True story: One of Karen’s Medicare patients, upon receiving an EOB, called Medicare and denied being in her office for a particular date of service. This triggered an audit threat (potential fines, jail time, etc.). Fortunately, Karen produced her manual sign-in sheet to prove the patient had indeed been in the office. Audit avoided. Over the years, I’ve seen such scenarios duplicated regularly: the manual sign-in sheet saves the day.
Now, as of a few years ago, several chiropractic software packages have begun to tout use of a magnetic card which the patient swipes when she arrives at the office, enters a treatment room, etc. These systems suggest that you can automate the entire visit process (a great idea). Now, suppose the scenario above comes to pass in your office and you’re using this type of system. You print a computer-generated list and provide it in response to Medicare’s initial request. Medicare asks how the printout was generated. You explain that you have a magnetic swipe system. And Medicare asks who is in control of generating/programming the magnetic cards provided to the patients. You explain that your office programs them (just like a hotel’s front desk). In other words, you’re in full control of the patients’ “signature” that’s being offered as “proof” to avoid an audit. Medicare decides to press ahead with a full audit…
There’s no case law with regard to such a scenario. But over the years I’ve been in contact with the FBI Computer Forensics team and have spoken with more than one State Attorney General during investigations. The bottom line is that you can’t shrug off the sign-in sheet as a valuable tool. If the sign-in sheets are handled manually, keep them in a loose-leaf binder or scan them in by date. Alternatively, use a product like OffiSign-In that actually stores the patient’s electronic signature separately for each visit.
The law firm of Drinker Biddle reviewed this issue extensively for us. Though there’s no case law yet (no surprise), the attorney who researched it (a full partner at the firm who has litigated major case law) indicated she wouldn’t want to have to defend against this issue if the doctor’s only physical evidence of various visits was dependent on a card swipe system.
So… this is a situation where… before we attempted to add a new “feature” to ECLIPSE — one doctors occasionally request — we spent thousands of dollars with one of the largest law firms in the USA in an attempt to determine whether it was safe to do so. How many companies that you work with actually care enough to research whether you’re protected from possible consequences of using their products? And how many of you don’t even bother to think about it in the quest to automate every aspect of your practice?
Finally, for those of you who’ve been told otherwise, sign-in sheets are indeed HIPAA compliant. This has been noted in multiple places. Here’s a quote from the DHHS website:
“For example, a hospital visitor may overhear a provider’s confidential conversation with another provider or a patient, or may glimpse a patient’s information on a sign-in sheet or nursing station whiteboard. The HIPAA Privacy Rule is not intended to impede these customary and essential communications and practices and, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards.”
And another direct quote from the DHHS FAQ, answering the question “May physician’s offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?”:
“Yes. Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR 164.502(a)(1)(iii).”