Connect with us
HIPAA's Gaping Loophole: A Privacy Myth
[Fiction based on fact.]
Late on a Friday afternoon a couple months ago when I heard a noise in the waiting room, I went to the reception window to see whether a patient I expected might have arrived early. A middle-aged man standing there, leaning on papers on the counter, asked if one of the psychotherapists who shares the office was there. When I responded that she was with a client, he asked me whether I would be willing to sign for a subpoena. I told him I would not and returned to my office. I called my patients to warn them with whom they might unexpectedly find themselves sharing the waiting room. They rescheduled rather than take the risk that this individual might recognize them.
HIPAA and related state statutes and case law provide penalties for unauthorized release of identifiable patient information, even, I believe, addressing the sign-in sheets some physicians used to keep at the reception window. But I know of no law or rule to prevent someone else in a waiting room from recognizing a patient.
Here's a (probably incomplete) list of people who might recognize you as you sit in my waiting room.
People who have business there:
Letter carriers, delivery people, attorneys, court reporters, people from neighboring offices, other patients and their: kids, partners, parents, friends, and other people they care for.
People who need not have business there, at least during office hours:
Cleaning and maintenance people, walk-ins, solicitors (despite the signs that tell them to stay away), the landlord.
People who need not have business there:
Process servers, federal agents.
I have visited at least one office where the exit from the solo physician 's office bypassed the waiting room. But even with this arrangement patients arriving early or on the wrong day, and many of the others listed above might see you waiting or entering. And the cost of building could be prohibitive.
Going back many years (pre-HIPAA) an agent from some federal agency or other appeared in my waiting room, showed his badge, and told me I should hand over records of a patient who apparently had applied for a job with the agency. He informed me, wrongly, that I did not need to obtain the patient's authorization to release the records. I have heard similar stories from at least two other psychiatrists, both of which took place since HIPAA took effect. In all these cases the agencies could have requested records by mail rather than sending an agent.
We will never likely enjoy complete health privacy. Telemedicine promises reduction in waiting room appearances but opens the possibility of electronic hacking or eavesdropping. But government agencies should respect privacy concerns and alter policy and procedures accordingly. We can try to schedule patients we have reason to believe might know each other when they will not present at the same time. We can try to schedule non-patients when patients will not be present. But realistically we cannot assure privacy in waiting rooms.
On the evening described above I glanced into the waiting room as I was preparing to leave. Even though my office mate had signed for the subpoena, the process server still sat reading. When my office mate asked him whether he had any further business there, he replied that he wanted to finish an article he had started to read. I thought briefly about demanding that he leave, but I was on my way out, no one else was waiting, and I figured no one really needed my intervention.