UAB Medicine policy forbids staff from viewing electronic health records (EHR) — including their own — unless the access is directly related to their job.
Typically, violations have been reported to the UAB Hospital Compliance Department and through the Hospital Compliance Hotline, but the process is being automated with FairWarning — software that tracks EHR access in real time and flags potential misuse. Flagged activity is reported to the compliance department, which determines whether the access was appropriate; that review can be completed in a few days instead of a few weeks.
"You wouldn't believe how many people look at their own records — not just once but routinely — and the data show that it impacts employee productivity," said Dave Summitt, chief information security officer for the Health System and UAB HIPAA security officer.
So-called self-snooping isn't prohibited by HIPAA, but it does violate UAB Medicine policy. "Your health records are in the system, but that doesn't give you the right to look at them; they are UAB property," Summitt said.
Mona Jackson, director of Hospital Compliance, said the department takes incidents of self-snooping "very seriously," and she expects a sharp reduction as employees realize access is being monitored.
The software satisfies HIPAA and Meaningful Use requirements for monitoring and reviewing employee access to protected health information. Using database interfaces, FairWarning also can flag instances of employees looking at records for family members, co-workers and neighbors.
To report possible instances of inappropriate EHR access, call the UAB Compliance Office at 975-0585 or file an anonymous report online.