Who has rights to patient information under HIPAA?

Under HIPAA's guidelines, it can be hard to tell who should have access to what information. So who makes the call? Security management expert Mike Rothman explains.

I work as the Nursing Quality Improvement Coordinator for a hospital. Our HIPAA coordinator has told me that I have no right to access patient files. As the Nursing QI, I do investigate incident reports, and of course we collect data for compliance with CMS control monitoring. Do I have the right to patient information as a QI person?

There is no simple answer to that question. HIPAA is pretty nebulous about who should access specific types of data, so that really puts the decision in the hands of whichever auditor shows up to evaluate the controls and processes that protect patient data.

This question is essentially about right and wrong. Unless there is a clear need for a QI to access patient information, then he or she shouldn't. Period. If the QI is conducting an investigation, driven by either an incident or as part of a process improvement initiative, then it might be acceptable. However, the patient should be notified ahead of time, and give his or her permission to proceed.

Yes, that's a hassle. And yes, it's possible to structure the HIPAA notification to allow access to the patient's data under certain circumstances. But that doesn't make it ethically right. The question is: What's best for the patient? Would he or she want a QI rummaging through his or her data? Probably not.

This was last published in July 2008
