Why Patients Won't Understand Their HIPAA Privacy Notices (Hochhauser)

Mark Hochhauser
Readability Consultant


I downloaded and analyzed six HIPAA privacy notice examples and 31 HIPAA privacy notices. Using several readability tools, I found that they were written at 2nd-4th year college reading levels -- instead of in plain language as required by federal HIPAA regulations. Patients will have a hard time understanding the notices because the writing styles use too many words per sentence, too many complicated sentences and too many complicated and uncommon words. A one-page "Summary Notice of HIPAA Privacy Practices" may help readers deal with the information overload created by the many elements required by HIPAA.

How readable are HIPAA Privacy Notices?

I downloaded and analyzed six HIPAA privacy notice examples and 31 HIPAA privacy notices using several software programs including Prose, WStyle 1.6, Grammatik 6.0, Key Grammar Checker, Reader 1.2 and Text Analyser. These programs calculated reading grade level, the Flesch Reading Ease Score, writing style, sentence and vocabulary complexity and word frequency and commonness.

Instead of being written in plain language as required by the HIPAA regulations, the 31 privacy notices average a 2nd-3rd year college (grade 14.5) reading level, rating them as "difficult" on the Flesch Reading Ease Score.

It is possible that some organizations evaluated the readability of their HIPAA privacy notices by relying on the Flesch-Kincaid readability formula in Microsoft Word. Unfortunately, Microsoft's version of the Flesch-Kincaid formula is flawed, scoring no higher than grade 12, regardless of the actual grade level! Average readers will find these notices hard to understand, especially the elderly and those whose primary language is not English.

Recent Census data shows that about 85% of adults have a high school degree. About 25% have one or more college degrees. Despite these levels of educational attainment, literacy research shows that many people read three-to-five grades lower than their highest level of educational attainment. Thus, it's not unusual for someone with a high school diploma to be reading at a 7th to 9th grade reading level. Because of that gap, literacy experts recommend that materials written for the general public be at about a junior high reading level.

In August, 2002, I analyzed HIPAA Privacy Notice examples from six health organizations because these organizations had developed sample HIPAA notices for their members. Although the federal government encouraged organizations to develop their own HIPAA notices, I believed that many would simply adapt their HIPAA notice from their professional organizations or from the many HIPAA privacy notice vendors. If hospitals and clinics simply used the examples provided by professional organizations, both the examples and individual patient notices should be very similar. In March, 2003, I analyzed 31 HIPAA Privacy Notices and compared them to the six sample notices. Based on eight features, both the examples and patient notices were almost identical.

Table 1: Readability Analysis of 6 HIPAA Privacy Notice Examples and 31 Patient Notices

[Table values not preserved. Rows: 6 Examples; 31 Notices. Surviving column headings: Flesch Reading Ease Score; Word Frequency (most frequent 2,000 words; next 2,000 - 5,000 words; neither list).]

The Flesch Reading Ease Score is:

Very Easy = 90 - 100
Easy = 80 - 90
Fairly Easy = 70 - 80
Standard = 60 - 70
Fairly Difficult = 50 - 60
Difficult = 30 - 50
Very Difficult = 0 - 30



Both sets of documents were written at a "difficult" reading level, at about a 2nd - 4th year college reading level, with complicated sentences and vocabulary. About 80% of the words in the two sets of documents were among the most frequent 2,000 words in English, about 9% were in the next 2,000 - 5,000 frequent words, and about 12% were on neither list, which means that HIPAA notices tend to have a large percentage of words that are uncommon to most people.

Why elderly patients will have a hard time understanding HIPAA notices

Across all age groups, people 65 and older have the lowest literacy scores, with an average educational attainment between 11th and 12th grade. Seventy-year-old patients (born in 1933) with an average 11th-12th grade education completed their education about 1951. Table 2 shows the educational attainment of the population across the age span based on March 2000 US Census Data.

Table 2: Educational attainment of the US Adult Population

[Table values not preserved. Rows under "Educational attainment (2000)": Less than 9th grade; 9th - 12th grade (no diploma); High school graduate; Some college/Associate degree; Bachelor's degree; Advanced degree.]
Some plain language criteria

Words per sentence: 26 and 24

One plain language factor is the number of words per sentence. Research suggests that to be easily understood, documents should average about 15-20 words per sentence. When sentences get too long (over 40 words), readers may forget the beginning of the sentence by the time they get to the end. The 6 HIPAA examples averaged 26.2 words per sentence; the 31 HIPAA privacy notices averaged 24.2 words per sentence. Since 12% of the words were on neither list of the most common words, each sentence contains about 3 uncommon words.

Concrete everyday words: Above average for both

Reader 1.2 software calculated word "commonness," for which a normal score is 1,450. A lower score means that the notice has many common words, a higher score that the notice has many uncommon words. The average score for the 6 examples was 1,778 and 1,594 for the 31 notices--above average for both.

Sentence Complexity: 71/100 and 72/100

Grammatik 6.0 measures "sentence complexity" based on the number of words and clauses in a document--with a maximum "very complex" score of 100. The 6 examples averaged a sentence complexity score of 71, the 31 notices a 72.

Examples of complicated sentences from 31 HIPAA Privacy Notices

"Examples of these activities include obtaining accreditation from independent organizations like the Joint Commission for the Accreditation of Healthcare Organizations, the National Committee for Quality Assurance and others, outcomes evaluation and development of clinical guidelines, operation of preventive health, early detection and disease management programs, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives, and related functions; evaluations of health care providers (credentialing and peer review activities) and health plans; operation of educational programs; underwriting, premium rating and other activities relating to the creation, renewal or replacement of health benefits contracts; obtaining reinsurance, stop-loss and excess loss insurance; conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; business planning and development; and business management and general administrative activities, including data and information systems management, customer service, resolution of internal grievances, and sales, mergers, transfers, or consolidations with other providers or health plans or prospective providers or health plans." (169 words)

"At [XYZ] we may use or disclose Protected Health Information for purposes of treatment, obtaining payment, and our health care operations without Your Consent or Your Authorization under the following three circumstances; (1) when you require emergency treatment; (2) when we are required by law to treat you and we attempt to obtain Your Consent, but are unable to obtain it and (3) when we attempt to obtain Your Consent but are unable to obtain it due to substantial barriers to communicating with you (e.g., you are unconscious or otherwise incapacitated) and we reasonably infer that you would have consented in the absence of the barriers." (106 words)

"Your health information may be used for research purposes, but only if (1) the privacy aspects of the research have been reviewed and approved by a special Privacy Board or Institutional Review Board and the Board can legally waive patient authorizations otherwise required by the Privacy Regulations; (2) the researcher is collecting information for a research proposal; (3) the research occurs after your death; or (4) if you give written authorization for the use or disclosure." (76 words)

"This will occur to the extent the disclosure is (a) required by law (b) agreed to by you or your personal representative or, (c) authorized by law and we believe the disclosure is necessary to prevent serious harm to you or to other potential victims, or, if you are incapacitated and certain other conditions are met, a law enforcement or other public official represents that immediate enforcement activity depends on the disclosure." (69 words)

"This right applies to disclosures made by us except for disclosures to carry out treatment, payment, or health care operations as described in this Notice or incidental to such use to you or your personal representatives pursuant to your authorization for our directory, or other notification purposes, or to persons involved in your care or for certain other disclosures we are permitted to make without your authorization." (67 words)

"An accounting of disclosures does not describe the ways that your health information has been shared within and between the hospital and the facilities listed at the beginning of this notice, as long as all other protections described in this Notice of Privacy Practices have been followed (such as obtaining the required approvals before sharing your health information with our doctors for research purposes)." (64 words)

"If you do not object to these disclosures or we can infer from the circumstances that you do not object or we determine, in the exercise of our professional judgment, that it is in your best interest for us to make disclosure of information that is directly relevant to the person's involvement with your care, we may disclose your protected health information as described." (64 words)

"Before we use or disclose medical information for research, the project will have been approved through this research approval process, but we may, however, disclose medical information about you to people preparing to conduct a research project, for example, to help them look for patients with specific medical needs, so long as the medical information they review does not leave the hospital." (62 words)

"We will mail you a list of disclosures in paper form within 30 days of your request, or notify you if we are unable to supply the list within that time period and by what date we can supply the list, but this date will not be exceed a total of 60 days from the date you made the request." (60 words)

"You may request in writing that Provider give you an accounting of the entities to whom your personal information was discloses in the past two years, and for the past six years if the disclosure was not for treatment, payment, health care operations, authorized by your signature, or other situations as required by law." (54 words)

"If you choose to sign an authorization to disclose your PHI, you can later revoke that authorization in writing to stop any future uses and disclosures (but only to the extent that we haven't already taken any action relying on the authorization)." (42 words)

"We are permitted to use PHI without your written authorization, or opportunity to object, in certain situations, and unless prohibited by a more stringent state law, including:..." (27 words)
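The words-per-sentence and Flesch Reading Ease checks discussed above can be reproduced with a short script. This is an added example, not the author's tooling or any of the programs named in the article: it applies the standard Flesch formula (206.835 - 1.015 x words per sentence - 84.6 x syllables per word) with a heuristic syllable counter, so its scores will differ somewhat from commercial tools. The plain-language rewrite is constructed for illustration; the notice sentence is the 42-word example quoted above.

```python
import re

# Flesch Reading Ease bands as listed in this article: (lower bound, label).
BANDS = [(90, "Very Easy"), (80, "Easy"), (70, "Fairly Easy"), (60, "Standard"),
         (50, "Fairly Difficult"), (30, "Difficult"), (0, "Very Difficult")]
TOO_LONG_WORDS = 40  # article: past 40 words, readers may lose the beginning

# Letters only, so figures such as "30" are not counted as words (assumption).
WORD_RE = re.compile(r"[A-Za-z]+(?:'[A-Za-z]+)*")

# The 42-word notice sentence quoted in the article.
NOTICE_SENTENCE = (
    "If you choose to sign an authorization to disclose your PHI, you can later "
    "revoke that authorization in writing to stop any future uses and disclosures "
    "(but only to the extent that we haven't already taken any action relying on "
    "the authorization)."
)
# Constructed plain-language rewrite, for comparison only.
PLAIN_REWRITE = (
    "You can sign a form that lets us share your health facts. "
    "You can cancel that form in writing at any time. We will then stop sharing."
)

def split_sentences(text):
    """Split on sentence-ending punctuation followed by whitespace."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]

def syllables(word):
    """Heuristic: count vowel groups, drop a silent final 'e'; at least 1."""
    w = word.lower().replace("'", "")
    n = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith("le") and n > 1:
        n -= 1
    return max(n, 1)

def band(score):
    """Map a Flesch Reading Ease score to the article's labels."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "Very Difficult"  # scores below 0 are possible for very dense text

def analyze(text):
    sentences = split_sentences(text)
    all_words = WORD_RE.findall(text)
    if not sentences or not all_words:
        raise ValueError("text contains no sentences or words")
    per_sentence = [len(WORD_RE.findall(s)) for s in sentences]
    avg_words = len(all_words) / len(sentences)
    avg_syll = sum(syllables(w) for w in all_words) / len(all_words)
    flesch = 206.835 - 1.015 * avg_words - 84.6 * avg_syll
    return {
        "words_per_sentence": per_sentence,
        "avg_words": round(avg_words, 1),
        "too_long": [n for n in per_sentence if n > TOO_LONG_WORDS],
        "flesch": round(flesch, 1),
        "band": band(flesch),
    }

if __name__ == "__main__":
    for name, text in (("notice", NOTICE_SENTENCE), ("rewrite", PLAIN_REWRITE)):
        print(name, analyze(text))
```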

Readability Plus software classifies sentences into eight categories, recommending that most sentences be classified as simple, normal and narrative, with very few sentences classified as difficult, pompous, or complicated. Unfortunately, over half the sentences in the six privacy notices were classified as difficult, pompous or complicated, and 19% were simple, normal, or narrative, as shown in Table 3.

Table 3: Types of sentences in six HIPAA privacy notices

[The "% sentences" column values were not preserved. Types of sentence:]

  • Simple: Short sentence with short words
  • Normal: Short sentence with a few long words
  • Narrative: Medium length sentence with a few long words
  • Foggy: Medium length sentence with several long words
  • Wordy: Sentence with too many words to understand
  • Elegant: Fairly long sentence with several long words
  • Difficult: Fairly long sentence with many long words
  • Pompous: Too many words to understand + too many long words
  • Complicated: Fairly long sentence with too many long words

Vocabulary Complexity: 58/100 and 58/100


Grammatik 6.0 measures "vocabulary complexity" based on the number of syllables in a document and a comparison to a word list of unusual or difficult words--with a maximum "very complex" score of 100. Both the 6 examples and 31 privacy notices averaged a vocabulary complexity score of 58.

But what are common and uncommon words? Table 4, a "Word Frequency Analysis of 6 HIPAA Privacy Notices" with all words that occurred four or more times in the six notices, is based on "The Educator's Word Frequency Guide," which calculated word frequency based on 17 million words from about 61,000 text samples from over 6,000 written materials used in American schools and colleges. If patients don't read very much, they probably will not come across many of the uncommon words found at the bottom of this list.

Table 4: Word Frequency Analysis of 6 HIPAA Privacy Notices--all words that occurred four or more times in the six notices

Word Frequency


10,000/million words

a, and, in, is, it, of, that, the, to

3,000/million words

an, all, are, as, at, be, but, by, for, from, have, not, on, one, or, their, this, when, with, you

1,000/million words

about, after, also, any, been, can, do, get, has, how, if, long, made, make, may, more, must, new, only, other, our, out, see, so, such, then, these, time, use, used, we, where, which, who, will, work, your

300/million words

asked, best, certain, change, course, example, family, food,  form, give, government, human, information, making, means, name, once, order, part, person, right, set, should, state, under, upon, us, want, without

100/million words

action, activities, addition, already, ask, believe, bill, board, business, call, care, carry, case, death, except, federal, following, friends, general, health, include, interest, involved, law, laws, materials, national, necessary, needed, notice, object, office, paper, party, pay, personal, physical, plan, present, practice, provide, research, rights, section, send, sent, sign, service, services, specific, students, subject, support, taken, team, terms, third, types, used, using, whom, workers, written

30/million words

address, administration, agency, agree, apply, appropriate, asking, authority, benefits, circumstances, civil,  communication, condition, contract, copy, crime, decisions, department, describe, described, determine, disease, drug, effective,  established, extent, foreign, hospital, individuals, insurance,  legal, limited, listed, location, mail, maintain, management,  medical, member, military, obtain, occurred, organizations,  otherwise, perform, please, post, product, professional,  programs, protect, protected, provided, purposes, quality,  receive, received, records, require, required, respect, related, relative, respect, response, safety, security, situations, statement, tissue, treat, treatment,  unable, unless, visit

10/million words

abuse, access, agencies, alternative, amendment,  appointment, approval, approved, assist, authorities,  believes, consent, consistent, criminal, director, duties,  emergency, engaged, ensure, file, identify, institution, marketing, operations, organ, patients, payment, reasonable, representative, request, requirements, review, secretary

3/million words

accompanying, administrative, anticipation, applicable, associates, authorized, compensation, compliant, compliance, defects, deny, designated, disability, enforcement, facility, funeral, inspect, neglect, physicians, premises, proceeding, privacy, proposal, provision, relates, relevant, religious, repairs, requested, requests, reviewed, revised, violated, violation

1/million words

abide, adverse, affiliation, billing, directory, disclosed, entity, Medicare, notify, recalls, restriction, surveillance


accrediting, authorization, correctional, disclose, disclosure, donation, fundraising, healthcare, notification, notifying, oversight, procurement, protocols, provider, rebuttal, revoke, subpoena


Writing Style: Poor and Weak

WStyle writing analysis program rated the 6 examples as "poor"; the 31 notices as "weak," with 2 notices being "satisfactory," 13 as "weak," and 16 as "poor."

A document design problem

Our health plan sent us a "Member Privacy Notice." It's 3 1/2 pages long (single-spaced), but does not have any page numbers. The notice refers to the health plan simply as "Provider" (not "the Provider") so there are sentences such as:

  • What types of personal information does Provider collect?
    When you enroll or renew with Provider, the consent provided on your enrollment application allows Provider and its business associates to collect, maintain, use and share your personal information to provide service to members, manage our business, or conduct related activities.
  • With whom does Provider share information?

How many people will read this and think that they're members of the "Provider health plan?"

Plus, the notice includes a "Medical authorization letter" that's written at about a 3rd year college reading level. Neither the "Member Privacy Notice" nor the "Medical Authorization Letter" came with any type of introductory letter or explanation; indeed, there was no logo and no corporate letterhead on either document. One section should have been placed elsewhere in the Notice; additional grammatical errors suggest that the documents were not written or proofread very carefully. Or maybe they bought a generic HIPAA privacy notice and neglected to replace the generic "Provider" with the name of the health plan.

Comparing HIPAA privacy notices to other privacy notices

In 2001, I analyzed 60 financial privacy notices that were distributed to consumers as a requirement of the Gramm-Leach-Bliley (GLB) Act. The HIPAA notices are written only slightly better than the GLB notices. www.privacyrights.org/ar/GLB-Reading.htm  

[Comparison table values not preserved. Columns: Readability Factors; 31 HIPAA Notices; 60 GLB Notices. Rows: Flesch Reading Ease; Reading Grade Level; Sentence Complexity; Vocabulary Complexity; Writing Style.]

What rights do patients have if they don't understand their rights?

HIPAA privacy notices may be given to patients along with other written materials. For example, in Minnesota, patients are given a 10-page, 4,221-word "Minnesota Patient Bill of Rights" booklet that describes patient rights under Minnesota and federal law. However, this booklet is not well written, making it difficult (if not impossible) for most patients to understand. And will patients take the time to read three documents totaling 6,500 words describing their patient "rights?"

Readability of Minnesota patient documents

Average readability factors for three documents, in column order: Bill of Rights; Rights Under Federal Law; HIPAA Notice.

  • Document Length: 2,752 words; 1,469 words; 2,269 words
  • Flesch Reading Ease: 15/Very Difficult (the only value preserved for this row)
  • Reading Grade Level: Graduate School; 4th-Year college; 2nd-3rd yr college
  • Writing Style; Sentence Complexity; Vocabulary Complexity; Most frequent 2,000 words; Next frequent 2k-5k; Neither List: values not preserved

Re-writing such documents in plain English may be almost impossible. A patient representative at a Minneapolis hospital told me that the Minnesota Association of Patient Representatives tried to have the patient "Bill of Rights" written in more understandable language. Because that had to be done through the legislative process, they were told that patient representatives could not provide a more understandable document without also providing the original as written by the legislature. The Association could not get help to re-write it in a way that would assure accuracy--as determined by the legislature. Even if they could, that might mean giving patients an original version and a revised version. If both Minnesota and federal laws were re-written, would patients read all four documents? If HIPAA Notices were re-written, would patients read all six documents?

Less information = more understanding

Legislators, policy makers, and writers believe that HIPAA Notices written in plain language will be easier to understand than if written in legal and bureaucratic language. But that may not be true. Plain English may help readers understand fairly short, non-technical documents, but the HIPAA privacy regulations are very complex. Communication problems may have less to do with plain language than with information overload. There are so many required elements in HIPAA that writing the Notice in plain language won't help comprehension much, since readers still have to understand all of the required elements. The amount of information may be more important than the grade level at which it's written. One way to increase understanding is to use a "layered" approach, which includes a one-page HIPAA summary and the longer HIPAA privacy notice. Here's an example of what a HIPAA Privacy Notice Summary might look like.

Summary Notice of HIPAA Privacy Practices



We may share your health information to:

  • treat you
  • get paid
  • run the hospital
  • tell you about other health benefits & services
  • raise funds
  • include you in the hospital directory
  • tell family and friends about you
  • do research

We may use your health information for:

  • health and safety reasons
  • organ & tissue requests
  • military purposes
  • worker's comp. requests
  • lawsuits
  • law enforcement requests
  • national security reasons
  • coroner, medical examiner or funeral director use

You have the right to:

  • get a copy of your medical record

  • change your medical record if you think it's wrong

  • get a list of whom we share your health information with

  • ask us to limit the information we share

  • ask for a copy of our privacy notice

  • complain in writing to the hospital if you believe your privacy rights have been violated


Flesch, R. (1949) The Art of Readable Writing. New York: MacMillan.

Hochhauser, M. (2001) Lost in the Fine Print: Readability of Financial Privacy Notices. Posted on the Privacy Rights Clearinghouse Website, July 2001.

Text Analyzer. Profile 1: Word Frequency Text Profiler for the first 2000 and next 2000 - 5000 Most Frequent Words.

Zeno, S.M., Ivens, S.H., Millard, R.T. & Duvvuri, R. (1995) The Educator's Word Frequency Guide. Brewster, NY: Touchstone Applied Science Associates.