Patient’s Guide to HIPAA – Basic Rights: A. Right to a Notice of Privacy Practices (FAQ 13 – 17)






The HIPAA rule defines seven patient rights. One of them is a right to a notice of privacy practices. This page includes all FAQs explaining this right (FAQ 13-17).


A. Right to a Notice of Privacy Practices (FAQ 13 – 17)


FAQ 13: What is a HIPAA Notice of Privacy Practices?

The rule requires each covered entity, like a hospital, to publish a notice of privacy practices. The notice describes how each entity implements the rule. Notices from different health care institutions may look similar because the rule is the same for everyone. However, each notice will have some details (procedures, addresses, etc.) that are specific to the institution. If you want to learn more about health privacy, a notice of privacy practices is a good place to start. So is this FAQ!


FAQ 14: Why Are the Notices Long and Boring?

One answer is that the rule is long and complicated. Another answer is that lawyers write many of the notices. Often, lawyers write like…lawyers, and the results are sometimes complete, precise, and often incomprehensible. Some privacy notices – and not just notices for health – are deliberately written to be obscure. Even other lawyers can’t understand them. Not every organization really wants you to understand or exercise your privacy rights.

In the end, health privacy is a complex subject, and health records have quite a few uses and disclosures that you probably never thought about. All of these factors contribute to the length and complexity of the notices. But the notice is your friend and your guide if you want to pursue your rights.


FAQ 15: Should I Read the Notice?

Only if you want to. Every expert says that people should know their rights and understand privacy. We agree, but we recognize that people often don’t have the time or interest. Don’t feel guilty if you just don’t have the interest today to read the notice from your doctor, hospital, laboratory, pharmacy, etc. What is important is that the notice exists and that the record keeper who produced the notice has a privacy policy and – we hope – actually implements the policy appropriately.

The HIPAA requirement that each covered entity prepare a notice was a big advance in privacy protection. That remains true even if most patients never read the notice. The notice also tells a covered entity’s employees what the privacy rules are. That is just as important as telling patients what the rules are. In the past, employees often didn’t know whether there were privacy rules or what those rules stated.

To put it another way, you have privacy rights whether or not you know the details. Your rights do not depend on your level of understanding. You can do a better job of protecting your rights if you know more, of course.

Here’s what’s really important:

  • Read the notice when it matters to you. If you decide that you want a copy of your health records, that’s a time to read the notice and find out how to obtain the records.
  • If you think that there is an error in your record, read the notice and learn how to ask for a correction.
  • If you think that your records were improperly used or disclosed, read the notice to see if you are right.
  • If you have a privacy complaint, you can read about the complaint procedure that the rule provides.

When it makes a difference to you, get a copy of the notice and read it. That could be today or two years from now. You can always ask for a copy, even if you are no longer someone’s patient. If a provider or insurer maintains a website, it should post a copy of its privacy policy on the website. That may make it easier for you to find the notices that you need.


FAQ 16: What Are the Forms that My Doctor’s Office Asks Me to Sign?

The rule generally requires a health care provider to make a good faith effort to obtain an acknowledgement that each patient received the notice. Some people think that it is a dumb requirement and a paperwork burden, but that’s what the rule says. Signing a standard acknowledgement does not waive your rights.

You do not have to sign the acknowledgement. Your rights do not change if you sign or don’t sign. However, the requirement for a signature is poorly understood. Some receptionists think that a signature is mandatory, and they will hassle you if you don’t sign. Some will tell you that you must sign or you can’t see the doctor. That is wrong.

You can fight about signing the acknowledgement if you want. We suggest, however, that this isn’t a fight worth having. Save your energy for another battle. The acknowledgement – if that is all that the form contains – is meaningless. If you see something on the form that you don’t like, you can just cross it out. Odds are that no one will even look at what you did.

We hear that some doctors are asking patients to sign broader forms that limit the ability of patients to file malpractice suits, that prevent patients from talking about the doctor to other people or on the Internet, or that accomplish other things that benefit the doctor and not the patient. We suggest being very careful if offered these types of documents. We wouldn’t sign one.

What you really need to know:

When you visit your doctor’s office for the first time, someone should offer you a copy of the doctor’s notice. You may be offered the same notice on each visit because many offices find it easier to give every patient a notice on every visit rather than keeping track of first visits. Sometimes, the notice will be sitting on a counter or table. You have the right to take a copy home. Remember that you can always ask for a copy later or find it on the website of your doctor or insurer. If you don’t care about it today, it should be available to you later, even if you are no longer a patient of that doctor or covered by that insurer.

Your health plan also will provide you a notice, but the rules for getting you the notice are somewhat different for health plans. Patients really don’t need to know those rules. You probably received a health plan notice in the mail, but you may have ignored it. If you want a notice from your health plan, ask for it or look on the health plan’s website.

The 2013 changes to the HIPAA rule will result in changed privacy notices for just about every covered entity. You will be offered new notices or be told that they are available. Again, you can pay attention to the notices or wait until you have a particular reason to care about your health privacy rights.


FAQ 17: What Are the Most Important Parts of the Notice?

Almost any health privacy notice will tell you something that you probably didn’t know. For example, a notice is supposed to include examples of the uses and disclosures that a covered entity can make. These examples will likely be both enlightening and disturbing. The basic list of uses and disclosures is long to begin with, and that may be upsetting if you’ve never read about them before.

Most notices are quite similar because you have the same rights everywhere the rule applies. If you read one notice, you’ve generally read them all. However, there may be some variations here and there between notices from health care providers and notices from insurers. Differences in state law may result in different notices from covered entities in different states.

When you want to exercise your rights at a particular covered entity, the local procedures described in the notice are likely to be different in each notice. That’s when reading the notice may matter a lot. Each notice should describe the covered entity’s procedures for exercising patient rights. Make sure you follow any specified procedures. Otherwise, here are some notable features to look for:

• If the notice is for a hospital or other large institution, read the description of which institutions and providers are covered. We have a notice for a hospital that says that more than a dozen different institutions in three states are part of the same institution. That means that patient information can be readily shared among all the affiliated organizations without your consent. That ability to share records widely may not be unusual or should not always be troubling. Further, being able to obtain care at related institutions may be a good thing. Consider, however, if your cousin works in a health care facility in a nearby state. You may not realize that facility is connected to the health care provider that you see regularly. You might not be happy knowing that your cousin may have access to your record. It may or may not be lawful for your cousin to do so, but the possibility may be unnerving.

• A hospital can use your records in a limited way for fundraising. You have the right to tell the hospital not to use your records for fundraising. If you say nothing, then use of your records for fundraising is permissible. A 2013 change requires a covered entity to include in each fundraising communication a clear and conspicuous opportunity to opt-out of future fundraising communications. Exercising this opt-out right may not be of critical importance, but it helps everyone if some people exercise opt-out rights when they exist.

• Find the national security disclosure provision. A covered entity can disclose your records for just about any national security purpose. The rule does not require a warrant, court order, subpoena, or any procedure prior to the disclosure. We point this out because it is perhaps the most privacy-invasive of the HIPAA disclosure provisions. You are also invited to look for other broad and objectionable disclosure provisions in the notice. Don’t blame the hospital or doctor. The rule allows these disclosures to be made, and privacy notices usually reserve the right for a covered entity to make allowable disclosures. However, the disclosures are not necessarily mandatory. In other words, a doctor can disclose your record to the CIA, but the doctor can usually say no.

• Look for the provision that says a covered entity can change the notice at any time and with retroactive effect. This isn’t quite as bad as it looks because HIPAA limits the ability of a covered entity to change the policy. The covered entity must comply with HIPAA, and it cannot change the notice and take away your rights. However, if HHS changes HIPAA or if Congress passes new laws, then your rights can expand, diminish, or disappear. Most privacy policies elsewhere (such as on commercial websites like search engines or clothing retailers) are not based on formal legal requirements and are changeable at the discretion of the record keeper. Changes are not always bad, but it is okay to be a bit suspicious.

• Find the right to request alternate methods of communications. This right may be important to you, and the notice tells you how to exercise this right. We explain this right in full later. (See FAQs 25-28.)

• At the end of the notice is where you will probably find contact information for the covered entity’s privacy officer. If you have any questions or want to exercise your rights, the privacy officer for the covered entity is probably the first person to contact.
