Do you have firewalls to protect EH records?
Occ med has to ‘break the glass’ for info
Failure to have the right firewalls on your hospital’s electronic medical record (EMR) to protect employees’ health information could be a violation of federal law.
With a push toward EMRs, some hospitals may be tempted to streamline by including their occupational health records with employees’ personal health records. (See HEH, June 2012, p.66.) But the Americans With Disabilities Act (ADA) and Genetic Information Nondiscrimination Act (GINA) strictly limit an employer’s access to personal health information.
“[M]aintaining personal health information and occupational health information in a single EMR, particularly one that allows someone with access to the EMR to view any information contained therein, presents a real possibility that the ADA, GINA, or both will be violated,” Peggy R. Mastroianni, legal counsel to the Equal Employment Opportunity Commission (EEOC), wrote to the American College of Occupational and Environmental Medicine (ACOEM).[1] ACOEM had requested clarification of the use of EMRs to collect both personal health information and employee health records.
Electronic records can improve the flow of information and the practice of medicine, while protecting privacy with firewalls and protections, says ACOEM president T. Warner Hudson, MD, FACOEM, FAAFP, medical director of Occupational and Employee Health at the UCLA Health System and Campus in Los Angeles, CA.
As EMRs evolve, occupational health professionals need to advocate for the proper balance of information sharing and privacy protection, he says. For example, occupational medicine physicians sometimes need to access personal health information — to “break the glass” of the firewall — to treat an employee, he says.
“I worry that administrators, politicians, [and] lawyers may, for all the best of intentions regarding patient privacy, create bulletproof glass that really harms the health of health care workers as an unintended consequence,” he says. “In the course of trying to protect privacy, if we can’t get access to the records we need, it will harm health care workers.”
Fast access after exposures
One of the most sensitive situations involves follow-up to a needlestick. At Ronald Reagan UCLA Medical Center, for example, about one-quarter of exposures involve a patient with a bloodborne pathogen, Hudson says. One in 10 is HIV-positive, he says.
Being able to find out the bloodborne pathogen status of patients from the EMR enables occupational health to start post-exposure prophylaxis quickly — and not to start it unnecessarily. Most hospitals provide a release for patients to sign in the event of a bloodborne pathogen exposure. But hospitals also may act to protect health care workers if the patient was brought in unconscious, says Bill Buchta, MD, MPH, medical director of the Occupational Health Service at the Mayo Clinic in Rochester, MN.
“It’s a public health initiative,” says Buchta. “The threat to the employee is a higher priority than the breach of the patient’s confidentiality.”
Time is of the essence. “I have two hours to put the person on medication before that virus inserts in that employee’s DNA for life,” says Hudson. “I need to know what medications the [HIV-positive] source patient was on because it impacts what I give the exposed employee.”
At the same time, the employee’s privacy should be protected. Employees should not be able to look up a co-worker’s medical record and see that they had an exposure, Hudson says. Firewalls exist to prevent nosy co-workers from looking at medical records and managers from accessing employee health information that they are not entitled to.
EH benefits from EMRs
Often, it is the occupational health physician or nurse who needs to “break the glass” of the firewall and access the employee’s personal medical information. A pop-up box may ask for authorization. For example, the UCLA system tracks everyone who accesses a record (and employees have been fired for unauthorized access, such as perusing a celebrity’s record).
“Twenty times a day, we have to access a personal health record,” says Hudson. “An employee we’re seeing was seen last night in the emergency department. We’ll look in the medical record to see what happened. The X-ray I order goes into the personal medical record, the lab test I order goes into the personal medical record.”
In fact, employees expect occupational health physicians to have access to their medical records, says Buchta. “If it’s a doctor-patient relationship, the provider should have free rein with the EMR, just as a cardiologist would have access to the record to see why the person is having palpitations,” he says. “We’re looking for reasons why a person is not healing as fast as they should or why they responded to a certain medication. That’s what the record is there for.”
Yet in their relationship as employees, health care workers have the same privacy rights as other workers. Just because they visit physicians in the hospital system or have a procedure at the hospital does not make that information available to their managers, says Joe Fanucchi, MD, FACOEM, president of Meditrax, a vendor of occupational health software and electronic medical records.
If you want to view employee medical information, you need to obtain consent, he says. “Hospital employees should have no fewer protections than any other of the hospital’s patients. Anybody who accesses their record needs to have authorization,” he says.
If handled correctly, electronic records can provide greater privacy than paper records, notes Fanucchi. An electronic system can track every user who accesses a record. With paper records, no one would ever know if a curious but unauthorized person opened a file.
1. U.S. Equal Employment Opportunity Commission. ADA & GINA: Confidentiality Requirements (letter), May 31, 2011. Available at www.eeoc.gov/eeoc/foia/letters/2011/ada_gina_confidentrequre.html. Accessed on June 21, 2012.