Where HIPAA Violations Are Most Likely: Medical Reception Desks

If the front desk at your medical practice is buried in stacks of documents, you could be risking a HIPAA violation. Why? Everyone that walks into your office, including patients, sales reps, delivery drivers, and others, must pass through the front desk. And this is where sensitive information might be seen by wandering eyes.

HIPAA regulations are responsible for protecting patients’ private information in the healthcare industry and beyond, but HIPAA regulations are often misunderstood. As a result, though many people think they’re well protected by the law, easy mistakes are made that could compromise patient privacy.

Why the Reception Area Is a Weak Point for Patient Privacy

Even when a medical office’s computer infrastructure, software, and devices meet HIPAA compliance standards, there are still points at which PHI is vulnerable. In fact, one of the most likely places for patient data to potentially be exposed is at the front desk.

Your welcome desk could be one of your organization’s most vulnerable points for a data breach. This is why it’s important to get staff on board with HIPAA compliance to prevent possible violations. Here are some common scenarios that put patient data at risk:

• Patient sign-in sheet that all visitors can see
• Receptionists verifying patient information or treatment details in a manner that can be overheard by others
• Patient files that are left open or unattended.
• Documents that are handed across the front desk
• A computer screen that has been left unattended, displaying the appointment schedule with the full names of patients
• Post-it notes with Wi-Fi or electronic medical record passwords
• Names, addresses, and social security numbers of patients are saved within patient records
• Copies of patients’ health insurance cards stacked on the desk
• Patient messages for the doctor written down next to the phone
• Printed prescriptions waiting for pick-up
• Recently received faxes of health insurance data left in plain view
• Faxed messages from your answering service waiting to be reviewed

Training to Prevent HIPAA Violations at the Front Desk

Many HIPAA violations are caused by human error and happen by accident. The good news is that this means that the majority of incidents can be avoided. With the proper etiquette and training in place, a doctor’s office of any size should be able to ensure that the reception area is compliant with HIPAA compliance and security regulations.

1. Never leave patient files in a public place. Patient files should be returned to locked filing cabinets before leaving the desk if the reception area cannot be locked when the desk is left unattended.

1. Use opaque, rather than transparent door chart holders to ensure that patient charts are not visible to passersby.

1. If receptionists write something on paper, they should be instructed to turn it over immediately or put it in a locked drawer.

1. A ‘no cell phone’ policy at the front desk eliminates the possibility of PHI being photographed by an employee. Restricting mobile phone use is critical also because recording video or taking photos of patients, even if they’re accidentally in the background, without their written consent is a violation of HIPAA privacy rules.

1. Never talk about one patient in front of another.

1. When making a call or having a discussion among healthcare providers that includes patient information, these exchanges should be done in a private area of the office.

1. Keep patient information on a sign-in page to a bare minimum, such as the patient’s name, date, and arrival time. The sign-in sheet should never disclose a patient’s purpose for visit or insurance information.

1. Develop a standard method for covering or blacking out the names of patients who have already signed in and have been visited by the provider.

1. Be discreet while checking sensitive information with a patient, such as their insurance information. You can simply request their insurance card or ask them to confirm the facts on the screen by turning your computer monitor. There is no need to specify the purpose of the appointment in person or when scheduling follow-ups.

1. For all workstations, use a privacy screen so that visitors will be unable to see any PHI on the computer screen from the other side.

1. Set up timed logoff procedures for systems that hold or have access to electronic PHI.

1. Single sign on (SSO) tools can be helpful for managing passwords, ensuring secure usage while also eliminating the need to write passwords down.

1. Make sure physical keys to the cabinet or room where patient records are stored are kept in a secure place that is out of sight of visitors.

Best Practices for Preventing HIPAA Violations in Your Medical Office

The best strategy to guarantee the privacy and security of PHI is to identify your risk areas. Here are some steps your office can take on the macro-level:

First, consider things from the patient’s point of view. Stand where your customers check-in and travel the path they take. What can you see?

Then, conduct a yearly site audit to identify physical vulnerabilities to patient personal information. Site audits look at the security measures in place at your company’s physical location.

Finally, provide regular training and refresher courses that instruct healthcare admin staff on how to properly access and share PHI, procedures to ensure privacy, and how to report PHI-related breaches.

For HIPAA-compliant virtual receptionist services, contact PatientCalls today.