
Oops, You’re Violating HIPAA and Don’t Even Know It!

I visit practices often, whether for client meetings, for my own appointments as a patient, or simply to accompany a family member. I usually cannot help evaluating the practice from the perspective of a visitor, and I am often surprised at what I see, specifically with regard to patient privacy and HIPAA concerns. Consider the following:

1. At one office I was greeted by a beautiful bulletin board that welcomed new patients to the practice, identifying the patient by the patient’s full name and town. Patient names and addresses are protected health information under HIPAA and may not be shared in this manner without authorization from the patient.

2. In most offices I have visited, patients are called up in the waiting room by their full names in front of everyone. Using first or last names only is recommended. In smaller offices, approaching the patient directly is preferable.

3. The check-in process for patients also leaves much to be desired in terms of privacy. Consider this fairly common interaction at my doctor’s office:

Staff: What’s your birthday?
Me: March 5, 1990 (I wish)
Staff: Is your name Justin Gerock?
Me: Yes
Staff: Is your address still 1234 Main Street, Raleigh, NC 27603?
Me: Yes
Staff: Are you still with Blue Cross Blue Shield?
Me: Yes

In this single 30 second conversation, overheard by everyone, information is revealed that is protected health information under HIPAA and that could be used for identity theft. This interaction is unnecessary and inappropriate. Patients should be spaced out so that their conversations with the reception staff cannot be overheard. In addition, the amount of information reviewed verbally should be minimized. Consider simply asking whether anything has changed, or ask the patient to review private information on a computer screen to confirm its accuracy.

4. I took my daughter to an urgent care for a high fever only to see other patients’ information on the desk while we checked in: each patient’s full name and birthday, the reason for the visit, the assigned physician and the service being provided. This is a blatant disclosure of protected health information.

The privacy rules created by HIPAA can seem cumbersome but every practice should evaluate its operations to make sure it is compliant:

1. Hand out (or otherwise provide) a Notice of Privacy Practices to every new patient. Review your HIPAA policies from time to time and update them as needed.

2. Do not disclose protected health information to anyone except for payment, treatment, or healthcare operations. This means you are limited as to what information, if any, you may disclose to family members without an authorization (there are specific rules for minors/incompetent patients).

3. Make sure everyone in your office has access only to the limited amount of information necessary for their job performance. Computer access should be password protected and there should be strict rules regarding the use of social media.

4. Minimize access to protected health information by third parties in your office: Reconsider your check-in procedures, chart organization and look for gaps in your policies where disclosures may occur.

5. Educate your staff on the requirements of HIPAA and have a policy of discipline for failure to comply.

There are many scenarios where HIPAA can be cumbersome, illogical, or hard to apply. Basic patient privacy in the practice setting, however, is something that can be achieved with proper planning and attention to detail.
