10 tips to help registration departments remain HIPAA-compliant

Do not talk about the patients you register, look at the files of patients you did not register, or leave your computer unattended with a patient’s registration file open. These are just some of the major rules that patient access representatives must follow to remain HIPAA-compliant and protect patients’ privacy.

“Your front desk staff touch with HIPAA at all different levels,” says Lisa Simmons, CHAM, manager of patient access at West Virginia University Hospitals, Inc., in Morgantown. “Obviously, the first part is the patient confidentiality part. The next part that they struggle with, that we have to spend a lot of time educating them on, is understanding when you can share information in the context of your job.”

As a patient access manager, you can never have too many reminders and training sessions regarding HIPAA. The following are 10 tips you can give staff members to help them remember to protect patients’ privacy:

1. Never share unauthorized information. Do not share information, even with a family member, unless the patient approves it. However, exceptions can made if:

A representative leaves for the day and needs to hand over the case to another representative

A representative must share the file with a clinician who needs to review the case

“I think the most important thing for HIPAA is that they know that they can’t share patient information with anyone [unless it is authorized],” says Linda Southard, patient registration manager at Rogue Valley Medical Center in Medford, OR. “Whatever they’re working on is just for their eyes only. So they don’t talk about what they’re seeing on schedules, or if they’re working in the ER, they don’t converse about what they see come into the emergency room. It’s all very confidential.”

2. Inform the patient about the hospital directory. Ask the patient whether he or she would like to be included in the facility’s directory. Some facilities give patients a number they can share with their relatives or friends that allows them to get information about their care. Patients can forgo the privilege of being in a directory by filling out a no-information form. Sandy Green, CHAM, system director of patient access at the corporate office of Christus Health System in Irving, TX, says her team distributes a HIPAA form that includes:

Acknowledgement that the patient received his or her HIPAA rights notification, which is usually a handout or brochure

Whether the patient opts out or agrees to be published for internal usage

3. Make no exceptions for the patient’s family members. Even if you are bombarded for information from visitors who say they are family, you must remain steadfast in protecting the patient’s rights. Only visitors approved by the patient may obtain information. This is a particular challenge at children’s hospitals, where family members such as stepfathers or guardians bring a child to a hospital but have no legal right to sign off on care.

“We have very irate fathers because they can’t [sign],” says Jo Ann Tomes, manager of admitting at Cincinnati Children’s Hospital Medical Center. “They’re the ones that brought the child in, but they don’t have legal responsibilities, so they can’t sign for them. Even if they have the insurance, they still can’t sign for treatment.”

4. Never leave a computer screen or paperwork in plain view. Turn paperwork over when you leave your desk and put it away at the end of the day. Also, lock your computer screen when you leave your desk. Work under your own login name and log off when you are done.

“A place where I have to be really, really careful is my discharge desk in the emergency department because it sits out in a lobby where people can easily stand around the desk and they can look at the screen,” Simmons says. “So it’s important to have the screen saver on so you don’t have the peripheral vision to be able to see the appointment.”

5. Keep your voice down. In some hospitals, it is impossible to keep a conversation solely between a registrar and a patient because of space constraints. Some registrars take small steps to help keep the process private by keeping their voices down, never asking for Social Security numbers unless they have to, and not yelling out patients’ names unless necessary.

“I think they just have to be aware of the tone of voice,” Green says. “Most of the admitting areas are kind of wide open anyway, with the average public having access to them … You don’t realize that I’m on the phone talking to somebody about this or that, you know, that somebody very easily can be overhearing me.”

6. Don’t look up patient information without consent. Most facilities have systems that track who goes into a patient’s files. If a patient gives you information about his or her case in an informal conversation, that is one thing. But never ask about his or her information in general or look into his or her files without consent. Facilities have had to terminate registrars who go into files of patients they did not register.

7. Shred all documents. The trash is the worst place to discard a document that contains patient in-formation. Shred all documents and throw them into a recycle bin, which is not as public as a trash bucket in the ER.

8. Validate patient identification. Because of the potential for insurance identification fraud, registrars must be thorough in checking patients’ identification.

Double-check birth dates and picture IDs if your system has that capability. When possible, most facilities preregister patients to help them get through the system and on file more quickly. But even when a physician’s office helps you preregister a patient, double-check the patient’s information.

“When somebody gives you their ID and insurance card, you’re not particularly comparing pictures because people don’t always look like they did when they had their driver’s license done,” Green says. “But it’s become now another whole thing that admitting needs to do as far as [identifying] the patient and verifying that the person who is presenting is the person that’s in front of you.”

9. Verify patient identification over the phone. Ask for a patient’s Social Security number, birth date, and anything that would help establish his or her identity over the phone before proceeding. If you are prompted to leave a message, simply identify yourself and request a callback.

10. Forward all media inquiries. High-profile patients, whether local or national public figures, will attract media. The best thing to do is to forward all inquiries to your organization’s marketing or media relations department.