CMA: Notice, Acknowledgement & Restriction Requests

Disclaimer:  CMA/PrivaPlan PrivaGuide: Notice, Acknowledgement, Restriction Requests, and Confidential Communications.

The information provided in this document does not constitute, and is no substitute for, legal or other professional advice.  Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns. 

PrivaGuide: Notice, Acknowledgement, Restriction Requests and Confidential Communications
By Lesley Berkeyheiser and David Ginsberg




The HIPAA Privacy Rule requires that patients be notified of the ways in which protected health information (PHI) may be used or disclosed.  It is also a HIPAA requirement that you allow the patient to make special requests concerning the ways in which their personal information will be handled.  Specifically, this means:

  • You must provide a “Notice of Privacy Practices” that explains how you intend to use PHI to carry out treatment, payment and health care operations.
  • If you have a direct treatment relationship with the patient (i.e. you meet with the patient face-to-face) you must make a good faith effort to obtain a written acknowledgement from the patient that the notice of privacy practices has been provided.
  • You must consider any restriction requests made by your patient (i.e. patient requests to use or disclose PHI in a manner different than you describe in your notice of privacy practices).
  • You must accommodate reasonable requests for confidential communications with your patient (i.e. patient requests that communications be by alternative means or at alternative locations).

How to do this:

In this section we document some practical suggestions for meeting the core HIPAA privacy requirements.  “Implementation” suggestions relate to the initial steps you take to get into HIPAA compliance. “Maintenance” suggestions relate to on-going activities that must be accomplished on a recurring basis.  Your implementation policy and procedure documentation should be based upon your specific needs and on your understanding of how the HIPAA privacy regulation applies to you.

The sample procedures included in this PrivaGuide will help you do the following:

  1. Create a notice of privacy practices for your organization.
  2. Provide the notice of privacy practices to your patients.
  3. Obtain written patient acknowledgement that the notice has been provided.
  4. Allow your patients to request restrictions on how you use or disclose their PHI.
  5. Allow your patients to request the use of confidential communications channels.

Patients have basic privacy rights that must be protected.

There are six basic rights that HIPAA confers on subject individuals (i.e. patients or health plan members). These rights are:

  1. NOTICE – the right to be informed about uses and disclosures of PHI.
  2. CHOICE – the right to deny permission for certain uses and disclosures of PHI.
  3. INSPECTION – the right to review his or her own PHI.
  4. AMENDMENT – the right to request changes to PHI that is inaccurate or incomplete.
  5. AUDIT – the right to receive an audit or accounting of certain classes of disclosures of a patient’s PHI.
  6. REDRESS – the right to complain about perceived violations of their privacy, and to have these complaints taken seriously.

There are some exceptions to each of these rights. (For example, a patient cannot stop you from reporting a gunshot wound.)  However, these rights form the core of HIPAA privacy protection.

Purpose determines the form of permission needed.

The form of patient permission needed to use or disclose PHI is not determined by the type of information disclosed, or who makes the disclosure, or to whom the disclosure is made.  The required form of permission is dictated solely by the purpose of the disclosure.

There are three types of patient permission:

  1. NONE – No permission is needed for uses and disclosures to carry out treatment, payment or health care operations; “public purpose” uses and disclosures; or for disclosures to the subject individual himself or herself.
  2. VERBAL AGREEMENT – If you want to list a patient in a hospital directory, or discuss a patient’s condition with family, friends or others who are involved in the patient’s care, you must obtain permission. Verbal permission is sufficient for either of these scenarios.
  3. WRITTEN AUTHORIZATION – A signed authorization is required for any commercial purpose, such as marketing, fundraising or sending pre-employment physical results to a prospective employer.


The first step in obtaining a patient’s permission to use or disclose PHI is to provide a notice of privacy practices.  The notice of privacy practices describes how your organization intends to use or disclose PHI. Specifically, the notice lists the uses and disclosures of PHI for treatment, payment, and health care operations.  It also lists disclosures that are for “public purposes,” such as cooperation with law enforcement, public health authorities, and courts of law.  If you intend to use or disclose PHI for fundraising, these uses and disclosures must also be included in the notice. Other elements which must be included if they are to be effective include:

  • Retroactive application of changes to the privacy policy.
  • Requirement that the following requests be in writing to be effective.
  • The patient’s rights to access their PHI and to request special privacy protections.
  • The patient’s right to amend their PHI.
  • The patient’s right to have alternate confidential communications channels used for contact.
  • The patient’s right to an “accounting of disclosures” under certain circumstances.
  • The patient’s right to complain about how their privacy has been handled.

The notice of privacy practices must be available for your patients to review on request. If you have an office location where patients are treated, you must post the notice where patients may read it (for example, in the waiting room).  If requested, you must also provide copies of the notice that patients may take with them.

Implementation Suggestion:  Create the notice of privacy practices.


1. Review the PHI Inventories you created in PrivaPlan Stat step 2. The PHI inventory is the most important step in your HIPAA Privacy and Security Compliance program. The inventory helps your organization know the “who,” “what,” and “where” of PHI as it is used and disclosed in your organization. The inventory forms identify:

  • Every item of PHI in your organization
  • Who uses the item (and for what purpose).
  • How the item is disclosed, for what purpose, by whom and to whom.

Review the uses and disclosures inventory. On these forms you should have indicated the “purpose” of the PHI item, specifically if the item is for “treatment,” “payment,” or “health care operations.”

You are not required to provide the notice of privacy practices every time the patient visits your office. If you have provided the notice to the patient once, you have met your HIPAA obligation, until you change the notice. At that point you must post the new notice and make copies available if requested.  Similarly, once you have obtained an acknowledgement that the notice has been provided, you never have to obtain this acknowledgement again.

Produce three lists of uses and disclosures based on these three categories (treatment, payment, and health care operations). You may want to summarize rather than list every individual use or disclosure. For example, if you send blood tests and urine specimens to separate laboratories, you would list all of these as one type of disclosure under the “treatment” category.

The fact that your organization uses and discloses PHI for treatment, payment or health care operations must be included in the notice of privacy practices along with at least one example of each type of use or disclosure.  (You are required to describe each purpose for which PHI may be used or disclosed without patient authorization; but you are required to give examples only for treatment, payment or health care operations uses and disclosures.)

Your examples might look like this:

  • Treatment Example-“If you are being treated by another treatment provider, we may discuss your case in order to coordinate care between us.  The kinds of health care information we may disclose about you in such circumstances could include your diagnosis, x-ray reports, lab results etc…” 
  • Payment Example – “If you are covered by health insurance we may disclose diagnostic and treatment details to your insurance provider in order to obtain payment for services rendered.”  
  • Health Care Operations Example – “Your medical records may be chosen at random to be inspected by persons who conduct quality assurance reviews to ensure that high standards of care are being maintained.”

Include uses/disclosures by your business associates. 

Remember that your business associates often “borrow” PHI to perform work on your behalf. (They also may “borrow” forms of permission that you have obtained such as verbal agreements or authorizations.)  Include these uses and disclosures in your notice. Some examples of business associates are billing services, collection agencies, and consultants who might help with coding and practice management.

2. Review the notice of privacy practices template in the Document Templates section. The notice requires that you describe in “sufficient detail” your uses and disclosures for treatment, payment and health care operations.  The notice template includes these three sections (items 1, 2 and 3 beginning on page 2).  Fill in these sections with descriptions of the uses and disclosures that you identified in the previous step.

3. Delete those items in the notice template that do not apply to your organization. For example, if you do not publish a patient directory (hospitals generally do this, but not small practices), delete the reference to “directories” in the notice template.  Do not delete any section of the notice template unless you are absolutely sure that it does not apply to you.  With respect to the section listing your patients’ rights, wait to complete it until you have completed the procedures and forms associated with each right, to ensure consistency in your documents.

4. Complete additional customization steps. Wherever words appear in brackets (such as “[organization name]”), fill in the data that is appropriate for your organization.  Read the legal disclaimer and customization instructions at the beginning of the document and then delete them.  (This information is for your use in customizing the document; it is not intended to be read by your patients.)

5. Review special notes. Review every section of the template document that is enclosed in square brackets and written in a bold font (i.e. “[Note: …]”).  These are notes that may change how you customize your notice of privacy practices.  Pay particular attention to the very first note.  It says that the notice of privacy practices is not in final form until all of your organization’s privacy practices are clearly understood.  This means that if you change the manner in which PHI is used or disclosed as part of your compliance effort, the notice may have to be altered to reflect these changes.  Delete these notes once you have read them and taken the appropriate action.

6. Publish the Notice in other languages. If you have a large patient population that speaks another language (other than English) you may need to publish the Notice in their language. A Spanish version of the Notice can be found in the document templates section. You will need to customize this version in the same way you customized the English language version of the Notice. It is especially important that you include the examples of uses and disclosures so that the Spanish Notice is equivalent to your English Notice.

Clinical Research

If your organization conducts clinical research trials, you may periodically review patient charts to determine “candidates” for these trials. This can be considered routine “treatment” in that you will make a clinical trial available to your patients. A good use of the notice of privacy practices is to inform your patients (or their personal representatives) that you may, occasionally, review their medical records to determine if they are, potentially, candidates for a clinical trial. However, actually enrolling a patient in a clinical trial would require a signed authorization.

Implementation Suggestion: Provide the notice to existing and future patients.

HIPAA requires that you provide the notice. “Provide” can mean any one of several things:

  • Physically giving a copy of the notice to a patient at the time the patient appears for treatment.  If you maintain a physical service delivery site, HIPAA has clarified that providing the notice means to actually “give” the patient or their personal representative the notice. This is also the most effective way to ensure that they have actually received the notice.  We recommend that you make it part of your documented procedure to give each patient a copy of the notice and obtain a signed acknowledgement that you did so during the first visit to your office after the privacy compliance date (April 14, 2003).  This eliminates any confusion as to whether or not the patient was given an opportunity to review the notice. You do not have to provide the patient with a copy to take with them, unless they specifically request a copy.
  • Posting a copy of the notice in a clear and prominent place such as a waiting room.  HIPAA requires that if you maintain a physical service delivery site, your notice must be posted prominently at that site.  Also, if you maintain a web site that describes your services, you must post your notice on the web site.
  • Make changes as needed.  HIPAA requires that if your uses and disclosures change you must promptly change your notice. In fact you cannot change practices until you change your notice! The revised notice should replace the posted notice as well as the copy that you give new patients or established patients who have not previously been given the notice and acknowledgement form.  You do not have to get patient acknowledgment again.
  • If you are a hospital based provider and your hospital has decided that it will permit the use of a joint notice in its “Organized Health Care Arrangement,” you can use the “joint notice” developed by your hospital. In this case the hospital will provide the notice. Please review their joint notice to determine if it is complete (you can use this PrivaGuide and the Notice of Privacy Practices template as a benchmark).

Understand your obligations to provide the notice

Physicians and other health care providers who are “direct treatment providers” are obligated to provide the notice to their patients. Furthermore, if the direct treatment provider also maintains a physical service delivery site they have an obligation to post the notice and to also obtain a written acknowledgement of receipt. If you are a hospital based provider, or if some of your care is delivered in a hospital, skilled nursing facility or other facility, the facility may satisfy the notice requirement by providing a “joint notice”. This only satisfies the notice requirement for your care in the facility. If the patient is subsequently seen in your practice you will need to give them your notice and seek a written acknowledgement.

However, if the hospital or facility does not provide a joint notice, you are obligated to provide your notice as soon as practicable.

Many practices are printing the notice as a “brochure” so that it has a more appealing presentation to their patients. This is perfectly acceptable. However, be wary of using any notice template that has not been customized to reflect your privacy practices and California law!

1) The first step is to determine how you will initially distribute the notice. We recommend that a printed copy of the notice be given to the patient or their personal representative during their first appearance after the HIPAA privacy compliance deadline if you have not already done so before the compliance deadline. You will want to print sufficient copies of the notice to ensure that you always have enough on hand. At the time you provide the notice you should request that the patient sign an acknowledgment form.  The acknowledgment form certifies that they have received their copy of the notice.  However, you are not required to obtain a new acknowledgment or to provide a new copy of the notice each time a patient visits your office.

2) Remember that if you publish the notice electronically (for example, on a web site) you must keep some hardcopies in the office. Some organizations may choose to provide the notice electronically. However, you will need to have sufficient printed copies for those patients who request a hard copy. It is a HIPAA requirement that you must provide a hardcopy version of the notice when patients request it.

3) Determine how your organization will communicate changes in your notice of privacy practices. The notice of privacy practices contains a statement that uses and disclosures of PHI are subject to change.  We strongly recommend that you include a statement that the terms of the notice are subject to change. If you do not have this statement in your notice of privacy practices, HIPAA prevents you applying future changes to PHI you have created or received prior to the change, thus creating an administrative nightmare.  (The sample notice in the “\PrivaPlan\Document Templates” folder contains this statement.) You do not need to give patients who have already received your notice a copy of the new notice, unless they request one. On the other hand, if your privacy practices have changed substantively, you may choose to give or offer the new notice as a matter of good communication.

4) Determine the best environment and location to review the notice. When a patient arrives for their visit, they can be handed the notice with an explanation of its purpose. They may have questions or may request certain restrictions. You may want to designate a private location to discuss these questions or restriction requests.

5) Determine who will discuss the notice with the patient. It should be someone well versed in the organization’s operations and privacy practices (i.e., the HIPAA compliance program). For this reason, we suggest that your designated Privacy Official generally handle all questions. If the Privacy Official is also the Office Manager, consider the impact this will have on productivity and his or her ability to perform other routine tasks.

6) Determine the best place to post the notice. Generally a “clear and prominent” place is the waiting room area. Some organizations are planning on posting a copy of the notice in each exam room. However, this may be problematic if it creates questions and additional physician time with the patient.

Maintenance Suggestion:  Keep copies of past notices of privacy practices.

It is a HIPAA requirement that you be able to produce copies of any notice published within the past six years.

Am I an Indirect Treatment Provider?

HIPAA divides treatment providers into two groups: Direct treatment providers, who must provide a notice and obtain an acknowledgement, and indirect treatment providers, who don’t.  It is sometimes hard to tell what your relationship is to the patient, however.

Here’s what the regulations themselves have to say:

Direct treatment relationship:

Direct treatment relationship means a treatment relationship between an individual and a health care provider that is not an indirect treatment relationship.

Indirect treatment relationship

Indirect treatment relationship means a relationship between an individual and a health care provider in which:

  • The health care provider delivers health care to the individual based on the orders of another health care provider; and
  • The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.

Essentially what this means is that if another office tells you to do a treatment procedure (say, a radiological test) and you usually report the results to the other office and not the patient, this is an indirect treatment relationship.  Everything else is a direct treatment relationship.

It is always permissible under HIPAA to hand out a notice of privacy practices and attempt to get an acknowledgement from anyone you want to, so if you are in doubt, consider giving them a notice anyway.



HIPAA requires not only that you provide a notice of privacy practices; you must also make a good faith effort to obtain a signed acknowledgement that the notice has been provided.

Implementation Suggestion: Determine whether or not the acknowledgement requirement applies to your organization.

1. Not every physician or provider is required to obtain a signed acknowledgement. For example, if you are an indirect treatment provider, you are not required to obtain acknowledgement.  An example of an indirect treatment provider might be an anesthesiologist who is called in to provide anesthesia during surgery. Also, there is no requirement to obtain acknowledgement from inmates of penal institutions.  Health plans and health care clearinghouses are never required to obtain acknowledgment that the notice of privacy practices has been provided.

2. If the patient does not want to sign the acknowledgement or you are not able to obtain the acknowledgement for any other reason, record on the acknowledgment form the reasons why the acknowledgement could not be obtained and place this form in the patient’s chart. However, you may proceed with treating the patient.

3. Customize the acknowledgement form. A sample acknowledgement form can be found at the end of the Notice of Privacy Practices template.

4. Modify your procedures for obtaining the acknowledgement. The Procedure Manual contains a sample procedure for obtaining and maintaining the acknowledgement form. Modify this for your organization.


An essential part of the patient’s right of choice is the right to request restrictions on your intended uses and disclosures of PHI as described in your notice of privacy practices.  For example, a patient may express their wish that physicians-in-training not be present during a physical examination. Or, a patient might request that a malpractice carrier representative not view his or her medical records as part of a “quality audit.”  A restriction request is any request in which a patient asks that their PHI uses and disclosures be different from those outlined in the notice of privacy practices. The covered entity is not required to agree to the restriction request, but must consider all restriction requests fairly.  It is important to have a process in which all accepted restriction requests are well documented.  The sample restriction request form, entitled “Request for Special Privacy Protections,” under Document Templates, contains a section for documenting restriction requests.  It also contains a statement informing the patient that this is a complete list of active restriction requests and that all previous requests are obsolete.  HIPAA does not strictly require that restriction requests be included in a specific form. However, we believe it is a good policy because it helps you to keep track of active restriction requests.

A patient (or the patient’s personal representative) may introduce new restriction requests at any time. According to the HIPAA privacy regulation, the new requests do not automatically void the previous requests.  For example, if you received five restriction requests on five different occasions, all five requests would be in effect until the patient revoked each of them individually.  This provision of the HIPAA privacy regulation creates a situation that could be very difficult for you to manage.

We recommend that you keep all restriction requests in a single document in the patient’s file. This document should include a statement that this is a complete list of restriction requests and that all previously signed documents are no longer active.  (The “restriction request” template form contains this language.) This procedure will make it easier to know which restrictions are in effect for a given patient at a given time.

Implementation Suggestion: Determining which PHI Uses and Disclosures Can Be Restricted

1) Determine in advance which restriction requests you cannot accommodate. There are some uses and disclosures that you are not able to restrict because of an operational problem or philosophical issue.  No legal or contractual obligation can be restricted.  For example, a patient may not want you to disclose their medical record to their health plan under any circumstance.  However, this request is not realistic since their health plan probably has the right to review their PHI. This “right” is often built into the Participating Provider Agreement that the provider signs.

2) If the request is not ruled out under step 1, consider the administrative problems it creates and whether your staff can voluntarily manage the restriction. There are some restrictions that you can and will honor. Therefore, it is important to consider how you will be able to restrict these uses and disclosures. HIPAA is specific about this. It is a HIPAA requirement that if your organization agrees to a restriction request you must follow through and actually restrict these items. Once you have determined “how” you can perform this restriction from an operational standpoint, write down the procedure. For example, if you believe you can effectively restrict the disclosure of patient satisfaction surveys to a health plan, you might write a procedure stating, “All patient satisfaction surveys are kept in a separate file. When a patient requests that we restrict this information, the survey is pulled from the file and a note is placed prominently on the survey, indicating the restriction.”

Here is how you can do steps 1 and 2: Review the PHI Uses and Disclosures Inventory forms (created in PrivaPlan Stat step 2). Make a list of the uses or disclosures that you cannot restrict, and a second list of any uses or disclosures that you might be willing to restrict, if requested to do so. The Privacy Official will be able to refer to these lists any time a restriction request is received.  However, the Privacy Official will still have to consider any requested restriction which does not appear on either list, and determine whether it can be legally and administratively accommodated.

3) If the request is from the patient’s personal representative, determine whether the request should be honored.  See the section on handling requests from personal representatives in the “Procedures Manual Template” under the procedure for “Individual Permission Processing.”

Implementation Suggestion: Make changes to your staff training and new staff orientation program to ensure that everyone understands the way a restriction request is handled. 

Implementation Suggestion: Determine the best way to alert all members of your staff (including physicians or providers) that a restriction request is on file. An easy way is to create a colored chart label that is attached to the front of the patient chart. If you use an electronic medical record, determine if there is an alert that can be attached to the actual record or item being restricted, or if there is a way to create an alert that a restriction request exists.

Implementation Suggestion: Develop a procedure for reviewing a “new” restriction request from an established patient, who already has an approved restriction request on file. To do this, always be sure to review the restriction request form on file for evidence that an existing restriction request is present.

Implementation Suggestion: Have the patient sign a new restriction request form whenever you agree to a new restriction request or make changes to previously accepted requests. If the patient makes a new restriction request, or revokes an old request, have the patient sign a new restriction request form that details all restriction requests that are in effect. This new restriction request form voids any previously signed restriction request forms and contains a complete list of all restrictions that are to be in effect as of the date of the signing.  (Note:  HIPAA does not require that you obtain a new restriction request form each time you accept a new restriction request.  In fact, it is not even a requirement that the patient submit restriction requests in writing.  We suggest this approach because there is less chance for confusion about which restrictions are in effect for a given patient at a given time.)

Maintenance Suggestions:

When a patient requests a restriction, review the prepared list of uses or disclosures that you might be willing to restrict.  If the restriction request is for one of the items you cannot accommodate, inform the patient that you do not agree with the restriction.  (HIPAA does not require that you give a reason for rejecting a restriction request.  We recommend that you explain your reasons to the patient so that there is no question that you carefully considered the request and to prevent a complaint.)  At this point the patient may:

  • Revoke their request.
  • Modify their request so that it reflects those items that you can accommodate.
  • Decide to seek care elsewhere.
  • Decide to keep the restriction on file, even though they have been informed that you cannot comply with their request.

The results of the above process should be documented as follows:

1. If the restriction request is denied, there is no HIPAA requirement that it be documented.  We recommend that you go beyond the HIPAA requirements and document the fact that the restriction was requested but not accepted so that there can be no confusion later concerning which restriction requests are in effect.  We have included a reviewer’s section in the sample restriction request form for this purpose.

2. If the patient’s request is accepted, include the restriction in the appropriate section of a new restriction request form, copy any existing restrictions from the current restriction request form and have both parties sign as appropriate.

If your office has more than one staff member, it is important to have periodic “awareness” training sessions regarding the importance of honoring restriction requests. Be sure to conduct this periodic training with the physician or provider staff as well. (Every member of your work force must be trained to recognize restriction requests when they hear them. For example, a patient may not say directly, “I have a restriction request.” However, the patient may say something like, “Do the trainee doctors have to be in the room?”)

  • File the restriction request in the medical record (chart). We suggest indicating any restrictions with a colored label placed somewhere on the chart.  This is not a HIPAA requirement, but we recommend this practice because there is less chance of making a mistake if there is a visible indicator on the patient’s chart.
  • Keep copies of all approved restriction requests for a minimum of six years (starting from the last date that the restriction was in effect).
  • Where possible, note the restriction on the actual PHI item.  For example, if the restriction is on disclosing laboratory forms, place a note in the lab form section of the chart or use the note feature found in most billing software systems.


Another basic right is the right to request that communications be made through confidential channels (i.e. by alternative means or at alternative locations). For example, a patient may request that messages not be left on voicemail or that he be called at his work number rather than at home. It is a HIPAA requirement that a health care provider must accommodate all reasonable requests for confidential communications and may not ask the patient to explain why the request has been made. It is also a HIPAA requirement that a health plan must accommodate all reasonable requests for confidential communications if the plan member states that improper disclosure of the information would endanger him or her.

Implementation Suggestions:

The first step is to determine the common ways that you “communicate” PHI to patients or their personal representatives. Usually this is by telephone, for example notification of test results, appointment reminders or callbacks. If you use email to communicate with patients, this is another “communication channel”. Review the PHI Inventory forms completed in Stat step 2. Make a list detailing how each of these types of PHI is communicated. You can use simple letter codes beside the inventory item. For example, “P” might stand for “by telephone” and “L” might stand for a letter or written notice.

Review this list to determine whether it is possible to communicate this information by alternative means or at alternative locations. For example, the patient might want their billing statement sent to their business address. However, if your computerized billing system can only hold one address for the patient, and that address must (for insurance claims purposes) be their residence address, you may not be able to honor this request. Note: Be very careful about refusing requests for confidential communications. The confidential communications requirement differs from the restriction request requirement in one important way: health care providers must accommodate reasonable requests for confidential communications. You may determine whether or not a confidential communication request is reasonable based solely on the level of administrative difficulty involved in accommodating the request. You may not ask the patient to explain their reasons for making the request.

“Communication” can be subtle!

Some practices send out postcards as appointment reminders. This type of open communication can subtly disclose PHI. Many practices are abandoning the postcard and using an envelope instead, but even the return address on an envelope can betray confidential information.

On the list of PHI communication items, indicate which ones your organization can realistically change to accommodate a confidentiality request. (Customize the “Confidential Channel Communication Request” and “Response to Request for Confidential Communication Channel” forms under Document Templates to reflect these conclusions.)

If the request is from the patient’s personal representative, determine whether the request should be honored. See the section on handling requests from personal representatives in the “Procedures Manual Template” in the Policies and Procedures section under the Individual Permission Processing Procedure.

Train all staff to refer every patient request for a different means of communicating their PHI to the Privacy Official, who will give the patient a copy of the appropriate request form.

Special requests apply to authorized uses and disclosures, too.

Even if you have obtained an authorization from the patient to use or disclose protected health information for purposes other than treatment, payment or health care operations (for example, for marketing purposes), the patient still has a right to request restrictions on how the information will be used and to request that communications be done through confidential channels.

Maintenance Suggestions:

How will staff be alerted to an alternate mode of communication? Consider the use of colored chart labels when a special communication request is in place. If you use an electronic medical record, determine how the software can flag the record and alert users to the alternate communication request.

Ask patients to “pre-complete” mailing labels for confidential communication requests. Sometimes a patient will request that you use a different address for confidential, written communications. If your practice is small enough and this process makes sense, consider having the patient complete a series of mailing labels ahead of time and clip these to the inside of the chart.

You can ask patients to pay a reasonable charge for alternate communication. For example, a patient who requests overnight delivery of results and appointment reminders could be asked to pay the associated charges.


About the Authors:

This PrivaGuide has been greatly improved and customized by the California Medical Association. Specifically, the work of Catherine I. Hanson, Vice President and General Counsel of the CMA and Steven M. Fleisher, Esq. of Fleisher and Associates.

Lesley Berkeyheiser

Ms. Berkeyheiser has over twenty years’ experience in the healthcare industry, most of it involving managed care, including direction and management of healthcare operations at various renowned health plans. She is Principal and founder of The Clayton Group, LLC, an independent consulting company specializing in healthcare issues including Health Insurance Portability and Accountability Act of 1996 (HIPAA) preparation work, business development and technology. She has created and/or maintains ownership in various HIPAA remediation products, including HIPAA training products (PrivaPlanED), Gap Analysis (PrivaPlan), and HIPAA Policies and Procedures (Clayton MacBain HIPAA Templates). She actively participates as Co-Chair for Security and Privacy, and was past Leader of the Vendor Technologies Interdependencies subgroup, of the Workgroup for Electronic Data Interchange Strategic National Implementation Process (WEDI SNIP). This gives her an extensive and current knowledge of HIPAA remediation solutions.

Ms. Berkeyheiser can be contacted at The Clayton Group, 53 Bethel Road, Glen Mills, PA 19342. Telephone: (610)-558-3332. Email:

David Ginsberg

Mr. Ginsberg is President of PrivaPlan Associates, Inc. and is one of the founders.

David Ginsberg is a healthcare consultant with over twenty-five years’ experience. Most recently he organized, and is Executive Director of, the Colorado Physician Network, a statewide network of 2500 physicians. Mr. Ginsberg was also Vice President of Intellectron/Medcobill, a large regional physician practice management and billing company providing services to over 1000 physicians in California; during this time he implemented the second Medicare electronic claims transmission program of its kind and pioneered an EDI solution for Medicaid.

Mr. Ginsberg has expertise in managed care operations, IPA development, physician-hospital strategic planning, practice management consulting, and compliance issues.

Mr. Ginsberg can be contacted at David A. Ginsberg Consulting, 3 Monte Alto Way, Santa Fe, NM 87508. Telephone: 877-218-7707. Email:
