HIPAA in the Waiting Room
How do you maintain compliance with the HIPAA Privacy Rule in a crowded, bustling waiting room? We discuss the issues.
The Health Insurance and Portability Accountability Act of 1996 (HIPAA) requires covered entities to maintain the privacy of patient records. Thus, many providers wonder how to maintain HIPAA compliance in a crowded, bustling waiting room. Below we explore HIPAA requirements in more detail and how they apply to common practices in the waiting room.
HIPAA Privacy Rule Overview
HIPAA’s Privacy Rule seeks to prevent the unauthorized disclosure of protected health information (PHI). It aims to balance safeguarding sensitive patient information with a provider’s ability to administer effective, efficient care.
PHI encompasses a range of information that identifies a patient, such as the patient’s name, address, birth date, or social security number. Under HIPAA, a covered entity may not disclose PHI unless the patient consents to the disclosure in writing or the disclosure falls within a limited set of permitted uses. One such permitted use is when a healthcare provider discloses PHI to facilitate treatment, payment, or healthcare operations activities. For example, PHI may be disclosed between two providers collaborating on a patient’s care.
Incidental Uses and Disclosures
There are times when PHI is disclosed unintentionally, especially in the context of a crowded waiting room. It’s common for practice staff to call out patients by name when summoning them for their appointment. Are such disclosures allowed under the Privacy Rule?
Fortunately, HIPAA allows disclosures of PHI as long as they are incidental to a permitted use. In addition, the provider must institute reasonable safeguards and limit the PHI to that which is “minimally necessary.” Let’s break down those last two conditions.
Reasonable safeguards are a set of policies and procedures that limit both impermissible and incidental uses and disclosures of PHI. What is “reasonable” will depend upon a practice’s size, patient population, and type of practice. These safeguards are not intended to eliminate all disclosures of PHI. Rather, they should mitigate the risk of disclosure. Every practice should evaluate the areas of their practice that create the most risk of PHI disclosure and determine how to protect patient privacy in those areas. Common reasonable safeguards include:
- bringing a patient or their family members into an empty treatment room to discuss the patient’s medical information;
- quietly asking a patient’s name for the registration process, rather than using a sign-in sheet; and
- eliminating conversations about patients — even the mention of their name and the provider they’ve come to visit — in publicly accessible hallways or behind the reception desk.
Meanwhile, the minimum necessary standard requires that providers disclose the least amount of PHI needed to further the purpose of the disclosure. For example, when an employee requires only the patient’s name, birthday, and address to complete a task, the employee should not have access to the patient’s entire medical record.
See our related video, “HIPAA Minimum Necessary Requirement Explained.”
Common Practices in the Waiting Room
So how well does the average waiting room scenario comply with HIPAA? Let’s look at some of the most common behaviors.
Calling Out a Patient’s Name
Calling out a patient’s name in a waiting room is permissible under the Privacy Rule. This action alerts the patient that it is time for their appointment and that they should enter the treatment room. Thus, it satisfies the first condition of contributing to the patient’s treatment.
Obviously, calling out a patient’s name in a public waiting room could result in the incidental disclosure of PHI to other patients. Therefore, to maintain compliance, providers should ensure that they have instituted reasonable safeguards and are following the minimum necessary standard.
Addressing the patient by name is often unavoidable, and if so, it would be consistent with the reasonable safeguards expected by the Privacy Rule. Meanwhile, the practice can satisfy the minimum necessary requirement by announcing only the patient’s first name. By omitting the patient’s last name and information about their medical situation or treatment plan, the provider would comply with the minimum necessary standard. Consider the difference between announcing “Susan?” rather than “Susan Smith for Dr. Jones?” The first approach is far more protective of the patient’s information.
Each patient who signs in on a common sheet for an appointment risks exposing their PHI to every patient who signs in after them. If implemented appropriately, however, these incidental disclosures may be permissible.
Providers should ensure that sign-in sheets display only the information necessary for check-ins, such as the patient’s name and time of arrival. Another solution would be a small dry-erase board that the patient completes and hands to the receptionist before it is erased and returned to the check-in counter.
Sign-in sheets should never include sensitive information, such as the treatment sought (which could include the provider with whom they’ve scheduled an appointment). Additionally, providers should consider replacing completed sign-in sheets with blank ones at frequent intervals throughout the day.
Many providers conduct oral patient intakes at a reception desk located inside the waiting room. This presents a privacy concern, as others can overhear conversations such as “Good morning [patient’s full name.] Are you still located at [patient’s address?] Are you still with [patient’s insurance company?]”
Practices should enact safeguards to mitigate the risk of an incidental disclosure. For example, they should arrange their waiting rooms to seat patients further away from the front desk. Additionally, they could ask patients waiting to check in to remain seated until the front desk is clear, avoiding unnecessary crowding in the area. In these situations, practice staff should limit their questions to those necessary for patient intake. Alternatively, healthcare practices can promote privacy by encouraging advance online check-in, or by offering a paper form or a tablet to complete intake questionnaires.
Get Legal Support
The waiting room represents just one area where you must safeguard your patient’s PHI. As you develop HIPAA-compliant practice protocols, a healthcare attorney can serve as an important resource. The attorneys of Jackson LLP Healthcare Lawyers are experienced in supporting independent healthcare practices in multiple states. If you need assistance with legal or HIPAA compliance, please schedule a consultation to determine whether we fit your needs.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader. It should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.