Don’t give employees unrestricted access to medical records

Xixinxing/Adobe Stock

I recently assisted a physician being audited by state investigators. We worked together to gather the medical records, then briefly reviewed them for completeness and content. They appeared to be quite thorough.

However, when we were ready to submit the records, the physician asked me to make a note in my cover letter that some of the records were unreliable because:

• employees had ordered their own blood tests,

• employees had ordered their own prescriptions, and

• certain patient records were individuals who had a medical record but were never actually a patient.

I was shocked. His request was a revelation: It showed how little control some physicians exercise over their practice and employees.

Employees’ roles in the practice is that for which they are hired, licensed, and trained. All employees should be trained in HIPAA, and they must only have as much (read: password controlled) access to the practice’s record system as necessary to perform their job. Employees with access greater than their role or employees who accesses records outside of their role (e.g., to view their own or others records) puts themselves-and the practice-in violation of HIPAA.

The practice’s information technology (IT) system should track who has engaged in certain activities within a practice. The practice should be able to see who creates a patient record or orders a test. Practicing medicine in accordance with HIPAA requires appropriate IT technology and a willingness to train and enforce HIPAA compliance. Sharing passwords and engaging in inappropriate activity should be grounds for discipline or termination under the practice’s HIPAA policies.

My client’s situation also raises non-HIPAA legal issues. A non-licensed employee who orders lab tests in a physician’s name is effectively misusing the physician’s identity, practicing without a license, and ordering tests or prescription for which there is arguably no medical necessity, which may be a false insurance claim. Moreover, such occurrences raise questions about who is reviewing the test results and raises the physician’s liability for tests ordered in his name that he never reviewed or, worse, may not know about.

Allowing employees to order prescriptions for themselves or others, unless at the request of the physician, also creates additional risk and liability. Payers require medical necessity in order to cover prescriptions. Should absence of necessity go unnoticed, the physician is still liable for any drug interactions, possible contraindications, and misuse/abuse of drugs. This is particularly true of opioids.

Physicians who allow this type of activity to occur in their practice are negligent and put their license and Drug Enforcement Administration (DEA) registration at risk. This type of employee conduct is also potentially criminal and should be reported to police and the DEA. My client did file police reports but the fact that multiple employees engaged in such conduct over time reveals much about lax practice policies.

Although this is an extreme example, this kind of conduct happens in many practices. Often, physicians are unaware or turn a blind eye to these behaviors. Changing practice policies and procedures may be a hassle and time consuming, but they are necessary. Installing appropriate IT safeguards, enforcing HIPAA, and employing mechanisms to review prescriptions and tests can save a physician’s practice-and his career.

Ericka L. Adler has practiced in the area of regulatory and transactional healthcare law for more than 20 years. She represents physicians and other healthcare providers across the country in their day-to-day legal needs, including contract negotiations, sale transactions, and complex joint ventures. She also works with providers on a wide variety of compliance issues such as Stark law, Anti-Kickback Statute, and HIPAA. Ericka has been writing for Physicians Practice since 2011.