Over the years I have done several interviews for articles about HIPAA compliance. I recently did an interview for an HCPro article, “Physician offices: Tackle a different set of privacy training challenges.” (Sorry, this is not publicly posted to my knowledge.)
Well, today I received a message about this article from a clearly agitated reader, whose name (of course) I am not including in the following message…
“Good morning.
I just finished reading your article in a complimentary issue of Briefings on HIPAA.
I disagree with one of your identified “violations”—Healthcare workers calling out the full names of patients in the waiting room….
Many of our patients are elderly and/or debilitated from their disease process and treatment. As a nurse, I have gone to the waiting room and called out for “Mary” and had “Harry” get up and start following me to an exam room. This mistake is easily caught. However, we have also had patients who answer to the wrong first name …get back into an exam room and the mistake is not caught so quickly. We have been told by our previous Corporate Management legal department that to ensure the treatment of the correct patient, calling out the first and last name is acceptable as long as no other pertinent information is provided…i.e. “Mary Smith with non-resectable stage 4 colorectal Cancer”. What would be the expectation in large ER waiting rooms??? Assign numbers like the hardware store??”
Good questions and points!
I thought my response to the individual may be useful to those of you who have pondered this same issue. Got a difference of opinion? Let me know!
“Dear {message sender}
Thank you for your message. The article obviously hit a nerve with you! And rightly so if you are in the trenches dealing with medical care while also trying to comply with numerous laws and regulations. Certainly the fact that you took time to write your message to me indicates your concern and expressed frustration.
It is good that you have discussed this with your legal counsel; and certainly it is appropriate for him or her to provide the best legal opinion as it applies to your own unique organization. Every covered entity (CE) has a different environment and different patient care circumstances, and the HHS specifically has expressed more than once that the purpose of HIPAA is not to unnecessarily inhibit patient care.
To address HIPAA requirements, and to help cover your organization whenever full names are called out for all to hear, hopefully your lawyer, or whomever your privacy officer is within your organization, has documented why your clinic or hospital has determined that it is a reasonable activity to call out full names in violation of the HIPAA requirement to protect the full identities of patients. Such documentation will help in the event some of your patients submit a complaint to the Department of Health and Human Services (HHS) about HIPAA non-compliance.
Some CEs have argued that the HIPAA allowance to include a patient’s full name within a facility directory allows the name to also be called out in a room with other individuals. However, listing a name in a directory and calling out a full name in a room of people, and then seeing the individual who responds to the name and allowing the others in the room to now identify the person by name and by site is a much different matter. Additionally, HIPAA provides patients with the chance to opt-out of inclusion within such a directory. See § 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object. If this is the CE’s reasoning for calling out full names in front of other waiting patients, then did the CE give the patient the opportunity to ask not to have his/her full name called?
Others have argued that calling out a full name is part of the treatment, payment, or health care operations (TPO). However, the other side of this is the argument that the process by which a patient goes to an examination room is not actually part of TPO. Certainly this is a nit to pick with the regulation. There could probably be good cases to make on both sides of the argument (this *IS* TPO versus this is *NOT* TPO). This would be covered under § 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required. There has been much expressed concern from the public, in conversations I’ve had with patients in medical centers, along with various published news articles over the past several years, about doing such practices (calling out their full name in a room full of strangers and having everyone turn and look at them) without their explicit consent to do so.
Keep in mind that a patient’s name is defined as one of the types of protected health information (PHI) under HIPAA. HIPAA addresses restricting access to PHI, and so also to the full name. § 164.502 Uses and disclosures of protected health information: general rules covers the ways in which PHI may and may not be disclosed. With regard to full names being called in waiting rooms, I’ve spoken with multiple lawyers and compliance officers who reference the following passage:
(b) Standard: Minimum necessary
(1) Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
So, it can also be argued that calling out a patient’s full name was not exemplary of making a reasonable effort to limit the PHI to the minimum necessary to request the patient to proceed to the treatment area.
Again, the determination must be made based upon careful consideration of the CE’s specific situation, and at the opinion of informed legal counsel for each particular CE.
HIPAA compliance, as with most laws and regulations, is not a cut and dry, black and white process. Compliance is dependent upon the unique risks inherent to each CE’s facility.
In many waiting rooms and emergency room settings, the need to call out full names has been eliminated in various ways. Here are some of those ways:
- Some clinics and hospitals call out the first name and then only the first initial of the last name. E.g., Rebecca H.
- Other providers call out the first name and middle initial, or first name and middle name, completely eliminating the last name. E.g., Rebecca L. or Rebecca Lynn
- In yet other clinics and hospitals, the patient is asked at the time they check in what name they want to be used to call out in the waiting room, and then that name, which may or may not be their valid or full name, is used to call the patient and is also noted on their charts for the attending nurses to use. Often an alias or nickname is used. Getting this information from the patient is a form of consent that would be in compliance with HIPAA.
- And yes, growing numbers of organizations do now use those same types of number machines as are used in department stores.
I appreciate that you disagree with having the full name called as being listed as a HIPAA violation, but that is how the law is generally interpreted by a wide range of HIPAA lawyers. While many people have indicated this is not convenient, many more individuals who are patients like having their full name kept from being revealed within a roomful of other strangers, or acquaintances, whom they do not want to have hearing or recording in some way that they were in the hospital or clinic on a certain day at a certain time.
I know when I am in a clinic or hospital in a metropolitan area, I always request not to have my full name called. I don’t know who else is in that waiting room, or even if they are there for legitimate patient care. With medical identity theft increasing it is not improbable that some crooks may be hanging out in crowded waiting rooms to get PHI to use for fraud and criminal purposes.
If you are in a small community, where the waiting rooms typically have few people and the patients all know each other, then this may not be an issue. I grew up in a very small, rural community, and not only did everyone in the medical clinic I used know my full name, they also knew where I lived, my phone number, my parents, my pets, my grade point average, etc.
Again, apply HIPAA requirements as is practical to your situation. However, when I am providing information for a published article, or giving an interview and am asked to provide advice about the general requirements of HIPAA, I must provide direction for the general requirements along with indicating (which I try to do with every interview) that each CE should discuss their own unique situation with their own legal counsel, using the provided information, to make the best compliance decision.
Hopefully there are checks in place to ensure the identity of patients beyond calling out the patients’ full names; especially if your clinic knows that there is a tendency for some patients to answer to the wrong names. If the patients are incapacitated to this degree, it certainly seems like a good procedure to at least ask the patient, once the patient has joined you on the walk to the exam room, to confirm their full name prior to continuing on to treatment.
I hope this has provided clarification for you.
Thanks again for sharing your thoughts!
Best regards,
Rebecca”