Patient privacy reminder

A patient privacy reminder from John Hart, Chief Compliance Officer for UNC Health Care.

In a continuing effort to protect our employees and patients, we have increased the level of auditing of staff accesses into patient records. As we move forward we will expand our auditing to include a combination of automated and manual audits which are designed to identify inappropriate accesses.

We would like to remind you of how to properly access patient records:

  • Employees and physicians should only access medical record information as necessary to perform their job-related functions.
  • Employees and physicians should likewise not discuss medical information except as necessary to perform their job-related functions. FYI, the following data elements are defined as Protected Health Information (PHI) by the Privacy Rule:
  1. Name
  2. Address elements smaller than state (street address, city, county, precinct, zip code, other geocodes)
  3. Date Elements (excludes year but includes birth date, admission and discharge dates, date of death, ages over 89)
  4. Telephone Numbers
  5. Facsimile Numbers
  6. E-mail Addresses
  7. Social Security Numbers
  8. Medical Record Number
  9. Health Plan Beneficiary Numbers
  10. Account Numbers
  11. Certification/License Numbers
  12. Vehicle Identifiers and Serial Numbers including License Plates
  13. Device Identifiers and Serial Numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) Address Numbers
  16. Biometric Identifiers (including finger and voice prints)
  17. Full Face Photographic Images and any Comparable Images
  18. Any other Unique Identifier Number, Characteristic, or Code
  • Do not leave an unattended work station logged on. Any access from an employee or physician login will be attributed to that individual, so logging off before walking away from computers is important.
  • If a friend or family member asks you to look into his/her record, or to provide information and feedback that would require access to his/her information, you must have a signed authorization on file in Medical Information Management before using your access to view patient records.
  • Patients have the right to “opt out” of patient listings that are typically available at the information desk. If the patient “opts out,” we may not even acknowledge that the patient is here. Individuals using WebCIS or other operational/clinical systems to look up a patient room number may be interpreted as violating a patient’s privacy if the patient has opted out of patient listings.
  • An assistant looking up information for a physician, administrator, or supervisor may also violate the patient’s privacy if the reason for the access is not related to treatment, payment, or health operations.
  • In order to access their own medical record information, employees and physicians must contact Medical Information Management and obtain access authorization. Although accessing one’s own medical record is not a Privacy Rule violation, it is a violation of UNC Health Care policy if the procedure for doing so is not observed.
  • Disciplinary action may result from violating these policies. If you have questions or are unsure whether you should access an account, review the situation with your supervisor/manager.


Please remember that a violation of a patient’s privacy can also result in a violation of the North Carolina Identity Theft Protection Act. We would like to thank all employees and physicians for your continuing efforts to protect patients’ privacy.
