Notifying Patients about HIPAA Compliance

Section 1. Required Components of the Privacy Notice

Once all internal mechanisms are in place, the privacy policy should be finalized and a document drafted to educate patients on the policy changes and how they will be carried out by the covered entity on their behalf. This document is separate from the HIPAA authorization form that the patient will sign at the time of service, and serves as a notice of the company's overall policy on patient privacy.

The patient notification of the covered entity's privacy policy must be easy for the patient to comprehend, and must contain the following elements:

  • The covered entity must state in the patient notification that it is obligated by law to protect the privacy of the patient and limit disclosures of protected health information.
  • It must state that the covered entity is required to provide notice of its privacy practices, and that it is legally obligated to protect the patient's privacy as outlined in that notice.
  • The notification should detail the manner in which the patient's protected health information will be used or transmitted by the covered entity.
  • The policy must list the patient's rights under the privacy policy, including access to their records, amendments, and the right to file a complaint with the U.S. Department of Health and Human Services in the case of a privacy breach.
  • The notice must list the name and contact information of the individual responsible for fielding and resolving privacy complaints received by the covered entity.

Section 2. Notice of Privacy Practices Distribution

It is the responsibility of the covered entity to ensure that the privacy practices notice has been disseminated to all patients. Also, it is required that the covered entity provide a copy of its privacy practices to any party upon request.

Health care professionals with a "direct treatment relationship" to the patient, such as a doctor or psychologist, were required to have disseminated their privacy practice notification to patients by April 14, 2003.

To ensure that reasonable efforts are taken to broadcast the notice, the following guidelines should be met:

  • Patients who are seen in person should be given a copy of the notice at the first service encounter.
  • An automatic Web- or email-based copy of the notice should be furnished to those receiving electronic services from a covered entity.
  • For services delivered by phone, a copy of the notice should be mailed to the patient immediately after the phone encounter.
  • A copy of the privacy notice must be housed on any informational websites, or online treatment portals operated by the covered entity.
  • The notice of privacy policy should be posted in each facility and area in which patients are served, allowing ample opportunity to read and understand the policy.
  • In the case of an emergency, it is not practical to have the patient read the privacy notice before treatment. In this case, the patient should be provided with a copy of the privacy notice as soon as is realistic after treatment.

Joint Notice of Privacy Practices

Many health care providers operate within a medical group, or other organized health care facility, in which there are multiple practitioners. In this instance, the group can develop and distribute a joint privacy practice notice and be in compliance with the notification rules.

When issuing a joint notice, each practitioner is obligated to adhere to the policies outlined within, and to take responsibility for the protection of protected health information, as outlined in the joint privacy practices notification.

Health Plan Privacy Practices Notification

Health plans are also responsible for disseminating a privacy practices notice to members, detailing how they intend to use and safeguard their protected health information. Each plan has a specific compliance date and all members must be notified of the policy by that time.

When providing notice of its privacy practices, a health plan must ensure that:

  • All new plan participants receive a copy of the privacy practices notice upon enrolling in the health plan.
  • A reminder is sent to current plan participants every three years that the privacy policy is available for review upon request.
  • The notice is addressed to the insured individual by name; this also constitutes notice to any dependents listed with the health plan, such as a spouse or children.

Written Acknowledgment of Receipt From the Patient

In order to ensure receipt and review of the privacy practices notification, the covered entity should undertake efforts to secure written acknowledgment from the patient that they have read and understood the notice. This also serves as documentation of notification in the case of a patient complaint or audit by the U.S. Department of Health and Human Services.

The notice acknowledgment form is developed by the covered entity and contains language that affirms the patient's review and understanding of the information listed in the notice. If, for some reason, the covered entity is unable to secure acknowledgment from the patient, it must thoroughly document the steps taken to notify the patient and the reason the written acknowledgment of receipt could not be obtained. It is not required to obtain a written acknowledgment from patients who are being treated on an emergency basis, as the circumstances usually do not allow it.

Food for Thought

Do you think the efforts outlined to disseminate the privacy notices are sufficient?

Do you think most patients fully understand the rights the privacy policy grants them?

Drafting the HIPAA legislation, including the privacy policy, was a massive undertaking. Almost as weighty was the responsibility to ensure that all Americans receiving medical care were aware of the change in policy. However, by enforcing patient education as part of the law, it is more likely that health care providers will uphold its tenets.