Are patient sign-in sheets a HIPAA violation? Should you even take the HIPAA risk?
I’m frequently asked if patient sign-in sheets in waiting rooms are HIPAA violations. They’re not violations, as long as certain conditions are met to protect the privacy of patients. The security risk sign-in sheets pose is incidental exposure of protected health information (PHI) to other people in the waiting room, or improper storage or destruction of the sheet later on.
Does HIPAA allow patient sign-in sheets?
According to the Department of Health and Human Services (HHS) FAQ, sign-in sheets are allowed. It states, “Yes. Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited.”
So what does ‘appropriately limited’ mean?
The HHS goes on to say, “Incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician).”
On a practical level, this means you should not use a sign-in sheet if an alternative method would be reasonable. For example, if you need to gather more than just a name at sign-in, you might offer electronic tablets that accept information and then blank the screen and wipe memory prior to being used by the next patient. Another option would be to allow patients to speak with a receptionist who keys in the information on a computer that is not easily accessible to the public.
If a sign-in sheet is used, cross-cut shred it at the end of the day, or store it in a secure manner if it needs to be retained for a legitimate purpose.
Focus on risk
Sign-in sheets aren’t the real problem, though. When performing a risk analysis, many organizations focus on things like sign-in sheets because they’re a tangible aspect of PHI. You can point to them, hold them, and read what is written on them. This makes them easier to recognize as a place PHI exists and should therefore be protected. But focusing on the potential exposure of a single name in a small group of people in a practice waiting room can distract organizations from recognizing where the true risks lie: in electronic stores of PHI (ePHI).
Hackers want more
People looking to steal valuable information target EHRs, file shares, and databases. Large stores of ePHI give them a bigger bang for their buck because they contain valuable information for hundreds or thousands of patients, rather than the one or two snippets of information they might overhear in a waiting room.
In addition, ePHI can be taken remotely. While you might notice a single suspicious person in your office, remote threats number in the hundreds or thousands and can be much harder to detect if you don’t have the proper security controls in place.
By all means, consider the risk of incidental PHI exposure in your practice, but don’t stop there. Perform a complete and accurate risk assessment so you can prioritize risk and apply your HIPAA privacy and security efforts to risks correctly.