How do you handle patient information on security sign in sheets?

Hi! New here, be gentle with me!

Working home health care in an urban area, I often have to sign in with security when entering a building. The forms often request time in, time out, my name, my company name (no problems so far) and then the resident's name and apartment number. Those fields make me profoundly uncomfortable from a patient privacy standpoint. It feels very HIPAA-violationy. These forms are quite often left unsecured on a clipboard on a counter accessible to anyone walking in, not behind a desk with a security officer.

I totally understand that secured buildings' management wants this information for safety and accountability, but how can I provide them with what they need while protecting my patients and my license?

Thanks in advance for any suggestions.

You are not revealing any protected information. Simply because you are from a home health agency does not say 'why' you are there.

Part of the reason you are signing in is for your own protection. If the building needed to be evacuated you would be accounted for.

There is no violation here.

Best wishes, and don't look for trouble where there is none.

Stop and think about it for a minute. Imagine what steps you would take to make this into a HIPAA violation so that you could lodge a complaint. Reaching too far. Reread the portion of the explanation of HIPAA where it states that information necessary for the conduct of the 'business' of healthcare is allowed to be communicated when necessary. It is literally impossible to keep everything a state secret.

If the resident lives in this building, then they are aware of the security procedure being utilized and don't have an issue with it. I'm sure this is in the lease that they signed.

Specializes in Pedi.

I am also in an urban area and there are certain buildings that I frequent where the doorman needs to know who I'm going to see. I don't see it as a HIPAA violation, as the doorman needs this information to do his job. He doesn't know anything about the patient's medical information.

Thank you for your answers. I'm trying to reconcile them with the responses in this thread, which are overwhelmingly that address, or name + address, ARE protected health information and thus revealing them is a HIPAA violation.

According to the hhs website:

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Summary of the HIPAA Privacy Rule

Since "Health Care" is part of my company's very name (and some buildings even require me to write something in a field labeled "Service Rendered" or similar, where I generally write "Nursing",) and name and address are being provided by me...yes, I'm still concerned.

Now, it's possible that one could construe the building security/management to be "Business Associates" of either the home health company or the client, or maybe both. But for information to be shared with a Business Associate, "a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule." Janitors, vendors and visitors to the building are not authorized to see IIHI, even if a lawyer could argue that a security guard is.

Specializes in Complex pedi to LTC/SA & now a manager.

I think that you are over thinking this. Have you asked your clinical supervisor or agency's HIPAA compliance officer for advice? Simply linking agency name to an individual is not indicative of care rendered or diagnosis.

You are not giving any info regarding the patient's healthcare. Simply a name without any medical information is not a violation of anything. If you are in a doctor's office the receptionist or nurse still calls out 'Mrs. Smith' into the waiting area, not a violation. 'Mrs. Smith, your HIV test is negative' is a violation.

Simply stating you are from a home health agency does not in itself reveal anything. The name has to be connected to some piece of actual health information. If you stated that you were going to see Mrs Smith to draw blood for a PT/PTT, or to do wound care, then that would be a violation. Simply being there is not a violation.

Some places now have a separate book just for home care personnel. I don't really see the difference.

And besides all of the above: It would not be YOU violating HIPAA, but instead the building management.

Specializes in neuro, ortho, peds, home, home cardiac.

No. You're not revealing any personally-identifiable health information by recording the name and location of the patient/client.

Actually to calm your nerves I suggest you leave off any designation from your name such as RN and don't fill out the company name. Those are two things the security in the building has no need to know. Without that info nobody who looks at the log will be able to assume anything other than you are a visitor.

I think what is lost here is that HIPAA exists to protect health information privacy- not any and all information pertaining to the individual. If you pulled up in a van that said ABC home health agency, DEF respiratory supplies, or XYZ DME company, would this patient's neighbors know any more than they do now when you fill out the form as you are currently doing?

I would encourage you to further research the difference between PHI (Protected Health Information) and SPI (Sensitive Personal Information). SPI includes information such as date of birth, SSN#, etc- information we certainly don't want to share. Generally, only PHI is covered under HIPAA. SPI is typically protected under separate organizational policies.

According to the Department of Health and Human Services (http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html), information that cannot be shared due to HIPAA regulation must include one of the following:

  • "the individual's past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual"

Most importantly, I would encourage you to always provide the "minimum necessary" information to security. Remember, just because they ask on the form why you are there and what company you are there from doesn't mean you have to answer those questions. Family and friends likely visit these patients too, and they don't have to fill out those boxes to see the patient, so you likely don't have to either. If security does need further information, handing the security staff a business card should likely suffice- then they get the information that you are an RN from ABC home health agency, but that is not connected to the patient and listed on the same form as the patient's name. If you remain concerned, talk with your supervisor, to get his or her take on the matter.
