I had occasion to see my doctor this week. What for is irrelevant, but somewhat the premise of this discussion.
When I approached the registration desk of my physician’s practice I was asked, in a loud voice: “Name?” I respond, “Les Jordan”.
“What doctor are you here to see?”
I respond with my physician’s name.
“Is your date of birth…” and states my date of birth out loud.
“Yes. That is me.”
“Are you still living at…” stating my full street address and zip code.
“Yes. I still live there.”
“Is your phone number…” and repeats my phone number for all the world to hear.
“Are you still employed by Microsoft or have you changed employers?”
“I am still employed by Microsoft.”
“Is your insurance still through…” and named my insurance carrier.
“No change in my insurance info.”
“OK – Sign this release form and proceed down to…” Now, it could have been Urology, Internal Medicine, Psychiatry, Cardiology or any number of specialties covered by that practice, any one of which would have implied a smaller range of diagnoses and why I was at the doctor.
Think of what that intake secretary just announced to the world:
- Name, Date of Birth, Address, Phone Number
- My employer
- My insurance carrier
- The Doctor I am seeing
- The specialty of the doctor – which implies a smaller range of diagnoses.
How much PHI was just revealed? As I look around me in the waiting area, I wonder if the person with the PDA or smartphone just recorded all that info. If they did, might it have been enough to violate my rights under HIPAA?
At this major practice in the Boston area and practices throughout the country, HIPAA may be violated every day simply by having their intake practice be verbal, not confidential and not electronic.