Confidentiality, Electronic Media, and Protected Patient Information

Required Guidelines: HIPAA and Electronic Medical Record Access

  • Health Insurance Portability and Accountability Act (HIPAA): Students must be knowledgeable about and abide by HIPAA policies. This includes the related Columbia University Irving Medical Center (CUIMC) and NewYork-Presbyterian Hospital (NYPH) HIPAA IT Security policies.
  • Access to Electronic Medical Records (EMRs): Access to health information is highly regulated by laws, including HIPAA, which applies to Protected Health Information (PHI). PHI includes all medical, social, demographic, laboratory, imaging, and other data in the electronic medical records systems at hospitals, ambulatory care centers and other healthcare institutions. These laws carry civil and, for some forms of violation, criminal penalties for individuals who break them, as well as sanctions and penalties for institutions that fail to protect health and personal information.

CUIMC has a policy to protect patient privacy. This policy requires education of students, employees, and professional staff about related laws, as well as procedures and safeguards to ensure compliance. The underlying ethical principle of the policies and laws is simple: use of protected information is based on a need to do so, whether the need arises from the care of patients or the business of managing that care. Students are permitted to access patient EMRs and other Protected Health Information for patients they are following, cross covering or have directly encountered with their team as part of their clinical clerkships, selectives and electives. They are permitted continued access after the patient is discharged from the hospital or transferred to another service, or when the student rotates off service, as part of the student’s medical education at Columbia University Vagelos College of Physicians and Surgeons (VP&S). Access for any other reason is unprofessional, unethical and illegal. Any attempt to access patient information without the need to know will be dealt with severely, including termination of matriculation at VP&S. If a situation arises about which a student is unsure, he or she is encouraged to discuss it with the supervising attending or with the course director.

Access to WebCIS/Eclipsys, the NYPH electronic medical record, is not permitted without appropriate HIPAA training beforehand. When a student is provided with an access code for WebCIS/Eclipsys, they sign a legal document that states they will use this information only to provide patient care and in the context of the need to know. At CUIMC, there is a specific computer screen which appears when an individual attempts to access information about a patient who has a special relationship to the institution. That screen must be overridden to continue in the quest of information. If an individual overrides that screen without the need to know, they have breached the privilege granted them.

  • Access of Data for Research: An important exception to the regulations outlined above is research data. Research data should always be accessed under an approved IRB protocol to which the student needs to be specifically named. These data are usually, although not always, de-identified (coded), depending on the context of the research.
  • Passwords: Students must not share their WebCIS/Eclipsys or CROWN password with anyone else and must not use another person’s password, under any circumstance. Students will be held accountable for any breaches that occur using their password. Some of the most serious problems that have arisen have occurred because of password sharing. Every access to a patient record is recorded and systematic audits are conducted that are directed in part at flagged (“VIP” or employee or student) records but extend to all records. Breaches may under law be reportable to the government and to the patients involved.

Required Guidelines: Student Entries into the Electronic Health Record

The guidelines below address some common issues that students encounter when given access to computer-based clinical data, but do not cover all possible situations. When in doubt, students should ask the course director how to handle a specific situation.

Writing Requirements and Use of Copy and Paste: Students are expected to enter notes on the patients they are following in their clinical rotations. NYPH policy states that all student notes must be read, corrected and co-signed by a resident or attending physician within 24 hours.

Creating an electronic medical record that facilitates excellence in patient care, meets requirements for billing compliance, and constitutes a suitable legal record requires attention and vigilance. Legal, ethical, and billing compliance principles that apply to electronic documentation are no different from those governing traditional handwritten notes. However, there are two fundamental differences between the paper record and the electronic health record (EHR). First, EHRs have built in “support tools” like copy forward that can be simultaneously helpful and dangerous. Second, EHRs have audit logs that track every keystroke.

  1. Notes should be concise, accurate, non-redundant, and easy to read.
  2. Notes should emphasize what took place on the day of service.
  3. Special emphasis should be placed on the discussion and plan portions of the note to clearly communicate the clinical reasoning behind the plan for diagnostic work up, or the pros and cons of particular treatment decisions.
  4. “Copy and paste” and “copy forward” should be used with extreme care:
    1. Copying and pasting text without attribution from another provider (most egregiously, another’s HPI, but including, for example, a radiology report without attribution) is plagiarism and from a billing perspective, fraud.
    2. It is acceptable in some settings to copy forward lists (e.g. problems, allergies, medications, social history items) as long as they are always reviewed and updated and do not clutter the note. Bringing forward previous history critical to longitudinal care is encouraged, so long as it always reviewed and updated. To copy forward other elements of history, physical examination or formulations is risky, as errors in editing may jeopardize the credibility of the entire note.
    3. Copying and pasting laboratory and radiology reports should be avoided. Important results should be noted, interpreted, and any actions taken should be documented. Wholesale importation of information readily available elsewhere creates clutter, is unnecessary, and may adversely affect physician-to-physician communication.
  5. Notes must only be entered in the EHR. Using any non University or Hospital supported system (such as Google docs or Gmail) for composing notes or communicating patient information is a violation of University policy and jeopardizes patient privacy.
  6. Providers are required to author their own notes. EHR’s permit multiple providers to co-author a given note if they are jointly providing a given service, but the attending physician must review, contribute their own content, and sign as the ultimate owner of each note for their patients. Providers must never share their password and never edit or otherwise change the content of another provider’s EHR note if they were not involved in providing that particular service.
  7. Timely completion of medical record entries is required. Attending linkage/attestation statements should be done within 24 hours of the resident notes to which they are linked. Attestation statements for some procedures require specific statements regarding attending presence or involvement.
  8. Providers should sign and finalize their notes within 24 hours of the service rendered, unless the provider is waiting for transcribed dictations to return for verification. Transcriptions from dictations should be reviewed within 48 hours, followed by making the note “final”. No charges should be dropped without a signed note.
  9. Once a note is finalized, an addendum can be added to document additional clinical information. An addendum should never be added for billing purposes alone.
  10. All health record documentation can be read by others and audited and should be written accordingly.

Following these guidelines will help to ensure safe and effective documentation practices that serve patients well, enable robust communication and care coordination, and protect providers from professional liability.

Order Writing Policy: NYPH policy states that medical students cannot practice medicine and therefore, are not permitted to order medications, and/or any medical treatments or regimes. Orders via the electronic system may not be entered by a medical student using the password of the graduate staff member or attending who is the authorized user. Unauthorized or improper use of the system or the information in it may result in dismissal and civil or criminal penalties. Students must never give verbal orders.

While these policies have been developed specifically in collaboration with NYPH, they pertain to student activities at all other sites.

Required Guidelines: Other Electronic Media Confidentiality and Security

Students are responsible for the security of confidential, sensitive and protected patient information (digital and paper-based), and are prohibited from posting images or other patient information on social networking sites or anywhere else on the internet.

  • Social Networks: Students must be knowledgeable about and abide by the CUIMC Guidelines for Social Media.
  • Secure Email: Students must use only Columbia University email systems for patient and Columbia matters and must not auto-forward Columbia University email to Gmail or other unapproved and unsecure email systems.
  • Devices: Students must encrypt portable devices (e.g., laptops and USB drives, etc.) used to store patient or individual research data, and encrypt data files with Protected Health Information (PHI) if stored on a portable device that is not encrypted.
  • Photos: Students must not take photos or videos of patients except for purposes of documentation in the medical record, and then, only with prior written consent of the respective institution and when possible, of the patient. Such images may not leave CUIMC on a student’s electronic device and may not be transmitted in any way other than from one approved email system to another approved email system and only to those caring for the patient.
  • Use of Electronic Devices in Classroom and Clinical Settings: Professional behavior in medical school includes the expectation that students demonstrate their undivided attention when rounding, at the patient bedside, and in didactic sessions. Cell phones, laptops, and other electronic devices can provide a student with access to up to date information related to classroom material and patient care. However, use of these devices must be limited so as to not interfere with lectures, patient care delivery, and team discussions. Students are expected to use judgment when using these devices.

Required Guidelines: Copyright & Network Use

  • Copyright: Copying, storing, displaying or distributing copyrighted material using University systems or networks without the express permission of the copyright owner, except as otherwise allowed under the copyright law, is prohibited. Under the Federal Digital Millennium Copyright Act of 1998, infringements of copyright by a user can result in termination of the user’s access to University systems and networks.
  • Network Use: In addition to copyright violations, file sharing programs consume substantial bandwidth drawn on the CUIMC network. Since the network’s goal is to serve the needs of the hospital, research and teaching, including the NYPH WebCIS (Web-based clinical information system), vital in the delivery of health care, bandwidth consumption from non-essential sources delays and can compromise patient care, research and teaching. Unhindered network connectivity to conduct everything from scientific data searches to the running of video conferencing is essential. File sharing copyrighted material from unauthorized sources is unethical and against the law, and compromises the security of the source computer and increases the vulnerability of the University network to hackers. Breach of Columbia University policy will result in immediate disconnection of the I.P. of the offending party.