
What can patients see on your reception desk?

By: Brand Barney, Security Analyst at SecurityMetrics
Your reception desk might be one of the most vulnerable locations in your entire organization. Why? Every patient you treat walks up to the reception desk and discusses their visit with the receptionist for at least a minute or two. What do they see when their eyes wander around that reception desk? What do they hear? What can they grab? Take a photo of?


HIPAA violations on reception desks

I’ve seen some pretty wild HIPAA violations from the viewpoint of both auditor and patient. The most common violations I see at reception desks are things like:
  • The receptionist’s open computer showing the day’s schedule, complete with full patient names
  • Computer, EHR, and Wi-Fi passwords written on sticky notes, stuck to a computer monitor (in plain view of the public!)
  • Patient records on clipboards by the keyboard, easily viewable
  • Keys (probably to a back office) within arm’s reach
  • Bulletin boards with new patient names and notes about patients
  • Unopened charts that still identify the name and address of patients
  • Patient messages for the doctor written on a pad of paper next to the phone on the reception desk, in full view
  • Recently received faxes of health insurance data left in plain view on the desk
  • Recently printed prescriptions left sitting on the desk in plain view
  • Unshredded patient records thrown in a trashcan shared by receptionists and waiting room patients
  • Patient charts placed in clear door chart holders, clearly viewable to anyone walking by
Each situation I described above is either a HIPAA Privacy Rule or HIPAA Security Rule violation. All it takes is one patient or workforce member to report a single one of those violations and get you on the Office for Civil Rights’ (OCR) audit radar.


Even worse, what if someone with malicious intentions saw your Wi-Fi password so conveniently displayed on your desk, and decided to hack in and steal patient data? Do you have the technical measures in place to know if this has happened, or is happening?

Stopping reception desk HIPAA violations

Receptionists have tried to convince me that as long as the information is upside down to the patient, it’s not a HIPAA violation. That is false, and truthfully ridiculous. A quick picture of that upside down patient data can quickly be turned right side up, or even snatched right off the desk.
You can do a lot to mitigate the risk that your reception desk fosters, but the most important is employee training.
Receptionists, doctors, and nurses won’t leave patient information in plain view on reception desks if they have extensive training explaining why. I truly believe that healthcare professionals care about the data that they are working with, but I don’t think that they understand how they impact the security of that sensitive data.
Here are some more ideas that will help you keep your reception desk free and clear.
  • Stand where your patients check in, walk the path they walk, and see whether you can spot any sensitive information, in any form.
  • Stand at the reception desk and try to locate any administrative information that might help an attacker gain access to your systems (like your EHR password).
  • If you ever write something on paper, immediately turn it over or place it in a locked drawer.
  • Pull out your phone and put it on the desk. What can you take photos of? I always recommend a no-phone policy at the front desk.
Many HIPAA impermissible disclosures are related to human error, and occur by accident. However, that also means most instances are avoidable. With the right procedures and training in place, you should be able to make sure your reception desk area is violation-free and HIPAA compliant.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

  1. One of the damnedest things is the amazing pomposity of clerical front office staff and receptionists (sometimes not even high school grads) demanding a full description of conditions and symptoms from a patient calling or asking in person to make an appointment. This severely violates the patient's privacy rights and leads to dangerous medical decisions and/or advice made by the least competent bureaucratic level in a medical office. TOO OFTEN, THE LONGER they work there, the more prone they are to make medical decisions and to want to trade in medical information. The risk to the patient's privacy is obvious. But far worse is the full-blown Napoleonic Complex many develop, producing favoritism, antagonism and the imbecilic issue of bad medical advice. And still worse, the discussion of patients and their conditions in jest, in derision or in a self-serving manner seems to me like grounds for dismissal of that clerical person. While it is now clear that medical practices are made or broken more by the traits of the non-medical front office clerical staff with whom patients interact, and despite the fact that a sick person anxiously seeking medical care should not be subjected to a receptionist's personality traits or serve as an outlet for the receptionist's mood, too often this is the case, encouraged by the common practice of calling patients by their first name without ever asking permission to do so. Indeed, practices do seem to be made or broken by the front office and, worse still, imbecilic favoritism and priority is practiced based on the “I am Caesar” sense of some little clerk. A patient, ill and anxious, should not be subjected to the thuggery and social deficiency of unskilled minimum wage receptionists in a physician's office. It is too deleterious to the critical doctor-patient relationship. Illness and the associated anxiety deserve professional and compassionate interaction when all a patient wants and needs to do is see the physician.

    1. You make some solid points! We feel your frustration, and agree that "many HIPAA impermissible disclosures are related to human error, and occur by accident. However, that also means most instances are avoidable."

  2. “ASurvivor” made excellent points! I would like to offer another example of a HIPAA violation by a poorly trained front office clerk. My spouse and I go to the same medical practice. Once, when he went there alone, he asked for a printout of my office visits for the year, which included a specific diagnosis code and definition. I had purposely NOT listed him in my medical records as a person who could have access to my private health information. The clerk apparently ignored this and handed him my info just because he wanted it. When I found out, I reported this HIPAA violation to the practice manager. The clerk was soon fired. My point is this: Just because two patients are married, that does not make it legal to share one patient’s info with the other.