Physician Practice

Q&A: Are our sign-in sheets HIPAA-compliant?

Physician Practice Insider, April 7, 2015

Q: Do we need to cross out patient names after they sign in for an appointment? My facility does not do this, as it contains only their names and other patients can see them sitting in the waiting room or walking in the hall.

A: It's a good idea to cross out patient names on sign-in sheets several times during the day. The Office for Civil Rights (OCR) has issued guidance (last updated March 14, 2006) noting that it is permissible to use sign-in sheets if the covered entity has implemented reasonable safeguards and the minimum necessary standard is addressed, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). Just including patient names is usually considered incidental disclosure of protected health information.

Even patient names should not be left visible on a sign-in sheet if the treatment is in a setting where knowing the patient is being seen can disclose the diagnosis. For example, if the treatment provided is related to mental health or alcohol and chemical dependency, it should be considered sensitive and care should be taken to regularly block out patient names. On the other hand, if the sign-in sheet was used at a primary care clinic, knowing who signed in for an appointment is not likely to disclose a medical condition. Patients may be able to see each other in a waiting area, but that doesn't mean the patients know each other's names.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, originally answered this question in Briefings on HIPAA.
