HIPAA
Content
HIPAA: the Privacy Rule and Security Rule
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandates that the privacy and security of patient information be maintained in a confidential manner. This process begins when the individual arrives for their first appointment. Patients must be given detailed written information concerning their privacy rights. This includes the steps the practice will take to protect their privacy and how the medical practice will use patients’ protected health information (PHI). To document that the medical practice made an effort to comply with this regulation, the practice must obtain a written acknowledgment from the patient that he or she has reviewed these rights. Acknowledgment may be in the form of a signature or the patient’s initials on the notice signifying that he or she has received the required information. If the patient declines to acknowledge receiving a Notice of Privacy Practices, this must be documented in the patient’s chart. This documentation shows a good faith effort was made by the practice to inform the patient and details the reason for failure to accomplish this act and comply with the regulation. Medical practices must also post a Notice of Privacy Practices in the office, usually in the reception area. Additional copies of the notice should be made available if a patient requests a copy. The regulation also requires medical practices to have a written policy and procedure in place for determining who has access to patient medical information. For example, the policy may state that the receptionist may view the names of the patients coming into the office but may not view patients’ records. To accommodate computerized information, two types of access codes (passwords) should be used. The first set would allow the receptionist to view the physician’s schedule but would not allow the receptionist to view patient records. The second set would allow the physician, nurse, and medical assistant to view the patient records for the purpose of patient care. A tracking system that keeps detailed information of all staff members viewing a patient’s medical record should be in place. The HIPAA regulation also addresses the issues of sign-in sheets and calling the names of patients who are sitting in the waiting area.
Can a medical practice use patient sign-in sheets and call out the names of patients in the waiting room? Yes; the practice can do both, as long as the information disclosed is appropriately limited. The Privacy Rule allows for incidental disclosure as long as appropriate safeguards are in place. For example, the sign-in sheet cannot contain confidential patient information (e.g., reason for the visit, medical problem). It is best to change used sheets with clean ones periodically during the day. Calling patients by name is still the most acceptable, courteous, and respectful way to “invite” patients into the examination area.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandates that the privacy and security of patient information be maintained in a confidential manner. This process begins when the individual arrives for their first appointment. Patients must be given detailed written information concerning their privacy rights. This includes the steps the practice will take to protect their privacy and how the medical practice will use patients’ protected health information (PHI). To document that the medical practice made an effort to comply with this regulation, the practice must obtain a written acknowledgment from the patient that he or she has reviewed these rights. Acknowledgment may be in the form of a signature or the patient’s initials on the notice signifying that he or she has received the required information. If the patient declines to acknowledge receiving a Notice of Privacy Practices, this must be documented in the patient’s chart. This documentation shows a good faith effort was made by the practice to inform the patient and details the reason for failure to accomplish this act and comply with the regulation. Medical practices must also post a Notice of Privacy Practices in the office, usually in the reception area. Additional copies of the notice should be made available if a patient requests a copy. The regulation also requires medical practices to have a written policy and procedure in place for determining who has access to patient medical information. For example, the policy may state that the receptionist may view the names of the patients coming into the office but may not view patients’ records. To accommodate computerized information, two types of access codes (passwords) should be used. The first set would allow the receptionist to view the physician’s schedule but would not allow the receptionist to view patient records. The second set would allow the physician, nurse, and medical assistant to view the patient records for the purpose of patient care. A tracking system that keeps detailed information of all staff members viewing a patient’s medical record should be in place. The HIPAA regulation also addresses the issues of sign-in sheets and calling the names of patients who are sitting in the waiting area.
Can a medical practice use patient sign-in sheets and call out the names of patients in the waiting room? Yes; the practice can do both, as long as the information disclosed is appropriately limited. The Privacy Rule allows for incidental disclosure as long as appropriate safeguards are in place. For example, the sign-in sheet cannot contain confidential patient information (e.g., reason for the visit, medical problem). It is best to change used sheets with clean ones periodically during the day. Calling patients by name is still the most acceptable, courteous, and respectful way to “invite” patients into the examination area.
