Drafting (& Delivering) the Perfect Privacy Policy Form
You’re likely inundated with privacy policies all day long—they pop up in a window on your laptop or mobile device as you’re browsing a website, or you may be required to acknowledge your acceptance before downloading an app or signing up for an online service.
In this increasingly digital world, our privacy has become more and more important to us. This isn’t so much a product of us not caring about our privacy in the past, but rather a result of our personal information being stored and potentially shared at an alarming rate.
It can sometimes feel like our every click or move is being tracked. (Have you ever had an ad pop up on social media for something you were just talking about—like, face-to-face talking about? Freaky.) This tends to make us feel one of two ways—either hypersensitive and protective about our information and behaviors, or unfazed by otherwise undetected invasions of privacy.
Regardless of your stance on data sharing, everyone can agree that our protected health information (PHI, for short) should remain protected and be shared with care.
That’s why giving your patients access to your practice’s privacy policies isn’t just good practice, it’s also required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The Privacy Rule
Under HIPAA, patients have the undisputed right to be informed of the privacy practices of their health care providers and health plans, as established by the Privacy Rule.
According to the United States Department of Health & Human Services (HHS), the goal of the Privacy Rule under HIPAA is to “assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality healthcare and to protect the public’s health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the healthcare marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.”
Because each practice and personal care plan is different—information may need to be shared with other specialists for the patient to receive proper treatment, or data may need to be collected for research purposes—it is up to the healthcare provider to detail its privacy policies to the patient.
What is a Privacy Policy Form?
Though some practices may choose to fulfill this requirement with an easy-to-read notice posted in their office or included on a page on their website (you have to do this, by the way), the only way to truly ensure that patients understand your policies and protect your practice from claims otherwise is to have patients sign a privacy policy form.
A patient also has the right to request a copy of your practice’s privacy policies at any time, so it’s important that you have an efficient and professional way of providing this information.
We know what you’re thinking—another form. But trust us when we say that providing your patients with a clear and thorough explanation of your privacy policies is just as important as getting their consent to treatment or having them sign a HIPAA release form.
The intent of a privacy policy form is to inform patients of exactly how your practice may use their protected health information and what other entities it may be shared with, if necessary.
That’s why we’ll run through everything you should consider including in your practice’s privacy policy form and how to best deliver it to new patients.
Provide Background
Before you get into the specifics of your practice’s privacy policies, you should first provide the patient some context around the purpose of the form.
This would include notifying the patient of their rights as protected under HIPAA and to inform them that you are disclosing how their medical information may be used or shared.
As we show you in this sample form, a simple paragraph to accomplish this may be:
“I am [or we are] required by the Health Insurance Portability & Accountability Act of 1996 (HIPAA) to provide confidentiality for all medical/mental health records and other individually identifiable health information in my possession. This Notice is to inform you of the uses and disclosures of confidential information that may be made by [BusinessName], and of your individual rights and [BusinessName]’s legal duties with respect to confidential information.”
It’s also a good idea to remind the patient to review the document carefully and notify the practice of any questions regarding PHI privacy, while also politely requesting that they provide their signature at the end to confirm their acceptance of your policies.
Disclose Potential Uses of Medical Records
Since you aren’t likely to personalize your privacy policy form for each patient and his or her personal situation (nor should you), it’s important to provide a number of possible occurrences that could call for the safe sharing of medical records.
Here are some examples of reasons why a healthcare provider might need to disclose PHI at their own discretion:
– Treatment: This includes sharing information with other specialists involved in a patient’s healthcare plan, or for any additional services needed.
– Payment: Information may need to be shared with an internal billing department or third-party billing vendor to properly bill patients and healthcare insurance plans.
– Healthcare Operations: This covers any internal needs to help a practice maintain a high level of care. This could include evaluating a team member’s performance or upgrading practice procedures.
– Appointment Scheduling: Administrative members of a practice may need access to treatment information so they can properly schedule appointments or follow-ups, or provide helpful appointment reminders to the patient.
– Research: If a research study has been approved by an authorized institutional review board or a privacy board, then PHI may be shared for learning purposes, but with any identifying information redacted.
– Legal: A practice may need to disclose PHI if required to do so by federal, state, or local law. This could be for a number of reasons, including lawsuits, criminal cases, or government-mandated compensation programs.
Your practice may deem other circumstances necessary, in which case you should detail them on your privacy policy form. Please note that using PHI for any marketing purposes or disclosures that constitute a sale of information must be explicitly signed off on by the patient.
Closing & Signature
Reiterate to the patient that for any other circumstances not included on the privacy policy form you will reach out for written authorization.
It’s also important to remind the patient that they have the right to request their own medical records at any time.
At the end of the form, ask the patient to sign their name if they understand and agree to the terms of your privacy policy. As noted in our sample, you may choose to use a sentence along the lines of, “Please sign to indicate you understand our practice’s use of your information for treatment, payment, and healthcare operations as stated above.”
Delivering a Privacy Policy Form
Much like when we discussed consent to treatment forms, having the ability to share forms digitally is a huge advantage for both the patient and the healthcare provider.
For the patient, receiving a practice’s privacy policy form ahead of a scheduled appointment gives them the time needed to thoroughly review and understand the document. This is a better scenario than feeling the need to rush through it during check-in, and can significantly cut down on wait time.
Having the digital form also ensures that a patient has access to a copy of the privacy policy whenever they need, eliminating the need to ask for a paper copy (though they are certainly allowed to do so at any time) or the possibility of misplacing that document.
By using a trusted partner like IntakeQ, you can rest assured that all electronic forms are properly protected and secure under HIPAA-mandatory conditions. Plus, with the easy option to obtain signatures electronically, all the pesky “paperwork” can be handled in advance of an appointment at a time that is most convenient for the patient.
The Bottom Line
Failing to provide patients with a comprehensive privacy policy form can get you in a lot of hot water, plus it denies your patients the rights that they so clearly deserve.
Be sure to protect both your patients and your practice’s integrity by offering each new patient a detailed and easy-to-understand account of how their PHI could potentially be used. This will help to mitigate any misunderstandings or claims down the line, plus help secure your position as a loyal healthcare partner.
We here at IntakeQ are available to help create these forms for you, or take your existing paper documents and turn them into convenient electronic forms—all you have to do is ask!