Medicare Compliance & Reimbursement

Question: At our rural practice, most staff are also patients as we are the only healthcare provider in the area. Is it OK to store employees’ COVID-19 vaccination records with patients’ EHRs in our system, so we can track who’s been vaccinated?

Iowa Subscriber

Answer: Both the Occupational Safety and Health Administration (OSHA) and the Centers for Disease Control and Prevention (CDC) recommend strongly against storing staff files — both paper and electronic — with patient data.

Here’s why: Though EHR technology can greatly help with the maintenance of staff records, you should avoid mixing patients’ protected health information (PHI) with employees’ data. Staff should be afforded the same privacy and security rights under HIPAA that patients are, and housing healthcare personnel (HCP) records together with patient records could infringe on those rights if other workers are privy to what’s in the EHRs.

It’s critical to safeguard HCPs’ data and align with both state and federal compliance requirements. This allows workers to feel confident that their information is protected and that unauthorized staff are restricted from access, the CDC suggests.

“Keeping HCP records and information in the same system as patient care information can risk unauthorized staff access to private information,” says CDC guidance. “Some HCOs separate patient and HCP records by using separate paper files or electronic systems. State and local requirements for the separation of patient and HCP records may exist.”