This is a really specific problem for medical centers who have an in-house EMR and are also doing occ/emp health for the medical center’s employees. If you are a free-standing occ health clinic seeing employees from the plant down the road on a contract, this would be easy. But for us, not so easy. As I see it there are these issues:


1. HIPAA and OSHA privacy requirements for employment-related health records to prevent intentional or inadvertent access by coworkers.

2. GINA and ADA risks for non-employment related health records to prevent access by the employer.

3. Tracking of occupational services for compliance purposes.


The appropriateness of various software tools needs to be evaluated for each consideration.


For HIPAA and OSHA privacy, if you are taking care of external customers, a regular EMR should meet requirements as it does for any patient. However, if you are documenting employment-required medical services for your own employees, extra measures need to be taken so that people outside your occupational health/employee health practice cannot see those records. That can be a privacy setting, a sequestered database, a firewall, or an alias system. Not just a “break the glass” feature where once someone is in the EMR to provide primary care, occupational records are still visible.


To minimize GINA and ADA risks to the employer, the person’s private medical record should be off limits to the employer without a specific signed release. How you accomplish this can vary - your own internal legal counsel and other stakeholders need to be comfortable. Maybe you don’t allow anyone who works on behalf of the employer doing occ/emp health to have access to the personal EMR at all. Or perhaps you establish tight policies and practices that ensure no information from that EMR is shared between occ/emp health and any other party without appropriate releases, and ensure that nobody in occ/emp health is making employment/job decisions impacting that employee.


For tracking and reporting, an EMR is not the ideal tool anyway. EMRs are good at documenting medical care. They are lousy at identifying what wasn’t done for patients that were never seen. Can you imagine an EMR that could show you all the county residents over 65 who have not had a pneumococcal vaccine? Not what they are designed to do. Nor are they designed to track people’s jobs and occupational risks, as Dr Sparhawk observed, much less their current employer and department. All of which you need to do if you are going to know the compliance rate for hepatitis B vaccination/declination for the MICU staff of your hospital. To track occupational compliance, you need a tracking system separate from the EMR. The holy grail is a system that can communicate in a HIPAA/OSHA compliant way, so that your staff don’t need to double enter simple services like flu shots – and can enter them quickly and outside a traditional clinic-based encounter. But if you expect an EMR to do everything for you – track work restrictions, send email reminders to employees, populate compliance reports for all your programs, identify groups exposed to a common source patient, track outcomes of those exposures, etc – I don’t think that’s realistic.


I think the best we can hope for is a good tracking system that populates your employees automatically, ideally in real time or daily, knows where they work and what they do and what occupational health programs and services they need, allows you to track completion of those services and other “metadata” for all the services you do, and can produce routine and ad hoc reports. But that doesn’t really replace a medical record. In the EMR you’ll put vital signs, exam findings, prescriptions, imaging, etc. The tracking system just needs those key fields the employer needs to identify trends and track compliance – date of injury, hazard, route of exposure, object causing injury, etc. We built one and have tweaked it over the years to suit our needs, and found it’s better in the long run than an off-the-shelf product. But whether that’s the best solution will depend on your size, complexity, and resources.


I think we’ll be able to use EPIC as the EMR and still accomplish the first two objectives. But use it for tracking purposes? No way.


Melanie Swift, MD

Director, Vanderbilt Occupational Health Clinic


From: MCOH-EH On Behalf Of Lovelace, Connie A.
Sent: Thursday, January 19, 2017 8:56 AM
Cc: Walker, Eileen; Ferebee, Mark
Subject: Re: [MCOH-EH] #ExtMail# Re: [External] EPIC


Thank you very much, this is very helpful!


Connie Lovelace, RN, COHN

Clinical Operations Manager/Worker's Compensation Manager
Bon Secours Virginia Health System

Employee Wellness Services
8565 Magellan Parkway, Suite 900 | Richmond, VA | 23227
W: 804-627-5146 | F: 804-627-5145




From: MCOH-EH On Behalf Of Dr Joe Fanucchi
Sent: Wednesday, January 18, 2017 8:18 PM
Subject: #ExtMail# Re: [MCOH-EH] [External] EPIC


On 1/18/2017 1:56 PM, [name redacted] wrote:

We are using Cerner as our EMR for Employee Health.  We ended up using a one lifetime encounter for our EH visits and our WC creates a new encounter for each injury/illness based on DOI.  WC then discharges them when the case is closed, although she does have the ability to re-open it, if needed.


We are able to share information on immunizations throughout the system, so for flu, if you got it at the MD’s office we could see it and if EH adm the vaccine, the MD’s office can see it.


This is an excellent example of what I noted in a post just a few minutes ago regarding HIPAA compliance. If you store PHI in a database such as Cerner, it is almost always available to anyone who can log into Cerner. Although most employees may not care if a nursing supervisor knows they got the flu vaccine, others may be a little sensitive about their Hep B (or Hep C, or HIV) titers being readily available to coworkers -- including their ex who works in the pediatric nursery. Our legal advisors confirm this could open up the hospital to a potentially costly EEOC lawsuit.

You should ALWAYS check with your HIPAA compliance officer before storing PHI in an electronic database which is widely accessible.


Joe Fanucchi

Joe Fanucchi MD FACOEM
President and Medical Director
MediTrax / OHS, Inc.
