The privacy rules created by HIPAA can seem cumbersome but every practice should evaluate its operations to make sure it is compliant.
From time to time I visit physician offices, whether for client meetings, appointments as a patient, or even just to accompany another family member. I usually cannot help myself from evaluating the practice from the perspective of a visitor and am often surprised at what I see, specifically with regard to patient privacy and HIPAA concerns. Consider the following:
1. At one office I was greeted by a beautiful bulletin board that welcomed new patients to the practice, identifying the patient by the patient’s full name and town. Patient names and addresses are protected health information under HIPAA and may not be shared in this manner without authorization from the patient.
2. In most doctor offices I have visited, patients are called up in the waiting room by their full names in front of everyone. Using first or last names only is recommended. In smaller offices, approaching the patient directly is preferable.
3. The check-in process for patients also leaves much to be desired in terms of privacy. Consider this fairly common interaction at my doctor’s office:
Staff: What’s your birthday?
Me: March 5, 1990 (I wish)
Staff: Is your name Ericka Adler?
Staff: Is your address still ___________?
Staff: Are you still with Blue Cross Blue Shield?
In this one conversation, overheard by everyone, information is revealed that is protected health information under HIPAA and which could be used for identity theft. This is an interaction that is unnecessary and inappropriate. Patients should be spaced far enough apart that their conversations with the reception staff cannot be overheard. In addition, the amount of information reviewed verbally should be minimized. Consider simply asking whether anything has changed, or have the patient review their private information on a computer screen to confirm its accuracy.
4. I cannot tell you the number of times I have been left in a room waiting for a physician with another patient’s chart sitting on the desk or otherwise readily accessible. Likewise, standing at receptionists’ desks, I see charts in plain view which identify a patient’s name, address and other information without the need to even open the chart.
5. I brought my daughter to a practice for a procedure and in the procedure room was a large mounted screen which identified the scheduled procedures for the day: every patient’s full name and birthday, the time of the procedure, the assigned physician and the service being provided. This is a blatant disclosure of protected health information.
6. An OB/GYN practice client ran into trouble when its receptionist recognized a woman from her neighborhood who came in for STD testing. The receptionist promptly posted a gleeful message on Facebook regarding the patient’s medical issue after tracking down the test results, and common acquaintances on Facebook became privy to this confidential information. Improper access to patient information by office staff and dissemination of these details using social media are significant challenges that must be addressed.
The privacy rules created by HIPAA can seem cumbersome but every practice should evaluate its operations to make sure it is compliant:
1. Hand out/provide a Notice of Privacy Practices to every new patient. Review your HIPAA policies from time to time to update them.
2. Do not disclose protected health information to anyone except for payment, treatment, or healthcare operations. This means you are limited as to what information, if any, you may disclose to family members without an authorization (there are specific rules for minors/incompetent patients).
3. Make sure everyone in your office has access only to the limited amount of information necessary for their job performance. Computer access should be password protected and there should be strict rules regarding the use of social media.
4. Minimize access to protected health information by third parties in your office: reconsider your check-in procedures and chart organization, and look for gaps in your policies where disclosures may occur.
5. Educate your staff on the requirements of HIPAA and have a policy of discipline for failure to comply.
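As an added illustration of point 3 (and of the improper staff access described in the OB/GYN example above), not code from the original post: a minimal role-based "only what the job needs" filter over a patient record store. Each role is granted only the fields it needs, every request is written to an audit log, and denied fields are recorded so that attempts to reach data outside a role's duties can be reviewed. The roles, field names, user names and the sample patient record are all hypothetical and constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical role -> permitted record fields. A real practice would derive
# this table from its own HIPAA policies and job descriptions (assumption).
MINIMUM_NECESSARY: Dict[str, Set[str]] = {
    "front_desk": {"name", "dob", "address", "insurer", "appointment"},
    "billing":    {"name", "dob", "address", "insurer", "procedure_codes"},
    "nurse":      {"name", "dob", "allergies", "vitals", "appointment"},
    "physician":  {"name", "dob", "allergies", "vitals", "lab_results",
                   "procedure_codes", "appointment"},
}


@dataclass
class AuditEntry:
    """One access attempt: who asked, for whom, what was granted/denied."""
    user: str
    role: str
    patient_id: str
    requested: Set[str]
    granted: Set[str]
    denied: Set[str]


@dataclass
class PatientRecordStore:
    records: Dict[str, Dict[str, str]]
    audit_log: List[AuditEntry] = field(default_factory=list)

    def read(self, user: str, role: str, patient_id: str,
             fields: List[str]) -> Dict[str, str]:
        """Return only the requested fields the role may see; log everything.

        An unknown role gets nothing (default deny), and a request for fields
        outside the role's allowlist is served partially and flagged in the log
        rather than silently succeeding.
        """
        allowed = MINIMUM_NECESSARY.get(role, set())
        requested = set(fields)
        granted = requested & allowed
        denied = requested - allowed
        self.audit_log.append(
            AuditEntry(user, role, patient_id, requested, granted, denied))
        record = self.records.get(patient_id, {})
        return {f: record[f] for f in sorted(granted) if f in record}


def denied_accesses(store: PatientRecordStore) -> List[AuditEntry]:
    """Entries a compliance reviewer should look at: any denied field."""
    return [e for e in store.audit_log if e.denied]


def build_sample_store() -> PatientRecordStore:
    # Constructed sample record; values are placeholders, not real data.
    return PatientRecordStore(records={
        "P-0001": {
            "name": "Sample Patient",
            "dob": "1990-03-05",
            "address": "1 Example Street, Anytown",
            "insurer": "Example Health Plan",
            "appointment": "2024-01-01 09:00",
            "allergies": "none recorded",
            "vitals": "BP 120/80",
            "lab_results": "[constructed placeholder result]",
        },
    })


def demo() -> List[AuditEntry]:
    """Front desk asks for a lab result it has no need for; physician asks
    for the same field. Returns the denied entries for review."""
    store = build_sample_store()
    store.read("rjones", "front_desk", "P-0001", ["name", "lab_results"])
    store.read("dr_smith", "physician", "P-0001", ["name", "lab_results"])
    return denied_accesses(store)


if __name__ == "__main__":
    for entry in demo():
        print(f"REVIEW: {entry.user} ({entry.role}) requested "
              f"{sorted(entry.denied)} for {entry.patient_id}")
```

The point of recording denied fields, rather than just refusing them, is that a receptionist repeatedly asking for results is exactly the pattern a periodic audit review should surface, which is what a written policy of discipline for non-compliance depends on.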
There are many scenarios where HIPAA can be cumbersome, illogical, or hard to apply. Basic patient privacy in the practice setting, however, is something that can be achieved with proper planning and attention to detail.
For more on Ericka Adler and our other Practice Notes bloggers, click here.