It's not uncommon for doctors and other healthcare practitioners to place “sign-in” sheets in their waiting rooms. When a patient arrives for an appointment, he or she will place their John Hancock on the sign-in sheet. The receptionist will then go through this list of names, calling each patient back in the appropriate order. But how exactly do these patient sign-in sheets correspond with the Health Insurance Portability and Accountability Act (HIPAA)?
HIPAA: the Basics
HIPAA was established back in 1996 with the primary goal of protecting the privacy of healthcare patients. It consists of the Privacy Rule, Security Rule, and Breach Notification Rule, each of which has its own unique characteristics. The Privacy Rule, for instance, states that all doctors and other covered entities must take meaningful and appropriate steps to prevent the unauthorized use or disclose of Protected Health Information (PHI).
Here's where things can get confusing: the Department of Health and Human Services (HHS) classifies a wide variety of information as being PHI, including patient names and addresses. Therefore, some doctors may assume that placing patient sign-in sheets in their waiting room is a violation of HIPAA's Privacy Rule. If patients are required to write their names on a sign-in sheet that's open and available to the public, isn't this a violation of the Privacy Rule?
Are Patient Sign-In Sheets HIPAA-Compliant?
The short answer is yes. In most cases, patient sign-in sheets are compliant with HIPAA. While they do contain patient names, this is generally the only type of personal information that's included on them. HIPAA states that its Privacy Rule is “not intended to impede these customary and essential communications and practices.” If doctors were forced to scrap the patient sign-in form, it could hinder their ability to provide medical services to patients, which in turn could be worse than disclosing patient names to a dozen or so other patients in the waiting room.
There are limitations regarding the use of patient sign-in forms in waiting rooms, however. The single most important thing to remember when using these forms is to require as little personal information as possible. If patients are required to enter the name, address, reason for visiting the doctor, and medical ID number, this could be viewed as a HIPAA violation. The HHS wants doctors to keep sign-in forms simple and with minimal personal information.
You can learn more about the use of patient sign-in forms by visiting the HHS webpage at http://www.hhs.gov/ocr/privacy/hipaa/faq/safeguards/199.html.