Overboard over HIPAA

Since HIPAA came out some years ago, there's been this general feeling of frenzy and fear that you'd better not let one piece of unauthorized information be available to anyone else. I've heard fears of being overheard in patient rooms and in the hallways, etc. And remonstrations that you'd better not let patient names be visible anywhere, anytime to unauthorized peoples.

But the guidelines in HIPPA are about taking REASONABLE measures to protect patient information, not making major changes. Of course, you shouldn't be shouting about patients' conditions up and down the hallway. And you shouldn't be discussing Mrs. So-and-so's condition in an elevator full of visitors. But that doesn't mean you have to whisper in a patient's ear to discuss their condition (unless they ask you to) and you don't have to lean over your charting to make sure that no wandering eyes happen across some unauthroized information.

Here are some excerpts direct from the US Dept of Health and Human Services (I added the bold).

B. Section 164.502--Uses and Disclosures of Protected Health

Information: General Rules

1. Incidental Uses and Disclosures

...some expressed concern that health care providers could no longer engage in confidential conversations with other providers or with patients, if there is a possibility that they could be overheard. Similarly, others questioned whether they would be prohibited from using sign-in sheets in waiting rooms or maintaining patient charts at bedside, or whether they would need to isolate X-ray lightboards or destroy empty prescription vials. These concerns seemed to stem from a perception that covered entities are required to prevent any incidental disclosure such as those that may occur when a visiting family member or other person not authorized to access protected health information happens to walk by medical equipment or other material containing individually identifiable health information, or when individuals in a waiting room sign their name on a log sheet and glimpse the names of other patients.

The Department, in its July 6 guidance, clarified that the Privacy Rule is not intended to impede customary and necessary health care communications or practices, nor to require that all risk of incidental use or disclosure be eliminated to satisfy its standards. The guidance promised that the Department would propose modifications to the Privacy Rule to clarify that such communications and practices may continue, if reasonable safeguards are taken to minimize the chance of incidental disclosure to others.

...The Department does not intend with this provision to obviate the need for medical staff to take precautions to avoid being overheard, but rather, will only allow incidental uses and disclosures where appropriate precautions have been taken.... For example, a provider may instruct an administrative staff member to bill a patient for a particular procedure, and may be overheard by one or more persons in the waiting room. Assuming that the provider made reasonable efforts to avoid being overheard and reasonably limited the information shared, an incidental disclosure resulting from such conversation is permissible under the Rule.

[Federal Register: August 14, 2002 (Volume 67, Number 157)]

[Rules and Regulations]

[Page 53181-53273]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr14au02-32]