Compliance vs. Communication: Readability of HIPAA Notices (Hochhauser)

Reprinted with permission of Clarity, No. 50, Nov. 2003.

By Mark Hochhauser
Psychologist; consultant on document readability and writing style


2003 HIPAA privacy notices

In April 2003, patients in the US began receiving Health Insurance Portability and Accountability Act (HIPAA) privacy notices from their doctors, hospitals, clinics, pharmacies, and other "covered entities" that use their personal health information. HIPAA privacy notices were designed to inform patients of their privacy rights regarding their personal health information, and what they could do to limit the "use and disclosure" of that information.

As part of the HIPAA regulatory guidelines (Section 164.52(b), Content of Notice), privacy notices were to be written in "plain language" (Final Privacy Rule Preamble, II. Section-by-Section Description of Rule Provisions).

They are not. The regulations tell writers that "A covered entity can satisfy the plain language requirement if it makes a reasonable effort to: organize materials to serve the needs of the reader; write short sentences in the active voice, using "you" and other pronouns; use common, everyday words in sentences; and divide materials into short sections." (p. 137, Final Privacy Rule Preamble). These modest requirements proved insufficient to get HIPAA writers to use plain language. The requirements were essentially ignored.

As part of my consulting work with the US Department of Health and Human Services, I downloaded and analyzed six privacy notices and 31 online privacy notices. I found them to be written at an average 2nd- to 4th-year college reading level. Patients will have a very hard time understanding the notices. The typical writing style used too many words per sentence, too many complicated sentences, and too many uncommon words.

While federal guidelines require HIPAA notices to be written in plain language and offer some suggested guidelines about plain-language writing strategies, there are no penalties if organizations do not write their notices in plain language. Also, the regulations did not include any examples of materials actually written in plain language.

In the aftermath of HIPAA, companies are issuing bizarre press releases touting that they are "HIPAA compliant", even though their notices are virtually incomprehensible to the average reader. For these companies, being compliant means that they have appropriate measures in place to protect patients' health information, not that they've written plain-language privacy notices. So they are "compliant" and "non-compliant" at the same time.


The legal need to "comply"

An employee of a state agency dealing with HIPAA emailed me: "However, the language required by the law and regulation make it near impossible to comply with regulations and make this a readable document." To that, a colleague in a federal agency dealing with HIPAA replied: "What a cop out", seeing that argument simply as a rationale for not writing notices in plain language.

The only language required verbatim in the notices is the all-capitalized header that must accompany all privacy notices:


"Comply with regulations" is the key phrase. When HIPAA rules first came out, various health associations had law firms write sample notices that the associations made available to their members. From the very beginning, notices were written to comply with federal regulations, not to communicate privacy rights to patients. Many of the notices looked or sounded alike, probably because the health-care organizations simply used (sometimes with only minor changes) the examples that their professional associations had developed.

But this was not the goal of HIPAA regulations. Each health-care organization was supposed to develop its own unique notices. That they did not is testimony to the complexity of HIPAA regulations. For example, they cover 187 single-spaced pages in the Federal Register (Standards for Privacy of Individually Identifiable Health Information; Final Rule), and a further 168 pages in the Final Privacy Rule Preamble II: Section-by-Section Description of Rule Provisions. In addition, these 355 pages were only a small part of all HIPAA regulations, which were developed in the Clinton Administration and changed by the Bush Administration. Health-care organizations clearly believed that to reduce the likelihood of being non-compliant and getting into trouble with the federal government, the safest thing to do was to use the language of their health-association law firms. If law firms approved the language, then it must be all right, even if it wasn't "plain language."

Lawyers try to protect their clients from legal problems. It's not surprising, then, that the HIPAA notices, which are written with much legal input, tend to reflect legal language rather than patient language. Unfortunately, it may be almost impossible for most HIPAA privacy notice writers to communicate in language that is both legally compliant and understandable to patients. I've had several HIPAA privacy notice writers tell me that "The lawyers made us use this language." So legal input (and legal language) trumps plain language. It is interesting how much influence lawyers have over the content of materials written for consumers. Lawyers seem to be the final judge of what's acceptable or unacceptable, and no other employee in the organization seems to be able to override those judgments.

But this preference for legal language over plain language is not unique to HIPAA. About two years ago, I also reviewed 61 Gramm-Leach-Bliley financial privacy notices that were supposed to inform consumers of their financial privacy rights. These notices were written at about a 3rd- to 4th-year college reading level. They had too many complicated sentences and too many uncommon words. And so I was not surprised that both HIPAA notices and the financial privacy notices were unreadable, because the same emphasis on compliance over communication was at work in both settings. In fact, I do not believe that federal regulators can pass any law requiring consumer privacy notices to be written in ways that consumers can understand.


Reading vs understanding

In the spring of 2002, a US Food and Drug Administration speaker at a clinical trials conference said that the FDA was requiring clinical-trial consent forms (which may include HIPAA privacy information) to be written at a sixth-grade reading level, but was not able to offer any rationale for that requirement. Let me make some comments on that. First, I doubt that anyone in the federal bureaucracy can write a consent form at a sixth-grade reading level; anyone who recommends that kind of writing should be required to provide an example. Second, on the basis of Rudolf Flesch's Reading Ease Score, a consent form written at a sixth-grade level would have to average about 14 words per sentence and 139 syllables per 100 words. Since consent forms are a combination of both legal and medical jargon, writing to meet that criterion is virtually impossible. While some medical terms can be made simpler, they probably can't be made simple enough to reach a statistical sixth-grade reading level.
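Flesch's Reading Ease formula behind the figures above, as an added example that is not part of the original article: it turns the two averages (words per sentence, syllables per 100 words) into a score, then applies the same computation to two constructed passages, one in the compliance register the article describes and one modelled on the plain-language bullets of Table #3. The syllable counter is a heuristic approximation, not the dictionary-based counting that readability software uses.

```python
"""Flesch Reading Ease check for notice text (added example, not from the article)."""
import re

# Coefficients of Flesch's 1948 Reading Ease formula.
_BASE, _WORDS_PER_SENT, _SYL_PER_WORD = 206.835, 1.015, 84.6


def reading_ease_from_averages(words_per_sentence: float,
                               syllables_per_100_words: float) -> float:
    """Reading Ease score from the two averages readability software reports."""
    return (_BASE
            - _WORDS_PER_SENT * words_per_sentence
            - _SYL_PER_WORD * (syllables_per_100_words / 100.0))


def count_syllables(word: str) -> int:
    """Approximate syllable count: one per vowel group, minus a trailing silent 'e'.
    This is a heuristic; it overcounts some words (e.g. 'covered')."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and n > 1:
        n -= 1
    return max(n, 1)


def text_statistics(text: str) -> dict:
    """Word, sentence and syllable counts plus the two averages the formula needs."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    n_words, n_sent = len(words), max(len(sentences), 1)
    syllables = sum(count_syllables(w) for w in words)
    return {
        "words": n_words,
        "sentences": n_sent,
        "syllables": syllables,
        "words_per_sentence": n_words / n_sent,
        "syllables_per_100_words": 100.0 * syllables / n_words,
    }


def reading_ease(text: str) -> float:
    """Reading Ease score (0-100 scale, higher is easier) for a passage."""
    s = text_statistics(text)
    return reading_ease_from_averages(s["words_per_sentence"],
                                      s["syllables_per_100_words"])


# Constructed sample in the compliance register the article criticises (not a real notice).
LEGAL_SAMPLE = (
    "The covered entity may utilize and disclose protected health information "
    "for purposes of treatment, payment and health care operations as permitted "
    "or required by applicable federal and state regulations."
)

# Constructed sample modelled on the Table #3 plain-language bullets.
PLAIN_SAMPLE = (
    "We may share your health information to treat you. We may share it to get paid. "
    "We may share it to run the hospital."
)

if __name__ == "__main__":
    print("Score for the article's sixth-grade averages (14 wps, 139 syl/100 words):",
          round(reading_ease_from_averages(14, 139), 1))
    for label, sample in (("legal", LEGAL_SAMPLE), ("plain", PLAIN_SAMPLE)):
        st = text_statistics(sample)
        print(f"{label}: {st['words']} words, {st['words_per_sentence']:.1f} words/sentence, "
              f"{st['syllables_per_100_words']:.0f} syllables/100 words, "
              f"score {reading_ease(sample):.1f}")
```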

Behind such "write to the formula" recommendations is the assumption that if you write at a lower grade level, more people will understand. However, this assumption has not been borne out by the research studies (1-8). These studies assessed the impact of rewriting consent forms, patient education materials and jury instructions from higher grade levels to lower grade levels. The results are mixed. Sometimes comprehension is better, sometimes it isn't. But subjects in many of these studies tended to be college-educated, among whom the impact of plain language might be less evident.

Writing at a sixth-grade level does not mean that materials can be understood by anyone with a sixth-grade education; that's a common misconception. It does not take into account changes in psychological development and how thinking skills change from concrete to abstract during adolescence. Not everyone develops into an adult with good abstract thinking skills, so readers at any age may be concrete thinkers who simply will not be able to understand abstract information in HIPAA privacy notices, financial privacy notices, informed-consent forms, patient-rights documents, etc., regardless of the grade level at which they are written. Readability and understanding are not the same.


Less information = more understanding

Readability formulas do not measure information overload. (However, I find the total number of words, sentences, and syllables per word provided by some readability software to be very helpful in estimating the amount of information readers have to process.) With changes in technology since readability formulas were developed, many writers have suggested that our technologically advanced culture can give people more information than their brains can process and understand. Different writers use different terms: "information overload" (Alvin Toffler), "information fatigue syndrome" (David Lewis), "data smog" (David Shenk), "information anxiety" (Richard Wurman). These terms try to capture what happens when readers are confronted with more information than they can easily process.

Informed-consent forms are "cognitively complex." The FDA regulates clinical trials, and requires each consent form to contain eight basic elements of informed consent (purpose, risks, benefits, etc.) and six "when appropriate" elements (9). Add to that five HIPAA elements, and recipients have to read and understand a consent form that includes 13-19 pieces of information (see Table #1 below).


Table #1: FDA Required Elements of Informed Consent

Eight basic elements

  • A statement that the study involves research, an explanation of the research purposes and expected duration of the subject's participation, a description of procedures to be followed, and identification of experimental procedures.
  • A description of any reasonably foreseeable risks or discomforts to the subject.
  • A description of any benefits to the subject or to others which may reasonably be expected from the research.
  • A disclosure of appropriate alternative procedures or courses of treatment, if any, that might be advantageous to the subject.
  • A statement describing the extent to which confidentiality of records identifying the subject will be maintained and noting the possibility that the FDA may inspect the records.
  • For research involving more than minimal risk, an explanation as to whether any compensation and any medical treatment are available if injury occurs and, if so, what they consist of, or where further information may be obtained.
  • An explanation of who to contact for answers to pertinent questions about the research and research subjects' rights, and who to contact in the event of a research-related injury to the subject.
  • A statement that participation is voluntary, that refusal to participate will involve no penalty or loss of benefits to which the subject is otherwise entitled, and that the subject may discontinue participation at any time without penalty or loss of benefits to which the subject is otherwise entitled.

Six additional elements of informed consent to be used when appropriate:

  • A statement that the particular treatment or procedure may involve risks to the subject (or to the embryo or fetus, if the subject is or may become pregnant) which are currently unforeseeable.
  • Anticipated circumstances under which the investigator may terminate the subject's participation without the subject's consent.
  • Any additional costs to the subject that may result from participation in the research.
  • The consequences of a subject's decision to withdraw from the research, and procedures for orderly termination of participation by the subject.
  • A statement that significant new findings developed during the course of the research which may relate to the subject's willingness to continue participation will be provided to the subject.
  • The approximate number of subjects involved in the study.

HIPAA-related elements of informed consent (still evolving)

  • Use and disclosure of personal health information for research.
  • Use and disclosure of research information for treatment, payment, and facility administration.
  • Access to information relating to your participation in the study.
  • Right to decline/withdraw authorization.
  • Expiration of authorization.

At this point, reading-grade levels are almost irrelevant. Instead of helping people make an informed decision, too much information often leads to increased stress, confusion, impaired judgment, helplessness, and paralysis through analysis.


Informed-consent forms and HIPAA - some suggested improvements

Because medical information about human subjects in clinical trials can be shared with drug companies, federal regulatory agencies, contract research organizations, insurance companies, and the like, clinical trial consent forms will have to include a HIPAA notice as part of the informed consent process. Moreover, because consent forms suffer from the same language problems as HIPAA notices, a summary might help readers understand these incredibly complicated materials.

Table #2 is an example of an informed-consent summary that could give prospective subjects an overview of a clinical trial (10). I have been told by some in the clinical trial industry that it's too simple and doesn't include enough information. My response is that it's supposed to be simple. Would you rather have a subject read the summary or sign the consent form without reading it at all?

Too much information is an especially serious problem for older readers. President Clinton asked medical researchers to include more elderly subjects in clinical trials. But research shows some age-related declines in cognitive skills. These include short-term memory, long-term memory and reasoning, all beginning at about age 60-65. At the very time researchers are trying to recruit older subjects, those potential subjects will be starting to experience cognitive declines that may make it more difficult for them to understand the research-consent process!

And so it is with HIPAA. A large percentage of hospital patients are Medicare patients aged 65 and older. Many will be completely overwhelmed by the cognitive demands of trying to read and understand typical HIPAA privacy notices, especially those printed in tiny type.


Table #2: Informed Consent Summary

  • What's the purpose of this study?
    This is an experiment to compare two cancer drugs for your bone cancer.
  • What's the procedure?
    You'll get an experimental drug or standard treatment, blood tests, and physical exams for 6 months.
  • What are the risks of being in this study?
    Side effects: fever, weakness, loss of appetite. Your cancer might not get better.
  • What are the benefits of being in this study?
    You probably won't benefit. But your involvement may help others with bone cancer.
  • Can I choose alternative treatments with existing cancer drugs?
    Yes. You can choose standard medical treatment instead.
  • Is information about me kept confidential?
    Yes. Your name will not appear in any publications. We may share information with government agencies.
  • Who should I contact if I have any questions?
    Dr. Smith at 555-123-4567, or Dr. Jones at 555-987-6543 for questions about your rights as a subject.
  • Is my participation voluntary?
    Yes. You may leave the study at any time without losing any benefits.

When HIPAA rules were being developed, an early strategy required patients to sign that they understood their HIPAA privacy rights. By the time the final rules came out, that requirement was changed to having patients sign only that they had been given their HIPAA notice, not that they understood it. Had the "sign here that you understand" requirement been kept, millions of Americans would have signed HIPAA notices that were actually incomprehensible. They had to sign; without that signature they could not be medically treated. But aside from collecting and counting signatures, and concluding that everyone understood their HIPAA rights because they said they did, what's the point of asking people to sign a document they don't understand? That would be compliance without communication.


What rights do patients have if they don't understand those rights?

This conflict of "compliance versus communication" pervades other areas of health care as well. In my home state of Minnesota, HIPAA privacy notices are given to patients along with other written materials (see my HIPAA report). For example, clinic and hospital patients receive a 10-page, 4,221-word "Minnesota Patient Bill of Rights" booklet describing patient rights under Minnesota and federal law. The Minnesota rights section is written at about fourth-year college level; the federal rights section is written at graduate-school reading level. However, when combined with HIPAA notices (which are handed out separately, because patients have to sign that they received a HIPAA notice), these three patient-rights documents total about 6,500 words (the equivalent of about 26 double-spaced pages of text), about 30 minutes of reading time for average readers.

Rewriting such documents in plain language is almost impossible. The Minnesota Association of Patient Representatives tried to have the patient "Bill of Rights" written in plain language. Because it had to be done through the legislative process, they were told that patient representatives could give patients a more understandable document without giving them the original legislative version. But the Association could not get help to rewrite it in a way that would assure accuracy, as determined by the legislature. Even if they could, patients would have to be given both original and revised versions. If both Minnesota and federal laws were rewritten, would patients read all four documents? If HIPAA notices were rewritten, would patients read all six documents? And so in Minnesota, hospitals and clinics comply with state law by giving patients copies of their "Patient Bill of Rights", even if patients can't understand those rights.


Typing versus document design

Although federal HIPAA regulations required plain language, they also stated: "We do not require particular formatting specifications, such as easy-to-read design features (e.g., lists, tables, graphics, contrasting colors, and white space), type face, and font size" (p. 137 of the Final Privacy Rule Preamble). I was not surprised, therefore, to hear that one health-care organization shrank their HIPAA notice down to about 3 pages by simply reducing the font size! Nothing like making readers squint to read about their privacy rights.

Document-design features, such as the amount of white space in margins and between paragraphs, font size, the number of fonts, the use of illustrations, highlighted text or text in boxes, etc., can make a big difference in a document's appeal to the reader. Without any formatting specifications, most HIPAA privacy notices were simply typed, not designed.


The layered design

Federal guidelines suggested a "layered notice," as long as the key elements were included in the HIPAA notice given to patients. In this way, HIPAA requirements could be met by giving patients both a short notice that briefly summarized their rights, and a longer notice that contained all the required elements. Some support for this suggestion came from financial privacy notice research, where consumers said they didn't want to read six single-spaced detailed pages; couldn't the writers give them a shorter summary? But this recommendation was optional, not required, and I have seen only one HIPAA privacy notice (Kodak) using a layered design. In a layered design, the first layer of the privacy notice would be something like my one-page bullet point example below (Table #3). For readers interested in more details, the next few pages would be the typical HIPAA notice (the 2nd layer). Federal regulations require that the header "THIS NOTICE DESCRIBES..." be in all-capital letters; plain-language guidelines did not apply.

It would be wonderful if HIPAA privacy notice writers could develop a one-page summary of HIPAA. But there's such an emphasis on compliance that many health care organizations simply are afraid that a one-page summary doesn't give enough information, and that they might be sued for being "non-compliant." I've been told that my one-page summary isn't feasible because it doesn't provide enough information! That's why it's a one-page summary, not a six-page single-spaced document. Others have developed one-page privacy notice summaries; they include the Atlanta law firm of Hunton and Williams and Eastman Kodak. Has any organization been sued because their information was too easy to understand? In 2001, a federal agency employee told me, in relation to financial privacy notices, "You can't be sued for telling the truth."


The importance of consumer psychology

Is it fair to say that nobody can comply with the notice requirements and still communicate clearly? If so, is it because the ideas are too complex or there are too many pieces of information? The answers to these questions are "yes" and "no."

It's probably impossible to develop a privacy notice that can be understood by 100% of the population. Admitting that, a goal for policy makers and federal regulatory agencies is to consider what percentage of the population they'd like to be able to read and understand a privacy notice-100%? 75%? 50%? 25%? 5%?


Table #3: Summary Notice of HIPAA Privacy Practices

Summary of your Privacy Rights

We may share your health information to:

  • treat you
  • get paid
  • run the hospital
  • tell you about other health benefits & services
  • raise funds
  • include you in the hospital directory
  • tell family and friends about you
  • do research

We may use your health information for:

  • health and safety reasons
  • organ and tissue donation requests
  • military purposes
  • worker's compensation requests
  • law-enforcement requests
  • national-security reasons
  • coroner, medical-examiner or funeral-director use

You have the right to:

  • get a copy of your medical record
  • change your medical record if you think it's wrong
  • get a list of whom we share your health information with
  • ask us to limit the information we share
  • ask for a copy of our privacy notice
  • complain in writing to the hospital if you believe your privacy rights have been violated

When I talked with someone at a federal regulatory agency about testing the 2001 financial privacy notices, the response was: "We never thought of that." All the effort went into developing the notices, and none into measuring their outcome.

Policy makers are thinkers and writers, not researchers and evaluators. From a political standpoint, decisions are often made for reasons that have nothing to do with measures of success or failure.

But if you're an evaluator, an evaluation strategy is a key part of project development and implementation from the very beginning. If you're not an evaluator, you may try to figure out how well a program works after it's been in place for a while. Many times that just can't be done. I've worked with too many clients who bring me in at the end of a project and want me to help them figure out if it worked or not; usually there's no way to answer that question adequately, because the program wasn't developed with evaluation in mind.

Privacy concepts are complicated with many pieces of information. But research would show how much privacy information people actually understood. I'm not aware of any research on that topic. The federal agencies seem naively to assume that if it's written in plain language, everyone will understand it. That's nonsense. You can't write anything that everyone will understand. Intuitively, you'd think that plain language would make it more understandable; but you need evidence to support that belief. The federal agencies appear unaware of the potential problem of information-overload in privacy notices, and how the amount of information may be more important than the (plain) language in which those notices are written.

In short, federal agencies are recommending only one strategy, with no specific evidence to support it. But is plain language enough? What about document design issues? What do consumers want? No one has asked the public what kind of privacy notices they'd prefer to read, or done studies on the kind of privacy notices they really do read. Without consumer testing, plain language recommendations will not prove very effective.

Privacy-notice writers should be working with marketing experts in their organization, to conduct research into privacy notices the way they conduct market research on other corporate products and services. For example, consumer-testing could evaluate several different privacy notice formats. What do consumers understand? What don't they understand? Is there a "best" format that all financial and health-care institutions could use as a template? Without any evidence-based standard, how can companies develop privacy notices that consumers can read and understand? The only way to do that is to involve consumers as a key part of the privacy notice design and writing process.


Is it ethical to give people information they can't understand?

There are ethical implications in giving people information they cannot understand and act on, particularly when the presumed goal of that information is to enable people to make informed choices based on what they believe is best for them. On the one hand, policy makers and regulators argue that patients need more and more information so they can make better decisions. On the other hand, if information = empowerment, what are the ethical consequences of giving people incomprehensible information and then expecting them somehow to make better choices based on information they can't understand?

Unreadable information is unethical because it takes away the ability of patients to make a truly "informed" choice. At best, patients make choices that are uninformed or misinformed-not informed. How can they make informed decisions if they can't understand the information upon which those decisions are supposed to be based? Patients can't be expected to make good decisions based on bad information.

© M Hochhauser 2003

Further Reading

1. Davis, T.C., Holcombe, R.F., et al (1998) Informed Consent for Clinical Trials: A Comparative Study of Standard versus Simplified Forms. Journal of the National Cancer Institute, 90(9), 668-674.

2. Cardinal, B.J. (2000) (Un)Informed Consent in Exercise and Sport Science Research? A Comparison of Forms Written for Two Reading Levels. Research Quarterly for Exercise and Sport, 71(3), 295-301.

3. Young, D.R., Hooker, D.T. & Freeberg, F.E. (1990) Informed Consent Documents: Increasing Comprehension by Reducing Reading Level. IRB: A Review of Human Subjects Research, May-June 1990, 1-5.

4. Davis, T.C., Bochini, J.A., Fredrickson, D., et al (1996) Parent comprehension of polio vaccine information pamphlets. Pediatrics, 97(6 Pt 1), 804-810.

5. Davis, T.C., Fredrickson, D.D., Murphy, A.C., et al (1998) A polio immunization pamphlet with increased appeal and simplified language does not improve comprehension to an acceptable level. Patient Education & Counseling, 33(1), 25-37.

6. Coyne, C.A., Xu, R., Raich, P., et al (2003) Randomized, Controlled Trial of an Easy-to-Read Informed Consent Statement for Clinical Trial Participation: A Study of the Eastern Cooperative Oncology Group. Journal of Clinical Oncology, 21(5), 836-842.

7. Masson, M.E.J. & Waldron, M.A. (1994) Comprehension of Legal Contracts by Non-Experts: Effectiveness of Plain Language Redrafting. Applied Cognitive Psychology, 8, 67-85.

8. Charrow, R.P. & Charrow, V.R. (1979) Making Legal Language Understandable: A Psycholinguistic Study of Jury Instructions. Columbia Law Review, 79, 1306-1374.

9. Food and Drug Administration. Information Sheets for Institutional Review Boards and Clinical Investigators (FDA, Rockville, MD, 1995)

10. Hochhauser, M. (2002) The Informed Consent-How Literate Is Your Research Participant?-and "Therapeutic Misconception" SoCRA Source, August 2002, 34-37.


Mark Hochhauser PhD is a consultant in Golden Valley, Minnesota, USA. A psychologist by profession, he researches, writes and consults on document readability and writing style. He has written extensively about readability issues and HIPAA privacy notices, online privacy, informed consent, health plan membership materials, HMO report cards, and ethical issues in clinical trials.