Despite widespread focus on the Health Insurance Portability and Accountability Act, some common practices in registration areas can violate patient privacy. Simple changes to protect patient privacy:
- Use only the patient’s first name on sign-in sheets.
- Ensure others cannot hear conversations about the patient’s medical condition or treatment.
- Get staff members in the habit of logging off whenever they leave their workstation.
“Mr. Bob Jones? Your colonoscopy will take place in 15 minutes.”
If a patient hears this statement said loudly in a crowded waiting room and knows his neighbor or co-worker just heard it too, he’ll likely be embarrassed. He also might report the incident as a potential Health Insurance Portability and Accountability Act (HIPAA) violation.
Kenneth N. Rashbaum, Esq., a partner with New York City-based Barton, sees two practices as particularly problematic in registration areas. “One is the registration person yelling out the person’s full name when calling the person up,” he says. The other is sign-in sheets that make the patient’s full name visible. “These are bad practices, for obvious reasons. They disclose the identity of a person waiting for treatment,” he says.
The solution is simple, he says: for registrars to use the patient’s first name only and to speak to patients in a private area or quietly so that others can’t hear the conversation. “The sign in sheet can be covered up, except for the name of the person signing in, or patients can sign electronically with a tablet, so they don’t see anyone else’s information at all,” says Rashbaum.
Most investigations conducted by the Department of Health and Human Services’ Office for Civil Rights (OCR) are complaint-driven, he adds. “If a patient complains about improper practices in the registration area, and an investigation is opened, they will probably find other things,” says Rashbaum. “This can be the thing that starts the investigation, but it may just be the tip of the iceberg.”
Failure to protect patient privacy in registration areas also could come up in a spot audit conducted by OCR. “OCR has been doing spot audits and has announced they will continue to do it in 2016,” says Rashbaum. “If they come to the registration area and see these things going on, it’s going to be a problem.”
In Rashbaum’s experience, some patient access employees don’t fully understand the need to protect patients’ privacy. “Most institutions have some form of HIPAA training, but sometimes registrars are overlooked,” he says.
Here are some common practices in registration areas that can lead to HIPPA violations, according to George F. Indest III, JD, MPA, president and managing partner of The Health Law Firm in Altamonte Springs, FL:
• Insufficient physical space and surroundings to ensure privacy.
“Even now, there are some hospitals that have not redesigned or remodeled the areas in which patient registration takes place so as to ensure that conversations cannot be overheard by other patients and those who may accompany a patient,” says Indest.
No one should be able to overhear discussions about a patient’s prior medical treatment, current illnesses or conditions, and current medications. “We have seen short walls or curtains used that are not soundproof and other physical set-ups that do not ensure privacy,” says Indest.
• Failure to have proper procedures and properly trained personnel to ensure that sensitive patient information is discussed only in the presence of the patient alone, unless there is a signed authorization to include others.
“We have been consulted on cases in which a patient’s HIV-positive status was discussed in the presence of a neighbor that had brought the patient in to the hospital,” says Indest. Another case involved a preliminary diagnosis of a sexually transmitted infection that was discussed with a patient in the presence of her minor children.
“These types of situations must be safeguarded against,” says Indest. “Proper written authorizations must be executed if such a discussion is going to take place in front of anyone other than the patient.”
• Failure to ensure that the correct private address at which the patient wants to receive mail and medical bills is obtained and used.
“We have seen bills for lab tests for sexually transmitted diseases sent to ex-spouses because they were the payer for the healthcare insurance for the patient,” says Indest.
• Failure to ensure registrars are aware of the facility’s privacy practices and the need to ensure patient privacy.
“This should be done with continuing in-service programs; reminders at daily, weekly, and monthly meetings; annual training sessions; email reminders; signs posted in the work area; and other methods,” says Indest. (See related story in this issue on how to create a culture of privacy in registration areas.)