Q&A: Patient information visible at registration desk

Q: While at an appointment, I noticed a staff member place patient folders in a stand on top of the counter at the registration desk, easily accessible to anyone nearby. I noticed a receipt sticking out of one folder, and I could read the patient's name, last four digits of his or her Social Security number, and diagnosis/billing codes. Is this a HIPAA violation, since anyone walking by could read this information, or is it just a bad practice?

A: HIPAA requires that covered entities minimize and mitigate incidental disclosures such as the one you describe. The practice should not leave documents where those who are not authorized to access them could do so and should not speak of details where unauthorized persons may overhear. The practice would be required, based on a complaint you might voice, to do a risk ­assessment of the incident to determine if it is an actual breach. The key to that assessment would be determining whether you could have reasonably retained the information you saw. That you could view the patient's Social Security number is concerning. Depending on where the organization is located, you may also have to comply with state-specific notification requirements. Bottom line: It is definitely a poor practice and quite possibly a breach that would require notification to HHS and to the patient whose information you saw. I would recommend you report it to the organization so they can rectify this potential problem.

Editor's note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, N.H., provided this answer. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Heidi Samuelson at hsamuelson@hcpro.com.