Q&A: Accessing information for friends and family members

June 7, 2018

Q. Is it acceptable for front office staff at a physician office to make appointments for their friends and family members, check records, lab results, etc.?

A. Yes, as long as the duties are fully job related, it is acceptable. When a staff member schedules an appointment for a friend or family member, or checks a family member’s records or lab results, it is important to fully document that the staff member is accessing only the information necessary and only doing so to perform a specific job-related activity. Access must meet the minimum necessary standard laid out in the HIPAA Privacy Rule. If a front office staff member is assigned to provide lab results to patients over the phone, accessing the lab results would be acceptable. On the other hand, if this is not part of the staff member’s duties, it would not be acceptable. For example, if a staff member at the office is not assigned to answer phones or report lab results to patients, it is not acceptable for that staff member to check a friend’s record if the friend calls and asks about her lab results. Doing so would mean the particular staff member was not acting within assigned duties. The staff member should instead direct the friend to the individual assigned to look up lab results for patients.

To enforce this rule, document and communicate to staff what is not considered acceptable. The rule should be documented in policy and communicated widely within the organization.

Editor’s note: Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at nvotta@hcpro.com.