It is quite possibly a violation, depending on which hospital staff members have access to the patient system and whether or not the patient's Social Security number is being used as a patient identifier. However, if the screen is viewable by other patients, then this is almost certainly a HIPAA violation.
In general, HIPAA mandates that technology or processes be used to prevent unauthorized individuals from viewing patients' Personal Health Information (PHI). This can necessitate encrypting the data, truncating portions of the PHI and/or limiting who has access to the data to begin with.
So with the example above, if a patient's Social Security number is being used as a unique identifier, only the people who need access are permitted to have it, the access is appropriately controlled, and all of the above can be demonstrated to an auditor, then the company is going to be in pretty good shape.
On the other hand, if only some or none of the preceding is true, then there is a problem. Addressing this issue doesn't necessarily have to be expensive, however; installing privacy screens on relevant computer monitors or perhaps even changing the positioning of the monitors may take care of the problem.
Regardless, consider switching away from using Social Security numbers and developing a new patient identifier policy. SSNs were never intended to be used this way, and as I've said in previous columns, using SSNs definitely violates the spirit of the legislation.
This was first published in June 2009