HIPAA privacy in the office

How to mitigate your risk with protected health information

It is imperative to secure your networks and data from breaches. The Office of Civil Rights (OCR) website lists numerous data breaches that took place during 2019, with settlements ranging from $10,000 to $3 million. These settlements result from covered entities failing to secure health information properly or failing to report breaches properly.

As important as large-scale data breaches are, it is also necessary to look at HIPAA privacy and security from a micro perspective. Look around your office and you will likely find several examples of protected health information (PHI) that could be viewed by anyone, which puts you at risk of exposing PHI.

The following are some common issues where PHI may have exposure along with some thoughts on how to mitigate the risk:

1. Appointment schedule list

Many practices have the appointment schedule (or schedules for multiple providers) on or around the front desk check-in area to make it convenient for the technician to initial or indicate when patients have been taken for work-up. As a best practice, use a cover sheet with the provider’s name on top of the appointment list, so the patient names remain covered and secure.

2. Paperwork at the front desk

The front desk is a busy location in any office, and many times front office staff are responsible for receiving faxes and paperwork that need to be scanned into the patient’s electronic health record (EHR) file. As a best practice, turn all paperwork facedown to prevent PHI exposure when patients or non-employees are near.

3. Diagnostic testing equipment

Patient information displayed on diagnostic equipment is generally on the technician’s side of the instrument and not visible to the patient. Still, be sure that no patient information is visible when a patient sits down at the diagnostic equipment in the office. Some systems have the patient list of appointments for the day on-screen, while others allow each patient to be pulled up by their medical record number, name, or date of birth. Sit as the patient would to ensure no PHI is visible. Additionally, if the patient is accompanied by someone, be sure no PHI is visible wherever that person sits or stands.

4. Image viewers in lanes

Having an image viewer in the lane helps keep the clinic moving, but it also adds another element of PHI risk. Some viewers show all patient information, including name, medical record number, date of birth, and more, on a fixed screen that cannot be minimized to hide the information, while other viewers allow the data on the screen to be resized. Be aware that the patient and any accompanying person could potentially see other patients’ information when images are pulled up for the provider to review. Be sure to lock the computer screen when stepping away for any period of time and to close the record when the visit is over.

5. EHR

The unintentional exposure of PHI from the EHR is a real risk. One of the easiest fixes is a privacy screen protector (filter), which allows the typist to see the information clearly when looking straight on at the screen but blurs or blocks it from other angles. Some practices use two monitors in the lanes: one for the EHR and a second to give the provider and the patient an unobstructed view of the diagnostic testing image. It is prudent to ensure that the list of patients in the diagnostic testing viewer software appears on the monitor with the filter, to prevent accidental exposure of other patients’ PHI.

HIPAA privacy and security have numerous facets. Look at the office from a patient’s and visitor’s perspective to see whether PHI is being exposed, and to confirm that the practice is as compliant as you think.