
Compliance Q&A: HIPAA violation?

Compliance Monitor, September 28, 2011

Q. An outpatient physical therapy clinic verifies a patient’s benefits prior to his or her first visit. When the patient arrives, front desk staff review the patient’s insurance benefits and out-of-pocket costs. Other patients may sometimes overhear some of the conversation. Is this a HIPAA violation?

A. The HIPAA Privacy Rule defines this as an incidental disclosure, not a violation of the Privacy Rule. Covered entities are required to limit incidental disclosures as much as feasible. When discussing PHI with a patient at the intake desk, providers should establish a buffer zone between the intake desk and the next patient waiting to check in. Providers will often use a sign and ask waiting patients to remain behind the sign until it is their turn to check in.

Most signs found in physician offices and hospitals usually state that the purpose of this practice is to protect the privacy of the patient checking in. This isn’t always feasible because of the office configuration and does not always eliminate incidental disclosure of PHI. However, it is an appropriate practice that limits incidental disclosure. (See 45 CFR 164.530[c][2][ii].)

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. Apgar has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. He is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum. 
