Medical center reinstates commitment to employee privacy

By Kristen Holland Shear

Employees who seek medical care at UT Southwestern University Hospitals & Clinics should rest assured that multiple safeguards — and penalties — are in place to prevent personal health information from being accessed inappropriately, said Cynthia Snyder, HIPAA privacy officer in the Office of Compliance.

“Individuals are permitted to access only what’s absolutely necessary to do their job,” Ms. Snyder said. “When we find someone who has breached these policies and procedures, we’re required by federal law to take some form of disciplinary action.”

Related Link: UT Southwestern employees can keep track of their medical records online. To do so, go to and follow the instructions.

While many employees do have access to patient medical records, the type and amount of information each person is authorized to view is restricted because of the Health Insurance Portability and Accountability Act of 1996, or HIPAA.

Ms. Snyder said employees who access colleagues’ medical records for inappropriate reasons have been and will be terminated.

“This is a matter that we take very seriously,” she said.

During August and September, Ms. Snyder said, six employees were terminated for inappropriately accessing medical records and two resigned rather than be terminated. Investigators determined that there was no inappropriate access in eight other complaints reviewed in September, but another eight complaints remain pending.

Ms. Snyder said excuses for looking at a colleague’s personal medical records have run the gamut from someone wanting to know a colleague’s birthday so they could send a card to simple curiosity about why someone is out sick.

One recent example involved an employee who accessed a colleague’s medical records to confirm that the individual was sick and had a doctor’s appointment.

Ms. Snyder said the medical center’s safeguards exceed HIPAA requirements. For example, while federal law requires that UT Southwestern keep track of who accesses patient records, the institution is not required to let patients monitor their own records.

“Although it’s not required, we allow employees who are patients to run audit trails on their own files,” she said, “and we encourage employees to run their own audit trails.”

Although an audit trail doesn’t report when or why someone accessed a file, it does provide a complete list of people who accessed an individual’s medical record.

“If you see something on there that seems suspicious or someone you think shouldn’t have had access to your file, then you can contact my office and we will run a report to see specifically what has been accessed, by whom and when,” Ms. Snyder said. “We then do an investigation to determine why the file was accessed.”

All patients may request an audit trail if they suspect someone accessed or is accessing their files inappropriately.

Protecting patient privacy is a serious issue, and those caught breaking the rules are undermining the entire system, Ms. Snyder said.

“They’re taking unfair advantage of information that they have access to,” she said.

Although all employees must complete privacy and security training when they are hired and every year thereafter, Ms. Snyder said the only surefire way to guarantee a successful operation is by continuous self-policing.

“If you know of someone in your department who is accessing co-workers’ records for nonwork-related purposes, we need to know about that,” she said. “It’s both a legal and an ethical issue for that employee.

“UT Southwestern takes patient privacy very seriously, no matter who the patient is.”