HIPAA Waiting Rooms

The HIPAA Privacy Rule prevents the unauthorized use or disclosure of PHI. The issue of physician offices’ calling out names of patients in waiting rooms, implicates the HIPAA Privacy Rule. The subject of HIPAA and patient waiting rooms discussed below.

HIPAA Waiting Rooms: What is the Primary Purpose of Calling Out Names?

Generally, the HIPAA Privacy Rule permits the use or disclosure of PHI without patient authorization, when the use or disclosure is for payment, treatment, or healthcare operations.  

The calling of patient names may constitute disclosure of protected health information. PHI is defined as health data that is created, received, stored, or transmitted by HIPAA-covered entities, in relation to the provision of healthcare, healthcare operations and payment for healthcare services. 

HIPAA Waiting Rooms

A patient’s name, when called out, is called out in relation to the provision of healthcare – to treatment. When the name is called, the patient is alerted to the fact that he or she must go from the waiting room to a treatment room. The calling of the patient’s name may also also made to alert additional healthcare personnel (other than the person calling the name) that the person is entering a treatment room. These alerts are treatment-related.  Since a name is a PHI identifier, and the name is called out (“transmitted”) in relation to treatment, the calling out of the name may constitute use or disclosure of PHI. 

HIPAA Waiting Rooms: Incidental Disclosure of PHI

Under HIPAA, use or disclosure of PHI, for the purpose of calling a patient’s name in a waiting room, without patient authorization, is generally permitted. Several conditions must be met for this general rule to apply.

When a name is called, other patients may hear the identity of the person whose name is called. Such disclosures are referred to as incidental disclosures.  The HIPAA Privacy Rule explicitly permits the incidental disclosures that occur from a primary use or disclosure that is permitted by the Privacy Rule.

 
To state the general rule, an incidental disclosure is permitted if it is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and if it occurs as a result of another (primary) use or disclosure that is permitted by the HIPAA Rule. 

Incidental disclosure of PHI is defined as:

  • Secondary disclosure, that
  • Cannot reasonably be prevented, and
  • Is limited in nature, and that 
  • Occurs as a result of another, primary use or disclosure that is permitted by the HIPAA Privacy Rule.

However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard. 

HIPAA Waiting Rooms: What are Reasonable Safeguards?

The Privacy Rule requires a covered entity to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), including reasonable safeguards to protect against any intentional or unintentional use or disclosure in violation of the Privacy Rule. Reasonable safeguards include such actions and practices as securing locations and equipment; implementing technical solutions to mitigate risks; and workforce training

HIPAA Waiting Rooms: What is the Minimum Necessary Standard?

Under the HIPAA minimum necessary standard, covered entities must make reasonable efforts to ensure that access to protected health information (PHI) is limited, per the HIPAA Privacy Rule, to the minimum amount of information necessary to fulfill or satisfy the intended purpose of a particular disclosure, request, or use. 

Application of these rules to the calling out of patient names in waiting rooms reveals that the calling out of patient names is permitted without patient authorization.

The secondary use or disclosure, in this instance, is hearing of the patient’s identity by other patients. This disclosure, given it is made in a waiting room that holds multiple patients, cannot be reasonably avoided. The disclosure is limited in nature – the provider’s office, consistently with the minimum necessary standard, is simply calling out the patient’s name. (The disclosure may be found to be less limited were the office to call out treatment details in addition to the patient’s name.). Finally, the secondary disclosure – the “overhearing” – only occurs as a result of the treatment purpose.

Conclusion

Provided the covered entity has implemented appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), including reasonable safeguards to protect against any intentional or unintentional use or disclosure in violation of the Privacy Rule, the calling out of the names is permitted under HIPAA.