Practice Management Alert

What Would You Do?:

Mitigate HIPAA Risk at the Front Desk

Question: I was at my own PCP office and when I went to stand at check in, there was another patient in front of me. To give her privacy I moved as far away as I could but the room was very small and there weren’t many places to go. The receptionist loudly repeated the patient’s height, weight, blood pressure, address, age, etc. Then she confirmed how many weeks pregnant the patient was. Then she confirmed that this was her second pregnancy and that her first was aborted. I, along with everyone else in the waiting room, heard every detail. Isn’t this a HIPAA violation? This made me think about the practice I manage and I wondered if you have suggestions on mitigating these sorts of risks.

New York Subscriber

Answer: Yes, this is certainly a clear HIPAA violation, says Jim Sheldon Dean, director of compliance services for Lewis Creek Systems LLC in Charlotte, Vt. “The office staff must take pains to not speak loudly about a patient’s information. Calling a patient by name is fine, but any of the other details must be kept private, and oral communications are no exception.”

While a receptionist may repeat the minimum information necessary to identify the patient, other information should not be discussed at the front desk within earshot of others, especially in a loud voice, Dean explains.

For the scenario presented above, the practice should record the violation and apply sanctions, including training, to prevent a future occurrence.

Tips: To help eliminate this sort of problem a practice should provide sound deadening to the extent possible, and make it clear to staff that they cannot discuss patient health information (PHI), especially in a loud voice in a public area. “If there is no way the area can be made more sound proof, any discussions involving PHI must take place elsewhere,” Dean warns.