Confidentiality, Electronic Media, and Protected Patient Information
Overview/Rationale
Columbia University Irving Medical Center and the College of Physicians and Surgeons are committed to maintaining patient privacy; our policies require students, employees and professional staff to be educated about related laws, as well as procedures and safeguards to ensure compliance. The underlying ethical principle of the policies and laws is simple: use of protected health information and confidential materials is based on a need to do so, whether the need arises from the care of patients or the business of managing that care in our facilities and care provided in our affiliated hospitals and clinics.
Accreditation Standards
LCME Accreditation Standard: 3.5 Learning Environment/Professionalism
A medical school ensures that the learning environment of its medical education program is conducive to the ongoing development of explicit and appropriate professional behaviors in its medical students, faculty, and staff at all locations and is one in which all individuals are treated with respect.
Stakeholders
Students, Staff and Faculty
Policy: (Includes definitions and policy)
Required Guidelines: HIPAA and Electronic Medical Record Access
- Health Insurance Portability and Accountability Act (HIPAA): Students must be knowledgeable about and abide by HIPAA policies. This includes the related Columbia University Irving Medical Center (CUIMC) and NewYork-Presbyterian Hospital (NYPH) HIPAA IT Security policies, and HIPAA policies at affiliate sites.
- Access to Electronic Medical Records (EMRs): Access to health information is highly regulated by laws, including HIPAA, which applies to Protected Health Information (PHI). PHI includes all medical, social, demographic, laboratory, imaging, and other data in the electronic medical records systems at hospitals, ambulatory care centers and other healthcare institutions. These laws carry civil and, for some forms of violation, criminal penalties for individuals who break them, as well as sanctions and penalties for institutions that fail to protect health and personal information.
Students are permitted to access patient EMRs and other Protected Health Information (PHI) for patients they are following, cross covering or have directly encountered with their team as part of their clinical clerkships, selectives and electives. Access for any other reason is unprofessional, unethical and illegal. Any attempt to access patient information without the need to know will be dealt with severely, including termination of matriculation at VP&S. If a situation arises about which a student is unsure, they are encouraged to discuss it with the supervising attending or with the course/clerkship director.
Access to EPIC, the NYP electronic medical record, is not permitted without appropriate HIPAA training beforehand. When a student is provided with an access code for the NYP electronic medical record, they sign a legal document that states they will use this information only to provide patient care and in the context of the need to know. At CUIMC, there is a specific computer screen which appears when an individual attempts to access information about a patient who has a special relationship to the institution. That screen must be overridden to continue to the information. If an individual overrides that screen without the need to know, they have breached the privilege granted them.
- Access of Data for Research: An important exception to the regulations outlined above is research data. Research data should always be accessed under an approved IRB protocol on which the student must be specifically named. These data are usually, although not always, de-identified (coded), depending on the context of the research.
- Passwords: Students must not share their EMR password with anyone else and must not use another person’s password, under any circumstance. Students will be held accountable for any breaches that occur using their password. Every access to a patient record is recorded, and systematic audits are conducted that are directed in part at flagged (“VIP” or employee or student) records but extend to all records. Breaches may under law be reportable to the government and to the patients involved, in addition to being adjudicated via the VP&S Academic Infraction Policy.
Required Guidelines: Student Entries into the Electronic Health Record
The guidelines below address some common issues that students encounter when given access to computer-based clinical data, but do not cover all possible situations. When in doubt, students should ask the course director how to handle a specific situation.
Writing Requirements and Use of Copy and Paste: Students are expected to enter notes on the patients they are following in their clinical rotations. Students are expected to follow the clinical site’s guidelines/policy for note submission. NYP policy states that all student notes should be read, corrected and co-signed by a resident or attending physician within 24 hours. Students at other clinical affiliates must follow the affiliate’s guidelines/policy.
Creating an electronic medical record that facilitates excellence in patient care, meets requirements for billing compliance, and constitutes a suitable legal record requires attention and vigilance. Legal, ethical, and billing compliance principles that apply to electronic documentation are no different from those governing traditional handwritten notes. However, there are two fundamental differences between the paper record and the electronic health record (EHR). First, EHRs have built-in “support tools” like copy forward that can be simultaneously helpful and dangerous. Second, EHRs have audit logs that track every keystroke.
- Notes should be concise, accurate, non-redundant, and easy to read.
- Notes should emphasize what took place on the day of service.
- Special emphasis should be placed on the discussion and plan portions of the note to clearly communicate the clinical reasoning behind the plan for diagnostic work up, or the pros and cons of particular treatment decisions.
- “Copy and paste” and “copy forward” should not be used.
- Copying and pasting text without attribution from another provider (including, for example, a radiology report without attribution) is plagiarism and, from a billing perspective, fraud.
- Copying and pasting laboratory and radiology reports should be avoided. Important results should be noted, interpreted, and any actions taken should be documented. Wholesale importation of information readily available elsewhere creates clutter, is unnecessary, and may adversely affect physician-to-physician communication.
- Notes must only be entered in the EHR. Using any non-University or Hospital supported system (such as Google docs or Gmail) for composing notes or communicating patient information is a violation of Columbia University and clinical affiliate policies and jeopardizes patient privacy.
- Providers are required to author their own notes. EHRs permit multiple providers to co-author a given note if they are jointly providing a given service, but the attending physician must review, contribute their own content, and sign as the ultimate owner of each note for their patients. Providers must never share their password and never edit or otherwise change the content of another provider’s EHR note if they were not involved in providing that particular service.
- Timely completion of medical record entries is required. Attending linkage/attestation statements should be done within 24 hours of the resident notes to which they are linked. Attestation statements for some procedures require specific statements regarding attending presence or involvement.
- Providers should sign and finalize their notes within 24 hours of the service being rendered. No charges should be dropped without a signed note.
- Once a note is finalized, an addendum can be added to the document for additional clinical information.
- All health record documentation can be read by others, often including the patient, and audited, and thus should be written accordingly.
Following these guidelines will help to ensure safe and effective documentation practices that serve patients well, enable robust communication and care coordination, and protect providers from professional liability.
Order Writing Policy: NYP policy states that medical students cannot practice medicine and, therefore, are not permitted to order medications and/or any medical treatments or regimes. Orders via the electronic system may not be entered by a medical student using the password of the graduate staff member or attending who is the authorized user. Unauthorized or improper use of the system or the information in it may result in dismissal and civil or criminal penalties. Students must never give verbal orders.
While these policies have been developed specifically in collaboration with NYP, they pertain to student activities at all other clinical affiliate sites.
Required Guidelines: Other Electronic Media Confidentiality and Security
Students are responsible for the security of confidential, sensitive and protected patient information (digital and paper-based), and are prohibited from posting images or other patient information on social networking sites or anywhere else on the internet.
- Social Networks: Students must be knowledgeable about and abide by the Columbia University Irving Medical Center (CUIMC) Social Media Policy for both personal and official registered CUIMC and VP&S accounts. Any accounts that utilize the Columbia logo and brand must obtain permission and be registered; otherwise, use of the logo and brand is not permitted.
- Secure Email: Students must use only Columbia University email systems for patient information and Columbia matters. Students must not auto-forward Columbia University email to Gmail or other unapproved and unsecure email systems.
- Devices: Students must encrypt portable devices (e.g., laptops and USB drives) used to store patient or individual research data, and encrypt data files with Protected Health Information (PHI) if stored on a portable device that is not encrypted.
- Photos: Students must not take photos or videos of patients except for the purpose of documentation in the medical record, and then, only if the image can be directly uploaded to the EHR. Such images may not leave CUIMC on a student’s electronic device and may not be transmitted in any other way than the EHR.
- Use of Electronic Devices in Classroom and Clinical Settings: Professional behavior in medical school includes the expectation that students demonstrate their undivided attention when rounding, at the patient bedside, and in didactic sessions. Cell phones, laptops, and other electronic devices can provide a student with access to up-to-date information related to classroom material and patient care. However, use of these devices must be limited so as to not interfere with lectures, patient care delivery, and team discussions. Students are expected to use judgment when using these devices.
Required Guidelines: Copyright & Network Use
- Copyright: Copying, storing, displaying or distributing copyrighted material using University systems or networks without the express permission of the copyright owner, except as otherwise allowed under the copyright law, is prohibited. Under the Federal Digital Millennium Copyright Act of 1998, infringements of copyright by a user can result in termination of the user’s access to Columbia University systems and networks.
- Network Use: In addition to copyright violations, file sharing programs consume substantial bandwidth drawn on the CUIMC network. The suite of tools in Microsoft 360 is expected to be used for file sharing. File sharing copyrighted material from unauthorized sources is unethical and against the law, compromises the security of the source computer, and increases the vulnerability of the University network to hackers. Breach of Columbia University policy will result in immediate disconnection of the I.P. of the offending party.
Procedures
All use of electronic media will be consistent with the Columbia University Medical Center HIPAA Policies and the Columbia University Policies, including the Information Security Charter, Acceptable Use of Information Resources Policy, Electronic Data Security Breach Reporting and Response Policy, Electronic Signature Policy, and Columbia University Irving Medical Center (CUIMC) Social Media Policy.