Michael Wolfe at The Career Revolution covered the recent news that 27 employees at a hospital where George Clooney and his girlfriend were treated were just suspended for a month without pay for viewing his PHI (Protected Health Information). 

So the employees got caught looking and now they're paying the price.  I get that.  I'm supportive. More interesting to me is the comment in Wolfe's post from a Office Manager at a Doctor's office:

"When implementing our EMR, we modeled our security measures after the one the hospital many of our physicians are associated with developed, which basically adds up to a zero tolerance policy. One of the advantages of an EMR is that you can track any information users access, as I presume is the case here, and the general rule of thumb is that there are two reasons, and two reasons only why ANYONE should be looking in a patient's chart--whether it be George Clooney or Joe Schmoe:

1). You are directly involved in the patient's care (physicians and clinical staff).

2). You have to access information contained in the record in order to be able to do your job (support staff). End of story.

In my clinic, if you can't satisfy either of the above rules when looking in a patient's chart, you're outta there. Forget verbal warnings, forget suspensions without pay."

In a small, medium or large HR shop, HR people have access to a lot of PHI data, often without the login security and tracking that an EMR provides.  Also, a lot of data exists in medical files related to PHI.  Here's the $64K question.  If given the chance, would your HR people look at that data and maybe look up a code on the treatment provided?  Are you sure?

More importantly, do you even know if they have access?   How do you protect access to this type of information on Joe Schmoe?  The same procedures/systems that protect Schmoe protect Clooney. 

Human nature is at work here.  We're imperfect.  Name a privacy officer in your department and route all system access, dealing with Medical vendors, FMLA certifications, etc. through them unless someone has the need to know or is working the case.

I mean, can you imagine how many HR people are wanting to take a look at Kid Rock's medical history at Atlantic Records?   The life-event section of the employee file alone probably requires one of those book-size rubber bands....