Technically Speaking: Sensitive Notes

We all know what protected health information (PHI) is. And we all know and accept that accessing patients’ medical records is allowable only for those clinicians who are providing care at that time. But what about a circumstance in which a provider wants to add an extra layer of security to a note? What if a patient divulges information that could be embarrassing? What if a history includes a narrative that could foster resentment between parents? What if a consult note documents an opinion that could be used by an abuser to change their story? How can we keep those notes away from people who don’t need to see the information while still allowing caregivers who could be impacted proper access? We can use sensitive notes.

Clinicians can mark notes in Epic as sensitive, meaning the note contains patient information that should be treated with additional care. Examples include, but are not limited to, behavioral health documentation, adolescent social history, results of sexually transmitted infection testing, and any information that should reasonably be kept out of the hands of parents and families (non-accidental trauma documentation, etc.). Sensitive notes cannot be opened unless a user has specific Epic security clearance. Sensitive notes are also not pushed to any electronic patient portals such as Children’s Connect. They are, however, still available if a parent requests a copy of the medical record from Health Information Management (HIM).

Currently, the following user classes have access to sensitive notes: providers, inpatient nurses, emergency nurses, social workers and nurse case managers.

Access to sensitive notes must strike a balance between the interests of patients (and families) and health care professionals. Patients and families have legal rights to confidentiality; the contents of medical records are protected information that can only be accessed on a “need-to-know” basis. In addition, it is reasonable for them to expect that “sensitive” information be treated with even more discretion. Health care professionals do have a duty to keep such information confidential; however, those same individuals also have a duty to provide safe, compassionate and comprehensive care. If the contents of a note could impact care in such a way, clinicians will have the ability to access the note. 

It must also be said that it is impossible to know the specific circumstances when a particular user in a single role would need to access sensitive content. We must think broadly, assume positive intent and grant access to entire classes of clinical users when a reasonable use case is brought forth. Decisions to grant access to sensitive notes are not taken lightly; a compelling case must be made to the Employee Health Records (EHR) Governance Committee when requesting access to sensitive notes and the request must be approved by a majority of the committee.

Clinicians are also encouraged to use other EHR tools (e.g., problem list, medical history, FYI flags) to communicate diagnostic and safety-related information, as this may obviate the need to read sensitive documentation altogether. 

Thanks for keeping patient information secure and for all you do!

Stephen Dolter, M.D., CMIO