Healthcare Reception Desks: Breeding Ground for HIPAA Compromise

What can patients see on your reception desk?

Check out this video for a 90-second summary of this reception desk HIPAA problem.

HIPAA violations on reception desks

I’ve seen some pretty wild HIPAA violations from the viewpoint of both auditor and patient. The most common violations I see at reception desks are things like:

• Seeing the receptionists’ open computer with the day’s schedule, complete with full patient names
• Computer, EHR, and Wi-Fi passwords written on sticky notes, stuck to a computer monitor (in plain view to the public!)
• Patient records on clipboards by the keyboard and easily viewable
• Keys (probably to a back office) within arm’s reach
• Bulletin boards with new patient names and notes about patients
• Unopened charts which still identify name and address of patients
• Patient messages for the doctor written on a pad of paper next to the phone on the reception desk, and in full view
• Recently received faxes of health insurance data left in plain view on the desk
• Recently printed scripts left sitting on the desk in plain view
• Unshredded patient records thrown in a trashcan shared by receptionists and waiting room patients
• Patient charts placed in clear door chart holders, clearly viewable to anyone walking by

Each situation I described above is either a HIPAA Privacy Rule or HIPAA Security Rule violation. All it takes is one patient or workforce member to report a single one of those violations and get you on the Office for Civil Rights’ (OCR) audit radar.


Even worse, what if someone with malicious intentions saw your Wi-Fi password so conveniently displayed on your desk, and decided to hack in and steal patient data? Do you have the technical measures in place to know if this has happened, or is happening?

Stopping reception desk HIPAA violations

Receptionists have tried to convince me that as long as the information is upside down to the patient, it’s not a HIPAA violation. That is false, and truthfully ridiculous. A quick picture of that upside down patient data can quickly be turned right side up, or even snatched right off the desk.

You can do a lot to mitigate the risk that your reception desk fosters, but the most important is employee training.

Tweet

Receptionists, doctors, and nurses won’t leave patient information in plain view on reception desks if they have extensive training explaining why. I truly believe that healthcare professionals care about the data that they are working with, but I don’t think that they understand how they impact the security of that sensitive data.
Here are some more ideas that will help you keep your reception desk free and clear.

• Stand where your customers check in, walk the path they walk, and see if you can see any sensitive information, in any form.
• Stand at the reception desk and try to locate any administrative information that might assist a hacker to gain access to your system (like your EHR password)
• If you ever write something on paper, immediately turn it over, or place it in a locked drawer
• Pull out your phone, put in on the desk. What can you take photos of? I always recommend that you have a no phone policy at the front desk policy.

Many HIPAA impermissible disclosures are related to human error, and occur by accident. However, that also means most instances are avoidable. With the right procedures and training in place, you should be able to make sure your reception desk area is violation-free and HIPAA compliant.
Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.