Avoid giving away information to other patients. Keeping a HIPAA plan in place and checking it quarterly to make sure it’s up to date can be a good strategy, but it can also give you a false sense of security. The reality is that it’s still easy to make patient privacy mistakes in your practice, so you should learn how to avoid those errors. When TCI polled patients across the country to uncover HIPAA compliance errors that medical practices might still be making, the results were surprising. If your practice has made any of these mistakes, it’s time to implement corrective action.

Mistake 1: Asking the Patient If He Knows Your Other Patient

One of the most surprising responses that a patient gave in that poll was that he had been asked by a physician whether he knows another patient by name. “I saw the doctor for a specific condition, and he said he had only seen it once before, but it was on the same day and the other patient worked at the same employer as I do,” the patient notes. “So the doctor asked me if I knew this co-worker of mine and named him, noting that we had the same condition. I went into work that afternoon and ran into the guy, and said ‘Hey we see the same doctor — and we both have the same problem.’ My co-worker and I didn’t think anything of it, but my wife said that was against HIPAA rules.”

Needless to say, a physician should never reveal other patients’ names or medical conditions. In fact, the doctor doesn’t even have to name the patient to breach that patient’s protected health information (PHI). He could just describe that patient to you, and if he gives you enough details to let you work out who it is, he has revealed too much PHI. For instance, if a patient works in an office with five people and the doctor tells him, “Someone else at your company also has an upper GI infection,” it’s easy for that patient to identify which colleague has been out sick, which means that the doctor has revealed that colleague’s medical condition.

Mistake 2: Sign-In Sheets That Request Too Much Information

Many practices still ask patients to write on the sign-in sheet when they present for a visit, but the sign-in sheet should not double as a patient history form. One patient reports, “My doctor’s sign-in sheet asks for my name, the time of my appointment, and also has a box that says, ‘Reason for visit.’ The strip where I write my name is supposed to be peeled off after I sign in, but the receptionist doesn’t always get to it right away, and I wouldn’t want someone who knows me to find out why I’m seeing the doctor.”

Sign-in sheets can be a bone of contention among privacy experts, many of whom discourage practices from using them at all. However, you are legally entitled to use them, as long as you don’t request too much data from the patient. “Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited,” the Department of Health and Human Services says on its website. “However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician).” If you need a patient to give you private information or a list of medications she’s taking, hand her a history form to complete while she’s in the waiting room.

Mistake 3: Showing Patients Your Scheduling Screen

Scheduling patients for follow-up visits can be easier if you show them your doctor’s open appointment slots, but not at the risk of revealing information about all of your other patients. A patient said, “I was waiting in line to check out at my doctor’s office and the lady in front of me was trying to schedule a follow-up visit. She was having trouble finding a time that fit her availability so the receptionist just turned the computer screen around and showed the patient all of the openings. The patient pointed to an appointment that had already been set and said, ‘Hey, that’s my neighbor! She and I should ride in together!’ I was surprised that all of the patient names were on the screen like that.”

Showing your patient a computer screen filled with other patients’ names is definitely not appropriate, but there are ways to make this practice HIPAA-compliant. Most scheduling software can be configured to show that a slot is already reserved without showing the patient’s name. For instance, the scheduling grid might show only open time slots, or may show just the words “office visit” without saying who the patient is. That way, if you ever show patients the available times, they won’t see any private information.