Communicating to Patients about HIPAA Privacy:
Have We Achieved Compliance or Complacency?
by Randa Upham, Consulting Editor, and D’Arcy Gue, Executive Vice President, Phoenix Health Systems
Why do we have HIPAA privacy? Certainly not because the industry wants to add more red tape to its already overburdened administrative healthcare processes. HIPAA is about ensuring that we protect patient rights as we increase our ability to share healthcare information. As we have implemented the HIPAA privacy requirements into our healthcare environments, the response by our workers has been varied. How well are our staff members complying with the privacy regulations? Can our covered entities call themselves “compliant”? And, in our quest for compliance, are we meeting the needs of our patients in this new HIPAA environment?
Attitude of Healthcare Practitioners & Workers About HIPAA
Although most healthcare practitioners have long been aware of the concept of patient confidentiality and have recently been provided focused HIPAA privacy training, many of those working within care settings seem less than knowledgeable about (or committed to) the overall concept of helping patients understand their rights relative to protected health information (PHI). Anecdotal tales abound of the inconsistent, and sometimes bizarre, manner in which healthcare professionals display their understanding of the HIPAA privacy regulations.
It is not uncommon to hear doctors, nurses, and other practitioners use the phrase “all this HIPAA stuff” or “HIPAA nonsense.” For most, this does not reflect lack of respect for patients’ right to privacy but, rather, aggravation over the administrative processes that have been implemented to prove an organization’s compliance to the privacy regulations. One physician commented recently to us that “HIPAA is just more evidence that those bigwigs inside the Beltway have no clue about delivering healthcare.”
Most clinicians truly do understand and respect patients' rights regarding their health information; however, some question whether the HIPAA privacy regulations are a positive addition to the industry. Many physicians, nurses, and other practitioners consider the privacy mandates to be cumbersome and intrusive to the process of providing healthcare. Strictly speaking, HIPAA Privacy regulations do not apply to providing treatment (or payment and healthcare operations), but rather to protecting the electronic transmission of PHI, and sound confidentiality practices have been in place for a long time. Therefore, the lack of support for the new regulations from clinicians appears to be related to beliefs that HIPAA privacy has created additional (and unnecessary) administrative burdens that create annoyance and, sometimes, dangerous situations. Although clinicians may grumble with frustration over unnecessary measures to be followed in the name of HIPAA, it is the horror stories that clinicians will cite as reasons they lack respect for the legislation.
HIPAA message boards continue to identify news stories and anecdotes that report healthcare workers “blaming” HIPAA for their inability to provide certain information to patients. As an example, consider this recent story (http://seattletimes.nwsource.com/html/localnews/2001891032_hunt30m.html) where a man was told for 29 hours by hospital officials that it was because of HIPAA they could not give him any information about his mother’s emergency admission. In many similar incidents, staff members are not responding to patients in accordance with the privacy regulations. Let’s consider some routine interactions between patients and healthcare workers to examine whether there currently exists a true spirit of compliance with the intent of HIPAA Privacy or, instead, an atmosphere of complacency.
Notice of Privacy Practices
The HIPAA Privacy Rule intends for covered entities to inform patients of their rights relative to PHI. Providing a Notice of Privacy Practices (NPP) to explain how an organization handles a patient’s health information was a simple enough concept. It originally created much consternation for healthcare organizations but most will now report that their processes are in place and their patients have been informed of the organization’s practices for handling medical records and other health information.
But, let’s consider the NPP process from the patient perspective. Was the patient informed of their physician’s privacy practices? Did the patient realize what he was signing when asked to indicate that he had been provided the NPP? Does the patient now understand his rights under HIPAA relative to his protected health information (PHI)?
Industry literature contains many accounts of haphazard handling of the process for providing notification of privacy practices to patients. Stories abound relating how patients are given little or no information about what the NPP is intended to do. Anecdotal vignettes on listserves (including HIPAAlive) provide tales of patients being told to “just sign the form” with no further information about privacy given.
To further examine the current reality of patients’ experiences receiving NPPs, we conducted an informal straw poll about the “notification process.” Twenty (20) adults from various geographic regions around the country were interviewed and asked several questions about how they were informed of their practitioners’ privacy practices. Survey participants were asked:
- Have you heard about HIPAA? What is it about?
Only about half of the respondents indicated that they had heard of the word “HIPAA,” but most then stated they weren’t really fully aware of its meaning. A few individuals who had “heard of HIPAA” thought it was “about privacy,” but the remainder of participants indicated they “weren’t sure” or that it was “about giving my records to my insurance company.”
- Has your physician/dentist/other practitioner informed you of their privacy practices relative to your personal health information?
Most answered “no” to this question but several commented that they thought the receptionist had them “sign something about privacy”. Almost every respondent indicated that there was a focus on signing the form, not explaining anything about privacy. Several individuals said that they had been told “you need to sign this HIPAA thing”, while a handful of the respondents said that they thought the receptionist said the paper was about HIPAA and that their insurance company needed the signature.
One of the discouraging aspects of hearing about patients’ experiences with receiving the NPP is the general confusion over what they were signing – most indicated they felt it was just “another one of those medical forms.” Few respondents actually had the form explained to them or engaged in any discussion about the organization’s privacy practices. Discussions with the survey participants (and many other patients) indicate that office personnel tend to be rather blasé about the NPP, offering little information. The information that is offered to the patient is often misleading – patients are told they need to sign “for HIPAA” or “for insurance.”
- Did your (MD/dentist/other practitioner) provide you with a paper or document when they asked you to sign the document about being notified about privacy?
When asked if they had received (or been offered) any documentation on their doctor’s privacy practices, most of the participants were not sure. At least half of the respondents did not think there was any such “notice” (except for the form they were asked to sign). Many of the participants had to be asked specifically if they had signed any forms about the use of their medical records in order for them to recall whether they had signed forms or been informed about their privacy rights.
Some of the survey participants indicated they believed they had been given a paper to read about privacy but did not really remember what it said nor if they had saved the paper for their records. Interestingly, many of those individuals asked about being provided a Notice of Privacy Practices commented that they think they received "something like that" but indicated they had not really read it since it was "confusing," "too long" or "just another one of those insurance forms."
The notion that the NPPs were confusing to our survey respondents comes as no surprise. In his article "Readability of HIPAA Privacy Notices" (http://www.benefitslink.com/articles/hipaareadability.pdf), Michael Hockhauser, Readability Consultant, suggests that communication problems over the NPP may have less to do with a failure to use “plain language” and more to do with the amount of information. Citing “information overload,” Mr. Hockhauser indicates that because there are so many details in the privacy regulations, many organizations have created lengthy documents to ensure they cover all aspects of their privacy practices. These comprehensive NPPs often end up overwhelming the patients, who then don’t bother reading the notices. We agree with Mr. Hockhauser’s recommendation to use the “layered approach,” where patients are provided a one-page, simple, bulleted list of key information about how the organization handles PHI.
HIPAA does allow an abbreviated version of the NPP that indicates a comprehensive explanation of the privacy practices is available upon request. Although there is much support for the layered approach within the industry, it appears many organizations have created complicated, wordy notices that are not understood by their patients. Adding insult to injury, many of the office workers assigned responsibility for providing the NPP to patients simply do not understand the NPP and avoid explaining office privacy practices by stating "we need to have you sign this for HIPAA" or "you need to sign that you received this privacy thing." As long as the office worker obtains the sought-after signature, the complacent manner in which the NPP is provided appears to be acceptable.
Patients’ Understanding of Their Rights Re: PHI
Of particular note on the straw poll is that the handful of the participants who clearly recognized they had been notified about privacy understood ONLY that their information could not be released to other parties without their permission. Almost all of the participants were confused over the question:
- Do you understand all of the rights that you have with respect to your personal health information?
When it was explained that they had privacy rights beyond “release of their records”, all respondents stated that no other information (such as use of PHI in marketing or their right to amend their health records) had been discussed with them. It is understandable that patients would not have learned about all aspects of their rights if the NPP provided to them was so lengthy that they did not read it and if no one in the practitioner’s office described their actual privacy rights. Indeed, it appears that the energy dedicated to notifying patients about privacy practices is often devoted to getting a signature from patients as opposed to informing them about their rights concerning their PHI.
Public Display of NPP
In our straw poll, we also asked participants whether the NPP was posted in the offices of their practitioners. The responses to the next question were universally identical:
- Have you seen a document posted in your (MD/dentist/practitioner’s) office that describes its privacy practices or informs you of your rights regarding your health information?
When asked this question, not one of the respondents could recall seeing such a notice displayed in their practitioner’s office. Several said that they were probably more focused on all the forms they had to sign instead of reading anything on the office walls.
HIPAA does not require that patients be made aware of posted NPPs. The intent of the regulation is that public notice of the NPP is given. Obviously, for the group of survey respondents, any NPPs that were posted in their practitioners’ offices did not catch their attention.
PHI Disclosure
Another important area of HIPAA privacy is disclosure of PHI. When asked about their understanding of how their physicians/practitioners could release information from their medical charts to other parties, a universal belief existed among the respondents that information from their charts could ONLY be released with their written permission. This group of patients had NO awareness that there were exceptions to the notion of "only with my written permission." Most indicated that they had not been informed at all about such a possibility. It should be noted that ALL of the respondents commented that they had signed forms allowing their records to be accessed by their insurance companies (about a third of them confused this authorization with the NPP process).
Two individuals did indicate that they had signed a form giving consent for their family members to have information about their care, but the other respondents stated there had been no discussion of sharing information with their families.
Communication With Family Members
One area in the HIPAA literature that always draws attention is that of communicating with family members about a patient’s condition. The press provides us with amusing (and sometimes worrisome) tales of how patients’ families have had difficulties obtaining information about them due to misinterpretations of the HIPAA regulations. In January of this year, the Washington Post published one such “horror story” (http://www.washingtonpost.com/wp-dyn/articles/A30267-2004Jan19.html) that exemplifies how bizarre the handling of communications with patients and families can become.
As reported in this very disturbing story, a man’s family was not informed that he had died as a result of a hit and run accident that occurred two minutes away from his home, even though he carried identification. The family thought he was missing for two weeks and only learned of his death when his wife received a bill for $17,000 from the hospital. There were questions raised about the current address of the man since it was not listed on his identification but somehow the hospital was able to forward a bill for services to the right address. When asked why they had not notified the family, hospital authorities cited federal confidentiality regulations as preventing them from doing so.
Tales of HIPAA-noia (as one of our HIPAAlive readers so eloquently phrased it recently), such as the one above, indicate the lack of privacy knowledge existing in the industry. More than a year after the privacy compliance date and in spite of much focused energy on privacy training, some health professionals and administrators appear to lack true understanding of the basic requirements.
Position statements made by the Health Privacy Project (http://www.healthprivacy.org/usr_doc/HPP's_1st_Annual_HIPAA_Privacy_Check-Up.doc) maintain that the current administration "failed to provide effective technical assistance to healthcare providers and health plans" and that it "continues to fail to educate healthcare consumers about their rights and healthcare providers about their responsibilities." The criticism, levied this April, further points out that "Despite over 5,000 consumer complaints filed, not one civil penalty has been imposed by HHS. And, dozens of criminal complaints have been referred to DOJ, with no known penalties imposed."
Why do we hear such criticisms? Some complain that the current government is to blame while others point to the responsibility of individual healthcare organizations to ensure that employees have the information they need to comply with HIPAA, indicating there are abundant resources available to obtain current and valid information about these requirements.
Get the Facts!
The cry is often heard from healthcare workers that HIPAA privacy is confusing. In fairness to those who find the privacy regulations overwhelming, it is granted that the regulations are wordy and very extensive. Acknowledging that the privacy legislation is a "hefty set of documentation" does not, however, condone a lack of commitment to ensure we make every effort to comply.
The federal government maintains a site for the Office for Civil Rights that is intended to serve as a reference guide for the healthcare industry (http://www.os.dhhs.gov/ocr/hipaa/), which offers FAQs, educational materials, fact sheets, and links to other HIPAA sites. Just last month, this site featured an article describing how to use the OCR resources to debunk common HIPAA myths and announced a new listserve that will keep its membership informed of new updates to the site. There are also many resources sponsored by private associations and commercial agencies available to healthcare organizations and their workers to get the information needed to ensure each of us is protecting the privacy rights of patients.
Organizations should advise their workforces about those resources (including internal information and Internet websites) that they specifically recommend for knowledge and clarification of the privacy requirements. In today’s environment of information sharing, there is no excuse for complacency relative to obtaining correct information about privacy for healthcare information.
Moving Forward
It was always understood that HIPAA privacy would transition from an implementation focus to becoming part of the overall organizational culture. Like its predecessor, confidentiality, privacy would be thought of as an essential element of patient rights. It appears that objective has yet to be met – why?
- In its energy to "meet the privacy deadline," "get the NPP distributed" and "provide privacy training," did the industry neglect to ensure that its workers really understand privacy as it relates to their job responsibilities?
- Many healthcare workers will comment that they "know all about HIPAA," but why do some then proceed to perform their roles in ways inconsistent with the Privacy Rule?
- Why do we have so many intriguing HIPAA horror tales if healthcare workers are following the guidelines (and also using common sense)?
A concern is that the current level of compliance for HIPAA privacy within the industry is merely that of complacency. Most healthcare professionals and workers would not deliberately violate their patients’ rights relative to privacy. If violations are occurring within an organization, steps should be taken not only to remediate the particular situation but to ensure that all staff members understand such violations are not to be tolerated. As organizations conduct risk management activities, they must consider whether the level of adherence to the privacy requirements is truly where they want it to be and what they should do to improve it if it is not.
If the assertions made by the Health Privacy Project noted above are to be believed, the industry has failed in its attempt to establish a universal understanding of our responsibility to patient privacy. If the informal straw poll conducted as part of this article is any indication of the current reality, most patients are not aware of the actual privacy rights that HIPAA affords them. If the tales of HIPAA neglect circulating throughout the literature are to be believed and our healthcare workers do have only minimal understanding of HIPAA Privacy, then this observed level of complacency threatens to become the culture of our industry – which is far removed from the true intent of the HIPAA Privacy Rule.
Although the healthcare industry has spent extensive time and money implementing the privacy regulations, the general population of patients is confused about their actual rights and many (or at least some) healthcare workers see HIPAA privacy compliance as frivolous and have varying degrees of compliance. However, we must point out that the awareness of the issue of privacy for both patients and healthcare workers HAS been raised and considerable implementation efforts have occurred to set the stage for true integration of compliant privacy practices into our healthcare environments. We now have the opportunity to better educate our workforce members to help them communicate more effectively with patients to prevent complacency toward privacy rights being the acceptable mode of operation.
Randa Upham, Phoenix Health Systems' consulting editor, has nearly 25 years' experience in the Healthcare and Information Services industries with an extensive background in knowledge services, product development, clinical services, organizational management, software design, and educational planning. This article was co-authored by D'Arcy Guerin Gue, Executive Vice President, Knowledge Services and Business Development, Phoenix Health Systems.