HIPAA, Incidental Uses and Disclosures, & Sign-in Sheets

By Michael Dorausch, D.C.

Disclaimer: The information contained here is provided free of charge. It is intended for informational purposes only and should not be construed as legal advice or a substitution for obtaining legal advice from an attorney licensed in your state.

Using sign-in sheets in the front office, incidental uses and disclosures.
It is my opinion that sign in sheets will be fine as long as the standards below are met. Chances are your sign in sheet has the day, date, place for a signature, and maybe a place for time on it. I don’t see any reason why that would not be satisfactory as a sign-in sheet does play an essential role in ensuring that individuals receive prompt and effective health care. However, if your sign in sheet also requests additional information such as why an individual is in the office (sciatica, herniated disc, subluxated C1, hemorrhoids, etc.) you may be crossing the line. Read the information below to get a better understanding of how your office may be effected.

Background: Many customary health care communications and practices play an important or even essential role in ensuring that individuals receive prompt and effective health care. Due to the nature of these communications and practices, as well as the various environments in which individuals receive health care or other services from covered entities, the potential exists for an individual’s health information to be disclosed incidentally. For example, a hospital visitor may over hear a provider’s confidential conversation with another provider or a patient, or may glimpse a patient’s information on a sign-in sheet or nursing station whiteboard. The HIPAA Privacy Rule is not intended to impede these customary and essential communications and practices and, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy.

How the Rule Works
General Provision:
The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 CFR 164.502(a)(1)(iii). An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. However, an incidental use or disclosure is not permitted if it is a by-product of an underlying use or disclosure which violates the Privacy Rule.

Reasonable Safeguards A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 CFR 164.530(c). It is not expected that a covered entity’s safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients’ privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.


planetc1.com-news @ 12:19 pm | Article ID: 1045167548