Don’t Access That Medical Record If You Don’t Have To

Johns Hopkins’ electronic medical record system, Epic, houses almost 6 million patient records that contain personal and sensitive medical information. If an employee attempts to access one of those medical records inappropriately, it’s considered a violation of the confidentiality of that patient’s personal information under the Health Insurance Portability and Accountability Act (HIPAA). And violations can result in psychological, reputational, and financial harm to the patient.

Employees may be violating patient privacy. To help ensure all patients’ medical records are protected, the Johns Hopkins Privacy Office uses a monitoring system, Protenus, which notifies the Privacy Office when someone tries to access, share or request a patient record for non-work-related purposes.

On average, Protenus analyzes over 30 million accesses to Johns Hopkins Epic records per day. According to Kate Denton, privacy compliance analyst for the Privacy Office, since her team began using the system two and a half years ago, it has substantially improved the way they keep track of access to electronic medical records.

“Since we’re able to proactively monitor access in real time, each time an access appears to show activity that is not necessary to perform a job duty, Protenus creates a case that is forwarded to the Johns Hopkins Privacy Office for investigation,” Denton says.

On average, the Johns Hopkins Privacy Office receives and investigates about 20 to 40 cases per month. To date, the Privacy Office has identified 237 violations, many of which resulted in disciplinary action, including termination.

The Privacy Office reports seeing many types of violations, such as employee attempts to access the records of VIPs, co-workers and family members, as well as any generally suspicious access.

One of the most important benefits of Protenus, Denton says, is that it helps Johns Hopkins identify potential breaches before a serious event can occur.

For additional information and guidance on specific topics related to accessing protected health information in Epic, visit the Johns Hopkins Privacy Office intranet site at intranet.insidehopkinsmedicine.org/privacy_office/.