Prepared
for the Health Resources and Services Administration,
in consultation with the Office for Civil Rights,
and other offices and agencies within the U.S. Department
of Health & Human Services, Washington, D.C.,
and plain language specialists.
Section I - Principles for Writing HIPAA Notices of Privacy Practices in Plain English
Principles for Plain Language Privacy Notices
Introduction
You are writing a HIPAA Privacy Notice. Your dilemma is: It's a legal
document that must meet the intent and letter of the law, but it
also has to be in Plain Language.
If you use these Principles you will:
- be able to write it more quickly and easily,
- have fewer revisions and editions.
These Principles are intended as an aid to writers of Privacy Notices.
Following them does not necessarily guarantee that a Notice meets all
of the legal requirements of HIPAA. This guidance is intended solely
to provide some helpful hints for making a notice of privacy practices
more readable. It does not create any binding requirements for how a
notice of privacy practices must be phrased or structured.
The
Principles are presented in a "progressive format." That
is, the Plain Language process is arranged to flow from the most
general to the more detailed. There are advantages to using the
same format in your Privacy Notice. Sections in the Principles are:
Section 1. Introduction and preamble (an overview)
Section 2. Principles (individual principles)
Section 3. Examples for each principle using HIPAA content. (details)
Section 4. Appendices (very specific details)
The Privacy Rule encourages, but does not require, writers to develop
a "layered" notice. The Preamble to the Final Modification
of August 14, 2002, Federal Register page 53243, says that a two
layered notice would satisfy notice requirements. The first layer
would be a short notice that summarizes the individual's rights and
other information. The second layer would be longer and include
all the elements required by the Rule.
It
is possible to combine the "layered" format with the "progressive"
format, by using the elements of the "progressive" approach
in the second, longer, layer.
It
is important to remember that the Notice must include all the elements
that the Rule requires. You can find the details in the Rule. If
you are using the progressive approach the required elements can
be integrated in the relevant parts. The required elements are:
- Header with specific language
- Uses and disclosures
- Separate statements for certain uses and disclosures
- Individual rights
- Covered entity's duties
- Complaints
- Contact
The
basis for the Principles is a mix of well known advice for Plain
Language. This "mix" is outlined in Suitability Assessment
of Materials (SAM).(1) Other resources
in health
care communication can be found at most State Health Departments.
Principles
1. The Content of the Notice
The
HIPAA rules tell us the topics that must be in the Notice. A special
highlighted header on the purpose is also required. But the Notice
writer is free to arrange the order of the topics. And the rules
allow and encourage that other topics may be added. You may want
to place topics in the order of your patients' interest - with the
most interesting topic first. After the required statement, the
order may be:
a) A preamble, including "What good is this Notice to me?" (Examples)
b) What is a health care record? (Examples)
c) Patient Rights. (Examples)
d) Who can see your record without asking you? (Examples)
e) Who can't see your record unless you give a written OK? (Examples)
A. Preamble
A preamble is helpful before giving the HIPAA content. The reasons:
- Many won't see any personal benefits of the Privacy policy.
- The very concept of health care records and privacy may
not be familiar. (An explanation and visual may be needed to clarify.)
- Many won't grasp why and what they are asked to sign and what
use they can or should make of the Privacy Notice.
Appendix
A gives an example of a preamble that covers these points.
Appendix
B gives the text of the rules that describes in detail what
to include, how to deliver, and other things about the notice.
2. Making the notice easy to read and understand
The HIPAA rules do not set a goal for readability level,
but many States have set goals for health care print materials.(2)
These range from 4th to 6th grade levels.
In comparison, many draft Privacy Notices written to date are about
16th grade (college grad level). (Note: The average readability
of this Principles document is at the 8th grade level.)
You
would like the readability of your Notice to be compatible with
the reading skill level of your patient population. The average
reading skill of adult Americans is about 9th grade level.
For people over 65, and for most minority groups, the average skill
levels are lower than 9th grade. (See Ref. 5 for reading
skills by age, gender, ethnic set.)
It is clearly the intent of the rules that patients be able to read
and understand the Notice. A suitable readability level is essential,
but that is only one of the necessary factors for understanding.
Because of the complexity of the Notice content, examples are needed
to explain what is meant by many of the privacy statements. In fact,
Section 164.520(b) of the rules requires that at least one example
be given for certain types of disclosures.
A. To make the Notice easier to read
- Use a conversational style. It is almost always easier to
read narrative than more formal styles of writing. (The rules
are written in formal/legal style: you must translate them.) For
the first draft, write it as you would say it. Tip: If you find
it hard to do this, try running a tape recorder while you tell
a person the Notice content as best you can from memory or from
a simple list of topics. Then transcribe and edit the tape. For
example:
More Formal Language:
Covered entities must describe the right of patients to make
amendment of a protected health record if patient believes
the health information is incorrect or incomplete.
Conversational Style:
If you think there is something wrong or missing in your health
record, you can ask that it be changed.
- Use common words. Common words are better known to the public
and are often shorter. A Thesaurus of more common words for those
found in HIPAA is in Section II. (For these Principles we use
OK vs authorization, rules vs regulations, health care records
vs protected medical records, etc.)
- Use shorter sentences. Keep the average
sentence to about 15 words or less. Try bullets for short lists.
(For example, in these Principles the average sentence length
is between 15 and 20 words.)
- Avoid hyphens and compound words. These increase readability
level. For example: self insured vs self-insured; any one vs anyone.
- Give examples to explain "problem" words.
Problem words - if you use them - are often those that describe
a concept, a category, or a value judgment
(CCVJ). Some words and phrases may be both a category and concept
depending on the context. If you use these kinds of words, add
an explanation or example to define them. Here are just a few
of the problem CCVJ words found in HIPAA:
Concept | Category | Value Judgment |
disclosures | disclosures required by law | adequate notice |
access | business associates | material changes |
authorization | covered entity | significant number |
activities | self-insured groups | reasonable effort |
For example: "disclosures" usually means showing your health
care records to someone outside this organization. This can be
to another doctor treating you, or those paying for your treatment,
and others.
For example:
"disclosures required by law" means "When the law
demands that we show your health record to other people we will
do so. For example, we will report communicable diseases to the
appropriate health authorities as required by law. When the law
allows us to show your health record to other people, we will
show it when there are good reasons to do so. For example, to
assist those conducting worthwhile research."
For
example: "significant number" means -% or more of the
population speaks only some other language.
- Use lower case rather than all capital letters.
Research tells us that text in all CAPS is harder and slower to
read, and harder to understand. The reason: Besides looking at
the letters in a word, we recognize words by their shape. For
example, "try" and "medical" are easier to
recognize and read than TRY AND MEDICAL.
With all CAPS the height of the letters is the same, so we lose
"shape of the words" as a reading cue. This slows reading
speed. For many, by the time they get to the end of a sentence,
they may have forgotten what they read earlier in that sentence.
Suggested remedy: To give emphasis or prominence, use bold and
larger font size with lower case letters (except where grammar
calls for a capital letter).
- Assess readability. After drafting your Notice, assess its readability
level using one of the many formulas available.
B. To improve understanding and to make it "look" easier to read:
The rules
do not specify layouts, fonts, and other factors that can make the
Notice look easy to read. But if it looks hard to read, many patients
won't want to read it, won't bother to read it. And they won't understand
it. Many draft Notices written to date have long lists of items.
These look hard to grasp and to remember - and they are. Here are
ways to make it look easy to read and easier to understand:
- Allow more white space by using wider margins. Double column
of text (like a newspaper format) can also give a more open look.
These layout devices will also shorten the line lengths to be
closer to 50 to 60 letters and spaces. That is easiest to read.
- "Chunk" long lists into smaller bites. Chunking makes the information
look less formidable, and helps the reader better understand and
remember. Look for logical groupings within the long list. Then
place these items under suitable descriptive sub headers. Appendix
C gives an example of chunking of one group of HIPAA topics.
- Consider visuals as well as text in your Notice. The legal nature
of the HIPAA content and the absence of visuals in the rules do
not in any way limit the use of visuals - especially for examples.
Visuals can be used to explain a number of the HIPAA concepts.
For example, consider the stated HIPAA concept phrase: "a
health care record." Rough sketches of visuals that might
be included for explanation are:
Figure 1. Your health care record can be all of these:
(Show a doctor holding up an x-ray to a light box.) | (A file folder with lots of papers in. A slot for "Name"___ on the cover.) | (Two sketches of desk-top computers, with image on screens. Show lightning flash between computers to show linkage.) |
An x-ray | A folder of papers | A computer file |
- Use large fonts and high contrast. Older readers tend to
need larger font sizes. Use at least 12 point font for your Notice.
And they need high contrast between ink and paper. For example,
black ink on white paper, or black on light yellow paper. Do not
use high gloss paper. It has a higher glare.
- Give the context first, before giving the new information.
With the context first, it is easier to associate the information
with things we already know. If the context is last, we must carry
in short term memory all of the preceding information until we
get to the end of the sentence. By then, we may have forgotten
much of the information that went before.
Original:
Context last - Harder to read: (in italics)
"We
will also provide your physician or a subsequent health care provider
with copies of various reports that should assist with your treatment
once you are discharged from this hospital."
Rewritten:
Context first - Easier to read:
"Once
you are discharged from this hospital, your physician or
other health care providers will be treating you. We will give
copies of your health records to doctors and other health providers
to help them in treating you."
C. Use Visuals that explain and clarify:
Readers should be aware that the Privacy Rule does not require the use of
visuals. However, the research tells us that visuals help us understand,
and they are a great help to memory. (We remember the face - a visual,
but not the name - words). Visuals also "lighten" the
page appearance and make it more inviting. For the Privacy Notice,
simple visuals could be the examples that clarify the meaning of:
- sharing of your record by doctors and nurses treating you
- paying for treatment
- running the hospital or clinic
- telling about other health benefits and services
- reminding you of appointments
- telling you about treatment choices
- including you in the hospital directory
- telling family and friends
- others
Use
simple line drawings. These work best because they convey the image
without background clutter. They are also less costly to make and
can be made and revised quickly. Even stick figure icons can greatly
improve memory.
Cue
the viewer: The patient needs to quickly grasp what to look at in
the picture. For example, if the visual is to show one doctor disclosing
a patient record to another for treatment, consider adding an arrow
pointing to the folder they are both sharing. The words, "talking
about your record" might be added to the arrow.(3)
Use
action captions: A short, action caption tells what the visual is
all about - its key point. For example, if a visual showed an appointment
slip, a caption might say something like, "To remind you when
to come back."
With
few exceptions, it is best to include a caption with each visual
and always locate the caption in the same place with respect to
the visual. If the layout of the text and visuals on the page clearly
associates the two, then the adjacent text may serve as the caption.
3. Make it suitable for the culture.
First impressions: First impressions do count on how we
accept new things. The rules say nothing about a cover page for
the Notices. This gives you, the writer, a chance to create a cover
that projects a culture friendly image. Although this is not required
by the Privacy rule, you will find it helpful to make sure that
your notice responds to the culture of the readers. For example,
for a Native American population, consider a cover visual showing
a Native American patient. The cover might also show a doctor holding
or using a health care record. For a mix of ethnic groups (often
the case) show a mix of people from ethnic groups on the cover.
Match
the logic, language, experience of the culture: Write your Notice
with these three factors in mind. (But to really know if your draft
notice is culturally suitable, you will need to pretest your Notice
with a small sample of typical adults from that culture. One-to-one
pretesting is recommended. Appendix D outlines a pretesting protocol.)
Logic:
Each culture has its own logic with respect to health. For example:
It is the logic of many ethnic groups that "the doctor knows
best" and their logic and belief is never to question such
an authority figure - even if they think their record is wrong.
One remedy: The Notice may have to take pains to make such questioning
easy for the patient (perhaps by modeling some questions) and/or
show by example (a visual?) that it is OK to do so.
It
is logical to think in the here and now, rather than future possibilities.
Thus, it may be hard to grasp the logic of showing a patient's health
record to a funeral director, or to law enforcement. (Does it mean
I'm going to die, or be arrested?) For these, and other less likely
disclosures, consider grouping them under a sub-header and adding
a short explanation. For example: "When law demands or allows
us to we would show your health record to other people. Sometimes
when there are good reasons to do so, we could show them."
Language:
Although many words and terms used in regulations such as HIPAA
need translation for any culture, care must be taken so that terms
are correctly used. Many words are best explained by an example.
For example: "Health Oversight Authorities, such as health
inspectors, and other government people who check our hospitals
and clinics."
Metaphors
can be misleading in any culture. For example, one draft Notice
says that the health record serves "as a tool for education
of health care professionals." But in millions of minds, tools
are things like hammers, saws, drills. They may think, how could
the pieces of paper be like those?
Experience:
The content of the Notices presupposes a number of special skills
in literacy, problem solving, and experience. That is, the reader
has to be able to do certain tasks or have some prior
knowledge or experience.
For example, the tasks and experience needed for patients to exercise
their right to limit disclosure of some part of their health care
records include:
1. Understanding that they have a right to do this, and the limits
of that right.
2. Having experience with the process and carrying out the required actions.
(Writing a request, knowing who to send it to, etc.)
3. Knowing how to verify that their request was honored, and protesting
if it was not.
For
each of the Patient Rights, consider doing a simple task analysis
similar to that shown above. That will help you to see if your patient
population is likely to have the needed experience and skills to
exercise those rights. If they do not, then we suggest that additional
helpful advice be included. This may be in the Notice itself or
in a supplementary piece. Insight into the skills of the US population
as a whole, as well as that of several minority groups can be obtained
from the National Adult Literacy Survey (NALS).(4)
4. For those with very limited reading skills
Even the most carefully prepared Privacy Notices are likely to be over
the heads of about twenty percent of the adult American population.
A copy of the Notice may be given to the patient with the hope that
someone at home will read and explain it. Another option is to "tell"
the Notice content or use another medium. This might be a talk, an
audio tape, a pictorial series, or a video tape. For some, an interactive
web site may be suitable.(5) This
is not a requirement of the rule, but is something you may want
to consider.
In all these media, many of the Principles in the pages above will
apply. Some new principles must be added:
- For factual content, limit the audio tape or video to no more than
about eight minutes. Five minutes is better. Otherwise listeners
forget most of the facts.
- Use a story as the fabric to allow you to over-weave the factual HIPAA content.
People can remember the factual information better in the context
of a story.
- In the audio or video, refer to the written Privacy Notice document. Tell
or show how it is a key document, and how to use it.
Conclusion:
There is no really easy way to produce a highly suitable Privacy
Notice for all populations. The cultures and the subjects are too
complex for it to be easy. But you can use the above Principles
to make the work less frustrating and more effective. Also, your
Privacy Notice will be understood by a greater number of your patient
population.
Section II - Thesaurus of Plain Language
Words and Phrases for HIPAA Notices of Privacy Practices
This
thesaurus of plain language privacy words and phrases is designed
to help you write HIPAA notices that will be more readable and understandable.
This document identifies technical and legal language that might
be hard for most people to understand, and suggests more common
words and phrases. But because the same word may have different
meanings, not every plain language word or phrase will work for
every writer.
You
have to deal with both regulatory and language issues in writing
your privacy notices. These suggested words and phrases do not give
you legal protection, so you should have a lawyer review your final
version. While this Thesaurus does not provide a legal safe harbor,
it will help you comply with HIPAA's plain language requirements.
Privacy notice words and phrases | Plain language words and phrases |
A | |
...abide by... | ...agree to... |
We will accommodate all reasonable requests. | We will meet/agree to all reasonable requests. |
The information on or accompanying the bill will include information... | Your bill will include information... |
accrediting agency... | reviewing agency; licensing agency... |
acknowledged | accepted; recognized; approved |
adverse events | injuries; bad reactions |
...after the delivery of treatment... | ...after you've been treated... |
alternative | choice |
amend | change |
...appropriate government authority... | ...government department... |
assist | help |
...as soon as reasonably practicable... | ...as soon as we can... |
attorney | lawyer |
audit | review; inspect; look at |
authorization | your written permission; your written approval |
...authorized public or private entity to assist in disaster relief... | ...government agency or charity authorized to help with disaster relief... |
...authorizing disclosures | ...allowing us to share information... |
B | |
...before any costs are incurred... | ...before we do anything that has a cost attached... |
C | |
certify | confirm in writing |
...collaborating with... | ...working with... |
...collect and maintain... | ...get and keep... |
committed | promised |
...communication source... | ...source of information... |
communicates | tells; let you know |
The use or disclosure will be made in compliance with the law. | Your health information will be used or shared according to the law. |
comply with the rule | obey the rule; doing what it tells us to do... |
...coordination or management of care... | ...coordinating your care; making sure you get the care you need... |
correctional institution | jail or prison |
...contact you at work instead of at home or vice versa... | ...contact you at work or home... |
...court order, subpoena, warrant, summons or similar process... | ...court order; legal demand... |
covered entities | Health plans, health care clearinghouses that process your health information and your health care providers (such as doctors, hospitals and clinics) that have to comply with these privacy rules. |
D | |
...deceased person... | ...dead person; someone who died... |
...de-identified information... | ...information from which key data that identifies you has been removed... |
demographic | personal statistics; personal information |
...designee of this facility... | ...employee who has been identified; employee that we have identified |
determine(s) | decide(s) |
...disclose information... | ...share information; give; tell... |
...disclosures we will make... | ...information we will share... |
E | |
effective date | ...takes effect on... |
...employee review activities... | ...employee review (evaluations)... |
...employees, staff and other hospital personnel... | ...hospital personnel; people who work at the hospital... |
enable | ...allow; make possible... |
ensure | ...make sure... |
entities | facilities; institutions; organizations |
...established protocols... | ...has rules... |
evaluate | measure; rate |
examination | exam |
...exercise your rights... | ...use your rights... |
...except as described... | ...except... |
...exceptions, restrictions, and limits... | ...limits... |
...experienced adverse events... | ...been injured or hurt... |
F | |
...facility planning and marketing... | ...business planning... |
...family can be notified about your condition, status and location... | ...your family can be told about your health and where you are... |
...family member or personal representative | ...family member who is your legal representative for health care... |
...file a written complaint... | ...write or e-mail a letter of complaint... |
...filing a complaint... | ...complaining... |
...for the purpose... | ...to... |
G | |
...governmental entity or agency... | ...to (from, for, etc., as appropriate) the government... |
H | |
...health care operations... | ...health care operations, including management of organization or facility... |
health care professionals | ...people who care for you; doctors, nurses; and others who care for you |
...health information we have is incorrect... | ...health information is wrong... |
We may disclose protected health information to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. | We can share your health information with agencies that audit, investigate, and inspect health programs for the public's health. |
...health record is physical property... | ...health record belongs to... |
hereby | Do Not Use |
honor | follow, abide by |
We may use and disclose medical information about you for hospital operations. | We may share your medical information to run the hospital. |
I | |
...identifiable information... | ...personal information that can identify you... |
...identify or locate a suspect, fugitive, material witness or missing person... | ...to identify or find someone who is a suspect, fugitive, material witness, or missing person |
...in an emergency situation... | ...in an emergency... |
incomplete | lacking |
incorrect | wrong |
...Indian Health Service facility... | ...Indian Health Service/IHS clinic or hospital... |
indicate | tell us |
...individually identifiable health information... | ...information about your health care that identifies you... |
individual(s) | patient(s) |
...individual right... | ...a person's right... |
...information is kept by or for the hospital... | ...hospital keeps the information... |
...information on or accompanying the bill... | ...information with your bill... |
...inmate of a correctional institution... | ...prisoner... |
inspect and receive a copy | get a copy...ask for a copy...see and get a copy |
...in the following instances... | ...in these cases... |
J | |
...judicial administrative proceeding... | ...legal proceeding such as a court case... |
L | |
law enforcement | police, FBI Officers, and others who enforce laws |
legal options | legal choices |
legal requirements | the law |
Licensure | being licensed |
M | |
maintained | kept |
...make new provisions effective... | ...make changes effective... |
material change | significant change |
...may otherwise be at risk for... contracting or spreading the disease or condition. | ...might catch your disease or spread it... |
medications | drugs; medicines |
...members of the clergy... | clergy, for example, priest, minister or rabbi... |
monitor | review; track |
N | |
...next of kin... | ...close relatives |
notify | tell you/tell us |
...not required to agree... | ...don't have to agree... |
O | |
...obligations we have... | ...our responsibilities... |
observations | ...reports... |
obtain a paper copy | get a copy |
obtaining | getting |
...other duties authorized by law... | ...other duties that the law allows them to perform... |
...other purposes permitted or required by law... | ...other purposes that the law allows or requires... |
otherwise | if not |
P | |
...past, present or future physical or mental health and related health care services... | ...all your health services... |
...pertaining to victims of a crime... | ...being a crime victim... |
physical property | property of; belongs to |
physician | doctor |
...plan for future care or treatment... | ...care plan... |
...policies, procedures, practices... | ...our rules and standards... |
...post marketing surveillance information... | ...study drug safety... |
...potentially endangering... | ...possibly hurting... |
...private insurance payers... | ...insurance company... |
procurement | getting |
...protected health information... | ...personal medical information that is protected by the rule... |
...protect the privacy of your health information... | ...protect your health information... |
protocols | rules |
...provide your treatment... | ...treat you... |
...provided consent... | ...given consent/permission... |
provider | doctor, nurse, or other provider of health care |
...providing assistance with your health care... | ...helping you (with your health care)... |
provisions | ...arranging for... |
...psychotherapy information compiled in a reasonable, or use in, reasonable anticipation, or use in a civil, criminal, or administrative proceeding... | ...psychotherapy notes that might be used in a court case or another legal proceeding... |
R | |
rebuttal | response; answer; contradict |
regulation | rule |
...release information... | ...give out your information... |
religious affiliation | religion |
...request a correction/amendment... | ...ask us to change; ask us to correct... |
...request a restriction... | ...ask us not to... |
...we are required to abide... | ...we must... |
restrictions | limits |
revised | new; changed |
revision | change |
...revoke your written authorization... | ...withdraw; take back; tell us not to... |
S | |
...submit your request in writing... | ...write a letter... |
...substantial communication barrier... | ...communication problem... |
...suspected violation... | ...possible violation... |
T | |
thereof | Do Not Use |
...to support business activities services; of your doctor's practice... | ...for your doctor's business; business services your doctor buys to run his practice... |
...training of medical students... | ...training medical students... |
...treatment alternatives and options... | ...treatment choices... |
...treatment and services you receive... | ...care you receive; your care... |
...types of uses and disclosures... | ...how we share; with whom we share; and how the information is used |
U | |
...unable to agree to a requested restriction... | ...can't agree with your request... |
...understanding utilization review activities... | ...reviewing health services... |
...under the custody of law enforcement... | ...in legal custody... |
...unless otherwise permitted or required by law as described below... | ...unless allowed or required by law... |
...upon your request... | ...if you ask... |
...use or disclose... | ...use or give out; share; release... |
...undertaking utilization review activities... | ...reviewing our work... |
W | |
...when required to do so by federal, state, or local law... | ...when required by law; when the law requires... |
...where we can make improvements in our care and services... | ...how we can improve our care... |
written complaint | a letter or e-mail |
...you must do so in writing... | ...write a letter or e-mail... |
Appendix A - Example of a Preamble for a Direct Treatment Provider
This Privacy Notice tells you about your rights about your health care
records. You get a copy of this Privacy Notice to keep for yourself.
You can look at this copy anytime to see what use is made of your
health care records and who gets to see them. A new government rule
requires that we give you this Privacy Notice to sign.
Our policy has always been to keep your records safe. Your records are
usually kept in a folder of papers with your name on it. Your records
can also be stored in a computer. Your records tell what treatments
and tests you have had, and what decisions the doctors have made.
(Note: A figure could be inserted here to graphically show what the health
care records may look like.)
This Privacy Notice is in four parts:
1. What your health care records are, and Your Rights about those records.
2. Who can see them without your written OK.
3. Who cannot see them unless you give a written OK.
4. Our policies to protect health care records.
Appendix B
Section
164.520 - Notice of Privacy Practices for Protected Health Information
OCR/HIPAA
Privacy Regulation Text
October 2002
(a) Standard: notice of privacy practices.
(1) Right to notice. Except as provided by paragraph (a)(2) or (3) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights and the covered entity’s legal duties with respect to protected health information.
(2) Exception for group health plans.
(i) An individual enrolled in a group health plan has a right to notice:
(A) From the group health plan, if, and to the extent that, such an individual does not receive health benefits under the group health plan through an insurance contract with a health insurance issuer or HMO; or
(B) From the health insurance issuer or HMO with respect to the group health plan through which such individuals receive their health benefits under the group health plan.
(ii) A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and that creates or receives protected health information in addition to summary health information as defined in § 164.504(a) or information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, must:
(A) Maintain a notice under this section; and
(B) Provide such notice upon request to any person. The provisions of paragraph (c)(1) of this section do not apply to such group health plan.
(iii) A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and does not create or receive protected health information other than summary health information as defined in § 164.504(a) or information on whether an individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, is not required to maintain or provide a notice under this section.
(3) Exception for inmates. An inmate does not have a right to notice under this section, and the requirements of this section do not apply to a correctional institution that is a covered entity.
(b) Implementation specifications: content of notice.
(1) Required elements. The covered entity must provide a notice that is written in plain language and that contains the elements required by this paragraph.
(i) Header. The notice must contain the following statement as a header or otherwise prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
(ii) Uses and disclosures. The notice must contain:
(A) A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted by this subpart to make for each of the following purposes: treatment, payment, and health care operations.
(B) A description of each of the other purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual’s written authorization.
(C) If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of this section is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law as defined in § 160.202.
(D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law.
(E) A statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by § 164.508(b)(5).
(iii) Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) of this section must include a separate statement, as applicable, that:
(A) The covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual;
(B) The covered entity may contact the individual to raise funds for the covered entity; or
(C) A group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan.
(iv) Individual rights. The notice must contain a statement of the individual’s rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows:
(A) The right to request restrictions on certain uses and disclosures of protected health information as provided by § 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction;
(B) The right to receive confidential communications of protected health information as provided by § 164.522(b), as applicable;
(C) The right to inspect and copy protected health information as provided by § 164.524;
(D) The right to amend protected health information as provided by § 164.526;
(E) The right to receive an accounting of disclosures of protected health information as provided by § 164.528; and
(F) The right of an individual, including an individual who has agreed to receive the notice electronically in accordance with paragraph (c)(3) of this section, to obtain a paper copy of the notice from the covered entity upon request.
(v) Covered entity’s duties. The notice must contain:
(A) A statement that the covered entity is required by law to maintain the privacy of protected health information and to provide individuals with notice of its legal duties and privacy practices with respect to protected health information;
(B) A statement that the covered entity is required to abide by the terms of the notice currently in effect; and
(C) For the covered entity to apply a change in a privacy practice that is described in the notice to protected health information that the covered entity created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice.
(vi) Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint.
(vii) Contact. The notice must contain the name, or title, and telephone number of a person or office to contact for further information as required by § 164.530(a)(1)(ii).
(viii) Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.
(2) Optional elements.
(i) In addition to the information required by paragraph (b)(1) of this section, if a covered entity elects to limit the uses or disclosures that it is permitted to make under this subpart, the covered entity may describe its more limited uses or disclosures in its notice, provided that the covered entity may not include in its notice a limitation affecting its right to make a use or disclosure that is required by law or permitted by § 164.512(j)(1)(i).
(ii) For the covered entity to apply a change in its more limited uses and disclosures to protected health information created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii), the notice must include the statements required by paragraph (b)(1)(v)(C) of this section.
(3) Revisions to the notice. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual’s rights, the covered entity’s legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected.
(c) Implementation specifications: provision of notice. A covered entity must make the notice required by this section available on request to any person and to individuals as specified in paragraphs (c)(1) through (c)(3) of this section, as applicable.
(1) Specific requirements for health plans.
(i) A health plan must provide notice:
(A) No later than the compliance date for the health plan, to individuals then covered by the plan;
(B) Thereafter, at the time of enrollment, to individuals who are new enrollees; and
(C) Within 60 days of a material revision to the notice, to individuals then covered by the plan.
(ii) No less frequently than once every three years, the health plan must notify individuals then covered by the plan of the availability of the notice and how to obtain the notice.
(iii) The health plan satisfies the requirements of paragraph (c)(1) of this section if notice is provided to the named insured of a policy under which coverage is provided to the named insured and one or more dependents.
(iv) If a health plan has more than one notice, it satisfies the requirements of paragraph (c)(1) of this section by providing the notice that is relevant to the individual or other person requesting the notice.
(2) Specific requirements for certain covered health care providers. A covered health care provider that has a direct treatment relationship with an individual must:
(i) Provide the notice:
(A) No later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date for the covered health care provider; or
(B) In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.
(ii) Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the notice provided in accordance with paragraph (c)(2)(i) of this section, and if not obtained, document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained;
(iii) If the covered health care provider maintains a physical service delivery site:
(A) Have the notice available at the service delivery site for individuals to request to take with them; and
(B) Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice; and
(iv) Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(iii) of this section, if applicable.
(3) Specific requirements for electronic notice.
(i) A covered entity that maintains a web site that provides information about the covered entity’s customer services or benefits must prominently post its notice on the web site and make the notice available electronically through the web site.
(ii) A covered entity may provide the notice required by this section to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If the covered entity knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual. Provision of electronic notice by the covered entity will satisfy the provision requirements of paragraph (c) of this section when timely made in accordance with paragraph (c)(1) or (2) of this section.
(iii) For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the covered health care provider must provide electronic notice automatically and contemporaneously in response to the individual’s first request for service. The requirements in paragraph (c)(2)(ii) of this section apply to electronic notice.
(iv) The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a covered entity upon request.
(d) Implementation specifications: joint notice by separate covered entities. Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that:
(1) The covered entities participating in the organized health care arrangement agree to abide by the terms of the notice with respect to protected health information created or received by the covered entity as part of its participation in the organized health care arrangement;
(2) The joint notice meets the implementation specifications in paragraph (b) of this section, except that the statements required by this section may be altered to reflect the fact that the notice covers more than one covered entity; and
(i) Describes with reasonable specificity the covered entities, or class of entities, to which the joint notice applies;
(ii) Describes with reasonable specificity the service delivery sites, or classes of service delivery sites, to which the joint notice applies; and
(iii) If applicable, states that the covered entities participating in the organized health care arrangement will share protected health information with each other, as necessary to carry out treatment, payment, or health care operations relating to the organized health care arrangement.
(3) The covered entities included in the joint notice must provide the notice to individuals in accordance with the applicable implementation specifications of paragraph (c) of this section. Provision of the joint notice to an individual by any one of the covered entities included in the joint notice will satisfy the provision requirement of paragraph (c) of this section with respect to all others covered by the joint notice.
(e) Implementation specifications: Documentation. A covered entity must document compliance with the notice requirements, as required by § 164.530(j), by retaining copies of the notices issued by the covered entity and, if applicable, any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment, in accordance with paragraph (c)(2)(ii) of this section.
Standards for Privacy of Individual Identifiable Information (45 CFR Part 160 and 164)
Appendix C - Chunking of long lists
Long List from Privacy Rule (Allowable Disclosures)
- provide for your treatment
- information for payment
- health care operations
- business associates
- directory
- notifications
- communicate with family
- interpreters
- research
- funeral director
- procurement organizations
- marketing
- appointment reminders
- treatment alternatives
- Food and Drug Administration
- workers compensation
- public health
- correctional institutions
- law enforcement
- member of the military
- health oversight authorities
- non-violation notices
- disclosures by whistle blowers
- investigation, audits
Revised (with Chunking) List from Privacy Rule (Allowable Disclosures)
For your medical treatment and payment
- provide for your treatment
- tell you of treatment alternatives
- appointment reminders
- evaluate your care
- information for payment
- business associates
For your personal reasons
- communicate with your family
- notify people
- be listed in a directory
- for workers compensation
- get an interpreter for you
- notify a funeral director
For other reasons that help improve health
- research
- procurement organizations
- marketing
- public health
- Food and Drug Administration
Other special uses
- law enforcement request
- correctional institutions
- members of the military
- non-violation of notice
- disclosure by whistle blower
- investigation or audits
Appendix D - A simple protocol for Pretesting draft Privacy Notices
The purpose of pretesting is to find any problem areas in the draft Privacy Notice while it is still in draft form. The problems can then be addressed before wide use of the Notice.
The following steps outline how to pretest on an individual basis. These steps can be carried out in less than one week's time.
1. Decide what are the most important concepts and pieces of information in your draft Privacy Notice. What is most important for the reader to know and understand how to do? (For some, that might be to understand the concept of their medical record, and the fact that they can have a say in who sees it.)
2. Write open-ended questions that would show that readers understand these key concepts and pieces of information. For example, "Tell me what you understand your medical record to be. What is it?" (At least 5 questions, but not more than 10.) Prepare a sheet(s) that lists the questions and spaces to record - verbatim - the readers' responses.
3. Write a brief description that explains to the test givers the purpose and process of the pretest. Test givers might start out by explaining that the writers of the Notice are trying to make the Privacy Notice easy to understand. "We'd like you to read the Notice, and then we will ask you a few questions about what you have read. It will take only a few minutes. There is no right or wrong, we want to know what you understand about the Notice."
4. Sample size and recording responses: Select a sample size of at least 30 individuals. Ideally, they would consist of 10 each from three different parts of your patient population.
5. Analyze the responses, and make appropriate changes in the draft Notice and/or provide supplementary instruction as needed.
References
1. Doak, Doak, Root. Teaching patients with low (or any) literacy skills. J.B. Lippincott Co., Philadelphia, Pa. 1996, pp 49-58.
2. Matthews TL, Sewell JC. State Official's Guide to Health Literacy. 2002. The Council of State Governments, PO Box 11910, Lexington, Ky. 40578-1910.
3. Wileman RE, Visual Communicating. Educational Technology Publications, Englewood Cliffs, NJ, 07632, 1993, p. 24. Also, Ref. 1, Ch. 7.
4. Kirsch IS, Jungeblut A, Jenkins L, Kolstad A. Adult Literacy in America. National Center for Educational Statistics, US Dept. of Educ. Wash D.C., Sept. 1993.
5. Beyond the Brochure: Alternative approaches to effective health communication. 1993. AMC Cancer Research Center, 1600 Pierce St., Denver, CO, 80214. (In cooperation with the Centers for Disease Control and Prevention. Agreement No. U50/CCU806186-03)