We polled patients to find out which HIPAA slip-ups medical practices might be making--the answers may surprise you.
Your pediatric practice’s HIPAA compliance plan is in place, double-checked and approved by an attorney, and you’ve got the appropriate privacy notices all over your practice. You’re buttoned-up, right? Maybe not.
Pediatric Coding Alert polled patients across the country to find out the errors that medical practices might still be making that could jeopardize HIPAA compliance. If your practice has touched on any of these issues, you should consider implementing solutions so you don’t make the same mistakes that these practices did.
Mistake 1: Asking the Patient If He Knows Your Other Patient
One of the most surprising responses that a patient gave Pediatric Coding Alert was that he has been asked by a physician whether he knows another patient by name.
"My son saw the doctor for a bacterial skin infection, and he said he had only seen it once before, but it was on the same day and the other patient went to the same day care centers as my son," the patient notes. "So the pediatrician asked me if I knew the other child and named him, noting that both kids had the same condition. I went into the day care center the next morning and saw that child’s parents, and said ‘Hey we see the same doctor – and our kids both have the same problem.’ The other parent and I didn’t think anything of it, but my husband said that was against HIPAA rules."
Needless to say, a pediatrician should never reveal other patients’ names or medical conditions. In fact, the doctor doesn’t even have to name the patient to disclose that patient’s protected health information (PHI). He could just describe the patient to a parent, and if he gives enough details for the parent to figure out who it is, he has revealed too much PHI.
For instance, if a patient is in a day care age group with seven other children and the doctor tells the parent, "Someone else in that class also has a staph infection on his face," it’s easy for that parent to identify which child has a facial rash—which means that the doctor has revealed the other child’s medical condition.
Mistake 2: Sign-In Sheets That Request Too Much Information
Many practices still ask patients to write on a sign-in sheet when they present for a visit. If yours does, don’t let the sign-in sheet double as a patient history form. One patient tells Pediatric Coding Alert, "My daughter’s pediatrician’s sign-in sheet asks for her name, the time of my appointment, and to write down any new medications she’s taking. The strip where I write her name is supposed to be peeled off after I sign in, but the receptionist doesn’t always get to it right away, and I wouldn’t want someone who knows her to see what medications she is taking."
Sign-in sheets can be a bone of contention among privacy experts, many of whom discourage practices from using them at all. However, you are legally entitled to use them, as long as you don’t request too much data from the patient.
"Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting room, so long as the information disclosed is appropriately limited," the Department of Health and Human Services says on its Web site. "However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician)."
If you need a patient to give you private information such as a list of medications she’s taking, hand the parents a history form to complete while they are in the waiting room.
Mistake 3: Showing Patients Your Scheduling Screen
Scheduling patients for follow-up visits can be easier if you show them your doctor’s open appointment slots—but not at the risk of revealing information about all of your other patients.
A patient tells Pediatric Coding Alert, "I was waiting in line to check out at my pediatrician’s office and the lady in front of me was trying to schedule a flu shot for her son. She was having trouble finding a time that fit her availability so the receptionist just turned the computer screen around and showed the woman all of the openings. The lady pointed to an appointment that had already been set and said, ‘Hey, that’s my neighbor! She and I should ride in together for our kids’ shots!’ I was surprised that all of the patient names were on the screen like that."
Showing your patient a computer screen filled with other patient names is definitely not appropriate, but there are ways to make this practice HIPAA-compliant. You can configure most scheduling software programs to show which appointment times are reserved without showing the patients’ names. For instance, the scheduling grid might show only open time slots, or may show just the words "5-year-old visit" without saying who the patient is. That way, if you ever show patients the available times, they won’t see any private information.