This question is essentially about right and wrong. Unless there is a clear need for a QI to access patient information, then he or she shouldn't. Period. If the QI is conducting an investigation, driven by either an incident or as part of a process improvement initiative, then it might be acceptable. However, the patient should be notified ahead of time, and give his or her permission to proceed.
Yes, that's a hassle. And yes, it's possible to structure the HIPAA notification to allow access to the patient's data under certain circumstances. But that doesn't make it ethically right. The question is: What's best for the patient? Would he or she want a QI rummaging through his or her data? Probably not.
This was first published in July 2008