Notice me – communicating patient privacy rights through effective notices

by Penelope Hughes, Maya L. Frazier 9 minutes read

Published in The Clarity Journal 75 – 2017

Penelope Hughes and Maya Frazier

Privacy plays a vital role in society, and the concept of health information privacy has persisted for a particularly long time, with providers’ obligation to protect the privacy of their patients dating back to the Oath of Hippocrates. Even in today’s world, as individuals engage and share more and more information online, they still value and hold dear Brandeis’ “right to be let alone.” Information sharing and data collection has increased across a myriad of industries, and in the area of health care, the adoption of electronic health records has significantly expanded the sharing and storage of individuals’ health information online. However, along with this growth in online engagement comes an increased likelihood that individuals’ information will be collected and shared in ways they may not anticipate. In such an environment, privacy notices take on a critical role, especially when sensitive information, such as health records, are at issue.

The Obama Administration’s 2012 Consumer Privacy Bill of Rights identified ‘transparency’ as a pivotal privacy right of individuals in the modern digital economy. Specifically, the Administration notes “consumers have a right to easily understandable and accessible information about privacy and security practices.” The globally recognized Fair Information Practice Principles (FIPPs), developed in the 1970’s and the foundation of many international privacy frameworks, also include notice and disclosure of information practices as a key principal. Similarly, the FTC’s “fair information practice codes” include notice as one of five core principles of privacy protection – “the most fundamental principle is notice.” The report continued, “without notice, a consumer cannot make an informed decision as to whether and to what extent to disclose personal information.” Additionally, there are a number of academic studies documenting the need for easily understandable privacy notices.

Privacy notices can be difficult to design and implement effectively. In the case of privacy notices related to health information, there are specific content requirements that must be included in notices posted by health care providers and others subject to the Health Insurance Portability and Accountability Act (HIPAA). However, complex technical privacy notices often have the unintended consequence of leaving individuals in the dark about the very practices they are meant to communicate. Rather than reading the content, individuals often blindly sign, hit ‘accept’, or outright skip privacy notices. Particularly in the health care space, where the information involved is sensitive, individuals need easier to understand notices to correctly ascertain how their information is being used, secured and shared. Clearer notices can also aid individuals in exercising their statutory rights to access their own health information and become more engaged in their health care, thus improving their health outcomes. A recent Office of the National Coordinator for Health Information (ONC) blog stated that “individuals with access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and fix errors, and directly contribute their [health] information to research.” Given the necessity for understandable and user-friendly privacy notices, ONC along with the Office for Civil Rights (OCR), which enforces HIPAA, launched a model Notice of Privacy Practices (NPP) project to develop model privacy notice content to be used by health care providers and other HIPAA covered entities nationwide. This article will explore the process of developing the model Notices of Privacy Practices (Model NPPs), the goals of the project, its key components, and results.

“Complex technical privacy notices often have the unintended consequence of leaving individuals in the dark about the very practices they are meant to communicate”.

Background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides individuals with a variety of rights and protections in regard to their health information. In particular, the Privacy Rule provides individuals with rights over their health information, such as the right to access a copy of their health records, and outlines how their health information may be utilized and disclosed.14 Under HIPAA, covered entities (CEs) – health plans, health care clearinghouse, and certain health care providers – are required to provide a notice of privacy practices (NPPs) explaining this information to individuals.

NPPs outline individual rights with respect to protected health information (PHI), how CEs use and disclose PHI, CEs legal responsibility in regard to PHI, and contact information for individuals looking for more detailed information about a CEs privacy policy. However, given the complex nature of NPPs, individuals may misunderstand their health information rights or opt to not read the notices at all. Privacy notices, across all industries, tend to be long, complex, and overloaded with legalese,15 and consequently are often ignored.16 Research shows that privacy notices are “more difficult to understand than the average issue of the New York Times17 and even people with advanced, professional degrees struggle to grasp their contents.18 This is particularly concerning in the case of NPPs, which communicate important information about individuals’ health data and health rights.

Goal of project

ONC and OCR recognized that model NPP language based on the requirements of HIPAA could be helpful in presenting this very important information in a way that would be easier for individuals to understand and act upon. While CEs have considerable discretion in how they present the information required in an NPP, the content is fairly sophisticated and technical, and could create challenges for the average person to understand. For example, the NPP must describe and include examples of permitted uses and disclosures of PHI for treatment, payment and operations purposes; describe other purposes for which the covered entity is permitted or required to disclose PHI; and, describe an individual’s rights with respect to PHI. ONC and OCR thus focused on taking the language and content required by the HIPAA Privacy Rule and creating a customizable template with simplified but accurate language that could be used by CEs to produce an easy to understand notice that would still satisfy the HIPAA requirements.

When creating the model NPP language, two goals were particularly important: creating understandable content and enabling readers of the notice to have   the knowledge necessary to take appropriate action relative to their health care information. As described earlier, research has found that notices of privacy practices are often not read by individuals, and even when they are read, they are poorly understood. Preliminary consumer testing of privacy notices of health care providers conducted as part of the project similarly indicated that consumers often don’t bother reading the notice and misunderstand the content. For example, Maya serves as a privacy policy program analyst for the Office of the Chief Privacy Officer within the Office of the National Coordinator for Health Information Technolo- gy at the U.S. Department of Health and Human Services.

Maya provides analyses on privacy policies and regulation related to health information technology and produces vari- ous educational resources for stakeholders, namely small- mid-size physician providers. Maya has also collaborated with various ONC offices to produce the forthcoming Model Privacy Notice.

NOTES

  1. Rothstein, Mark, The Hippocratic Bargain and Health Information Tech- nology. Journal of Law, Medicine & Ethics, 2010
  2. Timeline: A History of Privacy in America https://www.scientificamerican. com/article/timeline-a-histo- ry-of-privacy/; Madden, Mary and Rainie, Lee. Americans’ Attitudes About Privacy, Security and Surveillance, http://www.pewinternet. org/2015/05/20/ameri- cans-attitudes-about-priva- cy-security-and-surveillance/, 2015; see also Raine, Lee and Duggan, Maeve, 3. Sce- nario: Health information, convenience and security http://www.pewinternet. org/2016/01/14/scenario-health-information-conve- nience-and-security/, 2016; Martin, Kristen, Privacy Notices as Tabula Rasa :

An Empirical Investigation into How Complying with a Privacy Notice Is Related to Meeting Privacy Expectations Online, Journal of Public Policy & Marketing, 2015; Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global

Digital Economy https:// www.whitehouse.gov/sites/ default/files/privacy-final.pdf

  • ONC Data Brief, https:// www.healthit.gov/sites/ default/files/oncdatabrief-phy- sician-ehr-adoption-motiva- tors-2014.pdf, 2014
  • Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Inno- vation in the Global Digital Economy https://www.white- house.gov/sites/default/ files/privacy-final.pdf, 2012
  • Id.
  • Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress https:// www.ftc.gov/reports/ privacy-online-fair-infor- mation-practices-elec- tronic-marketplace-feder-

al-trade-commission

  • Federal Trade Com- mission. Privacy Online: A Report to Congress,1998 https://www.ftc.gov/sites/ default/files/documents/ reports/privacy-online-re- port-congress/priv-23a.pdf
  • Id.
  • Martin, Kristen. Privacy Notices as Tabula Rasa: An Empirical Investigation into How Complying with a Privacy Notice Is Related to Meeting Privacy Expectations Online, Journal of Public Policy & Marketing, 2015

10 See 45 CFR §164.520

11 Martin, Kristen. Privacy Notices as Tabula Rasa:

An Empirical Investigation into How Complying with a Privacy Notice Is Related to Meeting Privacy Expec- tations Online, Journal of Public Policy & Marketing, 2015; Liu, Fei et al., A step towards usable privacy

policy: Automatic alignment

some participants in the consumer testing group believed that the NPP was a form telling them that their information is kept private, when in reality it describes how information is used and shared. Therefore, when developing the model language for the NPP, one important goal was to create an NPP that consumers would be more likely to read and understand.

A second goal was to create an actionable notice. Beyond simply comprehending the language of the notice, it is important for individuals to also understand their health information rights and how to act on those rights – for example, by requesting a copy of their health information. As such, the project sought to create model NPP language that would be easy for individuals to digest and act on after reading the notice. Preliminary consumer testing conducted for the project found that individuals respond positively to the concept of health information rights and want to learn more about that topic. Testing also found that when individuals understand that they have these rights, they are more motivated to take action. To make the language more actionable, the NPP project focused on identifying issues around health information rights that may be difficult or hard for patients to understand, and then clarifying and simplifying that language.

Strategy

Developing model NPP language that presents complex, regulatory-required language in a way that is easy for individuals to understand and act on is an ambitious goal, and it required a thoughtful strategy with significant amounts of user-testing and iterative design. ONC contracted with Kleimann Communication Group to conduct these activities and develop the model notice. The project had multiple phases, including context setting, identifying ways to best present this information to individuals, and conducting multiple rounds of cognitive testing with iterative refinement of the design. These major phases, and related key findings, are described in more detail below.

When setting the context, the contractor first conducted a thorough literature review. The literature review identified important recurring themes, including that NPPs are often too long and complex, individuals do not understand them, and because they often have no clear narrative flow, individuals are not inclined to act on them. Additionally, the contractor conducted initial focus groups that confirmed and echoed these findings. For example, participants in the initial focus groups indicated that they do not generally read NPPs, and that they misunderstand them, often believing the NPP states that their information will be kept private. A key finding during this phase was the strong interest participants have in their health information rights, and in particular the right to inspect and request a copy of their health information. Participants felt this information was the most important aspect of the NPP. Upon learning about their health information rights, participants indicted they were motivated to take action.

“Developing model NPP language that presents complex, regulatory-required language in a way that is easy for individuals to understand and act on is an ambitious goal, and it required a thoughtful strategy with significant amounts of user-testing and iterative design.”

During the formative design phase, the contractor explored the best ways to present NPP information to individuals, focusing on the key messages and content that needed to be emphasized. This included focusing on how to present information about HIPAA and health information rights in a way that would inspire individuals to take action. As part of this phase, the contractor held multiple design meetings and developed a variety of prototypes for testing.

And finally, during the cognitive testing and iterative design phase, the contractor developed and refined the final product. Cognitive testing was quite extensive, including a pre-testing round and four additional rounds of focus group testing in different areas of the country, with an average of seven participants per focus group. After each round of testing, data and input from the focus group was analyzed to identify important insights and patterns related to how participants were understanding the notice content and how likely they were to act upon it. The results of each round of testing were used to refine and improve the design of the NPP until reaching the final iteration.

Project Results

The final model NPP content and design achieved the major goals of being both understandable and actionable. The model language was well-received by stakeholders and successfully balanced providing accurate information based on the HIPAA regulation requirements while using content more easily understandable to the average person. For example, the required content was broken down into simple organizational buckets entitled “Your Information”, “Your Rights,” and “Our Responsibilities,” and the language within each section was simplified based on multiple rounds of consumer testing. Also, the model language and design was made more action oriented by listing “Rights” in the order of importance to individuals and phrasing them as actionable steps that individuals could take. The first item listed under “Rights” on the notice states “You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you. Ask us how to do this.” By making this content and design choice, it is easier for individuals to understand their right to get a copy of their health information and take the appropriate steps.

As further evidence of the success of the project, the target audience for the model NPPs, health plans and health care providers, responded well to the design. Reviews of the NPPs found them easy to read and useful, as well as a helpful baseline and convenient way for CEs to comply with the HIPAA requirements.19 The model NPPs have been continually accessed and downloaded since their release, and since being posted they have been downloaded over 200,000 times.

It is clear that multiple rounds of focus group testing with appropriate audiences and the incorporation of an iterative design process were critical components in this project and key to creating a successful final product. Also important was the involvement of OCR, the federal agency with regulatory and enforcement authority regarding HIPAA and its notice of privacy practices requirement. Combined, this careful attention to the language and design of NPPs achieved the goal of engaging the consumer and presenting useful, usable notice content about health information practices and important rights while fully complying with regulatory requirements. Hopefully the availability of this resource will result in more individuals understanding and acting on the rights they have with respect to their health information, in particular by requesting a copy of their own health information and becoming more engaged in their health care.

of privacy statements, Carnegie Mellon University Research @CMU, 2014; Balebako, Rebecca, et al., The impact of timing on the salience of smartphone app privacy notices, Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, 2015

12 45 CFR §164.524

Access of individuals to pro- tected health information.

13 DeSalvo, Karen, and Samuel, Jocelyn. Empower- ing Patients: New Videos to Promote Access to Elec- tronic Health Information, https://www.healthit.gov/ buzz-blog/consumer/ empowering-patients-vid-

eos-promote-access-electron- ic-health-information/, (2016)

14 See 45 CFR §164.520

McDonald, Aleecia and Cranor, Lorrie. The cost of reading privacy policies, I/S: A Journal of Law and Policy for the Information Society, 2008

Martin, Kristen. Privacy Notices as Tabula Rasa: An Empirical Investigation into How Complying with a Privacy Notice Is Related to Meeting Privacy Expectations Online, Journal of Public Policy & Marketing, 2015

Id.

Id.

Gold, Kimberly. OCR Publishes Model Notice of Privacy Practices, Health Law and Policy Matters, 2013; see also Adam Greene, HHS Issues Model Privacy Notices, Davis Wright Tremaine LLP Privacy and Security Law Blog, 2013.