From the recent activity of my email inbox, I am guessing that the recent upsurge of interest and changes revolving around HIPAA has led many chiropractors to question the basics of what they need to do to be compliant and protect patient privacy.

Two of the most common questions that I get are regarding sign-in sheets and the display of personal health information (PHI).

While there are certainly tools available to make compliance easier, unfortunately there are also entities that seek to charge you hefty prices for information you can get for free or that is flat out unnecessary. Sure, you have to have a Red Flags Rule Identity Theft program in place by November 1, 2010. But do you really need a $299 or a $699 software program that will write your Red Flag rules document in MS Word? (Recently I received both of those ads via email on the same day!) As for HIPAA compliant sign-in sheets? Nice, but probably not necessary. Here’s why:

Physicians can use sign-in sheets and place patient charts in the plastic box outside your adjusting rooms.

Per the final modifications to the Federal Privacy Rule (67 Fed Reg. 53182, 53193-95), “incidental disclosures” such as these are allowed, provided you take reasonable safeguards to protect patient privacy.

What exactly are “incidental disclosures?”  According to the Dept of Health & Human Services Health Information Privacy page, “due to the nature of [healthcare] communications and practices, as well as the various environments in which individuals receive health care or other services from covered entities, the potential exists for an individual’s health information to be disclosed incidentally.”  In plain English, even the Feds understand that you are going to expose some PHI in the course of doing your everyday business.

So, here are a few tips to minimize your broadcasting of someone else’s business so that you can keep your nose clean:

  • Be careful that information is limited. Do not place medical info on the sign-in sheet. I have seen some offices have a blank stating “list the reason why you are here.” I know the intention is to catch the occasional new injury or new patient who walks in without saying so. But you also run the risk of disclosing private health information, so get rid of that question on your form if you have one.
  • Limit access to private information. This can be achieved by monitoring your sign-in sheet so that Ms. Busybody doesn’t sit there reading your list of patients to see if her friends have been in today. It may also mean providing limited access to certain areas of your clinic (don’t let patients wander around near your patient file cabinets) or letting them come behind the front desk, which has access to such sensitive information via computers and paperwork lying about.
  • Practice Good Faxing Etiquette. It’s a good idea to have a fax cover sheet with the standard disclosure/warning that the document contains private health information, is intended for the recipient only, and should be summarily fed to the shredder if it accidentally ends up in someone else’s hands. This would be considered a reasonable safeguard so that you can appropriately send PHI via fax to other providers, insurance administrators, attorneys or anyone else requesting such information.
  • Password & Screen Protect. It is a good idea to provide an extra measure of security, such as adding passwords on computers that contain personal health information. This is especially important for practices using EMR or where patients have regular access to computers in treatment rooms. Unfortunately, left to their own devices, I have seen patients attempt to surf the net, check the schedule and even try to get into their own records via room computers. Placing a huge sign on the computer that says “Staff only” or “Don’t Touch” or “This computer is protected by a pet python” doesn’t seem to have the same effectiveness as a good password. Also, make it a policy to swat “screen snoopers” — patients who love to come around the corner and read your computer screen.
  • Loose Lips Sink Ships. Unfortunately, the same “gift” that your front desk CA has that enables her to strike up a friendly conversation with anyone could also lead to disaster if her tongue is not kept on a short leash. Refrain from discussing PHI in public places or hallways, and remind your staff of their privacy obligations as well.

While these safeguards may seem basic to some, I have performed onsite consultations in offices breaking every one of these rules (and then some).  So, if your office is up to speed with these items, congratulations!  (Now go find some area of insufficiency and go fix that!)

Finally, for those of you who don’t trust anything other than “original source material” or are just looking to see how migraine-proof you really are, feel free to go to the Dept of HHS Health Information Privacy website to read much more about HIPAA in nauseating detail (Just don’t come back and say you weren’t warned!).