
Interview with SA Health CMIO: when is it appropriate to access medical records?
We spoke to the CMIO of SA Health, Dr Santosh Verghese, about how his organisation uses technology to encourage safe, quality and professional medical practice when it comes to accessing medical records.
Clinicians access patients’ medical records all the time, but not every instance is appropriate. In fact, the consequences of inappropriately accessing medical records can be severe.
In South Australia, there have been multiple high-profile incidents of clinicians inappropriately accessing medical records and losing their jobs as a result. To find out more about how the health department handles privacy breaches, and how clinicians can avoid doing the wrong thing, we spoke to Dr Santosh Verghese, the Chief Medical Information Officer (CMIO) at SA Health.
Dr Verghese has 24 years of experience as an intensive care physician and works at Flinders Medical Centre in South Australia. “I split my time equally between working as an intensive care specialist and serving as a Chief Medical Information Officer (CMIO), where I bridge the gap between frontline clinical care and the digital health environment,” he says.
“I use my clinical experience to ensure the digital capabilities we design and implement are practical, fit for purpose, and genuinely support the needs of patients, clinicians, and the broader health system.”
When it comes to accessing medical records, Dr Verghese says that, while hospitals and health departments have policies and procedures in place, many clinicians aren’t aware of the rules within the organisation they work for. In SA Health, all policies and procedures relating to safe medical practice are on the intranet for clinicians to access, but he admits that sometimes this information is hard to find.
“There are very clear policies on access to records: who can access the record, in what circumstances you can access the record, and how you can use that record within your scope of practice,” he says.
“All of us have to do mandatory training on data access and data privacy, but it’s not every year.”
Dr Verghese also points out that when a clinician enters an electronic medical record (EMR) for the first time, they’ll be asked to confirm they are accessing it for the right reasons, but many clinicians don’t read the terms and conditions.
“Most people click past the prompt and don’t read through their responsibilities,” he says. “When there is a major update, we try to bring it to their attention, but we don’t want to do it every time a clinician accesses the EMR because it hinders them.”
It is the clinician’s responsibility, contractually, to understand the policies and not breach privacy legislation, he says.
Detecting and dealing with misconduct in South Australia
So how did it come to the attention of SA Health that clinicians were inappropriately accessing high-profile patients’ medical records?
Digital Health SA (DHSA) uses technology to monitor activity within EMRs and clinical systems, tracking who accesses them, particularly when a high-profile individual is admitted to the hospital.
“The EMR includes a ‘break glass’ feature,” he explains. “When a clinician accesses a patient’s record outside their direct care, a popup appears, and the clinician must enter a valid reason to view the patient’s case notes. To proceed, the clinician documents the clinical justification into the patient record, verifying the legitimacy of their access. On the backend, this action is flagged, indicating that ‘glass has been broken’.”
When a clinician accesses a record outside their direct care, an informal assessment takes place to evaluate the situation.
“DHSA’s security team can review who has triggered the 'break glass' feature and track every screen and document accessed. If there are concerns about inappropriate access to a patient’s clinical record, a review is conducted. As part of the review process, the organisation sends an initial email to the clinician, asking them to explain the reason for access. In 99% of cases, this is the result of a valid request to consult on the patient. However, for the 1% who cannot provide a valid explanation, the case is escalated for further assessment.”
Dr Verghese says the patient doesn’t have to be high profile for DHSA to monitor activity in the EMR. It could be a vulnerable person, like a victim of a violent relationship. The organisation can also run random audits to ensure that patient privacy is maintained.
We asked Dr Verghese how clinicians feel about being monitored in this way.
“There are two parties involved,” he explains. “The patient, who has no power in this situation, relies on us to provide care while safeguarding their privacy. They expect that everyone involved will act responsibly and do the right thing.
“The way I explain this to clinicians is by comparing it to banking security. If you had a bank account, would you want the bank to run random checks to detect unauthorised access? And would you consider that ethical and legal? Absolutely. That’s exactly what we’re doing.”
Accessing medical records for educational purposes
A common reason clinicians face scrutiny for accessing medical records is using them for training purposes. For example, a clinician may have treated a patient and later wants to review the record to see the treatment outcome. Alternatively, a consultant may instruct a clinician to review a record for learning purposes.
So how do clinicians navigate this?
“That’s a great question, and one I get asked often,” says Dr Verghese. “In our system, when you trigger the ‘break glass’ feature, there is a designated field where you can enter the reason for accessing the record.
“Make the most of the features available,” he advises. “We are looking for every legitimate reason a clinician had to access the record. Our goal is not to penalise clinicians for doing the right thing – if there’s a valid reason, document it.”
Situations where clinicians get in trouble
“One area where clinicians run into issues is with the integration of the EMR and My Health Record,” explains Dr Verghese.
“Although this is widely known, many clinicians don’t realise that when they access a patient’s My Health Record, it immediately triggers a notification on the patient’s mobile. However, this does not provide the patient with information about why the record has been accessed.
“The other issue is a lack of awareness around the intended use of My Health Record. According to its guidelines, it is meant for primary use – direct patient care – not secondary use, such as research. We’re working with the Digital Health Agency on this, and we are adding a popup reminder stating, ‘You shouldn’t be using this for research.’ This popup will need to be acknowledged before opening ‘My Health Record’. Our goal is to make compliance as straightforward as possible.”
The uncertainty around whether records can be accessed for educational purposes understandably creates confusion. However, Dr Verghese emphasises that in over 95% of cases, clinicians have a valid clinical reason for access, and the issue does not escalate. When a clinician does not have a legitimate reason, it becomes an HR matter. Depending on the nature of the breach, they may be required to retake patient confidentiality training or face other disciplinary action.
“It could be a first-time mistake or a medical student who wasn’t aware of the rules, in which case they might receive a warning – depending on the severity of the breach and whether they acknowledge it. But if it’s a repeated issue or results in a breach of patient privacy, it can become much more serious.”
Dr Verghese advises clinicians to seek clarification if they are unsure about accessing a record.
“Most people encounter problems right after transitioning to a new system. I recommend asking colleagues who are familiar with it, ‘Is this allowed?’ That’s a good way to avoid issues.
“And if in doubt, document it. Good documentation is key.”
Key takeaways
The main takeaways for clinicians from our chat with Dr Verghese are:
- Hospitals and local health districts have their own policies and procedures about data access. You should familiarise yourself with the policies to ensure you are not in breach.
- You should not access a medical record unless you have a legitimate reason to do so.
- Document every time you access the medical record of a patient not in your care, for patient follow-up, or for approved research.
- If you require medico-legal advice about accessing records, contact our Medico-legal Advisory Service.
- For more information about medical records, visit our collection page of educational resources like factsheets and eLearning courses.
More information
For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.
This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.