May physician’s offices use patient sign-in sheets in the waiting rooms?
Yes. Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. Types of tests or other potential diagnostic information should not be called out or used in waiting areas. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice. For example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician).