Make patients’ HIPAA information practical, easy to deliver, and concise

Contact info, format, and Q&A material make content more meaningful

Health care facilities have been working diligently to meet new guidelines under the Health Insurance Portability and Accountability Act (HIPAA) requiring that patients be informed of their rights to privacy and how the institution handles protected health information.

Beginning April 14, the written notice of privacy practices must be handed to the patient at the first point of service in the health care system whether in hospital admission, the emergency room, or clinic. Patients must sign a form that acknowledges the receipt of the notice.

The law is clear on what points must be included in the document. It does not, however, provide instruction on how the material should be formatted, says Mike Lynch, MPA, director of corporate compliance at University of Missouri Health Care in Columbia. The HIPAA Task Force at this facility created a two-page document to give to patients.

A committee at Fairview-University Medical Center in Minneapolis is designing a brochure to give to patients, and the University of Washington Medical Center in Seattle has written a seven-page Notification of Privacy document that patients will receive along with a one-page executive summary. While the law does not require that the information be explained to patients, most health care facilities are including a telephone number to call for more details.

"We don’t believe that staff at our registration points are equipped time wise or knowledge wise to answer any questions about what this means, so my phone number is listed at the top of the brochure. If patients have questions about the information, they can contact me," says Lois Bergstrom, MBA, RHIA, Fairview privacy director.

Cezanne Garcia, MPH, CHES, manager of patient and family education services at the University of Washington approached the HIPAA committee at her facility to ask permission to develop a frequently asked questions (FAQ) sheet as a supplement to the privacy notice. The sheet not only will help patients understand the official document but will provide a tool for staff who may be asked questions that they can’t answer.

"The FAQ tool will help staff give appropriate and accurate responses to the questions that might come up," says Garcia.

She has solicited the aid of a nursing student to help with the project and asked permission from a manager to approach patients in a waiting room with the eight-page document. About 50 patients will be asked to read the document and circle the information that they don’t understand. They also will be asked what questions they have after reading the document.

"If we start hearing the same kind of questions and issues coming up, we will stop the survey. But if we hear new questions, we will keep going until we have talked to 50 patients," says Garcia.

The FAQ tool will provide such information as where patients can go to get a copy of their medical records and what sort of fee is involved. It will cover practical information that HIPAA does not require be included in the notice. The HIPAA committee also will use the information from the survey to clarify confusing language in the document whenever possible, says Garcia.

Covering the facts

There are six privacy rights that must be covered in the notice, says Bergstrom:

  1. Patients have a right to access their health information.
  2. Patients have a right to file a complaint if they think their privacy has been violated. They can approach the privacy director at a health care facility or contact the Office for Civil Rights in Washington, DC.
  3. Patients have the right to request an amendment to their health information. If patients disagree with something a caregiver wrote, they could file a correction or amendment, says Bergstrom. The health care facility can disagree with the patient, but if the patient then files a rebuttal, the health care facility has to include documentation of the dispute in the record.
  4. Patients have the right to request restrictions on the use or disclosure of their health information. "They may ask us not to give any information to their family, and that would be a restriction we would try to honor," says Bergstrom. However, if they said they didn’t want anyone but the attending physician to look at their record, the request wouldn’t be reasonable because other members of the health care team would need access, she says.
  5. Patients have a right to request confidential communications. For example, they may want information such as test results sent to their place of business rather than their home address.
  6. Patients have a right to an accounting of disclosures. Upon request, health care facilities must produce a list of agencies or organizations for patients that received information about their medical care outside authorized releases or normal operations, says Bergstrom. For example, in Minnesota, certain information is released to state or public health authorities without the patient’s knowledge, such as birth reporting, communicable disease, abuse or neglect reporting, and drug overdoses.

"If you look at the privacy regulations, they clearly spell out what has to be in the privacy notice," says Bergstrom. The differences from institution to institution would be how each provides the services required by law, she explains.

To determine what to include in the document to be distributed at University of Missouri Health Care, Lynch, and the HIPAA Task Force looked at several documents from other institutions. One was 11 pages and went into great detail with examples.

"It was a good document and completely explained what people needed to know, but the problem was when you hand people 11 pages when they are about to receive services, they aren’t in the frame of mind to read anything," says Lynch.

Instead, they decided to format their Notice of Privacy Practices after a two-page document they had looked at. They just added information that was pertinent to their facility and had 200 people throughout the organization read it to make sure it covered all the information required.

For example, patients are informed that the health care facility does research and that they may be asked to participate in a research study. They also are told that as a teaching organization students will be exposed to their medical information.

The brochure on privacy at Fairview is modeled after the health care institution’s Patient Bill of Rights. When completed, it will have a lot of section headings for easy reading and a signature page that will go in patients’ records to record that they received the information. The privacy information is summarized as much as possible on that page, says Bergstrom.

The notice of privacy practices brochure will be printed in five languages such as the Patient Bill of Rights in order to reach the non-English-speaking population served. There may be a recording made for visually impaired patients.

When patients receive the two-page document at University of Missouri Health Care, they will indicate that it has been given to them by signing on a line that has been added to the conditions of service form, or consent form, signed by patients at the health care facility.

Spanish is the only other language in which the document will be printed. If a patient speaks a language other than Spanish or English, staff will access an interpreter through the AT&T Language Line and have the document read.

Looking closely at practices

For some patients, the first point of service is contact with a nurse on a triage telephone system at the health care institution, says Lynch. People call to discuss their symptoms and find out whether they should make an appointment with their physician. "HIPAA allows us to mail the sheet to someone within 24 hours, and that meets our requirements," says Lynch.

Follow-up with patients through the nurse triage line is more difficult. The nurses now must select details they gleaned from their first conversation and work that into the conversation during a follow-up call to make sure they are talking to the right person before discussing medical issues, he says.

The institution considered creating a form that patients would sign when attending any sort of group therapy session whether for mental health or chronic disease to indicate that they understood that others in the group would have access to their medical information during discussion. "We found out that under the HIPAA rules, their very presence indicates that they agree and consent to be there," says Lynch.

Some patients like to receive e-mail messages concerning medical matters yet the Internet is not a secure method of communicating confidential information, says Bergstrom. As a result, patients will be given a consent form before e-mail is used as a form of communication.

While committees at health care institutions have devoted a lot of time to creating a document that patients will understand, the notice of privacy practices only is a small part of the HIPAA regulations. The task force at University of Missouri Health Care has been in place for three years. During that time, it has created 18 new policies, amended 40 policies, and designed staff training.

"There is a whole range of issues we have had to deal with, and the notice of privacy practices has been one of the easier issues," says Lynch.


For more information about creating and distributing the notice of privacy practices document, contact:

• Lois Bergstrom, MBA, RHIA, Fairview Privacy Director, Fairview-University Medical Center, 2450 Riverside Ave., MB533, Minneapolis, MN 55454. Telephone: (612) 672-5647. E-mail:

• Cezanne Garcia, MPH, CHES, Manager, Patient and Family Education Services, University of Washington Medical Center, 1959 Pacific St. N.E., Box 358126, Seattle, WA 98195. Telephone: (206) 598-8424. E-mail:

• Mike Lynch, MPA, Director of Corporate Compliance, University of Missouri Health Care, Columbia, MO. E-mail: