Providers customize form for giving notice of rights

Length varies, depending on wording

Notifying patients of their privacy rights under the Health Insurance Portability and Accountability Act (HIPAA) is one of the tasks that fall most squarely onto the shoulders of access managers.

The final HIPAA privacy rule allows hospitals to forego the original written consent requirement for patient information disclosure, but in turn specifies that staff must obtain signatures indicating that patients have received notice of their privacy rights.

Privacy notices being developed by providers she’s familiar with range anywhere from two to 12 pages, says Mary Staley, MBA, PT, vice president of HIPAA operations for the Houston-based consulting firm Healthlink Inc. "That just depends on how the lawyers have worded it, and that’s not to say they won’t be revised again to be five pages."

Touro Infirmary has managed to include the necessary information in a one-page, front-and-back form, notes Wade Wootan, JD, the facility’s risk manager, but it’s written in 10-point font. "Normal font, normal print, it would be seven to eight pages."

A variety of templates for the privacy notice can simply be found by typing the words "HIPAA privacy notice" into an Internet search engine, adds Liz Kehrer, CHAM, system administrator for patient access at Centegra Health System in McHenry, IL.

A quick glance at the web, for example, yielded an eight-page privacy notice for Jackson Health System in Miami. The notice could be read in English, Spanish, or Creole, and contained such headings as "Who Will Follow This Notice," "Our Pledge Regarding Medical Information," "How We May Use and Disclose Medical Information About You," "Special Situations," and "Your Rights Regarding Medical Information About You."

"You can customize [the form], but various components have to be included," Kehrer says. "There are two choices. You can give out the form every time the person registers, or you can have a mechanism to identify when one has been issued."

Keep from overwhelming patients

If any of the information on the form changes between patient visits, she points out, another notice would have to be issued and another signature obtained. One of the requirements, for example, is that the notice must include the name and telephone number of the person at the hospital who can be contacted if the patient feels his or her rights have been violated, Kehrer adds. That means that a staffing change would make the form obsolete.

"[Providers] are only required to give the notice the first time they contact the patient post-April 14, and then when the form is changed," explains Staley. "Most [providers] say they can’t monitor that every time, so whenever possible, they’ll document receipt of that notice."

Many organizations, she adds, simply are adding the privacy rights notice to the "sign here, sign there" ritual in which patients already participate.

Ohio State University Medical Center is working to find a way to keep from overwhelming patients with multiple privacy notices, says Shannon Haager, assistant director of patient access services. "As a health system that is closely integrated with private physician offices, we are trying to figure out if there’s a way to simplify the process so the patient is not getting the notice at the physician’s office and the hospital."

In some instances, she notes, a patient might see the physician, and then walk next door to a hospital lab. "Are there ways to streamline the process so the patients doesn’t receive [a privacy notice] everywhere they walk in the door?"

The question being looked at, Haager says, is how to "put some flags in the system so we know if the patient has just been given the notice next door. How do we do the customer-friendly thing?"

With most customer handouts, she adds, "we find about 25% [of the material] left behind in the lobby."