We polled patients to find out which HIPAA slip-ups Part B practices might be making--the answers may surprise you. Your HIPAA compliance plan is in place, double-checked and approved by an attorney, and you've got the appropriate privacy notices all over your practice. You're buttoned-up, right? Maybe not. The Insider polled patients across the country to find out the errors that medical practices might still be making that could jeopardize HIPAA compliance. If your practice has touched on any of these issues, you should consider implementing solutions so you don't make the same mistakes that these practices did. Mistake 1: Asking the Patient If He Knows Your Other Patient One of the most surprising responses that a patient gave the Insider was that he has been asked by a physician whether he knows another patient by name. "I saw the doctor for a bacterial skin infection, and he said he had only seen it once before, but it was on the same day and the other patient worked at the same employer as I do," the patient notes. "So the doctor asked me if I knew this co-worker of mine and named him, noting that we had the same condition. I went into work that afternoon and ran into the guy, and said 'Hey we see the same doctor -- and we both have the same problem.' My co-worker and I didn't think anything of it, but my wife said that was against HIPAA rules." Needless to say, a physician should never reveal other patients' names or medical conditions. In fact, the doctor doesn't even have to name the patient to breach his private health information (PHI). He could just describe that patient to you, and if he tells you enough details to allow you to figure it out, he has revealed too much PHI. For instance, if a patient works in an office with five people and the doctor tells him, "Someone else at your company also has a staph infection on his face," it's easy for that patient to identify which colleague has a facial rash--which means that the doctor has revealed the patient's colleague's medical condition. Mistake 2: Sign-In Sheets That Request Too Much Information Many practices still ask patients to write on the sign-in sheet when they present for a visit, but don't substitute the sign-in form for a patient history form. One patient tells the Insider, "My ob-gyn's sign-in sheet asks for my name, the time of my appointment, my last menstrual period, and also has a box that says, 'If pregnant, number of weeks.' The strip where I write my name is supposed to be peeled off after I sign in, but the receptionist doesn't always get to it right away, and I wouldn't want someone who knows me to find out I'm pregnant from looking at the sheet before I'm ready to tell them." Sign-in sheets can be a bone of contention among privacy experts, many of whom discourage practices from using them at all. However, you are legally entitled to use them, as long as you don't request too much data from the patient. "Covered entities, such as physician's offices, may use patient sign-in sheets or call out patient names in waiting room, so long as the information disclosed is appropriately limited," the Department of Health and Human Services says on its Web site. "However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician)." If you need a patient to give you private information such as her last menstrual period or a list of medications she's taking, hand her a history form to complete while she's in the waiting room. Mistake 3: Showing Patients Your Scheduling Screen Scheduling patients for follow-up visits can be easier if you show them your doctor's open appointment slots--but not at the risk of revealing information about all of your other patients. A patient tells the Insider, "I was waiting in line to check out at my doctor's office and the lady in front of me was trying to schedule a flu shot. She was having trouble finding a time that fit her availability so the receptionist just turned the computer screen around and showed the patient all of the openings. The patient pointed to an appointment that had already been set and said, 'Hey, that's my neighbor! She and I should ride in together for our shots!' I was surprised that all of the patient names were on the screen like that." Showing your patient a computer screen filled with other patient names is definitely not appropriate, but there are ways to make this practice HIPAA-compliant. You can configure most scheduling software programs to show when the reserved appointments are without showing the patients' names. For instance, the scheduling grid might show only open time slots, or may show just the words "AWV visit" without saying who the patient is. That way, if you ever show patients the available times, they won't see any private information.