Health system leaders can expect that many of their physicians, C-suite executives, nurses and other employees—and their close family members—will receive their own health care at hospitals and clinics within the organization.
That results in those employees’ sensitive health information being contained in the health system’s EHR that co-workers are able to access.
To ensure that no one improperly accesses that information, health systems can ask EHR vendors to turn on “break-the-glass” EHR functionality. That functionality includes requiring an EHR user to enter additional authentication information and documentation of a specific reason for accessing a patient record before being granted access to a patient chart. A designated security or compliance staff member then tracks and monitors each time that health record is accessed.
But do privacy regulations really require health systems to create these additional steps and administrative burdens for all employees?
No.
Patient data security should be a top concern for all health systems, but the HIPAA privacy rule does not specifically require that health care organizations universally apply restrictive “break-the-glass” EHR functions for others to access records belonging to employees or their immediate family members.
The AMA is spreading that message through its “Debunking Regulatory Myths” articles, which provide clarification to physicians and their care teams in an effort to reduce the administrative and other burdens that divert doctors’ attention from the delivery of patient care.
“By de-implementing universal heightened restrictions for health-system employee patient records that require the use of a ‘break-the-glass’ function to access those records—and only enabling this feature for those who have requested such restrictions—health care organizations can increase efficiency for physicians and other clinicians treating those patients,” the AMA explains.
The series is part of the AMA’s practice-transformation efforts and gives physicians and their care teams resources to reduce guesswork and administrative burdens so their focus can be on streamlining clinical workflow processes, improving patient outcomes and increasing satisfaction.
From AI implementation to EHR adoption and usability, the AMA is fighting to make technology work for physicians, ensuring that it is an asset to doctors—not a burden.
What privacy is required?
Employees can request extra restrictions be put in place for others in the organization to access their medical records, but a health system does not have to automatically apply those restrictions for all of their employees.
No matter what, though, “HIPAA does require health care organizations take reasonable steps to ensure patient information is only accessed when, and by whom, it is necessary to provide care or services,” the AMA explains. That requirement is in place for all patients, whether they are employed by the health system or not.
Instead of applying “break-the-glass” restrictions universally, health care organizations should aim to balance protecting sensitive health information with workflow efficiency.
To strike that balance, health care organizations should:
- Explore ways to provide safeguards that don’t create unnecessary administrative burdens.
- Consider restrictions that the state where they are operating may place on health records to ensure that information remains protected.
- Consider how some federal restrictions, such as those regarding records related to substance-use disorder, should factor into restrictions on health records.
Universal restrictions “can create unnecessary onerous steps and inefficiencies for clinicians treating patients who work in the health system,” the AMA says. “Over the course of a patient’s time with a health system, this extra effort of validation can take a clinician’s time away from other important patient-facing tasks.”
Meanwhile, “break-the-glass” protocols can be effective when sensitive patient information is shared outside of the health system or accessed in certain environments, such as an external emergency department. In these situations, those who are not affiliated with the health system are required to document a clinical reason before accessing the restricted records.
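The access-control pattern described above (a documented reason plus audit logging for restricted charts, enabled only for patients who have requested it, with the ordinary “minimum necessary” check applied to everyone else) can be sketched in code. The following is an added illustration, not code from the AMA or from any EHR vendor; the record identifiers, care-team assignments and the `EhrAccessPolicy` API are hypothetical sample data constructed for the example.

```python
"""Opt-in break-the-glass access check with an audit trail (added illustration).

Hypothetical policy layer in front of an EHR record store. Heightened
restrictions apply only to patients who opted in; every other chart is
governed by the ordinary care-team ("minimum necessary") check. Each touch
of a restricted chart needs a documented reason and is logged for review by
the designated security or compliance staff member.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


class AccessDenied(Exception):
    """Raised when a chart access fails a policy check."""


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    patient_id: str
    reason: Optional[str]
    outcome: str  # "granted" or "denied"


@dataclass
class EhrAccessPolicy:
    # patient_id -> users on that patient's care team (constructed sample data)
    care_teams: Dict[str, Set[str]]
    # patients who asked for heightened restrictions (opt-in, not universal)
    restricted_patients: Set[str] = field(default_factory=set)
    audit_log: List[AuditEvent] = field(default_factory=list)

    def request_restriction(self, patient_id: str) -> None:
        """A patient (employee or not) opts in to break-the-glass protection."""
        self.restricted_patients.add(patient_id)

    def _log(self, user: str, patient_id: str, reason: Optional[str], outcome: str) -> None:
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, patient_id, reason, outcome))

    def open_chart(self, user: str, patient_id: str, reason: Optional[str] = None) -> dict:
        """Return the chart if policy allows; otherwise raise AccessDenied.

        Non-restricted chart: care-team check only (still logged).
        Restricted chart: care-team check plus a non-empty documented reason.
        """
        if user not in self.care_teams.get(patient_id, set()):
            self._log(user, patient_id, reason, "denied")
            raise AccessDenied(f"{user} is not on the care team for {patient_id}")
        restricted = patient_id in self.restricted_patients
        if restricted and not (reason and reason.strip()):
            self._log(user, patient_id, reason, "denied")
            raise AccessDenied("restricted chart: a documented reason is required")
        self._log(user, patient_id, reason, "granted")
        return {"patient_id": patient_id, "restricted": restricted}

    def restricted_accesses(self) -> List[AuditEvent]:
        """Events the compliance reviewer tracks: every attempt on a restricted chart."""
        return [e for e in self.audit_log if e.patient_id in self.restricted_patients]


def access_outcome(policy: EhrAccessPolicy, user: str, patient_id: str,
                   reason: Optional[str] = None) -> str:
    """Return 'granted' or 'denied' instead of raising, for demonstrations."""
    try:
        policy.open_chart(user, patient_id, reason)
        return "granted"
    except AccessDenied:
        return "denied"


def build_sample_policy() -> EhrAccessPolicy:
    """Constructed sample data: two employee-patients, one of whom opted in."""
    policy = EhrAccessPolicy(care_teams={
        "emp-nurse-01": {"dr-smith", "rn-jones"},   # hypothetical identifiers
        "emp-exec-02": {"dr-smith"},
    })
    policy.request_restriction("emp-exec-02")  # only this employee asked for restrictions
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    print(access_outcome(p, "dr-smith", "emp-nurse-01"))                 # no extra step
    print(access_outcome(p, "dr-smith", "emp-exec-02"))                  # missing reason
    print(access_outcome(p, "dr-smith", "emp-exec-02", "pre-op consult"))
    for e in p.restricted_accesses():
        print(e.timestamp, e.user, e.patient_id, e.reason, e.outcome)
```

The point of the design is the scope of the extra step: the care-team check and the audit log cover every patient, while the documented-reason prompt fires only for charts in `restricted_patients`, so clinicians treating employee-patients who never opted in see no additional friction.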
Earn CME credit
Learn more with the “AMA Debunking Medical Practice Regulatory Myths Learning Series,” which is available on AMA Ed Hub™ and provides regulatory clarification to physicians and their care teams. For each topic completed, a physician can receive CME for a maximum of 0.25 AMA PRA Category 1 Credit™.
Physicians who would like clarification about a potentially misinterpreted rule or regulation that has burdened them or their care team are encouraged to email the AMA’s experts, who will research the matter. If the concern turns out to be a bona fide regulation that unnecessarily diverts physicians’ time and focus away from their patients, the AMA can advocate for regulatory change.