Oral Privacy and HIPAA: We Really Need to Talk

by Jodi Jacobs

Oral privacy is not a new need or requirement in healthcare. However, because it is now backed by a federal mandate, it is receiving newfound attention. With the passing of the April 14, 2003, deadline for HIPAA compliance, hospitals, pharmacies, clearinghouses, physician’s offices, military medical bases, life insurers, information systems vendors, and other related healthcare facilities who used the “wait and see” approach to HIPAA are now searching for solutions to provide oral privacy to protect personal health information (PHI).

Why is Oral Privacy Important?

Oral privacy is only one part of the exhaustive HIPAA regulations but is easily one of the more difficult concepts. Consider the many healthcare-related conversations that go on every day in any hospital, pharmacy, or other healthcare providing organization. The number of possible oral privacy violations could be staggering. Unless healthcare providers implement a reasonable solution that creates a safeguard for these conversations, healthcare providers are at the mercy of every open mouth.

Although it may seem daunting, securing oral privacy is not as difficult as you may think. Although initially focused on electronically communicated healthcare information, the original HIPAA privacy laws also covered oral communications. Many felt that by regulating oral communications the Department of Health and Human Services (HHS) had exceeded the legislative mandate. Others were concerned with the difficulty of being able to meet and comply with the oral privacy regulations.

What Does the Rule Say?

In an effort to clarify these provisions, HHS amended the privacy rules in August 2002 and published guidance on December 2, 2002, which further explained the oral communication provisions. The new rules explicitly permit an incidental oral disclosure that:

  • cannot reasonably be prevented
  • is limited in nature
  • is a by-product of an otherwise permitted use

HHS clarifies that the privacy rule is not intended to stop healthcare providers from talking to their patients or with each other and reestablishes that the primary consideration of all healthcare providers must be the appropriate treatment for their clients. The privacy rule does not require that healthcare facilities be retrofitted to provide sound proof or private rooms. However, they are required to provide reasonable safeguards to protect PHI that is communicated orally. “Reasonable safeguards” are understood to mean that covered entities must make reasonable efforts to prevent uses and disclosures of oral information not permitted by the rule. Incidental disclosures are only allowed to the extent that the covered entity has applied reasonable safeguards.

Industry Practices and Standards

In the absence of stringent guidelines for safeguarding PHI, HHS has indicated that it will look at what other “prudent” professionals are doing to protect oral privacy when determining whether a covered entity has taken adequate measures to avoid having conversations overheard.

In regard to industry-accepted measurements for oral privacy, industry standards for speech (oral) privacy such as those set by the American Society of Testing and Materials (ASTM) have existed for decades. ASTM has been providing quantifiable practices, tools, and measurements to assess speech privacy levels. For years, speech privacy professionals have used ASTM standards to establish acceptable and unacceptable levels of normal and confidential speech privacy for business and healthcare facilities alike.

ASTM measures speech privacy by using an articulation index (AI). AI represents how all elements in and properties of a space affect the ability to understand speech. AI is expressed as a decimal value between 0 (speech is unintelligible) and 1.00 (speech is completely intelligible). An AI of .20 or less will result in a space that provides normal to confidential speech privacy.

It is important to understand that a conversation is considered private if it is an unintelligible conversation (one that cannot be discernible) to a nonparticipant. This type of conversation will not jeopardize the oral privacy rights of an individual.

The Correlation Between Oral Privacy and Best Practices

A correlation can be seen between the HIPAA mandate for oral privacy and the speech privacy methods used for over 30 years by industry professionals. On one hand you have federal legislation requiring oral privacy and on the other you have industry-accepted methods and measurements for achieving speech privacy. To secure oral privacy, you must have speech privacy. They cannot exist without the other.

Meeting the New Oral Privacy Standards

Meeting the new oral privacy standards can be as simple as implementing a common-sense approach to speech privacy. In fact, you may be able to meet the new privacy standards by applying a two-part solution that is straightforward and time tested.

To provide speech privacy as part of a comprehensive privacy plan, healthcare providers must have a quality ceiling tile in place. Ceiling tiles that feature higher noise reduction coefficient (absorption) and ceiling attenuation class properties are available in a variety of styles and materials. To fully meet the new oral privacy standards, sound masking should be added in order to introduce an unobtrusive, ambient background sound into the space. Sound masking is usually installed in the area between the ceiling tile and the deck above, known as the plenum, and is set one to three decibels above conversational speech. Sound masking works by gently raising the ambient background sound level and enables conversations to take place with an established degree of privacy.

As of April 14, 2003, everyone has a right to oral privacy with concern to his or her PHI. The OCR will be accepting complaints for alleged violations of the HIPAA privacy rule by covered entities. A fact sheet is available at the OCR Web site at www.hhs.gov/ocr/privacyhowtofile.htm. Violations are expensive- penalties for non-compliance can cost providers up to $250,000 and up to 10 years in prison. As a federal issue, oral privacy has certainly become something to talk about.

Jodi Jacobs is the marketing director for Lencore Acoustics Corp, a firm providing sound masking systems to office and healthcare environments. She can be reached at (516) 223-4747 or via e-mail at jjacobs@lencore.com.


Article citation:
Jacobs, Jodi. "Oral Privacy and HIPAA-We Really Need to Talk." In Confidence 11:6 (June 2003), p.4-5.