A majority of medical staff surveyed recently said they have accessed an electronic medical record (EMR) system using a password improperly supplied by a fellow medical staffer, and explained that strict confidentiality rules can make it difficult to get the data needed to do their jobs properly.

The survey results are part of the first study to examine EMR access among medical providers. In the study, researchers gathered survey responses from 299 medical professionals, including residents, medical students, interns, and nurses. The research team included researchers from Ben-Gurion University of the Negev, Harvard Medical School, Duke University, Hadassah-Hebrew University Medical Center, and the Interdisciplinary Center in Herzliya, Israel. (The survey results are available online at http://bit.ly/2x2tdiw.)

Nearly three-quarters (73%) of the 299 participants claimed to have used another medical staff member’s password to access an EMR at work, and more than 57% of participants (171 out of 299) estimated they have used someone else’s password an average of 4.75 times.

All medical residents said they had obtained another medical staff member’s password with consent. Within the student and intern groups, 77% and 83%, respectively, used someone else’s access credentials because they said they “were not given a user account.”

In addition, 56% of students and almost 70% of interns cited that their user access had inadequate permissions “to fulfill my duties,” forcing them to ask for someone else’s access credentials. Only half of the nurses surveyed (57.5%) reported using someone else’s password. The researchers offer these recommendations:

• Attaining access credentials needs to be less difficult and time-consuming.
• “Understaffed hospitals, especially during on-call hours, may need to delegate administrative tasks and extend EMR system access to paramedical, junior staff, interns, and students,” they wrote. “Nurses, who generally carry out more precisely defined duties, are more likely to have the EMR privileges they need.”
• “Healthcare organizations should add an option for each EMR role that grants maximum privileges for one-time use only. When this option is invoked, the senior physician and a protected health information security officer would be informed,” the researchers wrote. “This would allow junior staff to make urgent, lifesaving decisions under formal retrospective supervision without having to sneak onto the EMR.”