Is your front office staff accidentally violating HIPAA without realizing it?
Disclosing patient health information for anything beyond the uses HIPAA permits (treatment, payment, and health care operations) generally requires the patient's authorization, yet the Office for Civil Rights (OCR), the arm of the Department of Health and Human Services that enforces the HIPAA Privacy and Security Rules, receives more than 30,000 complaints about privacy violations each year.
Interestingly enough, many of these complaints are not about the doctors or other providers themselves, but about talkative staff members in the waiting room and other lapses in privacy around the office.
Keeping patient information completely private in a busy office is harder than it sounds, however.
So how do you ensure that everyone in your office is protecting patient confidentiality?
In most cases, it comes down to knowing what constitutes a violation in the first place (even an accidental one) and training staff to recognize when patient information is being overshared.
Accidental HIPAA Violations in the Office
There are many small ways that accidental HIPAA violations can occur without so much as a second thought. A few common instances include:
- Staff calling patients in the waiting room by their full names in front of other patients (using first names only is recommended, or approaching the patient directly)
- Verbal check-ins at the front desk (e.g. “Is your name ______?” “Is your address still _____?” “Are you still with Blue Cross Blue Shield?”)
- Patient charts left visible on the front desk or in the physician’s office (exposing another patient’s information)
- Computers or workstations with patient information or treatment schedules left visible to patients
- Patient information left on a printer or fax machine
- Facebook or other social media posts made about patients without their authorization (even if it’s a “welcome” message or story with no patient name directly mentioned)
If the waiting room is full and verbal intakes are done at the front desk, private patient information may be overheard by third parties, resulting in a HIPAA violation. Yet many clinics still perform verbal check-ins as standard practice.
Posting patient information to social media is another major HIPAA violation that happens more often than you’d think. ProPublica has documented 65 incidents in which nursing home staff posted pictures of residents on social media.
Unfortunately, many of these instances were the result of seemingly harmless intent or forgetfulness. It’s often easier to ask a patient to confirm their address at the front desk, even if it’s busy, than it is to find a separate space for them to give information.
But there are ways that front office staff can mitigate the risk of accidental HIPAA violations by knowing what to look for and how to address co-workers when they notice it happening.
How to Avoid Accidental Oversharing
Here are a few ways that staff can avoid violating HIPAA when checking patients in or guiding them through the clinic.
Use online intake forms. Online intake forms allow patients to fill out information beforehand, without needing to give it verbally to front desk staff when they arrive. If the form is hosted by an outside vendor, that vendor handles protected health information and must sign a business associate agreement, and the form should only be served and submitted over an encrypted (HTTPS) connection. Some clinics also use dry-erase patient intake forms for patients to confirm information that is later wiped away so that other patients can’t see or access it.
Address patients by first name. When calling patients back to a room or up to the desk, address them by first name only where possible. HIPAA treats calling a patient's name in a waiting room as an incidental disclosure that is permitted when reasonable safeguards are in place, so the goal is to disclose as little as you can rather than nothing at all. With common first names in a busy waiting room, a last name may work better, or approach the patient directly.
Avoid discussing personal stories or gossiping. Office staff may discuss their own personal stories, or those of patients, during slow times in the office or when dealing with difficult cases (processing certain patient paperwork may lead to voiced frustrations, for example). But you never know when patients are within earshot, and it’s easy for stories to be overheard by parties who are not privy to that information.
Get patient permission before posting to social media. Even posting a story with the name removed may violate HIPAA if someone else from the clinic (or elsewhere on the internet) recognizes the story or the person involved. Everynurse.org lists common social media breaches, including:
- Posting videos or photos of patients – even if they can’t be identified
- Posting photos or videos that reveal room numbers or patient records
- Descriptions of patients, their medical conditions, and/or treatments
- Referring to patients in a degrading or demeaning manner
Even patients who give permission to have their story told may not understand what they are agreeing to, and in such cases it may be better not to post the story at all. If you do post, get the authorization in writing: HIPAA requires a signed authorization for disclosures such as marketing that fall outside treatment, payment, and operations.
Keep a clean desk and workstation. Employee workstations and the front desk are where most accidental exposure happens. If open folders, patient paperwork and notes from doctors can be seen by patients walking past or standing at the desk, it’s a HIPAA violation. Keep workspaces clear, turn monitors away from the patient side of the desk, and lock the screen whenever you step away.
Check printers, copiers, and fax machines. Patient paperwork may be left unattended while it prints, which may result in the wrong party picking up that information and leaving it somewhere it doesn’t belong. Make sure staff know to collect patient paperwork from printers and copiers as soon as each job finishes, and to check the trays at the end of each day.
Avoid post-it notes for login IDs and sensitive information. HIPAA violations can also occur with electronic health records if systems are not properly secured. Keeping computer login information or passwords on post-it notes around the office is a bad idea, as is sharing one login among the whole front desk; each person should have their own account so that record access can be traced to an individual. Even notes like, “Call XYZ patient back” should be kept electronically behind a secure login and not sitting on a desk.
One of the most important steps to ensuring that office staff know how to recognize and prevent HIPAA violations is educating and training them on the requirements of HIPAA, and having a written sanctions policy in place for failure to comply. Both workforce training and a sanctions policy are themselves HIPAA requirements, not optional extras.
How to Train Staff
There are several things that practices can do to make sure that front office staff, nurses, doctors, and anyone else who handles patient information are compliant with HIPAA in both large and small ways.
Give staff a Notice of Privacy Practices to hand out or hang up. It’s common for clinics to review HIPAA policies with new patients, but it’s just as important that staff know the practice’s own privacy policies and can recognize when they are being breached around them. A written or posted notice may help with this.
Set boundaries for social media use in the workplace. This includes the office’s social media pages (if managed by staff in your clinic) as well as information they are sharing on their own personal pages.
Limit access to information. Make sure everyone in your office has access only to the information necessary for their job (HIPAA calls this the "minimum necessary" standard). Computer access should be password protected, each user should have their own login rather than a shared front-desk account, and access to patient records should be reviewed when someone changes roles or leaves.
Document your expectations. Your medical practice should hold the front desk staff to a consistent set of expectations, regardless of personalities or attitudes. Document what you expect, and have new employees train from that manual.
HIPAA violations need to be taken seriously, even if they’re considered small or relatively harmless. Clinics have faced OCR investigations, settlement payments, and lawsuits under state privacy laws because of negligence with patient information, making it essential to follow the rules, not only for patient protection, but for clinic protection as well.
Take advantage of digital tools to mitigate any risk by having patients fill out intake forms electronically and by having staff members use electronic forms to take notes instead of paper forms that can be left around the office.
Ensure that staff are properly trained on how to talk to patients, especially in busy waiting rooms, and make sure that expectations are documented and that training is reviewed with them regularly so that every patient is protected at all times.