Health Information Management

Q&A: HIPAA-compliant sign-in sheets

HIM-HIPAA Insider, June 8, 2010

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Q. Do patient sign-in sheets violate the HIPAA privacy rule? If they don’t, does a recommended format exist?

 A. Covered entities are responsible for limiting incidental disclosure. Using a patient sign-in sheet may be perceived as not taking the necessary steps to limit incidental disclosure and a violation of the HIPAA privacy rule. 
 
Also, if a significant number of patients receive treatment for specially protected mental or physical conditions, a sign-in sheet may inappropriately disclose a patient’s condition. This creates an even higher likelihood that a sign-in list violates state privacy laws and other more stringent federal privacy laws.
 
It is a good idea not to use a patient sign-in list. Covered entities that use one should reasonably ensure that they regularly replace signed sheets with blank sheets and not just cross out patient names. Crossing out the patients’ names usually does not make them unreadable.
 
No preferred format exists. However, covered entities that use a sign-in sheet should very strictly limit the PHI requested from patients who sign it.
 
Editor’s note: This question was answered by Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, in the June issue of Briefings on HIPAA.



Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular