5 ways to comply with HIPAA oral privacy regs

When an orthopedic resident was paged repeatedly to assess a patient with an open fracture of the forearm, he failed to respond. The resident was paged multiple times and took more than an hour to get to the ED. When he finally arrived, instead of apologizing for his delay, he began to loudly explain to the patient and his family that he was unaware of the urgency of the situation, recalls Peter Alan Bell, DO, FACOEP, FACEP, professor of emergency medicine at Ohio University College of Osteopathic Medicine in Columbus. "In a loud and clear voice, he criticized the staff’s treatment and questioned their competency," Bell says.

Furthermore, the resident loudly discussed the extent of the injury, treatment, and potential complications, he adds. "His residency program director and I discussed this," he says. "Needless to say, his behavior was not condoned, and he received counseling." This is a potential violation of the Health Insurance Portability and Accountability Act’s (HIPAA’s) oral privacy requirements, which go into effect April 14, 2003. (To obtain the regulations, see "Resources" at the end of this article.) Penalties are severe, with civil penalties of up to $25,000 for each requirement violated, and criminal penalties of up to $50,000 and one year in prison for obtaining or disclosing protected health information.1,2

Consider another example of a potential HIPAA violation: When a thoracic-vascular surgeon suspected an aortic aneurism in an 89-year-old man, he discussed the plan of care, the risks, and the probability of success in full earshot of other patients. "He was loud enough for patients at a half dozen beds to hear, plus the staff at the adjacent nursing station," Bell says. When asked why he was speaking so loud, he replied that this was a risky operation and he wanted witnesses. "I suggested he lower his voice," he says. The patient and his three children all had good hearing, he says. "The nurse would serve as his witness on the surgical consent form, and he could list the risks on the form for the patient to sign," Bell says. "If he was really concerned, he should ask the children to sign as well."

Don’t ignore oral privacy

You may wrongly believe that it’s impossible to give patients oral privacy in the hectic ED environment, says David Sykes, PhD, vice president and lead consultant for HIPAA compliance for Acentech, a Cambridge, MA-based consulting firm specializing in noise control. "ED managers often assume that it’s too expensive a problem to solve, and therefore, they ignore it," Sykes says. That’s a mistake, he says. "It’s in the patient’s best interest and your best interest to fix this," Sykes says.

Here are effective ways to comply with HIPAA requirements for oral privacy:

1. Encourage staff to be discreet.

Bell says, "I believe that we all could do a better job lowering our voices or stepping away from the bedside or main flow of people to discuss cases."

2. Consider simple design changes.

Remodeling the ED is not a HIPAA requirement, Bell stresses. "However, it certainly seems prudent that we take into consideration simple changes that would enhance confidentiality," he says. Bell gives these examples to improve oral privacy:

  • using cubicles or screens in open areas;
  • doing triage in a room adjacent to the waiting area;
  • using physician dictation cubicles to replace open desk areas that allow dictations to be overheard;
  • placing clear plastic screens by nursing stations and desks.

3. Limit access of visitors.

Visitors pose the greatest risk of breach of confidentiality, but limiting access is not that difficult, Bell says. "Locked EDs are now the standard," he adds. "Defining how many visitors are allowed per patient and use of a visitors badge system can control flow." Security personnel can help by ensuring that a visitor’s badge matches the patient they are visiting, and if not, asking visitors to leave, Bell points out.

4. Ask staff to put themselves in the patient’s shoes.

It helps to remind staff to consider the issue of privacy from the ED patient’s perspective, he says. "Patients put on a gown, lay down on a gurney, and subject themselves to a full work-up/evaluation," he says. "Add inadequate pain control, and the picture is almost complete." Consider the embarrassment of having the details of whatever brought you to the ED broadcast to others, he says. "It’s not a pleasant feeling," Bell says.

5. Use sound-blocking tools to mask noise.

The following are effective and inexpensive solutions to block conversation in the ED waiting room, treatment areas, and hallways, says Sykes. (To obtain information about these tools and products, he recommends accessing www.google.com and doing a search using key words "HIPAA sound masking.")

  • Use portable "white noise" machines. "You can buy very useful, HIPAA-compliant sound-masking devices for as little as $100 that will take care of a waiting room, and they can simply be plugged into a wall," says Sykes. (See "Resources" at the end of this article for a list of manufacturers.)
  • Switch to ceiling tiles with a higher noise-reduction rating.
  • Use sound-absorbent curtains or cubicle panels between beds. (For more information, see "Resources.")

If you put a panel between two beds, you can prevent a patient from hearing a doctor talk to another patient in the next bed, Sykes says.


1. 45 CFR §160.306 and §160.312 (2000) for Civil Enforcement.

2. 42 USC 1320d-6 (HIPAA Sec. 1177) for Criminal Enforcement.


For more information about compliance with oral privacy regulations, contact:

• Peter Alan Bell, DO, FACOEP, FACEP, Professor of Emergency Medicine, Ohio University College of Osteopathic Medicine, 1087 Dennison Ave., Columbus OH 43201. Telephone: (614) 297-4207. Fax: (614) 298-2638. E-mail: bell@exchange.oucom.ohiou.edu.

• David Sykes, PhD, Vice President, Acentech, 33 Moulton St., Cambridge, MA 02138. Telephone: (617) 868-8866. Fax: (617) 499-8074. E-mail: david.sykes@remington-group.com.

A guidance document for compliance with HIPAA’s Medcal Privacy — National Standards to Protect the Privacy of Personal Health Information regulations is available, titled Office of Civil Rights Guidance Explaining Significant Aspects of the Privacy Rule — Dec. 4, 2002. The document can be accessed free at www.hhs.gov/ocr/hipaa/privacy.html. The final rule was published in the Feb. 20, 2003, Federal Register, and can be downloaded at no charge at www.cms.hhs.gov. Click on "HIPAA," "HIPAA Administrative Simplification," and scroll down to "HIPAA Security Standards Final Rule Published."

The Sonet Acoustic Privacy System includes a sound generator and two sound-masking emitters that can be placed on the wall, desk, or ceiling. Each sound generator can be expanded to cover a wide range of office and waiting room sizes. A variety of units ranging in cost from $144.95 to $999.95 can be ordered at http://store.yahoo.com/earplugstore. Click on "HIPAA Products and Information," "Sonic Acoustic Privacy System."

The Oasis System is a miniature, ceiling-mounted acoustical privacy system for health care facilities. The Oasis Master Control unit costs $375 each. For more information, contact Ergonomic Resources, 412 Long Cove Court, Allen, TX 75002. Telephone: (877) 474-3746 or (972) 678-2190. Fax: (972) 678-2192. E-mail: sales@ ergo-2000.com. Additional information about sound masking products compliant with privacy regulations is available on the company’s web site (www.ergo-2000.com). Click on "White Noise/Soundmasking."

Noise-reducing and sound-masking ceiling systems are available from Armstrong World Industries. A selection can be viewed on the company’s web site (www.armstrong.com.) Click on "Commercial Ceilings," and under "Browse ceilings by . . . " click on "Performance Attribute," "Acoustics." For more information, contact Armstrong World Industries, Attention: BPO Customer Service Center, P.O. Box 3210, Lancaster, PA 17604. Telephone: (877) 276-7876.

Sound Curtains are sound-absorbent barriers that can be installed with ceiling- or floor-mounted hardware. For more information, contact: Unger Technologies, 15370 Herriman Blvd., Noblesville, IN 46060. Telephone: (888) 213-4711. Fax: (317) 774-1911. E-mail: info@eNoiseControl.com. Web: www.enoisecontrol.com.

A variety of sound control curtains, ceilings, and wall panels are available from Acoustical Surfaces, including portable enclosures and screens. For more information, contact: Acoustical Surfaces, 123 Columbia Court N., Suite 201, Chaska, MN 55318. Telephone: (952) 448-5300. Fax: (952) 448-2613. E-mail: sales@acousticalsurfaces.com. Web: www.acousticalsurfaces.com.