My boss accessed my medical records without my consent

I was recently hired as a medical assistant for a private practice. I was notified that I would need to submit a urine sample for a pre-employment drug screen. I’m on two controlled substances that I know would show up in my urine.

I went to one of the owners of the practice and was transparent about what would show up in my urine and why. I was instructed to provide a doctor’s note to basically back up my story.

About an hour or two later, I was pulled back into her office and she told me that the other owner of the practice, her husband, accessed my medical records without my consent. Obviously, I was pretty shocked to hear this but I really need this job.

I’m well aware of the fact that this is a massive HIPAA violation but at this point, it’s their word against mine.

Any suggestions would be greatly appreciated because I don’t think there’s much that I can do.

Any access to records is traceable

Hayden said:
Any access to records is traceable

It’s supposed to be “traceable”. But from one breach you can get thousands of access if it ends up in a file somewhere.

Hayden said:
Any access to records is traceable

Not necessarily. Small practices can be exempt and reports in Epic let you bypass tracking.

Greer said:

Hayden said:
Any access to records is traceable

Not necessarily. Small practices can be exempt and reports in Epic let you bypass tracking.

As someone in IT, you can’t just turn off tracking in Epic LOL. That would make the entire system non-HIPAA compliant. You can absolutely trace who is accessing what information no matter what settings you have configured.

@Logan
You are right about it causing issues and I’ve brought it up to my bosses. I used to prepare data dumps for subpoenas out of Epic for a hospital system.

The logging in Clarity doesn’t happen until the chart is opened. Seeing the name on a list doesn’t count as an audit event. Heck, initials are shown on the boards in the ED so everyone walking by can see it without a log.

@Greer

The logging in Clarity doesn’t happen until the chart is opened.

It’s almost certain that the OP’s prospective boss just opened the chart, though, no? It’s not likely they started trying to drill down in reporting workbench because they know it won’t be tracked the same.

They probably just opened the chart, and went into Chart Review, and either pulled up a recent encounter or went into the Meds tab to confirm OP was prescribed what they said they were prescribed.

That’d certainly be logged, and it’s up to OP whether they want the job or they want the user in question to face consequences for violating HIPAA. In practice, it shouldn’t hurt them, but we all know it will.

@Merit
I bet it was just word of mouth.

And frankly, the doc will get a slap on the wrist and OP would be fired. Filing HIPAA doesn’t mean a payout for the patient.

Greer said:
@Merit
I bet it was just word of mouth.

And frankly, the doc will get a slap on the wrist and OP would be fired. Filing HIPAA doesn’t mean a payout for the patient.

Filing HIPAA doesn’t mean a payout for the patient.

Because we’re all faceless names on reddit: I have a decade in patient quality and healthcare IT, I know that. It rarely means a payout… but at least at my organization, a doctor accessing a record of a prospective employee would face far more severe consequences than a slap on a wrist. But then, this might be a small practice and nothing will happen even if the HHS chooses to investigate.

It’s an unfortunate situation, and the ramifications of your employer being able to access your medical records without fear of reprisal are significant: pregnancy, gender, chronic disease discrimination all come to mind.

Greer said:

Hayden said:
Any access to records is traceable

Not necessarily. Small practices can be exempt and reports in Epic let you bypass tracking.

IT would still be able to see that you accessed a report that has their health information on it.

@Tilden
Not with Epic reports. It knows you ran a report but it doesn’t directly link you to a patient record.

We had a problem where someone was outed as trans. No record of the person looking at the chart. But we tracked down that they had built a Workbench report that looked for specific procedure codes. That showed the patient’s name.

@Greer
Small practices aren’t using Epic. I worked for Epic for 5 years. Epic is just too expensive if you’re not a large health system. Most small practices use smaller EMRs like Tebra or Simple Practice.

@Chen
True, we started offering it to small practices. But I worked with practices still on paper. The fine was cheaper than an EMR.

@Greer
But you were able to figure out that they saw the patient’s name through a report. That’s the point I’m trying to make: you can see what report they ran and show that the person’s name and info would appear on that report.

@Tilden
Maybe. If we didn’t have a target person to look at, and the report listed hundreds of people a day, we couldn’t say for sure whether they saw the name or not.

And that isn’t part of the normal audit. Opening the chart triggers a bunch of tracking. Reports do not.
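The gap Greer describes (a chart open is audited, a report run is logged only as "user ran report X") is the kind of thing a privacy officer has to reconstruct by hand. The script below is an added illustration, not code from the thread or from any EMR vendor: it uses a constructed, simplified audit log and report definitions (the field names and codes are made up and do not reflect Epic or Clarity schemas) and flags users who never opened a patient's chart but ran a report whose filter would have listed that patient.

```python
# Added example (not from the thread): correlate chart-open audit events with report runs
# to find "indirect" exposure of one patient's name. All data below is constructed for
# illustration; event types, ids and the report-criteria model are assumptions, not an
# EMR vendor's real schema.
from collections import defaultdict

# Constructed audit events: (event_type, user, object). For CHART_OPEN the object is a
# patient id; for REPORT_RUN it is a report id (the log never names the patients listed).
AUDIT_LOG = [
    ("CHART_OPEN", "nurse_a", "P1001"),
    ("REPORT_RUN", "dr_b", "RPT_proc_99213"),
    ("REPORT_RUN", "dr_b", "RPT_proc_99213"),
    ("CHART_OPEN", "dr_c", "P1002"),
]

# Constructed report definitions: report id -> set of procedure codes the report filters on.
REPORT_CRITERIA = {"RPT_proc_99213": {"99213"}}

# Constructed patient -> procedure codes on file.
PATIENT_PROCEDURES = {"P1001": {"99213", "80307"}, "P1002": {"80307"}}


def direct_viewers(log, patient):
    """Users with a CHART_OPEN event for this patient: what the normal audit shows."""
    return {user for ev, user, obj in log if ev == "CHART_OPEN" and obj == patient}


def indirect_exposure(log, patient, criteria, procedures):
    """Return user -> sorted report ids that would have listed `patient`, restricted to
    users who never opened the chart directly. A hit is a lead for review, not proof
    the user looked at the name; it only shows the audit trail cannot rule it out."""
    direct = direct_viewers(log, patient)
    codes = procedures.get(patient, set())
    hits = defaultdict(set)
    for ev, user, report in log:
        if ev != "REPORT_RUN" or user in direct:
            continue
        # The report lists the patient if any of its filter codes match the patient's codes.
        if criteria.get(report, set()) & codes:
            hits[user].add(report)
    return {user: sorted(reports) for user, reports in hits.items()}


if __name__ == "__main__":
    print(direct_viewers(AUDIT_LOG, "P1001"))
    print(indirect_exposure(AUDIT_LOG, "P1001", REPORT_CRITERIA, PATIENT_PROCEDURES))
```

As the thread notes, a report that returns hundreds of names a day produces a hit for every one of them, so this narrows the review to "who could have seen it" rather than proving who did.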

@Greer
It sounds like in this case, they would be able to find that though.

@Tilden
If it’s a small practice and they outsource IT stuff, it’s very possible those controls are not in place.

Jordan said:
@Tilden
If it’s a small practice and they outsource IT stuff, it’s very possible those controls are not in place.

Hell, I’ve worked with small practices whose “charts” were a Windows folder with the patient’s name, stuffed with MS Word files and PDFs.

Small practices can be janky af.

@Marlow
Yeah I’ve seen it, dentists etc.

Jordan said:
@Tilden
If it’s a small practice and they outsource IT stuff, it’s very possible those controls are not in place.

Wouldn’t they be non-compliant at that point?