When you mention the Health Insurance Portability and Accountability Act (HIPAA) to your staff, they should be able to tell you a summary of the law off the top of their head.
That’s because you’ve trained and retrained them on this subject every year since they started working for you. It’s a requirement that they understand how to operate your practice without exposing the sensitive information they handle on a daily basis.
However, many healthcare practices go through their day without realizing that some of the most minor things they do are potential HIPAA violations.
Sometimes practices get so caught up in trying to provide the best, most personable experience possible that they forget about some of the more intricate details of the HIPAA Privacy Rule.
Specifically, what I’m referring to is talking about patients using their name or sharing their personal information in some capacity.
Here are a few examples of what I mean…
Asking them for information out loud during their check-in process
Calling them by their name to the front desk in your waiting room
Leaving patient charts lying around on desks within view
Creating a bulletin board that welcomes new clients using their name and address
Gossiping about patients in online forums or to other employees
These smaller violations happen all of the time. Since they don’t grab headlines the way a ransomware attack does, many healthcare providers might not place as much emphasis on stopping them.
But the government agencies that enforce this law won’t dole out a smaller penalty for something that seems small. A violation of HIPAA isn’t something to overlook, regardless of how minor it may seem.
In fact, violations of this caliber still result in massive fines. One instance that involved a gossipy text conversation exposing the information of a Walgreens pharmacy patient resulted in a $1,440,000 fine.
So what can you do at your practice to stop oversharing? More specifically, how do you talk about patients without using their names?
Enhance Your Patient Intake Forms
The first thing your clients do when they come in for their appointment is check in at your front desk. During this exchange, they’ll usually receive a patient intake form.
This is a very sensitive document: it contains a lot of prompts and areas asking your patient to include protected health information (PHI). Once they get this form, they’ll go back to your waiting room, fill it out and hand it back to your front desk employee.
At this point, the employee will confirm the information that the patient just filled out while they’re standing there. This is a risky situation.
If your employee or the patient talks too loudly during this process, they could inadvertently give out the patient’s sensitive information to the entire waiting room.
Furthermore, the risk is also there if this intake form is a physical piece of paper or packet. There’s a chance that your employee might forget where they placed it after the patient hands it to them. If this happens, it might end up left in a place that’s easily snooped on.
Luckily, there are a couple of options available that completely remove any risks during the intake process.
The first option is perfect if your staff and clients still prefer filling out a physical intake form: turn these documents into reusable whiteboards.
When you turn these necessary documents into a paper-sized whiteboard, your staff can erase the information after each patient. It’s a simple solution that reduces the risks associated with paper intake forms tremendously. It also, incidentally, reduces how much paper your office uses, which is great for the environment and your marketing strategy.
Our second option is for the more tech-savvy client demographic. As technology continues to improve within the healthcare industry, it opens up new opportunities for practices to improve their entire patient experience. As a part of that, you can host your intake forms online.
This option improves security by sending the patient’s information only through your website, without the need for any conversation at the front desk. It also allows your clients to prepare for their appointment with you ahead of time, streamlining your waiting room.
Confirming a patient’s information with them in your waiting room without using their name is nearly impossible. But there are simple options available that you could implement today that decrease your risks tremendously.
Only Refer to First Names
You spend a lot of your time trying to increase your practice’s patient volume. When a new client sets foot in your office, you want them to feel welcomed, and the first impression you make on them is important.
But you also have to be careful that you don’t go too far in your welcoming.
A popular way for many hospitals and local healthcare offices to greet their new clients is a decorated bulletin board.
Although this is a great decoration for your waiting room that adds a nice flair of personality, it poses a risk.
When designing a bulletin board like this for your office, you may venture down the path of displaying your new patients’ names, where they’re from and a photo of them you grab from their social media. This is a slippery slope to a HIPAA violation.
If you include their first and last name, address, and what they look like without getting their express permission beforehand, you’re compromising their privacy. Thus, you’ll end up facing a fine.
If you want to do a bulletin board like this, keep it generic. Use only first names and don’t include any other information. Instead of using pictures, do what teachers do when welcoming their new class.
This accomplishes the same purpose as the other board without any breach of confidentiality. It doesn’t have to be as hokey as a board made for kindergarteners, but you get the idea.
That’s only part one of this section.
There are other moments throughout the day where you may have to get a patient’s attention. What I’m referring to specifically is when you’re ready to bring them back to an exam room.
You likely have a staff member, aide, or nurse who calls patients back, checks their vitals and leads them to their room. It’s imperative that when this individual calls for a client sitting in your waiting room, they don’t call for that person by their full name. Although small, this is a breach of privacy.
Instead, train this employee to only call for people by their first name.
Certain instances might arise where people in your waiting room share the same name. If this occurs, the simplest solution is to include middle initials in your callouts as well. Doing so doesn’t compromise their privacy.
Of course, it’s also possible that a patient may take offense when they’re called out by their first name only. The last thing you want to do is offend anybody right before their appointment. In order to avoid this situation, add titles to your callouts. Referring to someone as Miss or Mr. adds a respectful touch when you’re calling the client you’re ready to see.
Forbid Gossip About Clients
Healthcare is an inherently interesting topic.
Certain circumstances may arise where something happened to a patient, either an ailment, procedure, or frustration that you just HAVE to tell someone about.
However, this is how gossip at the workplace spreads. It also happens to be one of the most common forms of HIPAA violations.
It’s in our nature to share information. Evidence of this claim comes from the ever-increasing social media landscape (more on this later).
You don’t want sensitive information to spread about your clients throughout your workplace, especially to individuals who aren’t qualified to hear it. To avoid this, set a zero-tolerance policy that lays out specific penalties for gossiping in the workplace.
On top of penalties, your policy should also lay out how such talk must be handled in the event that it happens anyway.
Unfortunately, even if you forbid gossip at the workplace it’s still going to take place at some point. This means you’ll have to let employees know what to do in the event that it happens.
If they’re the person spreading gossip, then they must not use the patient’s name at all. Forbid any reference to the client’s first name, last name, or description to protect their identity. It doesn’t stop at talking about patients without using names; there’s more that needs to take place.
Obviously, continue to reiterate that gossiping about patients isn’t allowed at your practice.
Restrict Social Media Usage
Social media is running rampant.
In fact, you could go to any of the most popular platforms, search for “healthcare” and find thousands of hospitals and practices with accounts that they update daily with new information.
We know that you shouldn’t completely ban the usage of these platforms at your practice because they can help spread the word about your organization.
We also know that one wrong share on social media about a patient without getting their permission prior to posting and you could face a massive fine.
You don’t want to completely forbid the use of these platforms at your practice, otherwise, your practice might fall behind on current marketing trends and lose out on getting more foot traffic into your office.
Instead, you’ll want to restrict its usage to those individuals assigned to and allowed to use it on behalf of your organization. The fewer people that have permission to use social media on campus, the less risk involved with using these modern services.
Think about it: instead of trying to manage everyone posting TikTok content, only a select few will be able to post on a popular platform like that. That gives you the opportunity to train them on what is and isn’t allowed.
Imagine if one of your employees referenced a patient in one of their posts using identifiable information. This is not something you want to happen at your practice and it all goes back to the ideology of talking about patients without using their names.
Limit Access As Much As Possible
One of the best ways to ensure that your team doesn’t overshare information to unauthorized individuals is to limit access as much as possible.
Your front desk team doesn’t need access to everything within your patient’s health records. Likewise, your marketing team leader doesn’t need access to sensitive data at all.
It’s great that your organization went paperless with its record keeping years ago. But getting an electronic medical record (EMR) management system and transferring your physical records into the cloud aren’t the only two steps. You also have to dole out permissions based on job responsibilities.
This step actually goes beyond a suggestion; it’s a requirement.
The Information Access Management section within the HIPAA Security Rule contains multiple standards that explain the importance of limiting access to PHI to only those who most need it.
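To make “permissions based on job responsibilities” concrete, here is an added example of a deny-by-default, role-based view over a patient record, written for this article and not taken from any real EMR product. The roles, the permitted field sets, the fictional patient record and the audit-entry layout are all constructed assumptions; a real practice would derive them from its own job descriptions and access policy. The point it shows is that each role sees only the fields it needs, an unrecognised role sees nothing, and every access (granted or denied) leaves an audit entry.

```python
"""Role-based, deny-by-default access to a patient record.

Added example for this article; not the API of any real EMR system.  The
roles, field names and sample patient below are constructed assumptions.
"""

from dataclasses import dataclass
from datetime import datetime, timezone

# Fields each role may view.  Anything not listed is denied, so a field added
# to the record later stays hidden until policy explicitly grants it.
ROLE_PERMISSIONS = {
    # Front desk handles scheduling and contact details, not clinical data.
    "front_desk": {"patient_id", "first_name", "last_name", "phone", "appointment_time"},
    # Nurses need identifiers plus allergies and vitals to room the patient safely.
    "nurse": {"patient_id", "first_name", "last_name", "date_of_birth", "allergies", "vitals"},
    # Treating physicians see the full clinical record.
    "physician": {"patient_id", "first_name", "last_name", "date_of_birth", "phone",
                  "appointment_time", "allergies", "vitals", "diagnosis", "notes"},
    # Marketing is granted no PHI at all.
    "marketing": set(),
}


@dataclass
class AccessDecision:
    allowed_view: dict     # the fields the caller is permitted to see
    denied_fields: set     # requested fields that policy withheld
    audit_entry: dict      # record of who asked for what, for later review


def minimum_necessary_view(record, user_id, role, requested_fields=None):
    """Return only the fields `role` may see, plus an audit entry.

    `requested_fields` lets a caller ask for a subset; the result never
    contains more than the role permits, and an unknown role gets nothing.
    """
    permitted = ROLE_PERMISSIONS.get(role, set())   # unknown role -> empty set
    wanted = set(record) if requested_fields is None else set(requested_fields)
    granted = wanted & permitted
    denied = wanted - permitted
    view = {name: record[name] for name in granted if name in record}
    audit_entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,
        "role": role,
        "patient_id": record.get("patient_id"),
        "fields_granted": sorted(granted),
        "fields_denied": sorted(denied),
    }
    return AccessDecision(view, denied, audit_entry)


# Constructed, fictional patient record used only to exercise the policy.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "first_name": "Ada",
    "last_name": "Example",
    "date_of_birth": "1980-01-01",
    "phone": "555-0100",
    "appointment_time": "2024-05-01T09:30",
    "allergies": ["penicillin"],
    "vitals": {"bp": "120/80", "pulse": 72},
    "diagnosis": "constructed placeholder",
    "notes": "constructed placeholder",
}


if __name__ == "__main__":
    # Show what each role actually gets back from the same record.
    for role in ("front_desk", "nurse", "physician", "marketing", "intern"):
        decision = minimum_necessary_view(SAMPLE_RECORD, "user-1", role)
        print(f"{role:>11}: sees {sorted(decision.allowed_view)}")
        print(f"{'':>11}  audit -> {decision.audit_entry}")
```

The audit entry matters as much as the filtering: reviewing which roles keep requesting fields they are denied is how you find a job description that has drifted from its permissions, or a workflow that is quietly routing PHI to people who don’t need it.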
Distribute, Educate and Update Policies
If you bring on a new team member and don’t give them a handbook that describes all of the do’s and don’ts of your organization, you can’t expect them to know what to do. In this case, they’re set up to fail.
Whenever an employee starts at an established company that has an HR department, they’re always handed an employee handbook on the first day. It’s then the employee’s responsibility to read and review what they’re given and usually sign each page in acknowledgment.
Healthcare practices aren’t any different in this aspect, regardless of their size or who they’re hiring.
In some cases, smaller practices have no choice but to hire their family members and closest friends to fill front-desk positions. Although that’s not recommended, it happens more often than the industry would like to admit.
Beyond distribution, you’ll also need to educate your staff on what’s expected of them when talking about patients or otherwise. Of course, you don’t want them to use a patient’s full name. You also don’t want them to overshare sensitive information.
Luckily, this is best accomplished through HIPAA training. In other words, you already have the material your employees need to know; now it’s just a matter of holding the sessions.
Finally, you also need to continually update your policies. Just a few decades ago, it was OK to write a company policy, leave it on a shelf somewhere in the office and forget about it. Those days are over. Policies are now looked at as living, breathing documents. In other words, you need to review them every so often and make adjustments as necessary.
Ensure a Clean Work Environment
Have you ever walked around an office and couldn’t help but peek at the documents lying on the desks as you continued down the hallways?
Of course, when we do this it’s not malicious. My point is that we all have wandering eyes to an extent.
This also means that your patients do too.
In other words, another way to stop oversharing any sort of sensitive data is by making sure your employees keep their workstations clean. That way you won’t lie awake at night worrying about a patient accidentally seeing someone else’s PHI.
A “clean workstation” also means no Post-It notes along the sides of monitors. At our home offices, many of us write down account names and passwords on these little sticky pieces of paper so that they’re always there for our reference. After all, it seems like we need to remember about one million different accounts on a daily basis. But this can’t happen.
This ideology extends beyond workstations, though. It also means a clean work environment in general. One of the places that often gets forgotten about is the copier room.
Your team needs to make sure that if they print something, they have full intentions to walk to the printer immediately. Having stacks of printed paper with PHI on it just sitting on a shelf is essentially asking for a breach.
Conclusion
Talking about patients without using names is only one aspect of an entire compliance landscape that prevents oversharing PHI.
It’s only a matter of time before regulators audit your practice to see if you’re following the regulations and expectations placed on your industry. Once you’ve established that landscape, you’re setting yourself up for success in the eyes of governmental agencies.
You’ll no longer have trouble sleeping at night worrying about a looming HIPAA fine.