Patient-Friendly HIPAA Privacy Policies

By Ronald L. Scott

The Health Insurance Portability and Accountability Act (HIPAA) privacy regulations provide in part that “an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity’s legal duties with respect to protected health information.”  See 45 C.F.R. 164.520(a).

I recently visited a physician to obtain a routine flight physical and was asked to sign a two-sentence form stating that I had received and read the physician’s privacy policy.  Since physician office visits often involve substantial waiting time, I asked to see the actual privacy policy referred to on the form.  I was handed a two-sided 8½ x 11 sheet but realized after reading the second page that something was missing.  Upon my request, the receptionist then located the remaining pages (about six more two-sided pages).  The policy referred to “HIPAA” several times before it actually explained what the acronym stands for.  Although the policy described in reasonably accurate terms the way that the physician would use patients’ medical information, the language was technical enough to put off any but the most persistent reader.  While waiting, I observed several other patients’ reactions to the privacy notice.  Most simply signed the form without comment.  A few asked to see the policy but stopped reading before finishing the first page.  One man asked to see the policy and was handed the multi-page document.  He commented that he should have arrived a day early for his appointment to have time to read the “paperwork.”

Initially, I was quite critical of the particular physician’s implementation of the HIPAA requirements, but after re-reading the actual regulations, it is clear that patient-friendly implementation of the regulations is challenging.

The final HIPAA regulations allow a physician to use or disclose protected health information for most reasonable purposes, such as treatment or insurance reimbursement, without obtaining the patient’s consent.  As originally drafted, the regulations required physicians to obtain patients’ consent for such disclosures, and the final version of the regulations still allows consent to be obtained even when it is not required.  Where consent is obtained, the regulations require that the consent document be no longer than one page, be written in plain language, be signed and dated by the patient or the patient’s representative, and include statements that the protected health information will be used for treatment and insurance reimbursement purposes.  The consent must also advise that the patient has the right to review the physician’s privacy notice, to request restrictions on disclosures of certain protected health information, and to revoke the consent at any time.  I don’t believe the form I was asked to sign was a “consent” form.  It seemed more intended to advise patients to read the physician’s notice of privacy policy.

While obtaining consent is optional, a physician is obligated to provide a rather extensive “notice of privacy policy” to meet the requirements of 45 C.F.R. 164.520(b).  For example, the notice must prominently state: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”  The regulations contain several other requirements for the mandatory notice, so depending on how information is actually used and disclosed by a physician, the “notice” would be hard to write in less than several pages.  Depending on the circumstances, the regulations provide that the notice may sometimes be provided via email, sent in written form, or posted on a wall in the waiting room of the physician’s office.  Since a 14-page document would not be very easy to read (or look very attractive) if posted on a wall, perhaps the only reasonable alternative is to make written copies of the notice available to patients.  When lawyers draft notices of privacy policies, they may be inclined to merely parrot the regulatory language.  While this approach may satisfy minimal legal requirements, it may not be very patient-friendly.  Hopefully, some providers will find better ways to meet the statutory requirements in a way that will invite patients to actually read and understand the notices.