We are continuously bombarded with commercialized communication – everything is a sales pitch, everything is clickbait, everything is designed to scream for your attention and your dollars.
So instinctively we know that the most effective communications are those bits of authenticity that break through – the welcoming feel and focus of personalized service and direct communication.
And yet we throw that all out when it comes to disclaimers and notices.
I recently switched to a new medical provider, and they really do their best to communicate in a way that’s authentic and comfortable. Cozy space, friendly staff, a pre-service meeting with your provider in a quiet meeting space rather than an exam room.
But then they hand you the same “Notice of Privacy Practices” paperwork that you’d get anywhere else.
Now, the paperwork is important. It outlines an individual patient’s rights and the obligations of the provider under HIPAA and related regulation with the goal of ensuring that the patient is protected.
But when everyone uses the same standard boilerplate, it really calls into question how effective it could possibly be. That friendly staff at the clinic? They know to hand over the paperwork (or at least to offer it.) They’ve certainly seen it from their own care providers.
But I strongly suspect they, and most everyone in their position, have never thought about it from the position of the provider. You get the boilerplate policy, search-replace the details that are specific to you, hopefully have a lawyer make sure it doesn’t have any gaps, and you’re done.
But should you be?
For example, in the US any health care provider is required to have Business Associate Agreements between the provider and any third party vendor who may have access to protected health information. The language is virtually the same in every privacy notice I’ve ever read:
We may share your protected health information with third party “business associates” that perform various activities (e.g., billing, transcription services, accounting services, legal services) for the practice. Whenever an arrangement between our office and a business associate involves the use or disclosure of your protected health information, we will have a written contract that contains terms that will protect the privacy of your protected health information.
As a patient, the key things in this block of legalese are simple:
- The doctor I’m seeing doesn’t do everything in-house. They have outside service providers do things for them. Okay, fair enough.
- Sometimes that stuff the providers will do means they have to know some of my personal health information. Seems obvious.
- The doctor will in those cases have a contract that says the information has to be protected. Okay.
So that’s all good, right? Privacy is an important issue for people, and your patients deserve to know their information is protected.
But is this the best way to do that? Especially if you’re concerned about authentic communication?
And for that matter, if you’re going to authentically communicate to your patients that you’re going to be taking these steps to protect their privacy, are you confident your policies and procedures actually do that?
The core of that clause above is the idea that when a medical practice shares personal information with third parties for business reasons, they’ll ensure the information is protected and stays private. But I’ve read almost as many Business Associate Agreements as I have Privacy Notices, and those are usually boilerplate too.
So how should you, a conscientious, aware, authentic communication-minded care provider address this issue?
Step one: make it a standard practice to read the Business Associate Agreements.
And not just as the owner or manager of the practice. Talk about them with your staff.
Ask questions. Think about the information being shared, whether it’s necessary or not, and if so what steps should be taken to protect it.
Ask how you feel about your information, or that of your family, friends, and loved ones, being shared this way.
Expect the provider to take this issue seriously, not as a check-the-box compliance measure but instead as a core part of their service delivery.
Step two: train your staff to be able to talk to your patients about their privacy protection.
Give them the information, tools, and confidence to able to communicate effectively with patients who have concerns in the days following major breach announcements.
They need to know how your practice protects their privacy.
Step three: take the boilerplate and rewrite it.
You don’t need (and really shouldn’t) change what it says – you really do need to protect your practice, and this helps.
But you can say it in ways that match the tone and style of your practice, and give your patients the assurance that this isn’t just a burden you suffer but something you’re doing to ensure their safety and security beyond the medical care you provide.
Authentic communication and effective processes and policy go hand in hand. Both involve thoughtful consideration, recognition that details matter, and an awareness that extra effort and attention pay off in customer care and service delivery.