Should you even take the risk?

Tod Ferran, CISSP, QSA
My stance on patient sign-in sheets is that unless there is a valid business reason for having them, don’t do it. In all the healthcare audits I’ve conducted, I have yet to see a valid business reason.

The biggest security risk these sign-in sheets pose comes directly from the other people in the waiting room: family members, neighbors, friends, and other patients.

As ridiculous as it sounds, patients stalking other patients can happen. It’s as easy as looking at the sign-in sheet and Googling a last name, address, or phone number. Don’t let your organization become the poster child for what not to do!

Does the HHS allow patient sign-in sheets?

Luckily, this age-old question has been answered in the Department of Health and Human Services (HHS) FAQ:

“Yes, covered entities…may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited.”
So what does ‘appropriately limited’ mean?

The HHS goes on to say, “These incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician).”

Why even take the chance of a HIPAA violation?

Here’s my opinion as a security professional: why even take the chance of a potential problem? Covered entities are responsible for limiting incidental disclosure, right? In many cases, the nature of a physician’s specialty alone may inappropriately disclose a patient’s condition: a woman signing in at an obstetrician’s office, for example, or someone signing in at a psychiatrist’s office.

Alternatives to patient sign-in sheets

If there is a business case for signing patients in, such as to provide proof of attendance for the collection of co-pays, there are a variety of options I consider more secure that don’t involve the traditional patient sign-in. I’ve seen receptionists check patients in on the EMR system, or even open up an Excel file and type each patient’s name in as they arrive.

I believe it’s only a matter of time before patient sign-in sheets are no longer compliant. As soon as something bad happens because of one, we will see the HHS change its stance. From a purely security standpoint, this is an easy vulnerability to mitigate. So why even take the chance?

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.