Ready for HIPAA? Take steps to protect patient privacy before it’s too late

You’ll need strategies to avoid being fined for noncompliance

Patient records left on a desk in full view. Interviewing a sexual assault patient in full earshot of others. Answering a caller’s question about whether a certain individual is being treated in your ED. These may be common occurrences in your ED, but as of April 2003, they also may be violations of the Health Insurance Portability and Accountability Act (HIPAA).

"It’s this year’s Y2K," says Jeanne McGrayne, director of emergency department strategies for VHA Consulting Services, a nationwide network of community-owned health care systems, based in Charlotte, NC. "Ultimately, we’re all going to have to comply, just like with the Joint Commission [on Accreditation of Healthcare Organizations]," she says. "And the bottom line is: It’s the right thing to do."

ED managers: Unprepared

Many ED managers interviewed by ED Management admitted they have done little or nothing to comply, but most are very concerned about the effect HIPAA regulations will have on their EDs. (To obtain a copy of the proposed regulations, see resources at the end of this article.) Violations of HIPAA are a major concern, especially since the criminal penalty for disclosing patient information without malicious intent is up to $50,000 plus one year in prison.

The biggest challenge for ED managers, says Jonathan Kent, RN, CEN, assistant director of the emergency center at Medical Center of Central Georgia in Macon, is protecting privacy in a crowded, noisy ED. "Patients have as much desire for the world to know their medical complaints as they have to show them the color of their underclothes, but we are still not perfect at protecting the privacy of our patients," he says.

Here are effective ways to comply with HIPAA requirements for patient privacy:

Protect patient records from view. You will need to have a secure place for all patient records in your ED, McGrayne says. "This is something you have to pay attention to," she emphasizes. She gives the example of digital X-ray systems that list patient names at the bottom and may be viewed at various workstations. "You need to consider where you put those screens and ensure that the patient’s name is not visible," she says. She notes that one hospital has a practice of delivering medical records to the ED for all patients being treated. "This is a best practice because it’s better for the patients if their clinical history is available to providers."

However, HIPAA will require records to be secured, she says. "Right now, they are lying all over the place," she says. "Anyone could walk through the ED, pick up one of the records, and walk away with it. It can be very serious." The front page of a patient’s chart may be visible, since many EDs keep charts at the bedside or the front desk, McGrayne says. She offers the following solutions:

  • Centralize records.
  • Put a cover page over demographic information.
  • Use binders that protect patient information.
  • Scan and automate access to old records.

Use a sign-in sheet that conceals the patient’s name. Medical Center of Central Georgia’s ED uses a triage sign-in sheet consisting of a multipart form with individual tear-off tickets. As each patient signs in, a list that is concealed behind a cover sheet is generated with the name, time, and chief complaint. The form includes a place to write a telephone contact number, should the patient decide to leave prior to being seen by the triage nurse, Kent adds.

Limit what other patients can hear. McGrayne warns against the common practice of ED physicians dictating patient outcomes in open workstations, which discloses sensitive information to those standing around the desk. "If planning for a new facility, ensure there is adequate space for dictation or telephone discussions to allow for privacy," she says.

Another solution McGrayne offers is investing in automated documentation features that eliminate verbal dictation altogether. She suggests using the HIPAA requirements as leverage to obtain this resource from administrators.

Calling out names of patients waiting to be seen is another potential problem, McGrayne says. She refers to her own consulting experiences, when asked to pose as a patient to evaluate ED processes firsthand. "When I have done ‘mystery patient visits’ and someone yells out my name while I’m sitting in a crowded waiting room, I cringe," she says. "Regardless of HIPAA requirements, I feel it’s very inappropriate."

To address this concern, ED patients at Gundersen Lutheran Medical Center in La Crosse, WI, are given pagers by the triage nurse so they can be contacted confidentially, says Stephanie Swartz, RN, administrative director of emergency medical services. There also is an added benefit because patients can leave the ED waiting room area and wait in the lobby, cafeteria, or outside, Swartz says. She notes that the cost for a pager is $140, including the charger units and transmitters, and she says the ED has not had much of a problem with the loss of pagers. "Our customer feedback shows that patients like the privacy and the increased mobility," Swartz says.

Give staff inservices specifically about privacy. The way you educate staff about privacy requirements will be the biggest factor in determining whether you are HIPAA-compliant, according to Kent. "They are the ones who control information at the outset," he emphasizes. All ED staff are required to complete an annual competency assessment on privacy issues and receive regular inservices on this topic, he says.

Dispose of health information properly. Kent recommends placing receptacles wherever a document with the patient’s name or other identifying information is produced. He suggests using a document-destruction company to empty them. Staff are instructed to dispose of all protected health information, including floppy disks, CD-ROMs, plastic identification cards, embossers, and name bands, in one of the 10 locked receptacles. Kent notes that it’s very important to place a receptacle at the automated medication dispenser. "If a receipt is generated and not used for documentation, it must be destroyed, as it has the patient’s name and drug listed on it," he says.

Use a special code for increased privacy. Kent says that ED patients at his facility are offered a "No Press, No Info" (NPNI) special code. "Patients under this designation will have their presence in our facility neither confirmed nor denied by phone or in personal contact with visitors," he says. He explains that if any ED staff member feels a patient may desire increased privacy, such as a community "VIP" or a victim of violence, the "NPNI" designation is offered. "The patient can choose to have zero information available even regarding his or her presence in the hospital, except on an absolute need-to-know basis for caregivers," Kent says.

Make every attempt to increase privacy by shifting the location of patients. Kent says his ED staff make every possible effort to ensure audio and visual privacy for all patients, including shuffling placement in rooms and holding at least one room open for private interviews and exams. He notes that staff may be used to needing a private space for physical examinations to protect a patient from being exposed to onlookers, but it’s important they understand that interviews also may require the same level of privacy. "It is difficult at times to make these arrangements, but we do it to the absolute limit of our capability," he says.


For more information on how to protect patient privacy, contact:

• Jonathan Kent, RN, CEN, Assistant Director, Emergency Center, Medical Center of Central Georgia, P.O. Box 6000, Box 142, Macon, GA 31208. Telephone: (478) 633-2038. Fax: (478) 633-7879. E-mail:

• Jeanne McGrayne, MSN, RN, Director, Emergency Department Strategies, VHA Consulting Services, 521 E. Morehead St., Suite 300, Charlotte, NC 28202. Telephone: (910) 947-6075. Fax: (910) 947-5596. E-mail:

• Stephanie Swartz, RN, Administrative Director of Emergency Medical Services, Gundersen Lutheran Medical Center, Trauma and Emergency Center, 1910 South Ave., La Crosse, WI 54601. Telephone: (608) 791-3213. Fax: (608) 775-2050. E-mail:

Proposed changes to the "Standards for Privacy of Individually Identifiable Health Information," part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), were published in the March 27, 2002, Federal Register. To view the proposed rules and a side-by-side comparison of this new proposal, go to: A final rule will be published later this year. To order a copy of the Federal Register with the proposed rule, contact New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date requested. Credit card orders also can be placed by calling the order desk at (202) 512-1800 or by faxing to (202) 512-2250. The cost for each copy is $10. The Federal Register is available at many libraries and on the web: