QUESTION: Patients at our practice sign-in on a paper sheet at our front desk when they arrive for their appointments. Recently, a patient expressed concern that other people signing in might see her information. How can we reduce the risk of violating patient confidentiality when patients sign in (and the associated HIPAA penalties that could follow)?
Question from Miami, FL Subscriber
ANSWER: If you use a sign-in sheet during your check-in process, it can cause significant risk to your patients’ Protected Health Information (PHI). Whether your sign-in document is paper or electronic, sign-in sheets are HIPAA disasters waiting to happen — if not handled properly.
The biggest issue is that your sign-in sheet can make it easy for patients to see each other’s information. In many instances, everyone who signs in on a paper sheet can see whatever previous patients have written on the sheet, as well. This can also be a problem for electronic sign-ins. If your electronic sign-in is not in a private area, other patients may see personal information as it is typed in.
Another risk is asking your patients to include additional information on your sign-in sheet, such as the physician’s name or the reason for the visit. Although it may seem like no big deal and it make your life a little easier, when checking patients in, it could open you up to an additional set of HIPAA breaches.
WARNING: If you are found guilty of a HIPAA violation based on your sign-in sheet, it may be applied to ALL of your patients. You could get hit with a separate privacy breach for each patient that has signed in over a period of days or weeks. That means a separate penalty for each, too. These fines can add up to HUGE monetary penalties, which could cripple your practice.
Here are several solutions to help you improve your sign-in sheet processes to reduce your chances of disclosing patient PHI:
– Digital: Although digital sign-in sheets won’t completely eliminate your risk, they can be a simple way of significantly reducing it.
Electronic Health Record (EHR) software systems increasingly include digital sign-in sheets. Some of these systems have patient kiosks or iPads as options. Again, these don’t completely mitigate your liability, but they certainly can help. For example, if your sign-in kiosk is in a high-traffic area, visitors could look over a patient’s shoulder and read his or her private information. To avoid these issues, kiosks should be placed in a private corner of your waiting room, or in a separate room. This will help make patients’ PHI less visible to other people coming into your practice. Kiosks can also help cut down on the time your front desk staff spends with patients during check-in, freeing them up for other duties.
– Sign-in cards: When your patients arrive, try having them fill out an individual sign-in card instead of a sign-in sheet at your front check-in area. Sign-in cards are inexpensive to make and help remove the chance of a breach of patient information — if they are managed correctly. For example, handing out sign-in cards can be extremely dangerous to your HIPAA compliance if you don’t keep track of them. These cards will most likely contain PHI and you need to properly safeguard them until they can be shredded.
To create your sign-in cards, try using brightly colored card stock (available from any office supply store) to make them easy to spot. Then, in a program such as Microsoft Word, set up your cards so that several print on one sheet of paper. A sample card appears in the box on the previous page to help you design your own.
SAMPLE FORM: Download a Sample Card
Once your sign-in cards are complete, put them in a pile at your front desk, and be sure to include a sign next to them that says something like:
“Welcome to our practice. To help us get you in to see the doctor quickly, please take a card and fill it out. Once completed, please hand it to someone at our front desk. If you have any questions, please let us know. Thank You. (IMPORTANT: Do not leave your completed card unattended.)”
Your sign-in cards can contain as little or as much information as you’d like. The great thing is that you don’t have to worry about patient privacy. Once your patient returns the card to a member of your staff, the information can be entered directly into your computer. Then the card should be immediately shredded.
Another option to collect patient sign-in cards is to have a secure box at your check-in desk. This reduces the chance that a patient will leave a completed sign-in card face up at your reception desk for all to see. However, be sure that the box is emptied out regularly. It would be a customer service disaster to leave completed cards in the box for any length of time. Also, to prevent patients from seeing the information in the box, it should be secured, and NOT be see-through.
WARNING: Sign-in cards certainly reduce your risk, but only if your front desk team is trained to use them correctly. They can still be a HIPAA disaster if your patients hand in their completed card to someone at your front desk and they leave it face-up on their desk for everyone to see. It’s even worse if your front desk is unattended while completed cards accumulate. You must foresee all possible breaches before you put any new process in place. Remember, it is ultimately your responsibility — not your patients’ — to keep their information protected while they are in your care.
Paper: If you choose to continue using a paper sign-in sheet, think carefully about what information you ask patients to fill in. Keep in mind that what’s “safe” on your sign-in sheet can vary depending on your type of practice. For example:
- Same specialty, multiple physicians: If you have several doctors in your office that basically all provide the same services, it is probably OK to ask the patient on the sign-up sheet which physician he or she is scheduled to see. In this situation, knowing that a patient is seeing Dr. Smith as opposed to Dr. Jones doesn’t indicate the reason for the patient’s visit.
- Multiple specialties, multiple physicians: If you have several doctors at your office in different specialties, it may be a HIPAA breach to ask your patients to name the doctor they are there to see on the sign-in sheet. For example, your practice has a family practitioner, a psychologist, and an internist. Patient A, while signing in, notes that his appointment is with your psychologist. Patient B, while signing in, sees the doctor’s name listed on the sign-in sheet by Patient A and now knows that he is seeking mental health treatment. Patient B also happens to know Patient A’s wife and mentions it to her, although Patient A did not want his wife to know. You’ve just violated Patient A’s right to confidentiality. This is only one simple scenario of how easy it is to violate HIPAA guidelines.
If you must know the name of the specific doctor your patient is scheduled to see, there are some workarounds for your paper sign-in sheet. You can still request this information as long as you remove it quickly — BEFORE the next patient signs in and sees it. For example, you can quickly cover the unwanted information from the sign-in sheet with a sticker or a marker.
Finally, avoid putting IIHI (Individually Identifiable Health Information) that can be collected in other ways on your sign-in documents (regardless of the method). For example, don’t ask for birth dates, addresses, or health insurance identification numbers. Leaving this information on the front desk counter for other patients to see is a clear HIPAA violation.
You can easily obtain this information more securely by having patients’ complete forms with direct questions. You also can have your staff member that brings the patient back to the exam room collect the information in a more confidential setting.
HIPAA Resources To Protect Your Practice