August 2001 Bulletin

Basics of Notice of Privacy Practices

By Janice G. Cunningham

The Department of Health and Human Services (HHS), under a mandate in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), issued regulations pertaining to patient privacy. Now that the privacy regulations have become final, orthopaedic practices are scrambling to be compliant by April 14, 2003.

Of all the requirements, the regulations dealing with patient consents seem to be causing much confusion for orthopaedic practices. Orthopaedic surgeons and administrators believe they will need a separate consent to release information each time they send a bill or communicate with a referring physician.

The regulations will require planning and preparation initially. However, once your practices policies and forms are in place, you will find that the consent requirements are not as cumbersome as you might think.

The regulations require that patients be provided with advanced written notice of the practice’s policies and procedures regarding the use and disclosure of protected health information. This Notice of Privacy Practices is the starting point for patient Consents and Authorizations under HIPAA.

In addition to describing the orthopaedic practice’s policies regarding the use and disclosure of protected medical information, the Notice must also explain the practice’s legal duties and the patient’s rights. The language of the Notice must be clear and must contain:

Orthopaedic practices should begin to develop the Notice of Privacy Practices now. Although the requirements may be cumbersome initially, the Notice, once developed, should require updates only as internal policies or the laws change.

Note that if your orthopaedic practice maintains a web site, a copy of the Notice must be prominently displayed. The Notice may be given to patients electronically, but only if they consent in writing to receive it in this medium.

Consents vs. Authorizations

All patients must be given the Notice of Privacy Practices. In addition, patients will need to execute a Consent or an Authorization, unless an exception exists. Exceptions include:

There are a few instances where an orthopaedic patient may be given the opportunity to agree or object verbally to the release information. These limited circumstances include situations where hospitals verify admittance and provide the room number or general condition of a patient, for example.

Health care information that does not identify or for which there is no reasonable basis to believe will identify a patient individually is not protected by the privacy regulations. If, for example, you aggregate certain statistics, you do not need a Consent or Authorization.

Note that these HIPAA privacy Consents and Authorizations differ from the informed consent orthopaedic practices obtain for treatment and/ or procedures. The privacy Consents and Authorizations deal with the use and disclosure of protected health information only. Orthopaedic practices will still need to obtain informed consent where appropriate.

While both the Consent and the Authorization have specific requirements, which are discussed later, the Authorization is much more involved. Determining whether you need a consent or an authorization hinges on the intended use or disclosure of the protected health information.

The privacy regulations make a distinction between protected information that will be used or disclosed for treatment, payment or health care operations as opposed to any other use or disclosure. For these three critical uses, a consent is required. For all other uses, including research, fundraising and marketing, a much more specific Authorization is needed.

Fortunately for typical orthopaedic practices, most, if not all, disclosures or uses of protected health information will fall into one of the three big categories:

Treatment. The Consent will cover communications between and disclosures to referring orthopaedic surgeons and specialists, hospitals and other healthcare facilities, and other providers for providing treatment.

Payment. The Consent will cover typical payment related activities such as verification of coverage, pre-certifications, referrals, claims processing and the like.

Health care operations. The Consent will cover certain administrative and management activities such as compliance monitoring, quality improvement, and business planning for the provider.


Once you have determined that a patient’s protected health care information will only be used or disclosed for treatment, payment or health care operations purposes, you must have the patient sign a written Consent. A new Consent need not be executed for each disclosure or use, so long as the Notice of Privacy Practices, which is referenced in the Consent, covers all of the possible disclosures or uses pertaining to treatment, payment or health care operations. If you make a change to your policies, you must then update the Notice and will need to notify patients.

Thus, so long as these activities are in the Notice, orthopaedic practices may send share medical information with other health care providers for treatment purposes, send reminder cards to patients and even notify patients with the same diagnosis of new treatment options that may be available without obtaining a separate consent.

The Consent must be written in plain language and must be separate from the Notice itself. The Consent must:

Note that an orthopaedic practice may refuse to accept a patient who refuses to sign the Consent or who wishes to place additional limitations on the practice. Providers may not refuse to accept a patient for refusal to sign an Authorization.


Authorizations are required for uses or disclosures of protected health information for purposes other than treatment, payment or health care operations. Typically, these may involve disclosures for research, marketing or fundraising.

Authorizations must include:

Because Authorizations are very specific, patients must complete a separate form for each use or disclosure. An orthopaedic surgeon may not condition treatment on whether or not a patient will execute an Authorization for a particular purpose.

Obtaining patient consent prior to the release of confidential medical information is not a new concept for orthopaedic practices. The HIPAA privacy regulations standardize the process. Although the requirements seem cumbersome at first, once the appropriate forms have been developed, most orthopaedic practices adapt quickly.

©2001, The Health Care Group®

Janice G. Cunningham, JD, is a consultant and attorney with The Health Care Group and Health Care Law Associates, P.C., based in Plymouth Meeting, PA.

Home Previous Page