Health Information Compliance Alert

Published on Thu Jul 17, 2008 PDF

Question: We would like patients to write down their date of birth or the last four digits of their Social Security numbers on our sign-in sheet in addition to their names to use when trying to properly match patients with their charts. Would this lead to a privacy rule violation?

Nebraska subscriber

Answer: It depends, warns Mark Eggleston, manager of HIPAA compliance for Health Partners of Philadelphia.

You are allowed to use sign-in sheets, but only if the information disclosed on them is appropriately limited. And your sign-in sheet may only contain information necessary for sign-in purposes, the Office for Civil Rights explains in an FAQ on its Web site.

Best practice: Limit the identifying information patients are asked to write down along with their names, Eggleston suggests. For example, you could ask for their names and the month of their birthday or the name of their street. That way, even if someone inappropriately accesses the sheet, the information contained on it is unlikely to cause harm to the patient.

Tip: Ask patients to jot their information on stickers. Your staff can remove the stickers as patients sign in. Warning: A sticker-based system is risky if your staffers cannot remove the patient data as it is received because someone could snatch the sticker for inappropriate use, experts caution.

The bottom line: While any information seen on your sign-in sheet or overheard in your waiting room is categorized as an incidental disclosure, you must toe a fine line.