the co-worker's responsibility to ensure that reports are properly signed it may have been within her responsibility to check them. So if you don't want to report it, what DO you want?

JudyKayTee
Jul 12, 2012, 03:40 PM
Again, it may not be required that the co-worker was part of the patient's care. If it was the co-worker's responsibility to ensure that reports are properly signed it may have been within her responsibility to check them. So if you don't want to report it, what DO you want?


You beat me to it. Seems like the choices are - report it; don't report it.

Let someone else sort out the pieces.

I just never understand unless you're the person who is harmed in some way why things come down to reporting people, particularly in this economy, again, when you are not harmed.

ScottGem
Jul 12, 2012, 04:32 PM
You beat me to it. Seems like the choices are - report it; don't report it.

Let someone else sort out the pieces.

I just never understand unless you're the person who is harmed in some way why things come down to reporting people, particularly in this economy, again, when you are not harmed.

In fact, I don't see how ANYONE has been harmed here. Unless the co-worker revealed information about the friend's treatment the friend wasn't harmed?

So what is the real issue here?

JudyKayTee
Jul 12, 2012, 04:39 PM
Workplace cattiness is my guess.

ballengerb1
Jul 12, 2012, 05:13 PM
"Her friend is a patient of our group": not sure what this means, and I am still waiting to hear the position or role this co-worker is filling. To have access to the records she must be part of the medical treatment team.

J_9
Jul 12, 2012, 05:56 PM
"Her friend is a patient of our group": not sure what this means, and I am still waiting to hear the position or role this co-worker is filling. To have access to the records she must be part of the medical treatment team.

Not quite so. Typically, there is one computer program that is used to store the records of all patients of a group/hospital/facility. All employees have a code that lets them access the program in order to put in data, place orders, review charts, etc. Each employee has their own identifying sign-in username and password. It is expected that the employees only access the information of the patients they are caring for, but some take it upon themselves to review information of other patients.

As an example, when I am at work I can access our program. I have the ability to review the information, or diagnoses, etc. for every patient that has ever been a patient at the hospital since the inception of the program.

ballengerb1
Jul 12, 2012, 07:40 PM
I understand but that is a shortcoming of the program your facility is using. If doctors and hospitals took the time, every record of every patient file could be issued a password for authorized personnel to use, how hard would that be? My wife and I both use the same program for e-mail but I can't read hers and she can't read mine, password protected. I think that when there is a breach of HIPAA regulations the person who transmitted the information should be held accountable, but so should the hospital that carelessly allowed the access to the records to ever happen. Still waiting to hear from the OP what medical relationship the co-worker had with the patient.

ScottGem
Jul 13, 2012, 03:10 AM
I understand but that is a shortcoming of the program your facility is using. If doctors and hospitals took the time, every record of every patient file could be issued a password for authorized personnel to use, how hard would that be? My wife and I both use the same program for e-mail but I can't read hers and she can't read mine, password protected.

Actually, it's a lot harder than you think. The analogy of your e-mail program doesn't apply. You are both logging in once to your e-mail and you need to be authenticated to the database so the program can filter access for your mail.

But a program like J_9 describes would require a great deal of maintenance to restrict access to specific patients. In a medical setting like this, responsibility for patients can change frequently. A doctor can be asked to take a look as a consult. Which would mean someone from IT would have to add him to the list of users who can access his record. It's a maintenance headache. HIPAA already has standards of IT compliance, but has not included this requirement because it would represent an onerous burden for maintenance.
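
The thread describes a records program where each employee signs in individually but can open any chart, and where per-patient permission lists are costly to maintain. As an added example (not written by any poster and not taken from any product), the sketch below reviews an access log after the fact against care-team and job-duty data; every user name, field and log row is constructed for illustration.

```python
import csv
import io

# Constructed sample data; every name and field below is hypothetical.
CARE_TEAM = {            # patient id -> users with a treatment relationship
    "P100": {"dr_lee", "rn_ortiz"},
    "P200": {"dr_lee", "pa_chen"},
}
DUTY_ACTIONS = {         # user -> actions their job covers for any patient
    "clerk_kim": {"check_signoff"},
}
ACCESS_LOG = """\
time,user,patient,action
2012-07-12T09:02,rn_ortiz,P100,view_report
2012-07-12T09:15,clerk_kim,P200,check_signoff
2012-07-12T09:40,clerk_kim,P200,view_report
2012-07-12T10:05,rn_ortiz,P200,view_report
2012-07-12T10:30,pa_chen,P200,view_report
"""

def flag_unrelated_access(log_text, care_team, duty_actions):
    """Return log rows where the user had neither a treatment relationship
    with the patient nor a job duty covering that action."""
    flagged = []
    for row in csv.DictReader(io.StringIO(log_text)):
        on_team = row["user"] in care_team.get(row["patient"], set())
        in_duty = row["action"] in duty_actions.get(row["user"], set())
        if not (on_team or in_duty):
            flagged.append(
                (row["time"], row["user"], row["patient"], row["action"])
            )
    return flagged

if __name__ == "__main__":
    # Each printed row is a candidate for privacy-office review, not a verdict.
    for hit in flag_unrelated_access(ACCESS_LOG, CARE_TEAM, DUTY_ACTIONS):
        print("review:", *hit)
```

Checking that a report was signed is allowed for the clerk here, while reading the report itself is flagged, which mirrors the distinction the posters draw between a job duty and curiosity.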