How do you handle patient information on security sign in sheets?

  1. 1
    Hi! New here, be gentle with me!

    Working home health care in an urban area, I often have to sign in with security when entering a building. The forms often request time in, time out, my name, my company name (no problems so far) and then the resident's name and apartment number. Those fields make me profoundly uncomfortable from a patient privacy standpoint. It feels very HIPAA-violationy. These forms are quite often left unsecured on a clipboard on a counter accessible to anyone walking in, not behind a desk with a security officer.

    I totally understand that secured buildings' management wants this information for safety and accountability, but how can I provide them with what they need while protecting my patients and my license?

    Thanks in advance for any suggestions.

  4. 0
    You are not revealing any protected information. Simply because you are from a home health agency does not say 'why' you are there.
    Part of the reason you are signing in is for your own protection. If the building needed to be evacuated you would be accounted for.
    There is no violation here.

    Best wishes, and don't look for trouble where there is none.
  5. 0
    Stop and think about it for a minute. Imagine what steps you would take to make this into a HIPAA violation so that you could lodge a complaint. Reaching too far. Reread the portion of the explanation of HIPAA where it states that information necessary for the conduct of the 'business' of healthcare is allowed to be communicated when necessary. It is literally impossible to keep everything a state secret.
  6. 0
    If the resident lives in this building, then they are aware of the security procedure being utilized and don't have an issue with it. I'm sure this is in the lease that they signed.
  7. 0
    I am also in an urban area and there are certain buildings that I frequent where the doorman needs to know who I'm going to see. I don't see it as a HIPAA violation, as the doorman needs this information to do his job. He doesn't know anything about the patient's medical information.
  8. 0
    Thank you for your answers. I'm trying to reconcile them with the responses in this thread, which are overwhelmingly that address, or name + address, ARE protected health information and thus revealing them is a HIPAA violation.

    According to the hhs website:
    “Individually identifiable health information” is information, including demographic data, that relates to:


    • the individual’s past, present or future physical or mental health or condition,
    • the provision of health care to the individual, or
    • the past, present, or future payment for the provision of health care to the individual,

    and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
    Summary of the HIPAA Privacy Rule

    Since "Health Care" is part of my company's very name (and some buildings even require me to write something in a field labeled "Service Rendered" or similar, where I generally write "Nursing",) and name and address are being provided by me...yes, I'm still concerned.

    Now, it's possible that one could construe the building security/management to be "Business Associates" of either the home health company or the client, or maybe both. But for information to be shared with a Business Associate, "a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule." Janitors, vendors and visitors to the building are not authorized to see IIHI, even if a lawyer could argue that a security guard is.
    Last edit by Chi-townHomeRN on Jun 9, '12 : Reason: fixed typo; probably missed more!
  9. 0
    Quote from Chi-townHomeRN
    Thank you for your answers. I'm trying to reconcile them with the responses in this thread, which are overwhelmingly that address, or name + address, ARE protected health information and thus revealing them is a HIPAA violation.

    According to the hhs website:
    Summary of the HIPAA Privacy Rule

    Since "Health Care" is part of my company's very name (and some buildings even require me to write something in a field labeled "Service Rendered" or similar, where I generally write "Nursing",) and name and address are being provided by me...yes, I'm still concerned.

    Now, it's possible that one could construe the building security/management to be "Business Associates" of either the home health company or the client, or maybe both. But for information to be shared with a Business Associate, "a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule." Janitors, vendors and visitors to the building are not authorized to see IIHI, even if a lawyer could argue that a security guard is.
    I think that you are overthinking this. Have you asked your clinical supervisor or agency's HIPAA compliance officer for advice? Simply linking agency name to an individual is not indicative of care rendered or diagnosis.
  10. 0
    You are not giving any info regarding the patient's healthcare. Simply a name without any medical information is not a violation of anything. If you are in a doctor's office the receptionist or nurse still calls out 'Mrs. Smith' into the waiting area, not a violation. 'Mrs. Smith, your HIV test is negative' is a violation.

    Simply stating you are from a home health agency does not in itself reveal anything. The name has to be connected to some piece of actual health information. If you stated that you were going to see Mrs Smith to draw blood for a PT/PTT, or to do wound care, then that would be a violation. Simply being there is not a violation.

    Some places now have a separate book just for home care personnel. I don't really see the difference.
  11. 0
    And besides all of the above: It would not be YOU violating HIPAA, but instead the building management.
  12. 0
    No. You're not revealing any personally-identifiable health information by recording the name and location of the patient/client.