Revenue Cycle Management
COVID-19
Reimbursement
Diabetes Awareness Month
Risk Management
Patient Retention
Staffing
Medical Economics® 100th Anniversary
Coding and documentation
Business of Endocrinology
Telehealth
Physicians Financial News
Cybersecurity
Cardiovascular Clinical Consult
Locum Tenens, brought to you by LocumLife®
Weight Management
Business of Women's Health
Practice Efficiency
Finance and Wealth
EHRs
Remote Patient Monitoring
Sponsored Webinars
Medical Technology
Billing and collections
Acute Pain Management
Exclusive Content
Value-based Care
Business of Pediatrics
Concierge Medicine 2.0 by Castle Connolly Private Health Partners
Practice Growth
Concierge Medicine
Business of Cardiology
Implementing the Topcon Ocular Telehealth Platform
Malpractice
Influenza
Sexual Health
Chronic Conditions
Technology
Legal and Policy
Money
Opinion
Vaccines
Practice Management
Patient Relations
Careers

Modifying potential privacy risks

March 5, 2004

Article

In addition to implementing written policies and procedures, are there other changes I need to make to ensure that my office is HIPAA compliant?

Q:In addition to implementing written policies and procedures, are there other changes I need to make to ensure that my office is HIPAA compliant?

A: Yes. You must also implement, as necessary, other commonsense privacy policies and practices appropriate to the situation. To identify gaps in privacy, start by conducting an office walk-through. Be especially alert to such potential risks as public sign-in sheets that include unnecessary medical information; publicly visible computer screens and fax machines; public conversations on personal health topics between staff and patients; and easily visible medical charts.

Take reasonable steps to modify these potential risks. For example, if you believe that patients in an adjoining exam room might overhear your conversations, you might consider hanging wall coverings to help muffle the sound. You wouldn't be required under HIPAA to construct soundproof walls or break your lease, though.

Similarly, not every exchange of patient information overheard or seen by others is a violation of HIPAA. Indeed, the Privacy Rule permits information to be used and disclosed for the purposes of treatment, payment, and healthcare operations. It also permits "incidental disclosures"disclosures that occur as a result of an otherwise permitted use, and despite reasonable safeguards having been adopted.