[ Friday, April 07, 2017 ]
A question from the audience:
Q: At our group therapy counseling sessions, we have the clients sign in on a
sign in sheet that is passed around once group therapy starts. No one but the
clients in group, the therapist, and the billing department sees the sign in
sheet. We are required by the state agency we serve to have a sign in sheet, and since we bill insurance, we need to be able to provide documentation for insurance purposes (proving the patient attending the group therapy session, in case we get audited). The
sign in sheet asks for client's initials, DOB, and time in and out of group, and has to be signed by the person so it is authentic and
can't be said it is forged. A client in group, who is a lawyer, stated
this was a breach of HIPAA. Is it?
A: It’s group therapy; doesn’t person A know the name (or initials) of person B
and person C, without seeing it on the sign-in sheet? Don’t they know
when the person came into the room and left the room? I guess person A
now knows the age person B, and what their signature looks like, but the real
PHI here is the fact that persons B and C are getting therapy, and person A
already knew that, since it's group therapy!
Sign-in sheets and waiting rooms are always places where PHI can
be inadvertently disclosed. Some person’s presence in a waiting room
gives you some implicit information about their health condition, which means
that every waiting room in the world is a potential HIPAA violation. So
what’s the answer? No waiting rooms? Make the waiting room so dark
nobody can see who else is in there? Hand out Halloween masks to everyone
when they come in so nobody can recognize anyone else? Obviously, that’s
silly. And it’s even sillier when the patients in the waiting room then
go into a group healthcare session together, where they get to know even more
PHI about each other.
Instead, a covered entity medical provider should do what it can
to minimize disclosures in the waiting room, while recognizing that some amount
of disclosure is naturally going to occur. Sign-in sheet should not have
any information that’s not necessary, like addresses, social security numbers,
or diagnosis/medical complaint information. When calling patients from
the waiting room, staff should use the minimum information (say “Mr. Prescott?”
when calling the patient in, not “Dak Prescott, quarterback for the Dallas
Cowboys, we’re ready to give you your treatment for your embarrassing
STD”). But none of that would make much of a difference when a group of
folks in the waiting room all come in together to get their healthcare services
as a group, where all the same information (and much more) is going to be shared anyway.
Given that, it sounds like you are keeping the sign-in sheets to
the minimum information. However, if you want to be overly sensitive, you
could have each group therapy member sign a separate sign-in sheet with the
same information (initials, DOB, in/out time, signature), so that nobody sees
anyone else’s PHI. But I don’t think that’s really necessary, if the
information is going to be shared in person anyway.
Jeff [11:24 AM]
http://www.blogger.com/template-edit.g?blogID=3380636
Blogger: HIPAA Blog - Edit your Template