Vital patient record rules go into effect November 1

New feature monitors “self, friends and family” medical record access

Did you know that accessing your own medical record or viewing the medical record of someone you know (friend, family, colleague, acquaintance, etc.) without an authorized need is one of the most common violations of patient privacy?

This type of activity—referred to as “self, friends and family” access—can harm the authenticity of important patient information and interfere with your ability, or the ability of your friend or family member, to receive the best care. Even if you’re acting with the best intentions, using Cerner, Epic, PACS or any kind of electronic medical record (EMR) system to view patient information without an authorized need is a violation of HIPAA laws and must be reported.

On November 1, 2018, the IU Health Privacy Office will activate a new security feature to detect this type of activity. This new feature is a part of Haystack—a tool launched in February 2018 as an added safeguard to help keep patient information confidential and secure through tracking EMR activity. If Haystack flags out-of-the-ordinary behaviors based on team members’ previous activities, job codes and other factors, the Privacy Office is alerted to investigate.

Five reasons to think twice

If you have access to Cerner, Epic or other systems containing patient information, you should avoid:

  1. Looking at your own record
  2. Looking at records of family members, friends, neighbors, coworkers or other personal contacts without a legitimate business need
  3. Looking at records of celebrities or people who have been in the news
  4. Looking at records out of curiosity or concern
  5. Looking at records as a favor to someone without EMR access

And remember—help protect our patients and yourself by logging out when leaving a system unattended. You are ultimately responsible for what happens under your log-in credentials.

Access with integrity

Patients can always access their medical information through the My IU Health patient portal, which includes information about appointments, medical history, notes and more. If you, or someone you know, has questions or needs additional details regarding their care, contact the physician/provider’s office, or someone else directly on the care team, for help.

Questions? Read the HIPAA FAQs, or contact the IU Health Privacy Office at or 317.963.1940.