- Who will be audited? Everyone who uses EPIC.
- Does an audit “alert” mean that I have violated HIPAA? No, audit alerts only show that someone accessed a record. An alert raises the question “Was the access required or permitted for work-related purposes?” It triggers a review and potentially an investigation. Disciplinary action will only be taken if the investigation reveals that the access was inappropriate in accordance with the Institutional Handbook of Operating Policies (IHOP) 11.1.17 Sanctions for Privacy and Security Violations.
- How will I know if I have been audited, and do I have to prove that my access was work related? Any audit report that indicates possible unauthorized access will be followed up with a thorough review process and potentially an investigation. Your manager will be contacted as part of the review process, and you may be asked about the circumstances and intent surrounding the access.
- Does the fact that I printed something show up in an audit? Printing is captured in the EPIC audit trail. It might not be the basis for a privacy monitoring auditing alert, but it may be helpful in determining why a record was accessed.
- What factors will be considered in deciding what disciplinary action should be applied? The facts and circumstances of the inappropriate access will be considered in accordance with the Institutional Handbook of Operating Policies (IHOP) 11.1.17 Sanctions for Privacy and Security Violations. The effect of any unauthorized access on patient care, the risk of harm, as well as the reason for the access, the amount of data accessed, and whether there are previous violations, will be considered, among other factors.
- Can I use EPIC to look up my own appointment time, dates, locations, and/or insurance coverage, labs, etcetera? No. Your EPIC login and security level are for usage related to the performance of your specific job duties. The MyChart portal has all necessary information about your appointment time, dates, locations, and/or insurance coverage, labs, and more. More information about MyChart can be found here: https://www.uthscsa.edu/patient-care/physicians/mychart.
- Can I use EPIC to look up the appointment times for my small child (under 13) or my teenage child? Direct access to children’s records by using EPIC is prohibited. This is true even if you have a legal right to access such information because you are the child’s parent or guardian. If your child is age 13 or under, you may access their information via the MyChart Proxy portal.
- Can I use EPIC to look up the appointment times for: My spouse? An adult family member? My friends, per their request? No. Direct access to these records using EPIC is prohibited. This is true even if you have a legal right to access such information, for example, through a power of attorney, or conservatorship. The better practice is to access appointment information via the MyChart portal.
- What do I do if my child, spouse, parent, coworker, next door neighbor or friend comes to my department for treatment? Follow your department’s policies and procedures, which might or might not prohibit your access to such records. Speak to your supervisor for further guidance, which may vary depending on your department.
- What should I do if a coworker asked me to pull up their record so that it does not show up on their audit trail? Unless accessing a coworker’s record is required or allowed for the performance of your specific job, you should not do so. If you do access a coworker’s record, even at their request, you will be subject to possible disciplinary sanctions in accordance with the Institutional Handbook of Operating Policies (IHOP) 11.1.17 Sanctions for Privacy and Security Violations.
- If I access a coworker’s or other record by mistake, should I tell my supervisor, in the event of an audit? No, back out of the record as soon as you realize that you were in the wrong record.
- How is “coworker” defined for the purposes of this audit? Coworkers include people who work, or have worked, in your department or section, at any level. This also includes UTHSA faculty and staff, and other departments, with whom you have regular contact. This could either be through close physical proximity or because of the nature of your job.
- If an immediate family member asks me to confirm a prescription drug and/or dosage they are taking, to check on a medication that has been ordered, or to provide results of a lab test, can I access the record to review and relay that information to them? No. Access should be limited to your specific “need to know” to carry out your specific job duties within your department. They can access their own record to see this information via the MyChart portal.
- If my friend or neighbor is sick and asks for my advice or help in understanding their medical condition, can I access their record to view their diagnosis and treatment plan? No. Your friend or neighbor can access their own information via the MyChart portal. From there, they can print diagnosis and treatment plan information and share it with you, if they deem necessary.
- What happens if I view my own record? It is against UTHSA policy to review your own record through EPIC. Instead, you should use your MyChart portal to review your own record. If you’ve viewed your own record through EPIC, it may lead to disciplinary action in accordance with the Institutional Handbook of Operating Policies (IHOP) 11.1.17 Sanctions for Privacy and Security Violations.
Managers: Did you receive an Investigation Review?
Click here for the Investigation Reviewer Guide.