Question: How should a same-day surgery program proceed if a patient agrees with only portions of the privacy notice?

Answer: "A patient does not agree or disagree with the Notice of Privacy Practices," says John C. Gilliland II, an Indianapolis attorney. "It is a notice of the provider’s privacy practices, not something to which a patient must agree."

The provider must give a copy of its Notice of Privacy Practices to the patient and attempt to obtain the patient’s written acknowledgment that he or she received it, he says. If the written acknowledgment cannot be obtained, the provider must document the efforts it made to obtain the patient’s acknowledgment and why the acknowledgement was not obtained, he adds. The form that the patient is asked to sign is an acknowledgment of receipt of the privacy notice, not of agreement or understanding, he adds.

Question: When a patient asks a same-day surgery program to restrict the disclosure of information beyond that provided in the program’s privacy notice, does the same-day surgery program have to comply?

Answer: "No, the provider does not have to comply," says Gilliland. An individual has the right to request restriction on the use and disclosure of his or her protected health information, he points out. However, the provider does not have to comply, if the patient’s request goes beyond the program’s normal disclosure restriction, he adds.

Question: Can a same-day surgery program post thank-you letters from patients on a bulletin board that can be seen by staff and other patients?

Answer: "In my opinion, they cannot post the letters unless the letters are de-identified so they no longer constitute protected health information," says Gilliland. "De-identification" is a process under the privacy rule by which health information is made to no longer be individually identifiable, he explains. "Typically, it requires removing all of 18 identifiers stated in the privacy rule including names, geographic subdivisions smaller than a state, most zip codes, telephone numbers, and medical record numbers," he says.

Question: If a same-day surgery program regularly keeps a chart by the patient’s bedside during the preoperative period, does that violate HIPAA regulations?

Answer: There is nothing wrong with keeping the chart by the patient’s bedside during the pre-operative period, but reasonable efforts should be taken to avoid incidental disclosure on information in the chart to nonstaff who might be in the area, Gilliland explains.

"If nonstaff are not in the area, then it’s not a problem at all," he points out. "If nonstaff may be in the area, reasonable steps to avoid incidental disclosures could be as simply as having a blank cover sheet over the chart that must be lifted to read information on the chart." 


John C. Gilliland II, Attorney-At-Law, Gilliland & Caudill, 6650 Telecom Drive, Suite 100, Indianapolis, IN 46278. Telephone and fax: (317) 616-3647. E-mail: