Modifying potential privacy risks

March 5, 2004

Q: In addition to implementing written policies and procedures, are there other changes I need to make to ensure that my office is HIPAA compliant?

A: Yes. You must also implement, as necessary, other commonsense privacy policies and practices appropriate to the situation. To identify gaps in privacy, start by conducting an office walk-through. Be especially alert to such potential risks as public sign-in sheets that include unnecessary medical information; publicly visible computer screens and fax machines; public conversations on personal health topics between staff and patients; and easily visible medical charts.

Take reasonable steps to modify these potential risks. For example, if you believe that patients in an adjoining exam room might overhear your conversations, you might consider hanging wall coverings to help muffle the sound. You wouldn't be required under HIPAA to construct soundproof walls or break your lease, though.

Similarly, not every exchange of patient information overheard or seen by others is a violation of HIPAA. Indeed, the Privacy Rule permits information to be used and disclosed for the purposes of treatment, payment, and healthcare operations. It also permits "incidental disclosures"—disclosures that occur as a result of an otherwise permitted use, and despite reasonable safeguards having been adopted.