Accessing electronic health records in a hospital setting
The Inquiry Committee recently considered a complaint alleging that a physician had improperly accessed the electronic health record (EHR) of a patient he was not treating. The health authority provided an audit log which appeared to show that the physician had accessed the patient’s records during a visit to the hospital’s emergency department.
The health authority’s investigation also found that because the computer system was very slow, hospital staff considered it acceptable to share computer terminals. One physician would log into the system for an entire shift, and others would access patient records under the identity of their logged-on colleague. While the practice was intended as a reasonable solution to increase workflow, the result was clearly problematic as the audit log did not accurately document those who had actually accessed the patient’s record.
In this case, the patient believed that his privacy had been intentionally breached. For a number of reasons, this was considered unlikely, but definitive resolution was not possible.
The practice of always logging in under one’s own name before accessing records is imperative for patient privacy protection, audit process integrity and accurate reflection of legal responsibility for the EHR content. Potential risks of using a colleague’s identity include patient distress, damaged relationships, an investigation by the health authority, a complaint to the College, or other serious legal consequences. Unauthorized access to patient records may be characterized as serious professional misconduct and may trigger disciplinary or legal action against the offender.