Suggested alternative: Seek management's assistance in sending flowers to a co-worker's home address or let your fingers do the walking through the phone book. It may be easier or more convenient to access the medical record, but to do so for non work-related purposes is against GHSU's Privacy of Health Information policy, Hospital/Medical Center policies, as well as HIPAA federal privacy regulations.
Suggested alternative: The patient (or the patient's designated personal representative) may contact centralized scheduling to confirm his own upcoming health care appointment. It's certainly quicker to look up an appointment on the IDX for a spouse (or yourself), but to do so without a work-related need-to-know violates institutional policies and HIPAA regulations.
Suggested alternative: Just because you have the capability to access this information does not mean that you have the authorization to do so. HIPAA violations are often related to access outside the scope of a work related "need-to-know". An alternative may to be contact a family member for assistance in planning the surprise shower.
Office of Compliance and Enterprise Risk Management