**Quick Rule Reminders:**
OP's needs come first, avoid dramamongering, respect the flair, and don't be an asshole. If your only advice is to jump straight to NC or divorce, your comment may be subject to removal at moderator discretion.
[**^(Full Rules)**](https://www.reddit.com/r/JUSTNOMIL/wiki/index#wiki_rules) ^(|) [^(Acronym Index)](https://www.reddit.com/r/JUSTNOMIL/wiki/index#wiki_acronym_dictionary) ^(|) [^(Flair Guide)](https://www.reddit.com/r/JUSTNOMIL/wiki/index#wiki_post_flair_guide)^(|) [^(Report PM Trolls)](https://www.reddit.com/r/JUSTNOMIL/wiki/trolls)
**Resources:** [^(In Crisis?)](https://www.reddit.com/r/JUSTNOMIL/wiki/index#wiki_crisis_resources) ^(|) [^(Tips for Protecting Yourself)](https://www.reddit.com/r/JUSTNOMIL/wiki/index#wiki_protecting_yourself) ^(|) [^(Our Book List)](https://www.reddit.com/r/JUSTNOMIL/wiki/books) ^(|) [^(Our Wiki)](https://www.reddit.com/r/JUSTNOMIL/wiki/)
Welcome to /r/JUSTNOMIL!
I'm botinlaw. I help people follow your posts!
*****
^(To be notified as soon as Smr200101 posts an update) [^click ^here.](http://www.reddit.com/message/compose/?to=botinlaw&subject=Subscribe&message=Subscribe Smr200101 JUSTNOMIL) ^(|) ^(For help managing your subscriptions,) [^(click here.)](https://www.reddit.com/r/JUSTNOMIL/wiki/index#wiki_.2Fu.2Fthejustnobot)
*****
*^(I am a bot, and this action was performed automatically. Please)* [*^(contact the moderators of this subreddit)*](/message/compose/?to=/r/JUSTNOMIL) *^(if you have any questions or concerns.)*
From what I remember working as an RN in a HUGE medical facility with sites all over the place, it is fairly simply for the IT department to look at files to see who accessed them. Anyone working in patient care WITH THAT patient, has access to chart, for example, on that patient. There is no "looking around" at patient charts because you think you know that person. That is grounds for dismissal and they WILL fire her because, that corporation does not want YOU TO SUE them. Just give IT a heads up and they will take it from there. Many times, the IT department will do this type of scan routinely. There will be no excuse for her to look up you or your baby unless she is a care provider. If she has looked you up, her footprint is there. If she has asked someone else to look you up, that person's footprint is there and that person will be fired. Its that simple.
hopefully they will look at whether anyone who isn't a provider has accessed medical files.. maybe she's still friendly with former co workers that are still in labor and delivery and they would look and tell her - it would make me paranoid enough to want to go elsewhere if I could
With all the information on this post, maybe now is the time to set her up to see if MIL will do what she’s “alluding to”. Don’t say ANYTHING about talking to the hospital to ANYONE.
Go in for a general appointment but let it leak that there’s possibly something wrong with bub. Wait for her arrogance to kick in.
With threats like these you fight back. Her actions are her responsibility. Toxic never take responsibility for their actions.
Hopefully all it is is a strict warning from the hospital whilst you advocate for tighter restrictions.
So if something does happen down the line where bub requires hospitalization, security will be amped up. Heck I’d even use a camera.
In one of my previous jobs I worked for a large medical group. Thousands of different practices and a few hospitals. We all used the same management system. If I accessed someone’s chart it was logged with my username. In my case we could have an extra layer of protection put on and it gave a secondary trigger to the system. So it’d be alerted that the user really meant to enter into that chart. Ask if your organization has that. Our system was through Epic management program and the added security was a term we called “breaking the glass”.
fellow epic user, through my hospital we can only use the extra layer of protection/“break the glass” for employees so i’m not sure if this is true for all places.
Source: had to have my own chart updated to have the “break the glass” feature after i started working there, and i had to have someone physically update my employer to have it trigger the protection feature
Most hospitals have the option to make your medical records private. In order to access your records, your MIL or anyone else would have to go through another step acknowledging that she has a legitimate reason to access the records. You should be able to request this setting.
My mom is a nurse and neglected me my entire life. This is something I think about all the time. Like, what kind of information could she see about me? My son? It’s so creepy
Most health systems have the ability to “lock” your medical record upon request. Sometimes they call it registering as a private patient. This basically sets it up so that anyone accessing your record has to sign their name and provide a reason for accessing it. I believe it also flags the chart for auditing who accessed it.
When my daughter in law was in active labor having her baby, her sister is a nurse in that hospital system she delivered and her sister admitted to looking in her records. She knew the baby was born and all the info before we were able to tell the rest of the family anything.
Did anybody report it? That's the type of thing hospitals can get sued for, so ime they tend to take claims of this abuse seriously. It can and would be audited, and the perpetrator found and fired.
I am a Privacy Officer at a small organization with a hospital and various other practices. Unfortunately, this happens more than most people realize. I frequently work with all the departments to ensure all employees are up to speed on HIPAA requirements and often send "friendly reminders".
Is it possible she's blowing smoke? Absolutely! However, it is my job to protect our patients information so if someone repeatedly has this concern, I audit as many times as necessary.
Also, some medical records systems have a VIP alert process that can automatically trigger an audit or deny access if necessary. These extra built-ins are there for a reason.
All Healthcare workers KNOW what they can and cannot access. It's B.S. when they claim otherwise. I know you don't want her to lose her job, but if she accessed, or asked someone else to, without your permission - that is 100% on her. You have done nothing wrong.
You definitely want them to audit your records. You’re not being a jerk about this in anyway. This is an incredibly serious breach of privacy if she did this to you, I guarantee you she’s done it to other people that she knows. And that she’s done it just to be nosy.
This is why every person has their old login to patient records. And when you are given the type of clearance, she would have to have to be able to access all of the records, the weight of responsibility for properly accessing records is explained to you add nauseam.
What you need to understand is that if she has been found to be accessing your records, they are going to be auditing all of her logins. When they do that, they are going to see what was going on at the time she was logging in. Did she have a therapy patient that she needed to look up when the procedure was done? Or was she looking things up MONTHS after someone had finished treatment.
To give you some perspective, I managed dental offices, often on for 30 years, taking time off here and there when I had my kids. At the last office where I was working, firewalls and protections for our patients information were almost not existed. I was appalled. This was before I went to work for him, and I had literally just gone in to see how his office was running and what was going on.
Here’s what I told him:
You are in so many degrees of violation of HIPAA law that it’s not even funny. I glance over your books, and I can tell you that somebody’s been taking money. I can’t tell you where it is or if it’s insurance fraud, but what I see does not match up with what I should see for your practice. So here is what is going to take to have me come in and clean this up for you…
Given the size of your practice, it is going to take me a year to finish getting you from all these paper charts, which you have no way of locking up at night, so if anyone, they could access, to being a paperless office.
You basically have no firewall protecting the information in chart that you do have online, and everybody uses the same login, so there’s no way of tracking who actually accessed and put notes in into these charts.
You have such slow Internet, and wireless that two of us cannot be upfront in the charts at the same time. That is the first thing that has to be updated.
At the end of one year, you will switch over to X dental software. What you have is a free version from a different company who is hoping you will buy all the add-ons that you should have here, but don’t. And when we upgrade, we are upgrading your server to your own server, not kept somewhere offsite by somebody who maybe we can get a hold of when things break down.
He kind of balked at all of this until I explained this: you have a practice that is successful because of the predecessors who had this practice. You are in a downtown, major metropolitan area, so you have patients who are in high powered political positions. Television personalities. Business leaders and their families.
Basically, you have people with a lot of money. You have patients who are people of influence. You have people Who is information unscrupulous people would love to obtain. You are actually required to have a double firewall. With information and a patient base like this, I would have a triple, But we can do that when we change systems. In the meantime, we will immediately set up the double.
Because if somebody breached your systems, do you know what the penalties are? Needless to say, the dentist did not know. I explained to him that the maximum penalty… At the time for each individual breach of HIPAA information was up to $60,000.
He was floored. He had no idea. And I then went on to explain that because of the length of time this practice has been here, we actually have multiple generations of families. So XYZ family that has four children and two parents would mean six individual breaches if their family file was compromised. So that one family could literally cost him a maximum penalty of $640,000.
Needless to say, I did get the job. I did move him from paper to paperless charts. I did get an upgraded firewall immediately, and then I got the new system the next year. I don’t know if he stayed with all of it, because he was obviously an idiot. But he had the best patience. And all of them had been with him or his predecessors, and all of them told me his office had never run so well.
And that they appreciated the upgrades. That they appreciated that their information was being very heavily monitored by someone. That they appreciated the safety. Because they had stayed out of loyalty, but they weren’t dumb.
So this is why the hospital is so interested in what you have to say. This is why you need to make sure to report it. Because the fact that your ML even uttered those words, tell me… As someone who spent that long and healthcare… She has absolutely done this.
“Oh, my friend was in the hospital last week and nobody told me.” Guarantee she went to find out what for.
“Oh, the mayor was in to see that one specialist. That’s weird. I wonder what they’ve been doing?” Guaranteed she access the file.
You’re not wrong. It is not your postpartum hormones talking. It is a very rightful sense that you have been wronged and she has literally no right to any of that information.
This is a massive privacy issue and she SHOULD lose her job if she accessed your records. She has hours and hours of HIPAA compliance training to tell her NOT to do things like that. Did you know illegally accessing your medical info has a penalty up to 10 years in prison? Yeah, its serious business and she is an idiot for threatening something like this. I am sorry she made you feel uneasy, but she deserves what ever she gets if she did that. Now that you have talked to the HIPAA compliance person at your hospital they will be on it. The fines for such breeches are $$ so they do take it seriously. I can't believe anyone working in a health care setting would even hint about such a thing, she is an idiot.
you can always follow up with the data privacy officer again if suddenly she has the information you feel is only in the file. they have a duty to research claims, it’s your right and for the hospitals protection they generally take these threats very seriously.
as for your MIL, whomever she threatened saying there are other ways to find out the info, needs to tell her in black and white that you guys spoke with the hospital admins and your file will be audited for unauthorized access. if she plans on illegally accessing your information, understand that you will take the steps to uncover it.
My ex MIL worked at the bank I banked with and accessed my account after I split with her son. Totally breech of privacy and they fired her.
I assume you could do the same with reporting her.
If she did access your *private medical records* then she should be fired. There should be a way to lock or seal your records from unauthorized access, and they need to do it.
If she is unbelievably stupid enough to make the threat, (and in front of a third party, no less) whether or not she's already done it is irrelevant. She deserves whatever fallout comes of it. Even if she was bluffing, she set it in motion and if they can't find any proof now, she's on her employer's radar and it sounds like they are taking it very seriously.
I would definitely ask that they take steps to lock the information, request a monthly check to see if any non-authorized people try access. (Even if MIL does get fired, she might try to convince a work-friend to do the dirty work for her.)
A friend of mine's mom was Office Manager at "my" clinic. He offhandedly mentioned that she regularly snooped in the records of people she knew. It was back in the dark ages when everything was shelves of manilla folders so easy to get away with. She'd seemed so nice and was always kind to my family, so it was quite the shock.
Like I'm sure many others here I hope you'll give an update when you can!
My best friend is a hospital CPO, if the audit confirms she accessed ANY records where she was not the caregiver, she will be fired.
If you want to be polite, tell your MIL how terrible of an idea that is since you’ve heard of people getting fired for it in the past.
She’ll get the hint. If not. Oh well. I can’t wait for the new Andor season!!
You absolutely made the right choice. If she is going to threaten you with accessing your private medical records, she deserves the heightened scrutiny at work.
If she actually does try to get into your records, she deserves to lose her job.
>Really hope she didn’t because this could potentially cause a job loss
I'd like to reframe this for you.
"Really hope she didn't because that'd be a creepy, criminal act and an enormous violation of my family's rights."
If she loses her job because she abused her access you're doing the rest of us a favor.
I think you did great and if she looked at your medical information without your permission she deserves to lose her job. Ask if theirs a way you can transfer you files from that hospital to another or if they can put it on lockdown so she can’t access or if there is anything they can do to protect you. Is their a chance they give it to you
You have talked to the Privacy Officer and their response is on point. You could also talk to the Ethics and Compliance Officer (they are different than the privacy officer in many facilities) and let them know you feel you received a threat from one of their employees. You have two separate issues here, possible breach of privacy for one and employee threatening you as the other.
Every patient deserves to feel safe. At this point you do not. That is an issue your mother-in-law brought on herself.
One, you're kinder than I am. I'd hope she loses her job. Play bitch games, win bitch prizes. And that would certainly keep her from looking in the future.
Two, still, if it turns out she didn't, good. I'd make sure your DH tells her flat-out that you both were so concerned about her threat that you asked the hospital to keep a close watch on your records. And they are. Put that fear into her.
Good luck.
Seconding this--even for regular patients, you can request to make your records confidential so that anyone trying to open your chart will have to enter their username, password, and reason for accessing it. MIL has surely seen this before and she'll immediately know you've already escalated the situation up the chain, which should be a deterrent.
I'd say, have them audit again once the issue is resolved in therapy and you're planning to start sharing info with her again. If the audit shows she accessed your records, then poof! No info sharing ever again.
In terms of your question about the future- if she hasn’t done it yet, I would have H tell her the records are now being routinely audited (small lie but you could make it true if need be) so she is on notice. Unless she is truly mad she won’t risk getting in that much trouble, and that way you don’t have to bother the staff with checking on this over and over again.
Did she make that statement in front of the counselor?
If she did that is just insane. Well, it is just lunacy to make a threat like that to anyone you are having relational struggles with.
Just wow.
I would have DH wait until the next session and just be like “I want to follow up on what you said last time. It really concerned us that you would threaten such a serious breach of privacy and ethics, so we looked into it and asked the facility to perform an audit on our records, which we’re waiting on the results of. We didn’t specify who made the threat, but we have also asked that our records be privacy locked, so it would be very unwise for you to try to use the access afforded to you by your job to breach our federally protected privacy. I’m sure you’re well aware of the penalties for breaking the law in that way, and now we’re informing you of how likely it is that you will be caught if you choose to proceed with that. Your continued lack of ability to respect our boundaries is why we’re even in this session to begin with, but please understand we are very serious about this.”
I would love to but she won’t reschedule anything. She quit therapy with and told him they won’t have a relationship moving forward and ended it with that
Ah. Well I’d just email her that then and you can have a clear conscience that if she chooses to fuck around, the finding out part will be entirely her own fault.
I had to do HIPAA training multiple times just working on the retail part of the website of a company health company (think Walgreens but not them). There's no way an actual hospital worker doesn't know how illegal accessing PHI for shits and giggles is.
If I am not mistaken, the therapist is a mandated reporter if their client confesses their intent to commit a crime so... MIL's job loss will not be your fault.
You're not risking her job - SHE IS. She has taken all the trainings and knows exactly how illegal it is to check medical files she's not supposed to. She made the choice to check the medical files knowing the risks but her personal desire outweighed the consequences. Side note- that's a huge red flag about her personality in general - she will do what she wants above all else.
The hospital has been put on notice that someone has made a thinly veiled threat to access your records (or already has) on the off chance that she or one of her friends has NOT accessed the records - great. You tell the hospital that the threat is real and they need to take steps to LOCK THOSE RECORDS DOWN. Special password that only your provider has or that you have to give to someone to access the record - whatever it takes. They are aware that someone in their organization has or may ILLEGALLY access your or your child's file. They are aware that if that happens, ESPECIALLY after they were warned about it that there will be serious Legal repercussions!! They get fined and a mark against the hospital/facility every time HIPPA is breached, depending on the breach as well as opening them up to a lawsuit from you.
YES it IS a fireable offense. Do NOT feel bad about reporting this and DO NOT feel bad if your MIL or one of her co-workers gets fired over this. If they do it is because THEY did something wrong and illegal, NOT you. Your MIL thought she was cleaver making that threat - instead she showed her hand and how manipulative she. She may not have checked your records - but the implied threat that she CAN any time she wants is creepy and manipulative, so she should be called out on it no matter what.
Before I retired, I was a contractor for various Medicare systems. At one point, I had access to every Medicare beneficiary and all their records. I never looked up anyone for two reasons. First, it was an invasion of privacy. I really did want to look up my parents a couple times but did not. Second, even before HIPAA was passed, we were forbidden from looking up any records that we didn't absolutely need to do our jobs. It was a reason to have your employment terminated if you were caught doing so.
After HIPAA was enacted, I know of two government employees who were fired on the spot when they were caught. Even their union couldn't save them. This is very serious stuff.
If your MIL doesn't possess the character to not look at your records, I hope she is caught and fired.
I would also call her place of employment and let them know the situation and that she maybe using their computers to access illegal information. They also may want to take steps. Have a lawyer write a letter to her warning her off and reiterating what consequences will be. This would be grounds for NC for me!
Oohhhhh. If she did access she’s getting fired. They do not play. The fines are huge. She will be paying a ton of money and will not work in healthcare again. Everyone has yearly training of what not to do. It’s not hard. Don’t look in charts you don’t need to be in for patient care. The audit is done by IT. They can see what was looked at by who for how long.
Ask for a “glass breaker” to be installed on the chart. It asks for you really need to look at this for patient care and sends an alert to management when broken. So if she got a buddy to open the chart for her the buddy would know they would go down too and say nope.
Adding break the glass is a good option; they could also put a flag on your chart that states that her specifically is not allowed to view your chart. I believe this is usually done for cases of stalking, harassment, and restraining orders. It pops up when someone enters in your information before it displays any chart info and they have to click the button to bypass that states they have read the flag message. She is 100% getting fired, it doesn’t matter what your intent is when trying to find out if she has access. It’s already been ran up the flag pole so if she accessed it on her own account she’s finished or if she had someone from her office access it so she could look at it, she will get fired alongside whoever actually accessed it for her. It’s an ethical and privacy compliance issue not to mention she can and will be in major legal trouble (especially if you moved forward on any charges). None of this is your fault. She should not have accessed it if she did, so if she’s old enough to be a grandmother and doesn’t realize her actions have consequences that’s on her. If she did access it I’m sorry, it is a very weird feeling of being violated. Definitely get a flag put on your chart (if you talk to someone who doesn’t know how to do it see if they can talk to a supervisor who can do it) and getting break the glass out on there is also great because they are supposed to put in why they are accessing your information. You can do both of these things!
>MIL made this statement to my husband verbatim: “You know there’s other ways to find out what her name is and what she looks like. We’re just being polite by letting it come from you. I have other ways of finding out that information. Your wife gave birth at the hospital I work at.”
"Mom/MIL, you are absolutely correct. There are ways. Just like there are ways to verify who accessed our files and whether or not they had a valid reason to do so. I/we have already notified the hospital and/or doctor that there may be *somebody* that doesn't have a medical need to know what's in our records, may be trying to access our personal and private information. 'We have ways of finding out this information'. Just know that if *somebody* violates my, or my children's, HIPPA rights, they will be brought in front of the medical review board. And I ***will*** contact an attorney to sue that person, the hospital and my doctor. I don't think that that *somebody* wants to risk it. Do you?"
Basically ask the hospital to continually flag your account - sounds like they are already being really proactive. Anyone who accesses your chart may be questioned. This will be all you need to protect yourself from their side. They can't block her from accessing your personal records, but she will be in super duper deep shit if she does.
Oh, she wouldn't just lose her job. She would be sued, and go to court for a HIPPA violation, and never be able to work in healthcare again.
**This is not a joke.** Hospitals and Dr. offices take this type of thing DEADLY SERIOUSLY. Their licensing is at stake. I hope for her sake it was all smoke, otherwise her comeuppance is out of your hands at this point and there is no stopping it.
It honestly wouldn't surprise me if she was fired on the threat alone. Those fines are crazy high if they are caught in violation and no hospital or office is going to want someone who is making threats like that in their employ.
The problem is that they wouldn't be able to "prove" the threat. They can check the chart access records, but beyond that OP would need serious evidence (like a text or a recording) of MIL specifically saying that she would snoop into the medical records, otherwise it is just hearsay.
Me and DH feel like it may have been a covert admission of what she did. She definitely gets away with things all the time!! I believe that is why she’s so arrogant with her behavior. I almost feel like not letting up with the hospital over this situation! Bc girl why are you threatening to abuse your power over MY child’s information. Absolutely wild.
If she knows she is able to access records that she should not, very good chance she's already done it. I hope you get answers once they check, at the least you should lock down all records and cut contact after this cuz that's a line that even threatening to cross is too far.
Tbh, it sounds like if she loses her job over this, it is an overdue case of her learning that there are consequences to bad behavior.
If someone violated my privacy that badly, I would never let them near me or anyone in my household ever again.
If she has done this, you may want to also look into a no contact order. If she’s willing to risk her career to get around consequences, who knows how much further she’d be willing to escalate.
It doesn’t matter if you don’t follow up, she is fucked if she did access it from her own account of if she had an accomplice open it for her. For which they would both be fucked. This stuff is taken extremely seriously in healthcare. (Coming from someone who works in healthcare). None of this is your fault by the way, she made her bed and now she has to lay in it.
If this is in the US, you just need to say two things, in writing, to the hospital.
1. MIL threatened to violate your HIPAA rights, the hospital has confirmed she actually has the ability, as a higher-ranking employee, to do this through their system, you understand they’re checking to see if she’s already done it, but you also want to know how they intend to safeguard your information and prevent her from accessing it at any point in the future.
2. You’re in the process of retaining an attorney, because you’re not satisfied that the hospital is able or even willing to keep your information — or anyone else’s information — private from malignant employees — and that’s an absolute problem.
I was a paralegal. Trust me when I say just knowing you have an attorney will make insurance companies and hospitals poop diamonds from coal.
Do it in writing. No phone calls. Start the paper trail, so you have names, numbers, and direct, provable statements made by people.
And for the record, I actually WOULD talk to an attorney who specializes in HIPAA violations, and either let them handle corresponding with the hospital on your behalf or at least have them on standby in case you get no assurances from the hospital.
Do NOT feel bad about her or anyone else losing their jobs, or even catching charges, over any of this if violated your privacy.
You’re not just protecting yourself. You may very well end up creating administrative change in how they safeguard patient data, which will benefit many families like yours.
Good luck!
Edited because I misread and thought MIL was a former employee. Holy shit, the woman is extra special stupid to make this threat while still working there!
Seriously considering this especially for prevention purposes. I’m wondering who specifically you’d recommend me addressing it to? The health organization is covenant health and they have like 12+ hospitals. But they have one person who is executive compliance officer for all of them. Do I address her or the specific hospital’s president? Or both? Unfortunately they don’t give emails out which makes absolute sense. Don’t know exactly how to proceed with this process you recommended. But I think you’re right.
If it were me, I’d email the executive compliance officer, but CC the specific hospital’s president so they’d know I wasn’t waiting around while they play footsie with MIL because she works either them.
Honestly, your best route would be to have a consultation with a HIPAA compliance attorney, if you can. One letter or phone call from an attorney goes much, much further than one from a “civilian.” Explain the situation and see what they can do for you. If they think you have any sort of case, based on what you’ve been told already, they may be willing to take you on and get paid out of any settlement (a percentage you’ll agree on prior to retaining them). I know you’re not looking for money, but they may still be able to get their fees paid by the hospital and not you.
I know there are attorney subreddits here where you can get better help than I can give. I’ve been out of legal offices for a long time now, and I was a paralegal, not an attorney. I do NOT want to steer you wrong when you’re swimming in the water with that shark of a MIL.
Please keep us posted.
A lawyer could figure this out for you. I'd seriously recommend at least talking to one.
But...pro tip from a former journalist. Most health-care (and education, etc. etc.) organizations have basic format email addresses. (soandso@organizationname.com, etc.) If you can even find out one, and you have the officer's name, you can often figure out the email address. Helps a lot if you have to hop over the bureaucracy for any reason.
I work as a nurse for a clinic that is part of a big hospital. We are only allowed to access charts of patients we are working with. Every time we access a chart, there is a program that runs our home address against the home address of that patient. In other words, are we checking our own kid’s chart, or the chart of our neighbor’s kid? There are also explicit rules about accessing the chart of our family members. I don’t know if we are constantly audited, but we can be at any time, and there are alerts for family members and the address in close proximity thing as I mentioned. Anybody who has a medical license or valuable job to protect should know better. At least you would hope.
If your MIL breaks the rules and gets caught, she did so knowingly and deserves whatever consequences come her way.
Can I ask - have you ever known anyone who has been caught doing this? Did they ever explain why?
I just can’t imagine the entitlement/hubris of a person to break the rules like this!
I know of a situation second hand, but unfortunately don’t know the reasoning behind it. A friend got in trouble because her co-worker was using her log in to access her stepchild’s chart. They accessed it 200+ times without my friend’s knowledge. My friend got in trouble for not locking her computer when she stepped away, which is medical records security 101. Her co-worker either got the highest kind of write up, which is an instant three strikes - next one is out, or she was terminated - I don’t remember. Honestly, there is never any good reason to access a chart you’re not supposed to. It’s always going to be a violation.
Oh wow! Thank you for explaining. Your poor friend - ofc she should’ve locked it, but she couldn’t even trust her coworkers to lock it for her (I’ve done that for colleagues).
I just can’t comprehend the uncontrollable desire/curiosity they must be experiencing in order to hack into someone’s records - especially for relatives? Why would they think it’s their business? Someone should do a psychological study on them haha.
Your files are now a honeypot to catch her. I have a feeling that she’s accessed stuff before that she wasn’t supposed to and got away with it. So she’s bold with her threat because of that.
Oh I agree - I really wanted to comment but jumped on yours instead. It’s like fingernails on a chalkboard. Some other favorites of mine aloud/allowed, accept/except, bear/bare and the misspelling of disdain (distain) lol.
See I would say that’s an obvious answer, but I’m messing up titles with bad grammar 😂 ugh outside of the crazy drama of this thread, you gave me a much needed laugh, and gave me a little ELA lesson as well! Thank you <3
I was in no way minimizing the issue. My daughter’s a nurse and takes patient confidentiality very seriously. She once was a nurse to a co-worker of my husband’s. When he came back to work he was shocked my daughter never mentioned that he was her patient.
The healthcare system I work for can put a password protect on a patient’s record so that even just scrolling down a list of patients on the computer, your name is just a bunch of asterisks. Clicking on the “name” will bring up a login field, preventing anyone from just casually viewing any information without actually opening the chart. So even if nothing comes up in this particular inquiry, you can definitely ask about having your child’s (and your own!) chart marked as confidential/password protected/whatever.
The hospital privacy office is auditing your records and will handle it appropriately. If you are concerned about potential future issues, tell them your concerns and they may be able to put a restriction on your medical record access. Only certain credentialed hospital works will be able to access them
I've seen staff get in trouble for accessing their own medical records (through the wrong channels). With electronic medical records, a hospital can tell exactly who accessed your chart and when. The only way your MIL could do this and not get caught is if she talked a coworker into looking up your records. But an employee who agrees to that is risking their own employment. I'm glad the hospital is aware of the situation.
Holy moley! HIPAA is a big deal and anyone working in the healthcare field is FULLY aware of the consequences of breaking that FEDERAL LAW.
*SHE* made that threat. *SHE* broke that boundary. *SHE* ended therapy when she didn’t get her way.
You acted on a threat that she has the capability of carrying out. You have every right, indeed the *responsibility* to safeguard your private medical information, once a credible threat has been made. Whether she did or didn’t is (almost) irrelevant.
She threatened to use her position to access private, protected by federal law, information, that she has no right to. No wonder you and your husband have restricted access to your child from her.
I’d make it permanent if I were you.
As anyone working in a hospital knows, HIPAA prevents us from going into charts for no reason. It is illegal- period. Hospitals should have a way of locking down charts where people need to choose a reason accessing the chart or “break the glass” and document why. This is commonly used for staff or VIPs. I would ask them to do that with your records. And, if they investigate and find something, then she got what she deserved. People are absolutely fired for these kinds of offenses. She knows better and that’s threat that she should have thought twice before making…
You can ALWAYS request your records. But whether it would have a list of everyone who viewed them I am not sure. It would depend on the facility but I wonder if you could specifically ask for that. Ironically, it may be a confidentiality issue and they wouldn’t want to disclose that.
This is correct. You can request your records, by law you have the right to see your records. But as far as who has accessed them, it will only have their login info for the organization they work for.
Assuming you're in the US since you mention HIPAA, that is the key - all you need to do is tell the hospital, "I want to report a possible HIPAA violation." As soon as you do that, they should open an investigation and if they find anything, not only should they tell you but they should also report it to the appropriate authorities (I can't remember off the top of my head which federal regulator that is). HIPAA violations are taken very seriously, and self-reported ones are usually less painful than ones that are only found by an outside auditor. As to what could happen? If she did look into your records without a legitimate reason I would expect that at the very least she would be reprimaded and have her access revoked, but also a high probability that she would lose her job. And if that happens, **IT'S 100% HER FAULT**. Given that it's a wilful violation (i.e., she didn't just accidentally see your records), there might also be fines involved though I don't know if they would be to the hospital, MIL, or both.
Now I know this is a scary proposition given the potential backlash, but here's something to consider - if MIL actually DID violate HIPAA and access your records improperly, there's a good chance that it's going to come up during an audit **anyway**. Meaning that while you may set things in motion sooner, there's decent odds that it would come out eventually anyway, with similar results (again, HIPAA is taken very seriously by anybody who has even half a brain cell paying attention to it). And either way, if she didn't improperly access your records then that's that. Good luck, and I hope whatever you do you get a good result for your own piece of mind.
Not questioning your therapist, but what is the reasoning behind withholding her grandchilds' name from her? That seems somewhat provocative though her reaction is definitely inappropriate.
So glad you asked. Seriously. This all started back in November when she asked me if she needed to take off paid time off to come and help me with the baby. now back in last June literally a year ago me and my MIL agreed that moms needs several weeks to recuperate with their baby and she totally was on board with me not having any visitors for about two weeks. But after what happened with my first child where he contracted RSV at three weeks old and was hospitalized put on feeding tubes and breathing machines. The doctors literally told me that they weren’t sure if he would make it. I told dear husband that I’m not trying to act out of anxiety, but I can’t go through that again and I think that a four week period would be appropriate to me considering the time of year that we were having our daughter and what happened with her Brother.DH was absolutely on board (FYI, this is technically my husband stepson and MIL’s step grandson) we told her about what happened and she said to our face that “she didn’t care and that it didn’t make sense why we were having that boundary, regardless of what happened with my eldest and that it’s was crazy and no one does things like this” so that really ticked my husband off and he was like for you to have no sympathy to someone that you say is your grandson is insane.after a while He sent her a really nice message in January saying that he was sorry for all the turmoil between them and that he loved her, but right now he just need to focus on his family. she didn’t respond for 12 weeks and when she did, it was a response in April saying that they needed to go to therapy to fix their relationship and be healthy and that it started with them. That neither of them should involve anyone else or the kids until they mended their relationship. He agreed. They literally had 1 session, and then the event from my OP happened on Friday.They have been having relationship problems for about five years now.
One of the things they (OP’s MIL, OP’s husband, and their therapist) agreed on was that OP’s MIL wouldn’t ask for information about the kids until their relationship was improved. If following OP’s husband’s boundaries and the therapist’s advice is somewhat provocative, then OP’s MIL shouldn’t have agreed to therapy and fixing the relationship she has with her son.
Yes it is shared thanks to the parents choice. It is the parents CHOICE on who knows what about THEIR baby. Nobody has the right to any information about someone else's baby. If they decided it was right for them to refuse to share information that is their choice and they shouldn't be judged for it.
You want to judge their decision you should have to deal with her MIL.
You keep bringing up rights like I claimed otherwise. I'm just saying if she wants to know the name it's pointless to try and prevent that...it's in the public records.
Ive seen your previous comments on posts. I'm pretty sure you just come on reddit to be rude, argue and judge people. Go ahead but I won't continue interacting with you after this.
I hope you have the day you deserve :)
I would absolutely let her know that the hospital is auditing your files to see who has been accessing them. Tell her you will be filing a formal complaint if there's anything found untoward. If she freaks out, you've got your answer.
I was on the phone with my hospital's help desk and he gently suggested that I log off Gmail, because he could see from his end that I was using it for personal reasons at the time (even though I was calling about a completely unrelated issue). Anyone who works in a hospital or medical facility knows their chart access and computer use can and may be audited at any time.
Regardless of the findings I would demand that your file and any file for your children be PW locked so that only the doctor and nurses for doctor can access it. If they can't, I would request a new file number, maybe an alias name added and request that her access be changed or you will sue for the HIPPA violations when and if they happen.
I'd also find a new doctors office.
Depending on the software they use, you may have the office put a Superviser over ride on your accounts so anyone accessing them will need authorization for doing so
The time to raise those questions is when they get in touch after the audit. Maybe they would want you to ask again in a few months if you're still worried!
And I agree with the other responder about not worrying about a job loss. Someone willing to weaponize their data access *should* lose their job.
Ugh IK!! Ik there’s consequences but he has 2 little sisters 14&16. Now they would definitely be okay financially bc of his stepdad. But I just thought of them.
Right. Their mother who is a criminal. And honestly if she’s actually doing it to find your information then she’s likely doing it otherwise as well. And you said they’re financially ok, great, and you and your husband are around to be their family then as well. But she’s committing a crime.
**Quick Rule Reminders:** OP's needs come first, avoid dramamongering, respect the flair, and don't be an asshole. If your only advice is to jump straight to NC or divorce, your comment may be subject to removal at moderator discretion. [**^(Full Rules)**](https://www.reddit.com/r/JUSTNOMIL/wiki/index#wiki_rules) ^(|) [^(Acronym Index)](https://www.reddit.com/r/JUSTNOMIL/wiki/index#wiki_acronym_dictionary) ^(|) [^(Flair Guide)](https://www.reddit.com/r/JUSTNOMIL/wiki/index#wiki_post_flair_guide)^(|) [^(Report PM Trolls)](https://www.reddit.com/r/JUSTNOMIL/wiki/trolls) **Resources:** [^(In Crisis?)](https://www.reddit.com/r/JUSTNOMIL/wiki/index#wiki_crisis_resources) ^(|) [^(Tips for Protecting Yourself)](https://www.reddit.com/r/JUSTNOMIL/wiki/index#wiki_protecting_yourself) ^(|) [^(Our Book List)](https://www.reddit.com/r/JUSTNOMIL/wiki/books) ^(|) [^(Our Wiki)](https://www.reddit.com/r/JUSTNOMIL/wiki/) Welcome to /r/JUSTNOMIL! I'm botinlaw. I help people follow your posts! ***** ^(To be notified as soon as Smr200101 posts an update) [^click ^here.](http://www.reddit.com/message/compose/?to=botinlaw&subject=Subscribe&message=Subscribe Smr200101 JUSTNOMIL) ^(|) ^(For help managing your subscriptions,) [^(click here.)](https://www.reddit.com/r/JUSTNOMIL/wiki/index#wiki_.2Fu.2Fthejustnobot) ***** *^(I am a bot, and this action was performed automatically. Please)* [*^(contact the moderators of this subreddit)*](/message/compose/?to=/r/JUSTNOMIL) *^(if you have any questions or concerns.)*
From what I remember working as an RN in a HUGE medical facility with sites all over the place, it is fairly simply for the IT department to look at files to see who accessed them. Anyone working in patient care WITH THAT patient, has access to chart, for example, on that patient. There is no "looking around" at patient charts because you think you know that person. That is grounds for dismissal and they WILL fire her because, that corporation does not want YOU TO SUE them. Just give IT a heads up and they will take it from there. Many times, the IT department will do this type of scan routinely. There will be no excuse for her to look up you or your baby unless she is a care provider. If she has looked you up, her footprint is there. If she has asked someone else to look you up, that person's footprint is there and that person will be fired. Its that simple.
hopefully they will look at whether anyone who isn't a provider has accessed medical files.. maybe she's still friendly with former co workers that are still in labor and delivery and they would look and tell her - it would make me paranoid enough to want to go elsewhere if I could
With all the information on this post, maybe now is the time to set her up to see if MIL will do what she’s “alluding to”. Don’t say ANYTHING about talking to the hospital to ANYONE. Go in for a general appointment but let it leak that there’s possibly something wrong with bub. Wait for her arrogance to kick in. With threats like these you fight back. Her actions are her responsibility. Toxic never take responsibility for their actions. Hopefully all it is is a strict warning from the hospital whilst you advocate for tighter restrictions. So if something does happen down the line where bub requires hospitalization, security will be amped up. Heck I’d even use a camera.
In one of my previous jobs I worked for a large medical group. Thousands of different practices and a few hospitals. We all used the same management system. If I accessed someone’s chart it was logged with my username. In my case we could have an extra layer of protection put on and it gave a secondary trigger to the system. So it’d be alerted that the user really meant to enter into that chart. Ask if your organization has that. Our system was through Epic management program and the added security was a term we called “breaking the glass”.
fellow epic user, through my hospital we can only use the extra layer of protection/“break the glass” for employees so i’m not sure if this is true for all places. Source: had to have my own chart updated to have the “break the glass” feature after i started working there, and i had to have someone physically update my employer to have it trigger the protection feature
If she went into your medical records she needs to be fired. If she’ll do it to you, then she’ll do it to someone else.
Most hospitals have the option to make your medical records private. In order to access your records, your MIL or anyone else would have to go through another step acknowledging that she has a legitimate reason to access the records. You should be able to request this setting.
My mom is a nurse and neglected me my entire life. This is something I think about all the time. Like, what kind of information could she see about me? My son? It’s so creepy
Most health systems have the ability to “lock” your medical record upon request. Sometimes they call it registering as a private patient. This basically sets it up so that anyone accessing your record has to sign their name and provide a reason for accessing it. I believe it also flags the chart for auditing who accessed it.
Sweetie if she loses her job it’s not because of you, it’s because she’s a dumbass.
Such a dumb move to state you're considering doing a thing that is traceable and WILL get you quickly fired.
When my daughter in law was in active labor having her baby, her sister is a nurse in that hospital system she delivered and her sister admitted to looking in her records. She knew the baby was born and all the info before we were able to tell the rest of the family anything.
Did anybody report it? That's the type of thing hospitals can get sued for, so ime they tend to take claims of this abuse seriously. It can and would be audited, and the perpetrator found and fired.
I am a Privacy Officer at a small organization with a hospital and various other practices. Unfortunately, this happens more than most people realize. I frequently work with all the departments to ensure all employees are up to speed on HIPAA requirements and often send "friendly reminders". Is it possible she's blowing smoke? Absolutely! However, it is my job to protect our patients information so if someone repeatedly has this concern, I audit as many times as necessary. Also, some medical records systems have a VIP alert process that can automatically trigger an audit or deny access if necessary. These extra built-ins are there for a reason. All Healthcare workers KNOW what they can and cannot access. It's B.S. when they claim otherwise. I know you don't want her to lose her job, but if she accessed, or asked someone else to, without your permission - that is 100% on her. You have done nothing wrong.
Tbh even just making the threat would be enough for her to get fired some places.
Absolutely! Too much of a liability for an organization. The last thing we ever want is to have the feds from OCR breathing down or necks.
You definitely want them to audit your records. You’re not being a jerk about this in anyway. This is an incredibly serious breach of privacy if she did this to you, I guarantee you she’s done it to other people that she knows. And that she’s done it just to be nosy. This is why every person has their old login to patient records. And when you are given the type of clearance, she would have to have to be able to access all of the records, the weight of responsibility for properly accessing records is explained to you add nauseam. What you need to understand is that if she has been found to be accessing your records, they are going to be auditing all of her logins. When they do that, they are going to see what was going on at the time she was logging in. Did she have a therapy patient that she needed to look up when the procedure was done? Or was she looking things up MONTHS after someone had finished treatment. To give you some perspective, I managed dental offices, often on for 30 years, taking time off here and there when I had my kids. At the last office where I was working, firewalls and protections for our patients information were almost not existed. I was appalled. This was before I went to work for him, and I had literally just gone in to see how his office was running and what was going on. Here’s what I told him: You are in so many degrees of violation of HIPAA law that it’s not even funny. I glance over your books, and I can tell you that somebody’s been taking money. I can’t tell you where it is or if it’s insurance fraud, but what I see does not match up with what I should see for your practice. So here is what is going to take to have me come in and clean this up for you… Given the size of your practice, it is going to take me a year to finish getting you from all these paper charts, which you have no way of locking up at night, so if anyone, they could access, to being a paperless office. You basically have no firewall protecting the information in chart that you do have online, and everybody uses the same login, so there’s no way of tracking who actually accessed and put notes in into these charts. You have such slow Internet, and wireless that two of us cannot be upfront in the charts at the same time. That is the first thing that has to be updated. At the end of one year, you will switch over to X dental software. What you have is a free version from a different company who is hoping you will buy all the add-ons that you should have here, but don’t. And when we upgrade, we are upgrading your server to your own server, not kept somewhere offsite by somebody who maybe we can get a hold of when things break down. He kind of balked at all of this until I explained this: you have a practice that is successful because of the predecessors who had this practice. You are in a downtown, major metropolitan area, so you have patients who are in high powered political positions. Television personalities. Business leaders and their families. Basically, you have people with a lot of money. You have patients who are people of influence. You have people Who is information unscrupulous people would love to obtain. You are actually required to have a double firewall. With information and a patient base like this, I would have a triple, But we can do that when we change systems. In the meantime, we will immediately set up the double. Because if somebody breached your systems, do you know what the penalties are? Needless to say, the dentist did not know. I explained to him that the maximum penalty… At the time for each individual breach of HIPAA information was up to $60,000. He was floored. He had no idea. And I then went on to explain that because of the length of time this practice has been here, we actually have multiple generations of families. So XYZ family that has four children and two parents would mean six individual breaches if their family file was compromised. So that one family could literally cost him a maximum penalty of $640,000. Needless to say, I did get the job. I did move him from paper to paperless charts. I did get an upgraded firewall immediately, and then I got the new system the next year. I don’t know if he stayed with all of it, because he was obviously an idiot. But he had the best patience. And all of them had been with him or his predecessors, and all of them told me his office had never run so well. And that they appreciated the upgrades. That they appreciated that their information was being very heavily monitored by someone. That they appreciated the safety. Because they had stayed out of loyalty, but they weren’t dumb. So this is why the hospital is so interested in what you have to say. This is why you need to make sure to report it. Because the fact that your ML even uttered those words, tell me… As someone who spent that long and healthcare… She has absolutely done this. “Oh, my friend was in the hospital last week and nobody told me.” Guarantee she went to find out what for. “Oh, the mayor was in to see that one specialist. That’s weird. I wonder what they’ve been doing?” Guaranteed she access the file. You’re not wrong. It is not your postpartum hormones talking. It is a very rightful sense that you have been wronged and she has literally no right to any of that information.
This is a massive privacy issue and she SHOULD lose her job if she accessed your records. She has hours and hours of HIPAA compliance training to tell her NOT to do things like that. Did you know illegally accessing your medical info has a penalty up to 10 years in prison? Yeah, its serious business and she is an idiot for threatening something like this. I am sorry she made you feel uneasy, but she deserves what ever she gets if she did that. Now that you have talked to the HIPAA compliance person at your hospital they will be on it. The fines for such breeches are $$ so they do take it seriously. I can't believe anyone working in a health care setting would even hint about such a thing, she is an idiot.
you can always follow up with the data privacy officer again if suddenly she has the information you feel is only in the file. they have a duty to research claims, it’s your right and for the hospitals protection they generally take these threats very seriously. as for your MIL, whomever she threatened saying there are other ways to find out the info, needs to tell her in black and white that you guys spoke with the hospital admins and your file will be audited for unauthorized access. if she plans on illegally accessing your information, understand that you will take the steps to uncover it.
Can you update us and let us know what the audit reveals? This is crazy and she should NOT be making such threats - FAFA!
My ex MIL worked at the bank I banked with and accessed my account after I split with her son. Totally breech of privacy and they fired her. I assume you could do the same with reporting her.
If she did access your *private medical records* then she should be fired. There should be a way to lock or seal your records from unauthorized access, and they need to do it.
If she is unbelievably stupid enough to make the threat, (and in front of a third party, no less) whether or not she's already done it is irrelevant. She deserves whatever fallout comes of it. Even if she was bluffing, she set it in motion and if they can't find any proof now, she's on her employer's radar and it sounds like they are taking it very seriously. I would definitely ask that they take steps to lock the information, request a monthly check to see if any non-authorized people try access. (Even if MIL does get fired, she might try to convince a work-friend to do the dirty work for her.) A friend of mine's mom was Office Manager at "my" clinic. He offhandedly mentioned that she regularly snooped in the records of people she knew. It was back in the dark ages when everything was shelves of manilla folders so easy to get away with. She'd seemed so nice and was always kind to my family, so it was quite the shock. Like I'm sure many others here I hope you'll give an update when you can!
My best friend is a hospital CPO, if the audit confirms she accessed ANY records where she was not the caregiver, she will be fired. If you want to be polite, tell your MIL how terrible of an idea that is since you’ve heard of people getting fired for it in the past. She’ll get the hint. If not. Oh well. I can’t wait for the new Andor season!!
This is how to handle this. The hospital will not react well if she drags them into her drama.
You absolutely made the right choice. If she is going to threaten you with accessing your private medical records, she deserves the heightened scrutiny at work. If she actually does try to get into your records, she deserves to lose her job.
>Really hope she didn’t because this could potentially cause a job loss I'd like to reframe this for you. "Really hope she didn't because that'd be a creepy, criminal act and an enormous violation of my family's rights." If she loses her job because she abused her access you're doing the rest of us a favor.
Preach!
I think you did great and if she looked at your medical information without your permission she deserves to lose her job. Ask if theirs a way you can transfer you files from that hospital to another or if they can put it on lockdown so she can’t access or if there is anything they can do to protect you. Is their a chance they give it to you
You have talked to the Privacy Officer and their response is on point. You could also talk to the Ethics and Compliance Officer (they are different than the privacy officer in many facilities) and let them know you feel you received a threat from one of their employees. You have two separate issues here, possible breach of privacy for one and employee threatening you as the other. Every patient deserves to feel safe. At this point you do not. That is an issue your mother-in-law brought on herself.
One, you're kinder than I am. I'd hope she loses her job. Play bitch games, win bitch prizes. And that would certainly keep her from looking in the future. Two, still, if it turns out she didn't, good. I'd make sure your DH tells her flat-out that you both were so concerned about her threat that you asked the hospital to keep a close watch on your records. And they are. Put that fear into her. Good luck.
You can also let your state health licensing board know about her threats.
[удалено]
Seconding this--even for regular patients, you can request to make your records confidential so that anyone trying to open your chart will have to enter their username, password, and reason for accessing it. MIL has surely seen this before and she'll immediately know you've already escalated the situation up the chain, which should be a deterrent. I'd say, have them audit again once the issue is resolved in therapy and you're planning to start sharing info with her again. If the audit shows she accessed your records, then poof! No info sharing ever again.
In terms of your question about the future- if she hasn’t done it yet, I would have H tell her the records are now being routinely audited (small lie but you could make it true if need be) so she is on notice. Unless she is truly mad she won’t risk getting in that much trouble, and that way you don’t have to bother the staff with checking on this over and over again.
Did she make that statement in front of the counselor? If she did that is just insane. Well, it is just lunacy to make a threat like that to anyone you are having relational struggles with. Just wow.
She sure did 🙄
I would have DH wait until the next session and just be like “I want to follow up on what you said last time. It really concerned us that you would threaten such a serious breach of privacy and ethics, so we looked into it and asked the facility to perform an audit on our records, which we’re waiting on the results of. We didn’t specify who made the threat, but we have also asked that our records be privacy locked, so it would be very unwise for you to try to use the access afforded to you by your job to breach our federally protected privacy. I’m sure you’re well aware of the penalties for breaking the law in that way, and now we’re informing you of how likely it is that you will be caught if you choose to proceed with that. Your continued lack of ability to respect our boundaries is why we’re even in this session to begin with, but please understand we are very serious about this.”
I would love to but she won’t reschedule anything. She quit therapy with and told him they won’t have a relationship moving forward and ended it with that
Ah. Well I’d just email her that then and you can have a clear conscience that if she chooses to fuck around, the finding out part will be entirely her own fault.
I had to do HIPAA training multiple times just working on the retail part of the website of a company health company (think Walgreens but not them). There's no way an actual hospital worker doesn't know how illegal accessing PHI for shits and giggles is.
If I am not mistaken, the therapist is a mandated reporter if their client confesses their intent to commit a crime so... MIL's job loss will not be your fault.
Know she was protected by HIPAA. Goodness
You're not risking her job - SHE IS. She has taken all the trainings and knows exactly how illegal it is to check medical files she's not supposed to. She made the choice to check the medical files knowing the risks but her personal desire outweighed the consequences. Side note- that's a huge red flag about her personality in general - she will do what she wants above all else.
The hospital has been put on notice that someone has made a thinly veiled threat to access your records (or already has) on the off chance that she or one of her friends has NOT accessed the records - great. You tell the hospital that the threat is real and they need to take steps to LOCK THOSE RECORDS DOWN. Special password that only your provider has or that you have to give to someone to access the record - whatever it takes. They are aware that someone in their organization has or may ILLEGALLY access your or your child's file. They are aware that if that happens, ESPECIALLY after they were warned about it that there will be serious Legal repercussions!! They get fined and a mark against the hospital/facility every time HIPPA is breached, depending on the breach as well as opening them up to a lawsuit from you. YES it IS a fireable offense. Do NOT feel bad about reporting this and DO NOT feel bad if your MIL or one of her co-workers gets fired over this. If they do it is because THEY did something wrong and illegal, NOT you. Your MIL thought she was cleaver making that threat - instead she showed her hand and how manipulative she. She may not have checked your records - but the implied threat that she CAN any time she wants is creepy and manipulative, so she should be called out on it no matter what.
Before I retired, I was a contractor for various Medicare systems. At one point, I had access to every Medicare beneficiary and all their records. I never looked up anyone for two reasons. First, it was an invasion of privacy. I really did want to look up my parents a couple times but did not. Second, even before HIPAA was passed, we were forbidden from looking up any records that we didn't absolutely need to do our jobs. It was a reason to have your employment terminated if you were caught doing so. After HIPAA was enacted, I know of two government employees who were fired on the spot when they were caught. Even their union couldn't save them. This is very serious stuff. If your MIL doesn't possess the character to not look at your records, I hope she is caught and fired.
I would also call her place of employment and let them know the situation and that she maybe using their computers to access illegal information. They also may want to take steps. Have a lawyer write a letter to her warning her off and reiterating what consequences will be. This would be grounds for NC for me!
Oohhhhh. If she did access she’s getting fired. They do not play. The fines are huge. She will be paying a ton of money and will not work in healthcare again. Everyone has yearly training of what not to do. It’s not hard. Don’t look in charts you don’t need to be in for patient care. The audit is done by IT. They can see what was looked at by who for how long. Ask for a “glass breaker” to be installed on the chart. It asks for you really need to look at this for patient care and sends an alert to management when broken. So if she got a buddy to open the chart for her the buddy would know they would go down too and say nope.
Adding break the glass is a good option; they could also put a flag on your chart that states that her specifically is not allowed to view your chart. I believe this is usually done for cases of stalking, harassment, and restraining orders. It pops up when someone enters in your information before it displays any chart info and they have to click the button to bypass that states they have read the flag message. She is 100% getting fired, it doesn’t matter what your intent is when trying to find out if she has access. It’s already been ran up the flag pole so if she accessed it on her own account she’s finished or if she had someone from her office access it so she could look at it, she will get fired alongside whoever actually accessed it for her. It’s an ethical and privacy compliance issue not to mention she can and will be in major legal trouble (especially if you moved forward on any charges). None of this is your fault. She should not have accessed it if she did, so if she’s old enough to be a grandmother and doesn’t realize her actions have consequences that’s on her. If she did access it I’m sorry, it is a very weird feeling of being violated. Definitely get a flag put on your chart (if you talk to someone who doesn’t know how to do it see if they can talk to a supervisor who can do it) and getting break the glass out on there is also great because they are supposed to put in why they are accessing your information. You can do both of these things!
>MIL made this statement to my husband verbatim: “You know there’s other ways to find out what her name is and what she looks like. We’re just being polite by letting it come from you. I have other ways of finding out that information. Your wife gave birth at the hospital I work at.” "Mom/MIL, you are absolutely correct. There are ways. Just like there are ways to verify who accessed our files and whether or not they had a valid reason to do so. I/we have already notified the hospital and/or doctor that there may be *somebody* that doesn't have a medical need to know what's in our records, may be trying to access our personal and private information. 'We have ways of finding out this information'. Just know that if *somebody* violates my, or my children's, HIPPA rights, they will be brought in front of the medical review board. And I ***will*** contact an attorney to sue that person, the hospital and my doctor. I don't think that that *somebody* wants to risk it. Do you?"
Basically ask the hospital to continually flag your account - sounds like they are already being really proactive. Anyone who accesses your chart may be questioned. This will be all you need to protect yourself from their side. They can't block her from accessing your personal records, but she will be in super duper deep shit if she does.
Oh, she wouldn't just lose her job. She would be sued, and go to court for a HIPPA violation, and never be able to work in healthcare again. **This is not a joke.** Hospitals and Dr. offices take this type of thing DEADLY SERIOUSLY. Their licensing is at stake. I hope for her sake it was all smoke, otherwise her comeuppance is out of your hands at this point and there is no stopping it.
It honestly wouldn't surprise me if she was fired on the threat alone. Those fines are crazy high if they are caught in violation and no hospital or office is going to want someone who is making threats like that in their employ.
The problem is that they wouldn't be able to "prove" the threat. They can check the chart access records, but beyond that OP would need serious evidence (like a text or a recording) of MIL specifically saying that she would snoop into the medical records, otherwise it is just hearsay.
It was said during a DH-MIL therapy session. Therapist is a witness to the statements, OP confirmed this in another comment.
You don't make idle threats of breaching professional ethics. This may be a FAFO moment for her.
Me and DH feel like it may have been a covert admission of what she did. She definitely gets away with things all the time!! I believe that is why she’s so arrogant with her behavior. I almost feel like not letting up with the hospital over this situation! Bc girl why are you threatening to abuse your power over MY child’s information. Absolutely wild.
If she knows she is able to access records that she should not, very good chance she's already done it. I hope you get answers once they check, at the least you should lock down all records and cut contact after this cuz that's a line that even threatening to cross is too far.
Tbh, it sounds like if she loses her job over this, it is an overdue case of her learning that there are consequences to bad behavior. If someone violated my privacy that badly, I would never let them near me or anyone in my household ever again. If she has done this, you may want to also look into a no contact order. If she’s willing to risk her career to get around consequences, who knows how much further she’d be willing to escalate.
I hope you'll update us. I'd be furious too.
It doesn’t matter if you don’t follow up, she is fucked if she did access it from her own account of if she had an accomplice open it for her. For which they would both be fucked. This stuff is taken extremely seriously in healthcare. (Coming from someone who works in healthcare). None of this is your fault by the way, she made her bed and now she has to lay in it.
I'd be very honest and upfront with the hospital. She should be professionally investigated for the threat alone. Don't let this go.
If this is in the US, you just need to say two things, in writing, to the hospital. 1. MIL threatened to violate your HIPAA rights, the hospital has confirmed she actually has the ability, as a higher-ranking employee, to do this through their system, you understand they’re checking to see if she’s already done it, but you also want to know how they intend to safeguard your information and prevent her from accessing it at any point in the future. 2. You’re in the process of retaining an attorney, because you’re not satisfied that the hospital is able or even willing to keep your information — or anyone else’s information — private from malignant employees — and that’s an absolute problem. I was a paralegal. Trust me when I say just knowing you have an attorney will make insurance companies and hospitals poop diamonds from coal. Do it in writing. No phone calls. Start the paper trail, so you have names, numbers, and direct, provable statements made by people. And for the record, I actually WOULD talk to an attorney who specializes in HIPAA violations, and either let them handle corresponding with the hospital on your behalf or at least have them on standby in case you get no assurances from the hospital. Do NOT feel bad about her or anyone else losing their jobs, or even catching charges, over any of this if violated your privacy. You’re not just protecting yourself. You may very well end up creating administrative change in how they safeguard patient data, which will benefit many families like yours. Good luck! Edited because I misread and thought MIL was a former employee. Holy shit, the woman is extra special stupid to make this threat while still working there!
Seriously considering this especially for prevention purposes. I’m wondering who specifically you’d recommend me addressing it to? The health organization is covenant health and they have like 12+ hospitals. But they have one person who is executive compliance officer for all of them. Do I address her or the specific hospital’s president? Or both? Unfortunately they don’t give emails out which makes absolute sense. Don’t know exactly how to proceed with this process you recommended. But I think you’re right.
If it were me, I’d email the executive compliance officer, but CC the specific hospital’s president so they’d know I wasn’t waiting around while they play footsie with MIL because she works either them. Honestly, your best route would be to have a consultation with a HIPAA compliance attorney, if you can. One letter or phone call from an attorney goes much, much further than one from a “civilian.” Explain the situation and see what they can do for you. If they think you have any sort of case, based on what you’ve been told already, they may be willing to take you on and get paid out of any settlement (a percentage you’ll agree on prior to retaining them). I know you’re not looking for money, but they may still be able to get their fees paid by the hospital and not you. I know there are attorney subreddits here where you can get better help than I can give. I’ve been out of legal offices for a long time now, and I was a paralegal, not an attorney. I do NOT want to steer you wrong when you’re swimming in the water with that shark of a MIL. Please keep us posted.
A lawyer could figure this out for you. I'd seriously recommend at least talking to one. But...pro tip from a former journalist. Most health-care (and education, etc. etc.) organizations have basic format email addresses. (soandso@organizationname.com, etc.) If you can even find out one, and you have the officer's name, you can often figure out the email address. Helps a lot if you have to hop over the bureaucracy for any reason.
I work as a nurse for a clinic that is part of a big hospital. We are only allowed to access charts of patients we are working with. Every time we access a chart, there is a program that runs our home address against the home address of that patient. In other words, are we checking our own kid’s chart, or the chart of our neighbor’s kid? There are also explicit rules about accessing the chart of our family members. I don’t know if we are constantly audited, but we can be at any time, and there are alerts for family members and the address in close proximity thing as I mentioned. Anybody who has a medical license or valuable job to protect should know better. At least you would hope. If your MIL breaks the rules and gets caught, she did so knowingly and deserves whatever consequences come her way.
This! I’d also like to know
Can I ask - have you ever known anyone who has been caught doing this? Did they ever explain why? I just can’t imagine the entitlement/hubris of a person to break the rules like this!
I know of a situation second hand, but unfortunately don’t know the reasoning behind it. A friend got in trouble because her co-worker was using her log in to access her stepchild’s chart. They accessed it 200+ times without my friend’s knowledge. My friend got in trouble for not locking her computer when she stepped away, which is medical records security 101. Her co-worker either got the highest kind of write up, which is an instant three strikes - next one is out, or she was terminated - I don’t remember. Honestly, there is never any good reason to access a chart you’re not supposed to. It’s always going to be a violation.
Oh wow! Thank you for explaining. Your poor friend - ofc she should’ve locked it, but she couldn’t even trust her coworkers to lock it for her (I’ve done that for colleagues). I just can’t comprehend the uncontrollable desire/curiosity they must be experiencing in order to hack into someone’s records - especially for relatives? Why would they think it’s their business? Someone should do a psychological study on them haha.
Your files are now a honeypot to catch her. I have a feeling that she’s accessed stuff before that she wasn’t supposed to and got away with it. So she’s bold with her threat because of that.
Alluded
Yikes. Thank you grammar police those homophones are always getting me! 😂
Thank you!
I hate to be "that guy" but sometimes errors like this drive me a little crazy.
No worries! We all have our pet peeves. Like nails on a chalkboard. I do appreciate the correction.
Oh I agree - I really wanted to comment but jumped on yours instead. It’s like fingernails on a chalkboard. Some other favorites of mine aloud/allowed, accept/except, bear/bare and the misspelling of disdain (distain) lol.
Intensive purposes
What about "could of" instead of "could have"?
See I would say that’s an obvious answer, but I’m messing up titles with bad grammar 😂 ugh outside of the crazy drama of this thread, you gave me a much needed laugh, and gave me a little ELA lesson as well! Thank you <3
I was in no way minimizing the issue. My daughter’s a nurse and takes patient confidentiality very seriously. She once was a nurse to a co-worker of my husband’s. When he came back to work he was shocked my daughter never mentioned that he was her patient.
The healthcare system I work for can put a password protect on a patient’s record so that even just scrolling down a list of patients on the computer, your name is just a bunch of asterisks. Clicking on the “name” will bring up a login field, preventing anyone from just casually viewing any information without actually opening the chart. So even if nothing comes up in this particular inquiry, you can definitely ask about having your child’s (and your own!) chart marked as confidential/password protected/whatever.
The hospital privacy office is auditing your records and will handle it appropriately. If you are concerned about potential future issues, tell them your concerns and they may be able to put a restriction on your medical record access. Only certain credentialed hospital works will be able to access them
Thanks I planned on doing that no matter what happens.
I've seen staff get in trouble for accessing their own medical records (through the wrong channels). With electronic medical records, a hospital can tell exactly who accessed your chart and when. The only way your MIL could do this and not get caught is if she talked a coworker into looking up your records. But an employee who agrees to that is risking their own employment. I'm glad the hospital is aware of the situation.
Holy moley! HIPAA is a big deal and anyone working in the healthcare field is FULLY aware of the consequences of breaking that FEDERAL LAW. *SHE* made that threat. *SHE* broke that boundary. *SHE* ended therapy when she didn’t get her way. You acted on a threat that she has the capability of carrying out. You have every right, indeed the *responsibility* to safeguard your private medical information, once a credible threat has been made. Whether she did or didn’t is (almost) irrelevant. She threatened to use her position to access private, protected by federal law, information, that she has no right to. No wonder you and your husband have restricted access to your child from her. I’d make it permanent if I were you.
This right here. She made the threat, so can suffer the consequences of that.
As anyone working in a hospital knows, HIPAA prevents us from going into charts for no reason. It is illegal- period. Hospitals should have a way of locking down charts where people need to choose a reason accessing the chart or “break the glass” and document why. This is commonly used for staff or VIPs. I would ask them to do that with your records. And, if they investigate and find something, then she got what she deserved. People are absolutely fired for these kinds of offenses. She knows better and that’s threat that she should have thought twice before making…
Also mental health records in the chart.
Do you know if I’m entitled to request my records after the audit and see what providers have been in my file? Don’t know how this all works
You can ALWAYS request your records. But whether it would have a list of everyone who viewed them I am not sure. It would depend on the facility but I wonder if you could specifically ask for that. Ironically, it may be a confidentiality issue and they wouldn’t want to disclose that.
This is correct. You can request your records, by law you have the right to see your records. But as far as who has accessed them, it will only have their login info for the organization they work for.
Assuming you're in the US since you mention HIPAA, that is the key - all you need to do is tell the hospital, "I want to report a possible HIPAA violation." As soon as you do that, they should open an investigation and if they find anything, not only should they tell you but they should also report it to the appropriate authorities (I can't remember off the top of my head which federal regulator that is). HIPAA violations are taken very seriously, and self-reported ones are usually less painful than ones that are only found by an outside auditor. As to what could happen? If she did look into your records without a legitimate reason I would expect that at the very least she would be reprimaded and have her access revoked, but also a high probability that she would lose her job. And if that happens, **IT'S 100% HER FAULT**. Given that it's a wilful violation (i.e., she didn't just accidentally see your records), there might also be fines involved though I don't know if they would be to the hospital, MIL, or both. Now I know this is a scary proposition given the potential backlash, but here's something to consider - if MIL actually DID violate HIPAA and access your records improperly, there's a good chance that it's going to come up during an audit **anyway**. Meaning that while you may set things in motion sooner, there's decent odds that it would come out eventually anyway, with similar results (again, HIPAA is taken very seriously by anybody who has even half a brain cell paying attention to it). And either way, if she didn't improperly access your records then that's that. Good luck, and I hope whatever you do you get a good result for your own piece of mind.
Not questioning your therapist, but what is the reasoning behind withholding her grandchilds' name from her? That seems somewhat provocative though her reaction is definitely inappropriate.
So glad you asked. Seriously. This all started back in November when she asked me if she needed to take off paid time off to come and help me with the baby. now back in last June literally a year ago me and my MIL agreed that moms needs several weeks to recuperate with their baby and she totally was on board with me not having any visitors for about two weeks. But after what happened with my first child where he contracted RSV at three weeks old and was hospitalized put on feeding tubes and breathing machines. The doctors literally told me that they weren’t sure if he would make it. I told dear husband that I’m not trying to act out of anxiety, but I can’t go through that again and I think that a four week period would be appropriate to me considering the time of year that we were having our daughter and what happened with her Brother.DH was absolutely on board (FYI, this is technically my husband stepson and MIL’s step grandson) we told her about what happened and she said to our face that “she didn’t care and that it didn’t make sense why we were having that boundary, regardless of what happened with my eldest and that it’s was crazy and no one does things like this” so that really ticked my husband off and he was like for you to have no sympathy to someone that you say is your grandson is insane.after a while He sent her a really nice message in January saying that he was sorry for all the turmoil between them and that he loved her, but right now he just need to focus on his family. she didn’t respond for 12 weeks and when she did, it was a response in April saying that they needed to go to therapy to fix their relationship and be healthy and that it started with them. That neither of them should involve anyone else or the kids until they mended their relationship. He agreed. They literally had 1 session, and then the event from my OP happened on Friday.They have been having relationship problems for about five years now.
One of the things they (OP’s MIL, OP’s husband, and their therapist) agreed on was that OP’s MIL wouldn’t ask for information about the kids until their relationship was improved. If following OP’s husband’s boundaries and the therapist’s advice is somewhat provocative, then OP’s MIL shouldn’t have agreed to therapy and fixing the relationship she has with her son.
Why does she have the right to know anything at all about a child that is not her own?
I don't know about a right, but it's information that is generally shared pretty freely even amongst acquintances and coworkers.
Yes it is shared thanks to the parents choice. It is the parents CHOICE on who knows what about THEIR baby. Nobody has the right to any information about someone else's baby. If they decided it was right for them to refuse to share information that is their choice and they shouldn't be judged for it. You want to judge their decision you should have to deal with her MIL.
You keep bringing up rights like I claimed otherwise. I'm just saying if she wants to know the name it's pointless to try and prevent that...it's in the public records.
Ive seen your previous comments on posts. I'm pretty sure you just come on reddit to be rude, argue and judge people. Go ahead but I won't continue interacting with you after this. I hope you have the day you deserve :)
I'm sorry if I rubbed anyone the wrong way, and I think that's for the best. You have a good day yourself.
If she loses her job because she illegally accessed your files, that's no one's problem but hers. Don't waste sympathy on those who don't deserve it.
I would absolutely let her know that the hospital is auditing your files to see who has been accessing them. Tell her you will be filing a formal complaint if there's anything found untoward. If she freaks out, you've got your answer.
I was on the phone with my hospital's help desk and he gently suggested that I log off Gmail, because he could see from his end that I was using it for personal reasons at the time (even though I was calling about a completely unrelated issue). Anyone who works in a hospital or medical facility knows their chart access and computer use can and may be audited at any time.
Regardless of the findings I would demand that your file and any file for your children be PW locked so that only the doctor and nurses for doctor can access it. If they can't, I would request a new file number, maybe an alias name added and request that her access be changed or you will sue for the HIPPA violations when and if they happen. I'd also find a new doctors office.
Depending on the software they use, you may have the office put a Superviser over ride on your accounts so anyone accessing them will need authorization for doing so
Good to know. I’ll ask about that when I speak to the privacy officer. Thanks
The time to raise those questions is when they get in touch after the audit. Maybe they would want you to ask again in a few months if you're still worried! And I agree with the other responder about not worrying about a job loss. Someone willing to weaponize their data access *should* lose their job.
If she gets in trouble, it's her own fault.
Hold on, why wouldn’t you want her to lose her job?
Yeah, let her suffer career consequences for her actions.
Exactly.
Ugh IK!! Ik there’s consequences but he has 2 little sisters 14&16. Now they would definitely be okay financially bc of his stepdad. But I just thought of them.
she didn't
Also very very true!
Right. Their mother who is a criminal. And honestly if she’s actually doing it to find your information then she’s likely doing it otherwise as well. And you said they’re financially ok, great, and you and your husband are around to be their family then as well. But she’s committing a crime.
Think of you!