Q. Do patient sign-in sheets violate the HIPAA Privacy Rule? If they do not, does a recommended format exist?
A. Covered entities are responsible for limiting incidental disclosures. Using a patient sign-in sheet is allowed but can be perceived as not taking the necessary steps to limit incidental disclosure and a violation of the HIPAA Privacy Rule.
If you use a sign-in sheet, the information on the sheet should be kept to a minimum.
No preferred format exists, however, covered entities that use a sign-in sheet should very strictly limit the PHI to the following:
- the patient's name;
- the provider being seen;
- the arrival time; and
- the appointment time.