It's not uncommon for doctors offices, hospitals and other healthcare establishments to feature dry-erase whiteboards. Doctors and nurses often use them to write the name and other information of patients in various rooms. So instead of having to scan through the file system to determine the location of a patient, they can simply look at the whiteboard. This begs the question, however: is the of such whiteboards legal under HIPAA?
Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, doctors, dentists, nurses and other covered entities must implement meaningful and appropriate safeguards to prevent the unauthorized disclosure of Protected Health Information (PHI). If a covered entity is found in violation of HIPAA, they could be subject to fines or even criminal prosecution in extreme circumstances. Assuming the whiteboard contains personally identifiable information about a patient, it could be considered PHI, leaving some to believe that displaying the whiteboard on a public area (e.g. outside a patient's room) could be a violation.
Normally, however, the use of a whiteboard – even it contains PHI – is not a violation of HIPAA. HIPAA's Privacy Rule excludes something known as “incidental use and disclosure,” which as the name suggests involves the incident disclosure of PHI. The Department of Health and Human Services elaborates on the Privacy Rule's incidental use and disclosure, saying it permits certain use and disclosure of PHI as long as the covered entity has implemented reasonable safeguards to minimize the risk.
“The HIPAA Privacy Rule is not intended to impede these customary and essential communications and practices and, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards,” wrote the Department of Health and Human Services (HHS) on its website.
Does this mean it's okay to use a whiteboard in your healthcare facility? Generally speaking, the answer is yes – as long you take steps to minimize incidental disclosure. If you're going to use a whiteboard, for instance, try to keep the information somewhat generic, such as the patient's name and date of check-in.
Also, avoid displaying sensitive information on a whiteboard like the patient's phone number, address, social security number, specific condition from which he or she is suffering, etc. Names are OK, but you want to minimize the amount of PHI revealed on whiteboards. Following this simple formula will ensure that your practice remains compliant with HIPAA.