Medical Students Potentially Violating HIPAA by Tracking Patients using EHRs

A recent study published in JAMA Internal Medicine suggests medical students may be violating HIPAA regulations by tracking patients using EHRs. A survey of 169 fourth-year students was conducted at an academic health center in August 2013 to determine the extent to which medical students were tracking patients using EHRs. Little research had previously been conducted, and the extent to which students were tracking patients using EHRs was unknown.

96.1% of Medical Students Were Tracking Patients using EHRs

96.1% of students admitted to tracking patients using EHRs. Medical students were tracking patients in order to audit their diagnostic impressions and to observe patient outcomes. Many students were curious about their former patients or tracked outcomes simply because they liked their patients. 92.9% of students who used EHRs to track patients said they did so for educational purposes, while a majority did so to check on patient outcomes. 52.4% of students said they learned how to track patients using EHRs on their own.

While the activity certainly has educational benefits, the researchers were concerned about patient privacy. Many of the students failed to understand that there was an important difference between using EHRs to track patients for educational purposes and accessing EHRs out of curiosity. Many healthcare employees have discovered that curiosity can have serious implications. Accessing the medical records of patients without authorization is a violation of the Health Insurance Portability and Accountability Act (HIPAA). Many healthcare employees have been fired for viewing healthcare records without authorization.

Tracking Patients using EHRs and HIPAA Rules

In an editorial in JAMA Internal Medicine, Rachel J. Stern, MD, expressed concern about potential violations of HIPAA Rules. HIPAA does permit the tracking of patients for educational purposes and for quality assurance, yet prohibits patient tracking for other reasons.

Accessing patient records out of curiosity is a violation of HIPAA Rules unless patients have given express consent for their records to be accessed after their care has come to an end. According to the survey, 39.8% of students tracked patients out of curiosity.

If discussions took place with patients while care was being provided and written consent to access their records was obtained, it would be possible to avoid violating HIPAA Rules. Stern pointed out that the issue needs to be addressed. She said, “Medical school informatics and EMR curricula need to teach students to engage meaningfully and judiciously with patients’ data.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of