Med Students Violating HIPAA by Tracking Patients on EHRs
Medical students are using hospital electronic health records to track former patients, even though by doing so they are potentially violating the Health Insurance Portability and Accountability Act (HIPAA).
While it is known that the practice occurs, little research has been performed to determine the extent to which EHRs are accessed and the exact reasons why patients are tracked.
In August 2013, Gregory E. Brisson, MD of Northwestern University Feinberg School of Medicine in Chicago, IL and Patrick D. Tyler, MD of Beth Israel Deaconess Medical Center in Boston, MA conducted a survey on 169 students from one academic healthcare center to investigate medical students’ use of EHRs to track patients. The findings of the study have recently been published in JAMA Internal Medicine.
The study revealed that the vast majority of medical students were using EHRs to track former patients. 96.1% of medical students admitted that they had previously used EHRs to track former patients.
92.9% of students said there were educational benefits to be gained from following up on patients’ progress using EHRs. A majority said they accessed the records of former patients to track patient outcomes and to audit their own diagnostic impressions.
More than half of students said they learned how to track patients via EHRs on their own, and in many cases the activity was extracurricular. 17.2% of medical students who admitted using EHRs to track patients said they had ethical concerns about doing so and thought that it may not be appropriate to access the data when they were no longer directly involved in caring for the patients.
However, almost half of the students surveyed failed to distinguish between the accessing of patients’ health records for educational purposes and tracking patients out of curiosity. Many students said they accessed patient data because they liked their patients and were curious about patient outcomes. 39.8% of students admitted accessing the health records of former patients out of curiosity.
HIPAA does permit the use of patient data for educational purposes and quality assurance; however, patient health records cannot be accessed out of curiosity unless prior authorization has been obtained from the patient in writing.
Patients may have no qualms about medical students following up on their progress, but if this has not been authorized in writing it is a violation of patient privacy and a violation of HIPAA Rules.
The researchers point out that the tracking of patients is potentially valuable from an educational standpoint, while in an editor’s note, Rachael J. Stern M.D., pointed out that “when done well, medical student tracking via EMRs can benefit patients”. The researchers and Stern both said the practice raised ethical and privacy concerns. Brisson and Taylor said they were unclear how patients would view the activity. The study was only conducted on one academic healthcare center, although the researchers said there were indications that the practice was fairly widespread.
Taylor suggested “Medical school informatics and EMR curricula need to teach students to engage meaningfully and judiciously with patients’ data.” If the practice is likely to benefit patients or has educational value, the importance of accessing a patient’s health record should be explained and authorization obtained in writing from the patient while they are receiving care. This would prevent any future privacy and HIPAA violations.