Safe & Sound with Marianne Kolbasuk McGee

Making Privacy Notices User-Friendly

Contest Solicits Ideas for a Better Approach

Notices of privacy practices, as required by HIPAA, aren't widely understood by consumers - if they even bother to read their dense language. Federal regulators are trying to change that.

For starters, two agencies of the Department of Health and Human Services - the Office for Civil Rights and the Office of the National Coordinator for Health IT - recently developed a new model for making paper notices of privacy practices easier to understand.

Now the agencies are upping the ante by asking for help in developing a digitized version of the notices. They're offering $15,000 in prize money for the best patient-friendly design.

ONC and OCR's new Digital Privacy Notice Challenge is calling for designers, developers and patient privacy experts to submit an online notice of privacy practices that is "compelling, readable, and understandable by patients and easily integrated into websites," ONC Chief Privacy Officer Joy Pritts writes in a blog promoting the effort.

"Using the model paper notices as a baseline for content and format, health IT developers must think outside-the-box in creating an online version that helps break down barriers for patients taking greater control of their healthcare," Pritts says. The open-source NPP generator will live on GitHub - a website where developers can share code - and will be available for free so that any organization can implement it on its website, she notes.

HHS deserves credit for drumming up fresh ideas for presenting dull material. After all, it's important for patients to read and understand these notices, which explain how healthcare providers use and disclose consumers' protected health information.

Makes Sense

The move toward digital NPPs makes a lot of sense, privacy and security experts say.

"More and more patients and health plan members get their information online, so the digital version is growing in importance," says Kate Borten, principal of consulting firm The Marblehead Group. "And it needs to be simplified, just as the paper models are, with information broken down into blocks with graphics, and with the use of plain language."

Consumer privacy advocate Deven McGraw says offering clearly written, web-based NPPs is critical as more health data is digitized.

"Consumers transact a lot of business digitally and expect to be able to do so with their healthcare providers as well," says McGraw, director of the Center for Democracy & Technology's health privacy project, and chair of the Privacy and Security Tiger Team that advises ONC's HIT Policy Committee. "As the degree of digital connectivity between providers and patients increases, it becomes even more important to adapt routine patient communications like the NPP to the digital realm."

Contest Details

The deadline for submitting your ideas for the contest is April 7. A review panel will determine the winning entries in May.

Winning entries must demonstrate:

  • Accurate use of content from the paper NPP;
  • Use of best practices in presenting Web content for public consumption;
  • Visual appeal;
  • Capacity to customize content and link to other relevant content.

What do privacy experts want to see in a digital NPP design?

"I like what HHS did with the model NPP - but it needs to be adapted to a digital context, where there is less space within a single view to convey information but more opportunity to leverage the capacity to link to more information - thus, no need to put it all on one page," McGraw says.

As for me, I'm no Web developer, so you won't see me entering the contest. But as a patient and consumer, I'd like to see embedded links to definitions of terms commonly found in NPPs. For instance, what activities are considered "marketing" of protected health information? What's considered a "disclosure" of PHI?

If patients have easy access to clear explanations of terms that get sprinkled into these NPPs, that could help improve comprehension and perhaps prompt patients to ask their healthcare providers meaningful questions about where their PHI might flow.

Another option that should be considered for the digital NPPs is including embedded URLs that allow patients to easily connect to an organization's privacy officer to securely submit a question about the notice - or file a privacy complaint. Hot links directing patients to OCR's HIPAA complaint website or to additional HIPAA information would be helpful, too.

What are your ideas for improving NPPs? We'd like to hear from you.



About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



