Proper Methods of Informing Patients of HIPAA Compliance

This article will cover the responsibility of the covered entity to provide the patient with a copy of their privacy policy, which outlines their adherence to HIPAA guidelines. We will discuss the specific components to be included, as well as the means of dissemination.

Section 1. Required Components of the Privacy Notice

We have covered in great detail the internal changes and documentation that are required to comply with HIPAA. Once all internal mechanisms are in place, the privacy policy should be finalized and a document drafted to educate patients on the policy changes and how the covered entity will carry them out on their behalf. This document is separate from the HIPAA authorization form that the patient signs at the time of service, and serves as notice of the organization's overall policy on patient privacy.

The patient notification of the covered entity's privacy policy must be easy for the patient to comprehend, and must contain the following elements:

  • The covered entity must state in the patient notification that it is obligated by law to protect the privacy of the patient and limit disclosures of protected health information.
  • It must state that the covered entity is required to provide notice of its privacy practices, and that it is legally obligated to protect the patient's privacy as outlined therein.
  • The notification should detail the manner in which the patient's protected health information will be used or transmitted by the covered entity.
  • The policy must list the patient's rights under the privacy policy, including access to their records, amendments, and the right to file a complaint with the U.S. Department of Health and Human Services in the case of a privacy breach.
  • The notice must list the name and contact information of the individual responsible for fielding and resolving privacy complaints received by the covered entity.

Section 2. Notice of Privacy Practices Distribution

It is the responsibility of the covered entity to ensure that the privacy practices notice has been disseminated to all patients. The covered entity is also required to provide a copy of its privacy practices to any party upon request.

Health care professionals with a "direct treatment relationship" to the patient, such as a doctor or psychologist, were required to have disseminated their privacy practice notification to patients by April 14, 2003.

To ensure that reasonable efforts are taken to broadcast the notice, the following guidelines should be met:

  • Patients who are seen in person should be given a copy of the notice at the first service encounter.
  • An automatic Web- or email-based copy of the notice should be furnished to those receiving electronic services from a covered entity.
  • For services delivered by phone, a copy of the notice should be mailed to the patient immediately after the phone encounter.
  • A copy of the privacy notice must be housed on any informational websites or online treatment portals operated by the covered entity.
  • The notice of privacy practices should be posted in each facility and area in which patients are served, allowing ample opportunity to read and understand the policy.
  • In the case of an emergency, it is not practical to have the patient read the privacy notice before treatment. In this case, the patient should be provided with a copy of the privacy notice as soon as is realistic after treatment.

Joint Notice of Privacy Practices

Many health care providers operate within a medical group, or other organized health care facility, in which there are multiple practitioners. In this instance, the group can develop and distribute a joint privacy practice notice and be in compliance with the notification rules.

When issuing a joint notice, each practitioner is obligated to adhere to the policies outlined within, and to take responsibility for the protection of protected health information, as outlined in the joint privacy practices notification.

Health Plan Privacy Practices Notification

Health plans are also responsible for disseminating a privacy practices notice to members, detailing how they intend to use and safeguard their protected health information. Each plan has a specific compliance date and all members must be notified of the policy by that time.

When providing notice of its privacy practices, a health plan must ensure that:

  • All new plan participants receive a copy of the privacy practices notice upon enrolling in the health plan.
  • A reminder is sent to current plan participants every three years stating that the privacy policy is available for review upon request.
  • The notice is addressed to the insured individual by name, which constitutes notice to any dependents listed with the health plan, such as a spouse or children.

Written Acknowledgment of Receipt From the Patient

In order to ensure receipt and review of the privacy practices notification, the covered entity should undertake efforts to secure written acknowledgment from the patient that they have read and understood the notice. This also serves as documentation of notification in the case of a patient complaint or audit by the U.S. Department of Health and Human Services.

The notice acknowledgment form is developed by the covered entity and contains language affirming that the patient has reviewed and understood the information in the notice. If, for some reason, the covered entity is unable to secure acknowledgment from the patient, it must thoroughly document the steps taken to notify the patient and the reason written acknowledgment of receipt of the privacy notice could not be obtained. A written acknowledgment is not required from patients treated on an emergency basis, as the circumstances usually do not allow it.

Food for Thought

Do you think the efforts outlined to disseminate the privacy notices are sufficient?

Do you think most patients fully understand the rights the privacy policy endows to them?


Drafting the HIPAA legislation, including the privacy policy, was a massive undertaking. Almost as weighty was the responsibility to ensure that all Americans receiving medical care were aware of the change in policy. However, by enforcing patient education as part of the law, it is more likely that health care providers will uphold its tenets.

Patient Rights and Access to PHI

In this article, we will review patient rights, including the right to access and amend PHI found in their patient records, as well as the right to restrict disclosures and request an accounting of any disclosures made.

Section 1. Patient's Right to Access PHI

Under the privacy rule, the patient reserves the right to freely access their protected health information that is housed in the entity's designated record set. The "designated record set" is composed of the records maintained by the covered entity for decision-making, diagnosis, treatment or billing. In the case of a health plan, this would include information regarding enrollment, claim payment data and case management information.

At any time, a patient may request and review the information a covered entity holds on file, whether to verify its accuracy or to update their own records. Patients should not be restricted from requesting or obtaining their health records, and the patient should be given a clear process and instructions on how to do so.

There are a few cases in which the release of PHI to the patient is restricted, as detailed below:

  • Psychotherapy notes
  • Health information compiled for use in court
  • Laboratory results whose release is prohibited under the Clinical Laboratory Improvement Act (CLIA)
  • Data compiled by some research studies
  • Situations in which the health care provider believes the patient may use the information to harm themselves or another. The patient may, however, have that decision reviewed by another licensed medical professional for a second opinion.

Patients should make requests for access to PHI in writing, or complete a form provided by the facility. The establishment is allowed to charge a reasonable fee to cover the administrative costs of sending the records, such as copies and postage.

Section 2. Amendments to PHI

There are instances where a patient's medical record may be incomplete or contain incorrect information. If the patient wants to dispute information in their record, or petition to have information included, the privacy rule provides for that.

The covered entity must outline a process in which the patient is able to request an amendment to their personal health information. This may include making the request in writing, filling out a specific form, etc. Also, it is customary to request documentation to support the request for amendment of the record.

Timely Notification

The covered entity must review the request for amendment and supporting documentation in a timely manner and notify the patient of the determination. Notice must be sent to the patient within 60 days, advising them of the outcome of the amendment request, which will usually be one of the following:

  • Approval of the amendment request, in which case the covered entity is required to update the record. Also, the covered entity should disseminate the updated information to any health care providers or individuals who are involved in the care or oversight of the patient, and for which the updated information may affect that care. The patient should supply the contact information for any such persons.

The covered entity should also identify any business associates to which they have supplied the data, which is now to be amended, and have their records updated, especially if they are relying on this information to complete their job functions.

  • Denial of the amendment request must be delivered to the patient in writing, outlining the reasons for denial. The patient must also be informed that they can submit a written statement disagreeing with the denial and stating the reasons why.

Also, if denied, the patient may ask that the covered entity send a copy of the amendment request and subsequent denial with any future disclosures, so that the new health care professional knows that they disagree with the contents of their patient record. The patient is also allowed to submit a letter of disagreement with the determination, which becomes a part of their patient record. The covered entity may or may not draft a rebuttal to the letter of disagreement.

  • Delay of the determination due to internal processes, requests for additional information, etc. If the determination will extend past the 60-day time frame, the covered entity is allowed a one-time 30-day extension. However, the patient must be notified of this in writing within the original 60-day time frame, and the covered entity must state the reasons for the delay and the time frame in which a determination is expected.

A covered entity is within their rights to deny an amendment request in the following circumstances:

  • The medical record was not created by the covered entity. However, if the patient can prove that the originator of the record is unavailable or unable to amend the record, the petitioned covered entity may elect to amend it.
  • The information that the amendment refers to does not exist in the patient's file.
  • The information is not open to inspection under the access provisions of the privacy rule.
  • The record in question is accurate and complete as it is.

In the case of denial, the covered entity must still include in the patient record the original request for amendment, their denial and the statement of disagreement, if one is submitted by the patient.

Right to Request an Accounting of Disclosures

A great deal of personal information is held by various entities, such as health care providers, employers, and government. A conscientious consumer or patient will want to check periodically to whom their personal records have been sent and for what reason.

The privacy rule allows patients to request an accounting of the parties to whom a covered entity has disclosed their protected health information. Patients were able to request records for up to six years, but the law has changed to require that only three years of data be provided. However, the covered entity can restrict the accounting to the date the privacy rule was implemented. A covered entity is not required to include disclosures associated with treatment, payment, and health care operations. Most other disclosures must be accounted for, with the exception of:

  • Disclosures to the individual, of his or her own protected health information
  • Disclosures made based on an authorization signed by the patient
  • Disclosures for the facility's internal directory, or other notification purposes
  • Disclosures made for the creation of a limited data set
  • Disclosures that are incidental to one for which there is an authorization on file
  • Disclosures made for the purposes of law enforcement, national security, and health oversight may be temporarily exempted from accounting. A date range of the exemption must be furnished to the covered entity by the applicable agency.
  • Disclosures that were made prior to the HIPAA compliance date (14 April 2003 for large entities, one year later for small ones).
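As an added illustration (not part of the article or any real system), the following sketch shows how a covered entity could build the accounting from its own disclosure log by applying the exemptions and three-year lookback listed above; the purpose tags, the Disclosure record and the (purpose, start, end) format for an agency's temporary exemption are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Disclosure purposes that, per the article, are left out of an accounting.
EXEMPT_PURPOSES = {
    "treatment", "payment", "operations",    # TPO
    "to_individual",                          # disclosed to the patient themselves
    "authorization",                          # made under a signed authorization
    "facility_directory", "notification",
    "limited_data_set", "incidental_to_authorization",
}
# Purposes an agency may ask to have temporarily left out of an accounting.
SUSPENDABLE_PURPOSES = {"law_enforcement", "national_security", "health_oversight"}
COMPLIANCE_DATE = date(2003, 4, 14)  # large-entity compliance date from the article
LOOKBACK_YEARS = 3                    # accounting period stated in the article

@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    purpose: str
    description: str

def accounting_of_disclosures(log, patient_id, as_of, suspensions=()):
    """Disclosures the patient is entitled to see, oldest first. `suspensions` holds
    (purpose, start, end) date ranges an agency supplied for a temporary exemption."""
    window_start = max(COMPLIANCE_DATE, as_of - timedelta(days=365 * LOOKBACK_YEARS))
    result = []
    for d in sorted(log, key=lambda d: d.disclosed_on):
        if d.patient_id != patient_id or not (window_start <= d.disclosed_on <= as_of):
            continue  # another patient, or outside the accounting period
        if d.purpose in EXEMPT_PURPOSES:
            continue  # TPO, to the patient, authorized, directory, limited data set ...
        if d.purpose in SUSPENDABLE_PURPOSES and any(
            p == d.purpose and start <= d.disclosed_on <= end for p, start, end in suspensions
        ):
            continue  # agency-requested temporary exemption covers this date
        result.append(d)
    return result

# Constructed sample log (not real data); the 2008 entry falls outside the lookback.
SAMPLE_LOG = [
    Disclosure("P-001", date(2008, 6, 1), "Registry", "public_health", "old report"),
    Disclosure("P-001", date(2011, 3, 2), "Dr. A", "treatment", "referral"),
    Disclosure("P-001", date(2011, 7, 1), "Registry", "public_health", "mandatory report"),
    Disclosure("P-001", date(2011, 9, 4), "Police", "law_enforcement", "subpoena"),
    Disclosure("P-002", date(2011, 9, 5), "Registry", "public_health", "other patient"),
    Disclosure("P-001", date(2012, 1, 8), "Patient", "to_individual", "record copy"),
]
```

Run against the sample log as of 1 March 2012, only the public-health report and the law-enforcement disclosure remain, and the latter drops out when a suspension range covers its date.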

Proposed updates to the privacy rule will allow the patient to also receive an accounting of access to their PHI. This means that each instance of access to the patient record by the covered entity, their business associates, or other parties, must be logged and can be requested by the patient. If implemented, this update will be rolled out in 2013.

Requests to Restrict Disclosures

A patient may elect to restrict disclosures of their personal health information to the bare minimum required to diagnose, treat, and receive payment. A patient is able to petition a covered entity to restrict use and disclosure of PHI to TPO (treatment, payment and health care operations) situations or to notifying immediate family in the case of changes in treatment, major illness, or death. The covered entity is not obligated to agree to the restrictions, but if it does, it is required to uphold them, with the exception of required emergency treatment.

Food for Thought

Have you ever needed to access your patient records?
Did you find the process seamless or cumbersome?

Do you think that the accounting of disclosures rule will limit the amount of information a covered entity shares with others?


The privacy rule was drafted with the understanding that patients have a right to access their own health information and should be able to do so freely. Also, patient records may not be completely accurate, and the policy allows patients to amend records they find to be in error. This empowers the patient and builds confidence in the accuracy and validity of their health data.