HIPPA Help Needed!!

I have recently started a new job at a Dentists Office in Oklahoma and hope someone can answer if these are HIPPA violations or not…
A co-worker believes it’s ok to throw a patient’s name and phone number away in regular trash
And
When an insurance company (let’s say BC/BS, although all insurances do this) sends the dental office the Explanation of Benefits showing what they allowed and what they will pay for, it is unlike the EOB the insurance sends to each of us at our homes, where the one we receive only has our information on it. When an insurance sends the EOBs to the Dr.’s office, if multiple patients with the same carrier (BC/BS, HEALTHCHOICE, AETNA, ETC…) have been seen around the same time, the insurance carriers save time, money and paper and put multiple patients on the same EOB showing the breakdown and amounts; the insurance companies will then write ONE CHECK totaling all of the claims. My coworker believes it’s ok to scan the EOB with multiple patients’ names into all of the charts WITHOUT covering the other names up because the insurance sent them to the office that way. I don’t think you can and that it’s a huge HIPPA no-no. Can anyone clarify this for me before I take it to my new boss? (Sorry the message is so long.)

First off, it’s HIPAA.

For your first question, I don’t believe it’s OK to toss patient information in the trash; it should be shredded.

For your second question, sorry no clue. Doesn’t sound quite kosher though.

Legal advice is best suited to IMHO.

Colibri
General Questions Moderator

#1 is a HIPAA violation. If someone goes dumpster diving and finds such information, the business could face a large fine or even an attempt at blackmail. It should be shredded. As a matter of routine, almost everything should be shredded just to make sure that nothing slips out.

#2. Are you saying that other patients can see each other’s paperwork? If so, big HIPAA violation.

Here’s a tool that might help your office.
http://www.hhs.gov/news/press/2014pres/03/20140328a.html

As I understand HIPAA, if patient identifying information is printed, it must be disposed of by shredding. If it says John S. it is not identifying the patient. If it says John Smith, it is. But it’s always better to err on the side of caution. #1 is problematic, even if not a straight up violation. Which I think it is.

#2 is less clear. I understand your co-worker’s desire to not have to copy the document multiple times and redact each one. Can you not contact the insurance and tell them you need these forms for the individual patient?

The better question is, why not just talk to your new co-worker instead of running to the boss on your second day of work and tattling?

Big HIPPA violation. Both cases.

I got the impression that the OP did talk to the co-worker, who was wrong on both counts.

I, too, get those dang multiple-patient EOBs. The insurance company won’t separate them. However, you can go online and print EOBs by patient.

I pay bills for an insurance company, and when the providers disagree and send our own EOBs back with re-evaluation paperwork, they redact the names of all the other patients on that EOB. The one that we sent them, with our own claimants on them.

Yes, redact those mofos.

Your coworker is dangerously wrong.

This.

You have to shred, redact, or otherwise destroy **all** patient information. End of story. In the case of the chart, it would be appropriate practice to black out the names of all other patients on the EOB, in case a patient asked for a copy of his or her chart.

Source: I helped implement HIPAA for one of the Medicare contractors and have worked in health insurance for 20 years.

#1 is a straight up textbook HIPAA violation. You are not making an effort to protect PHI.

#2 is not yet a HIPAA violation, but provides a big invitation to an accidental mass violation. If someone requests their records and gets the PHI of other patients with it, each other patient’s PHI is an individual HIPAA violation with its own fine. Last I checked, that was minimum $10,000 apiece for clinics and offices (for willful neglect), $50,000 maximum per violation. So if you’ve got 10 names on there, 9 of which belong to other patients, that single sheet of paper is a $90,000 to $450,000 potential fine you’re looking at. Now, if your HIPAA administrator absolutely positively trusts every single employee to redact at the time of copying, that’s their call. Me, I don’t even trust myself that much.

Devil’s Advocate here, and I’ll point out I’m totally out of my depth: haven’t read the law, not a lawyer, all that stuff.

It depends.
If you write a patient’s name and phone # on a post-it note, that’s not really a “medical record” even if you did it in a Doctor’s office. It doesn’t even prove they are a patient, just that you wanted to make note of their name and number.

That said, I always advocate erring on the side of caution. I once had to write down the Social Security Numbers of three co-workers (and their names, so I knew which was which) while dealing with some paperwork, and when I was finished with them I tore off the bit of paper where I had written them and took it outside to one of the ashtrays we keep so customers can put their cigarettes out before entering the building and I burned it to ash. I made sure it was not just burned browned paper where some forensic chemist could tell which parts had ink on it, it was powder.
Because I wanted to be 100% sure that if evil doers got those SSNs, it wasn’t because of me.

If I worked in a medical facility (Doctor’s office or such), I’d shred everything. No piece of paper goes out to recycle without being shredded. Or burned.

It’s OK for insurance to send these out because presumably the same person is going to go down the list and update everyone’s account balance, from patient A to patient Z. Filing them like that is not OK because someone pulling records for an issue with patient A can see B through Z.

Having said that, when paper EOBs were still allowed, I’d see providers sending these lists in to us. Half the time they just circled the relevant name rather than redact the non-relevant names.

(Also, if you send some paper to an insurance company, please circle instead of using highlighter. Everything gets scanned by the low-wage mail office clerks before the rest of us see it. Generally the highlighter makes a mess of the black and white scan, and then we have to have them hunt down the original paper and send it to us which obviously takes time)

My wife worked for a large medical clinic (payroll, billing and HR) and she agrees with you on #1, not so much on #2. The EOBs should go in the patient’s billing record, not the medical record. The billing record should never be seen except by those that work in the clinic; there is never any reason to release that information. No patients should have access to any of the billing record info except for the bills sent to the patients. Any other info the patient needs concerning billing should come from the insurance company. She said she never saw the release of the EOBs the clinic received from the insurance companies to any patients.

We’ve been required to release them upon subpoena on occasion. It’s fairly rare, but it happens. (I work for a small home health company. Perhaps we’d have different procedures if we had more lawyers on board.)

But yes, she’s right that they belong in the billing file, not the medical file. I’ve found some small clinics don’t keep them separate, though. Not sure if that’s a breach or a policy difference.

I agree with this. One could just as well write down the name and number of their plumber or hairdresser and then put it in the trash at the doctor’s office. On a common sense basis, name+no. in the trash is meaningless. It could more or less happen to anyone anywhere for any reason. Is it actually a HIPAA violation for someone associated with a health care provider to do it if it happens to be a patient?

What if it’s a potential patient, e.g. someone called with a question but hasn’t actually made an appointment or been there yet?

What if they’ve made a first appointment but haven’t yet come in?

(I’m asking out of curiosity as to exactly what the actual law/regulation is. Please don’t respond “the safe thing to do is not take any chances.” I get that. But I’d like to know precisely what HIPAA stipulates, if that’s possible to know.)

#1 is not a HIPAA violation unless there is some kind of health information coupled with the patients’ names and phone numbers. If your medical office specializes in treating nothing but skin diseases of the little left toe, I suppose someone could make a case. But generally, the mere fact that X person has contact with the office of a medical establishment means zippo. Could be a salesperson, or a guy picking up his wife’s X-rays, or Sammy delivering pizza. And the HIPAA Q&A explicitly allows you to have patients “sign in” using both first and last names on a sign-in sheet that others will view, as long as the sign-in sheet doesn’t require the patients to reveal medical info coupled with their names. Name–Time In: Okay. Name–Time In–Reason for Visit: Not Okay.

By the way, it’s perfectly acceptable to use the patient’s full name when calling him or her from the waiting room. There have been some scary mix-ups when Jennifer 2 answered for Jennifer 1 (who was in the ladies’ room) and wound up getting the wrong medical procedure.

#2 is not okay. A patient has a right to see his or her own medical records. If those medical records include a document which shows other patients’ names and medical information(!!!), that’s a HIPAA violation.

Don’t know about you, but I occasionally run into people I know when I go to the doctor. Unless you think we’re all supposed to have our own secret, private entrance and then stay in booths until called, knowledge of identity alone is not the problem. HIPAA means: don’t tell anyone except the patient, his or her doctor, other medical personnel who need to know, and anyone explicitly authorized by the patient (like the insurance company) about the patient’s health or medical information. Whether it’s terminal cancer or an ingrown toenail.

AuntPam is correct, sort of. Not every scrap of paper in a doctor’s office is protected health information. It’s stuff that includes demographic information in conjunction with health information. But a name on a check-in sheet is not okay if visible to other patients because it indicates that the patient is being treated at that facility (in context).

In theory, somebody going through your trash might infer that a piece of paper with patient demographic information means that patient was treated in your facility. Most doctor’s offices are pathological about violations and aren’t lawyers, so they go above and beyond. Nothing wrong with that, of course.

HIPAA does not excuse you from disclosing billing or medical records pursuant to a lawful subpoena. The only thing you don’t have to disclose without a court order (rather than an administrative subpoena) or patient release is STD or mental health information, at least in this state.