April 19, 2016
Wait a minute - last week you addressed an "open" office structure. What about waiting rooms?
Waiting rooms, as opposed to a treatment area (which was the area under discussion in last week's discussion), falls under the "by-product exception" under HIPAA, which is illustrated in below. It is through the following illustration by The Office for Civil Rights that guides us towards allowed v. disallowed disclosures. Here is what OCR has to say about "by-product" disclosures (see opinion on OCR website)
A hospital customarily displays patients' names next to the door of the hospital rooms that they occupy. Will the HIPAA Privacy Rule allow the hospital to continue this practice?
The Privacy Rule explicitly permits certain incidental disclosures that occur as a by-product of an otherwise permitted disclosure—for example, the disclosure to other patients in a waiting room of the identity of the person whose name is called. In this case, disclosure of patient names by posting on the wall is permitted by the Privacy Rule, if the use or disclosure is for treatment (for example, to ensure that patient care is provided to the correct individual) or health care operations purposes (for example, as a service for patients and their families). The disclosure of such information to other persons (such as other visitors) that will likely also occur due to the posting is an incidental disclosure.
Incidental disclosures are permitted only to the extent that the covered entity has applied reasonable and appropriate safeguards and implemented the minimum necessary standard, where appropriate.See our section on Incidental Uses and Disclosures. In this case, it would appear that the disclosure of names is the minimum necessary for the purposes of the permitted uses or disclosures described above, and there do not appear to be additional safeguards that would be reasonable to take in these circumstances. However, each covered entity must evaluate what measures are reasonable and appropriate in its environment. Covered entities may tailor measures to their particular circumstances.
The acknowledgement by OCR that some disclosures are necessary for patient care, for sure, has its limits. However, for those of us looking to fall on the safe side of the compliance spectrum, be assured to know that OCR does recognize reasonable disclosures.