Privacy Breach
Patient privacy is deeply rooted in Mayo Clinic values. It’s an expectation by patients. It’s a condition of employment. And it's a legal requirement. Patient care staff have access to private health information as part of their duties and are responsible for protecting patient privacy. Staff should take this responsibility seriously.
Recently, there have been instances in which staff have inappropriately accessed the electronic health record of family members and friends for personal reasons without a signed authorization.
Below are five myths and explanations of why patient information cannot be accessed to satisfy curiosity:
MYTH: I can use the electronic health record to look up a family member’s hospital room number so I can visit.
FACT: You cannot access the hospital census or directory to obtain a relative or friend’s room number. You should use the same procedures as all other visitors. An unexpected visit to a patient room, especially if he or she has requested additional privacy protections for visitors, is a violation of privacy.
MYTH: I’m friends with the person, so I can use the electronic health record to find out how she is doing.
FACT: A relationship outside of work does not give you permission to access the person’s health information. Only a signed authorization grants this type of permission. Often, patients will share their experiences at Mayo Clinic on social media sites. Even if a patient shares his or her story first, you should not connect the patient back to Mayo Clinic through a comment or use the electronic health record to look up his or her status.
MYTH: I am just concerned and wasn’t planning on telling anyone else about the person’s health condition.
FACT: One unnecessary set of eyes on a patient’s record is one too many. Your ability, or inability, to keep a secret does not grant you permission to look at another person’s record.
MYTH: My parent was hospitalized, and I used the electronic health record to review the provider’s notes so I could update the rest of the family.
FACT: Family members, including you, should only get updates from the providers and care team members. You are allowed only the same, limited patient information as all other visitors and family members.
MYTH: I was curious about why my neighbor is wearing a cast, so I looked up his information in the electronic health record.
FACT: Curiosity is not a valid business reason for accessing a patient’s record. If you want to know what happened, you should ask your neighbor.
If it is determined that you have inappropriately accessed patient records, corrective action may be taken. An inappropriate access may not result in corrective action if it is determined to be accidental or inadvertent, or if there are mitigating factors. Cases are reviewed by the Privacy Breach Council to ensure consistency across the institution. The Privacy Office is required to notify affected patients in writing of the privacy breach. Several patients have been notified in recent months as a result of the types of situations described above. On request, patients are provided the name of the staff member who accessed the records inappropriately.