Compliance Q&A: Can we ask a patient their date of birth at the front desk while checking them in?
Law: The HIPAA Privacy Rule does not prohibit covered entities from engaging in common and important health care practices; nor does it specify the specific measures that must be applied to protect an individual's privacy while engaging in these practices. Covered entities must implement reasonable safeguards to protect an individual's privacy. In addition, covered entities must reasonably restrict how much information is used and disclosed, where appropriate, as well as who within the entity has access to protected health information. Covered entities must evaluate what measures make sense in their environment and tailor their practices and safeguards to their particular circumstances.
HHS has stated that the Privacy Rule applies to all forms of PHI, including PHI in oral form. Under the Privacy Rule, a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI). A covered entity must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
The Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. The rule only requires covered entities to implement reasonable safeguards that reflect their particular circumstances to ensure that providers' primary consideration is the appropriate treatment of their patients. HHS has also said that it understands that overheard communications are unavoidable. For example, in a busy emergency room, it may be necessary for providers to speak loudly in order to ensure appropriate treatment. HHS will consider the following practices to be permissible if reasonable precautions are taken to minimize the chance of inadvertent disclosures to others.
Possible safeguards may include: reasonably limiting access to these areas, ensuring that the area is supervised, escorting non-employees in the area, or placing patient charts in their holders with identifying information facing the wall or otherwise covered, rather than having health information about the patient visible to anyone who walks by.
Possible safeguards may also include: limiting the information disclosed over the system, such as referring the patients to a reception desk where they can receive further instructions in a more confidential manner.
HCP Response: In our opinion, and this is by no means legal advice, each practice should take steps to evaluate their needs and determine reasonable safeguards for PHI, including check-in procedures. This may include the following: partitions on desks to limit sound transmission, asking for physical identification such as a driver's license so that identities can be confirmed visually rather than obtaining information orally, and limiting the volume level of the oral communication containing PHI. As long as practices are implementing reasonable safeguards to limit communication and transmission of PHI, they are in compliance with HIPAA privacy rules.