Front Desk HIPAA Compliance: Essential Guidelines for Healthcare Facilities


There you are at the hospital, waiting your turn at the front desk. While you wait, you hear some of the information the front desk worker is writing down from another patient before setting up their appointment.

For example, she loudly repeats the patient’s name, height, weight, blood pressure, address, age, and how many weeks pregnant she is, while everyone in the room hears the conversation.

Do you think it counts as a reception/front desk HIPAA violation?

If so, can it be mitigated?

And how?

In this blog post, we talk about what HIPAA violations are, why front desks are a common place for them to happen, what kinds of violations happen at front desks, how to stop them, and more.

Understanding HIPAA for Front Desk and Reception

The US Department of Health and Human Services (HHS) passed HIPAA, which stands for the Health Insurance Portability and Accountability Act, in 1966. It is a federal law that governs the healthcare industry. It makes the healthcare system work better by setting national standards for keeping a patient’s identifiable health information private and secure when it is used in electronic transactions.

The Office for Civil Rights (OCR) is in charge of HIPAA enforcement and handles reports about breaches of privacy and security. OCR is only able to act if:

  • The violation took place within the last six years.
  • The organization is required by law to follow the HIPAA rules.

Common HIPAA Violations

Most common violations of HIPAA:

➜ The Department of Health and Human Services (HHS) says that one of the most common HIPAA violations is not having good access controls in place.

➜ Device theft is also a leading cause of the loss of protected health information (PHI) in institutions with lax security and physical device rules.

HIPAA Compliance Act Rules

The HIPAA compliance act has three rules that must be followed to set the national security standards for keeping patient health information safe.

1). The Privacy Rule sets the rules for protecting all health information that can be used to identify a specific person. This includes credit card numbers, social security numbers, and medical records, which includes prescriptions, procedures, conditions, diagnoses, and more.

2). The Security Rule sets standards for safeguarding electronic protected health information (ePHI) and focuses on rules that are unique to protecting digital data.

3). The Breach Notification Rule says that covered entities and business partners must tell the government about any breach of unsecured protected health information (PHI).

What actions at the reception desk could lead to a HIPAA violation?

HIPAA Privacy and Security Rules can be broken in many ways, and even one violation by a staff member can land you in an audit by the Office for Civil Rights and a fine. Here are some common violations that happen at the front desk of a healthcare center:

⚠️ In-sight patient sheet with all their healthcare data

⚠️ Overheard communication of the receptionist trying to verify the patient details

⚠️ Computer screens at the reception desk that are not turned away or covered, showing patient appointment details such as name, age, location, etc.

⚠️ EHR and WiFi passwords written on sticky notes stuck to the board or screen in public view

⚠️ Open and unattended files of patients at the desk

⚠️ Patient sign-in sheet placed publicly

⚠️ Patient records thrown in the trash without being properly discarded

⚠️ Names, addresses, and social security numbers of patients saved within patient records

⚠️ Piled copies of patients’ health insurance cards on the desk

⚠️ Patient messages for the doctor noted down next to the phone

⚠️ Printed prescriptions waiting for pick-up

Each of the situations mentioned above is a front desk HIPAA violation that needs to be handled carefully so that private data is not put at risk.

Why are front desks or reception areas prone to HIPAA violations?

You see, front desks and other greeting areas are known for being places where HIPAA violations often happen, for a number of reasons. The front desk of an office is the most likely place to break HIPAA rules because it has all of a patient’s medical records and data right there on the counter, sometimes in plain sight. Anyone who comes to the front desk with bad motives can expose your office to severe penalties.

HIPAA Compliant Front Desk

Many HIPAA breaches happen at front desks or reception areas for the following reasons:

  • Uneducated or untrained staff
  • Overheard conversations between patient and receptionist, receptionist and doctor, etc
  • Unlocked computer screens displaying sensitive information
  • Uncovered or unattended documents at the front desk
  • No barriers between waiting room and reception area

Penalties and Criminal Charges against Front Desk HIPAA Violations

Penalties are based on how bad the violation was and are split into four levels based on things like intent, number of people affected, type of violation, effects, and so on.

HIPAA breaches are punished at the following levels, which are enforced by the Office for Civil Rights (OCR):

Penalty Tier | Culpability Type | Penalty Charged per Violation
Tier 1 | Unaware of the rule | $100 – $50,000
Tier 2 | Not deliberate violation | $1,000 – $50,000
Tier 3 | Willful negligence – rectified within 30 days | $10,000 – $50,000
Tier 4 | Willful negligence – not rectified within 30 days | $50,000

Some of the worst cases of HIPAA violations in history:

⛔ In 2015, Anthem Inc. was hit with a $115 million class-action lawsuit for putting the ePHI of about 79 million people at risk. This is thought to be one of the biggest healthcare data breaches ever.

⛔ Two employees of Memorial Healthcare System stole the PHI and PII of more than 115,000 patients without permission. They were charged with an internal breach and have to pay a $5.5 million penalty.

HIPAA Rules for Clinic Front Desks and Waiting Areas

Protected health information (PHI) must be kept private and secure according to HIPAA rules. Front desk workers play a critical role in making sure that HIPAA rules are followed because they are often the patient’s first point of contact.

HIPAA Compliance for Front Desk

Identifying the patient

  • Use the right ways to make sure the patient is who they say they are (photo ID, date of birth, etc.).
  • Make sure that the patient’s information in the medical record is correct and up to date.

Keep things secret

  • Protect the privacy of all PHI, such as patient names, medical problems, and treatment plans.
  • Do not talk about patient information in public or with people who are not allowed to hear it.
  • When talking about patients in public places, use code words or names.
  • If you write something on paper, put it away or turn it over.

The patient consent

  • Get permission from the patient to use and share PHI.
  • Give people a copy of the Notice of Privacy Practices and tell them what rights they have under HIPAA.

Controls for access

  • Only allow authorized individuals to view PHI.
  • Make sure that computers are locked when no one is using them.
  • Make your passwords strong and change them often.

The sharing of PHI

  • Only give PHI to people who are allowed to see it, as HIPAA rules say.
  • Get the patient’s permission or agreement before disclosing information that isn’t allowed by law.
  • Destroy PHI papers properly to stop people from getting to them without permission.

Rule of Minimum Necessity

  • Only give out the bare minimum of information needed to get the job done.
  • Do not share too much private patient health information.

Safety for electronic PHI

  • Protect electronic data with encryption and firewalls. Put in place technology safeguards to keep electronic PHI safe from people who shouldn’t have access to it.
  • Update and patch software often to fix security issues and holes.

Notification of Breach

  • Report any breaches of PHI to the appropriate authorities and the people who were impacted.
  • Follow the HIPAA rules for reporting a breach.

The infrastructure

  • The reception room needs to be separated by opaque glass so that no one else can hear or see what is being said.
  • To follow HIPAA’s rules for privacy, security, and breach notification, the front desk and the waiting room must be separate or an acceptable distance apart.

Training and education

  • Front desk workers should be trained on HIPAA rules and best practices on a regular basis.
  • Make sure that your team knows how important privacy is and what will happen if they break HIPAA.
  • Make employees responsible for following HIPAA rules.

Does my healthcare facility need to follow the HIPAA front desk policies?

Compliance with HIPAA rules is required for any company or healthcare facility that handles electronic Protected Health Information (ePHI). Protected Health Information (PHI) that is saved, sent, received, or put together electronically is called ePHI. This ePHI is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

Now, the groups that have to follow HIPAA rules are covered entities (anyone offering treatment, payment, or operations in healthcare) and business associates (anyone who has access to patient information and helps with treatment, payment, or operations). These include:

  • Healthcare providers (hospitals, doctors, dentists, etc.)
  • Health insurance providers
  • Healthcare clearinghouses
  • Business associates of covered entities (e.g., billing companies and document storage companies)
  • Pharmacies
  • Long-term care facilities
  • Research institutions
  • Public health authorities
  • Employers
  • Schools and universities

If you operate one of the businesses mentioned above and do not fulfil the compliance requirements, you may be held liable for HIPAA violations.

Protect Your Company’s PHI and Get a HIPAA Check from BellMedEx

There are more and more breaches of protected health information (PHI), and as of 2024 – 361,498 HIPAA violations have been reported to the OCR. If this happens a lot at your company, especially at the front desk, don’t risk expensive fines and penalties. Get your HIPAA compliance checked out so that you can find, scan, and measure the possible breach and fix it quickly enough to avoid criminal prosecution.

Our auditors will check to see if your organization is following the rules and make specific suggestions on how to keep your patients’ private information safe. Protect your practice’s HIPAA rules by setting up a HIPAA inspection right now.