What can patients see on your reception desk?
Your reception desk might be one of the most vulnerable locations in your entire organization for a data breach. Why? Every patient you treat walks up to the reception desk and discusses their visit with the receptionist for at least a minute or two. What do they see when their eyes wander around that reception desk? What do they hear? What can they grab? Take a photo of?
Have a HIPAA Deadline?Request a Quote
HIPAA violations on reception desks
I’ve seen some pretty wild HIPAA violations from the viewpoint of both auditor and patient. The most common violations I see at reception desks are things like:
- Seeing the receptionists’ open computer with the day’s schedule, complete with full patient names
- Computer, EHR, and Wi-Fi passwords written on sticky notes, stuck to a computer monitor (in plain view of the public)
- Patient records on clipboards by the keyboard and easily viewable
- Keys (probably to a back office) within arm’s reach
- Bulletin boards with new patient names and notes about patients
- Unopened charts which still identify name and address of patients
- Patient messages for the doctor written on a pad of paper next to the phone on the reception desk, and in full view
- Recently received faxes of health insurance data left in plain view on the desk
- Recently printed scripts left sitting on the desk in plain view
- Unshredded patient records thrown in a trashcan shared by receptionists and waiting room patients
- Patient charts placed in clear door chart holders, clearly viewable to anyone walking by
Each situation I described above is either a HIPAA Privacy Rule or HIPAA Security Rule violation. All it takes is one patient or workforce member to report a single one of those violations to get you on the Office for Civil Rights’ (OCR) audit radar.
SEE ALSO: How Much Does HIPAA Compliance Cost?
Even worse, what if someone with malicious intentions saw your EHR password so conveniently displayed on your desk, and decided to hack in and steal patient data? Do you have the technical measures in place to know if this has happened, or is happening?
Stopping reception desk HIPAA violations
Receptionists have tried to convince me that as long as the information is upside down to the patient, it’s not a HIPAA violation. That is false, and truthfully ridiculous. A quick picture of that upside down patient data can quickly be turned right side up.
You can do a lot to mitigate the risk that your reception desk fosters, but the most important is employee training.
Receptionists, doctors, and nurses won’t leave patient information in plain view on reception desks if they have sufficient training explaining why. I truly believe that healthcare professionals care about the data that they are working with, but I don’t think that they always understand how they impact the privacy and security of that sensitive data.
Here are some more ideas that will help you keep your reception desk free and clear.
- Stand where your customers check in, walk the path they walk, and see if you can see any sensitive information, in any form.
- Stand at the reception desk and try to locate any administrative information that might assist a hacker to gain access to your system (like your EHR password)
- If you ever write something on paper, immediately turn it over, or place it in a locked drawer
- Pull out your phone, put in on the desk. What can you take photos of? I always recommend that you have a no phone policy at the front desk policy.
Many HIPAA impermissible disclosures are related to human error, and occur by accident. However, that also means most instances are avoidable. With the right procedures and training in place, you should be able to make sure your reception desk area is violation-free and HIPAA compliant.
Jen Stone (MSCIS, CISSP, CISA, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.