The Privacy Rule stipulates that a valid HIPAA authorization form must be completed before using or disclosing Protected Health Information for a purpose not otherwise allowed by the Rule. This article discusses the circumstances in which an authorization may be required and what constitutes a valid HIPAA authorization form.
The HIPAA Privacy Rule protects the privacy of individually identifiable health information by limiting uses and disclosures of Protected Health Information (PHI). The limitations on uses and disclosures are summarized in five categories by the Privacy Rule:
- Required uses and disclosures of Protected Health Information.
- Uses and disclosures for treatment, payment, or healthcare operations.
- Uses and disclosures for which a HIPAA authorization form is required.
- Uses and disclosures requiring an opportunity for the individual to agree or object.
- Uses and disclosures for which neither an authorization nor the opportunity to agree or object is required.
The Privacy Rule categorization of uses and disclosures can be confusing inasmuch as it implies all uses and disclosures of PHI are allowed except those for which a HIPAA authorization form is required. However, that is not the case as the following descriptions explain.
Required uses and disclosures of PHI
There are generally two circumstances in which a use or disclosure is required: when access to PHI is required by the Department of Health and Human Services (HHS) for a compliance review, and when an individual exercises their right to access PHI maintained about them by a Covered Entity or Business Associate, or to request an Accounting of Disclosures.
There are limitations to these required uses. HHS can only request access to PHI “pertinent to ascertaining compliance with the applicable administrative simplification provisions”, while individuals can only request access to PHI maintained in a designated record set. Similarly, limitations exist in what PHI should be included in an Accounting of Disclosures.
Additionally, further uses and disclosures of PHI may be required if a state law pre-empts HIPAA. In many states Covered Entities are required to disclose PHI to report child abuse, neglect, or domestic violence. It may also be the case that mandatory disease reporting is required by public health authorities during a public health event such as the COVID-19 pandemic.
Disclosures for treatment, payment, or healthcare operations
There can sometimes be a misconception that all disclosures of PHI for treatment, payment, or healthcare operations are permitted by the Privacy Rule – but this is not the case. For example, disclosures of PHI for treatment purposes are only permitted when there is a “treatment relationship” between the entity making the disclosure and the entity receiving the PHI.
Disclosures of PHI for healthcare operations cover a multitude of events from business planning and the development of clinical guidelines to training future healthcare professionals and resolving internal grievances. There seem to be few limitations to when PHI can be disclosed for healthcare operations, provided PHI disclosed in these operations remains within a Covered Entity.
However, with regards to what PHI can be disclosed in this category, the Privacy Rule includes an exception to the Minimum Necessary standard for treatment purposes, but not for payment or healthcare operations purposes. Therefore, all disclosures of PHI for payment and healthcare operations purposes must be limited to the PHI required to achieve the intended purpose.
Uses and disclosures for which a HIPAA authorization form is required
The Privacy Rule standard relating to when a HIPAA authorization form is required (§164.508) is one of the reasons people get confused about permissible uses and disclosures. This is because the standard states “Except as otherwise permitted or required by this subchapter [the Privacy Rule], a Covered Entity may not use or disclose PHI without an authorization that is valid under this section.”
This standard is not only unfortunate in its placement – coming after “permitted and required” uses and disclosures, but before disclosures for which an authorization is not required – but also neglects to acknowledge that some required uses and disclosures exist outside the Privacy Rule – for example, in the General Provisions relating to Compliance and Investigations (Part 160, Subpart C).
Furthermore, this standard is light on details – stipulating that a HIPAA authorization form is required for the disclosure of psychotherapy notes, the use of PHI for marketing, and the sale of PHI. All other uses and disclosures of PHI that require a HIPAA authorization form – for example, disclosures to the media for a public interest story – are not covered.
Uses and disclosures requiring an opportunity to agree or object
This is another section of the Privacy Rule that can cause confusion about when a HIPAA authorization form is required because it stipulates the circumstances in which a Covered Entity can orally inform an individual that they have the right to agree or object to a use or disclosure, and orally accept the individual's agreement or objection.
The events for which an opportunity to agree or object must be provided are limited to partial disclosures to a hospital directory, to members of the clergy, and to third parties who ask for the individual by name. Such disclosures can also be made without giving an individual the opportunity to agree or object if the individual is incapacitated and the disclosures are considered to be in the individual's best interests.
Nonetheless, in these circumstances, some Covered Entities ask individuals to complete a HIPAA authorization form – or at least document that an opportunity to object has been provided and the individual has not taken advantage of it. While useful "for covering one's back", unnecessary documentation reduces efficiency and creates more administration for medical personnel.
Times when neither an authorization nor the opportunity to agree or object is required
The uses and disclosures for which neither an authorization nor the opportunity to agree or object is required appear to be simply more permissible uses and disclosures. There are pages and pages of such uses and disclosures in the Privacy Rule, some of which overlap with the previously mentioned required disclosures for reporting child abuse, neglect, or domestic violence.
Many uses and disclosures in this section have limitations on them beyond the minimum necessary standard. For example, a Covered Entity may only disclose to an employer information the employer requires to comply with OSHA reporting requirements in the event of a work-related illness or injury. Similar limitations apply with regards to the immunization of minors and disclosures to schools.
However, while this section lists more permissible uses and disclosures, it also contains some prohibitions. If, for example, an individual is undergoing medical treatment for a condition that has led to them committing a violent crime, PHI collected by the Covered Entity from the individual during the course of the treatment cannot be disclosed to law enforcement officials.
When is a HIPAA Authorization Form Necessary?
Other than in the examples provided above, there are not that many obvious circumstances in which a HIPAA authorization form would be necessary. However, the failure to obtain a valid HIPAA authorization form when one may be perceived to be necessary could result in complaints to HHS' Office for Civil Rights – whether justified or not – for alleged violations of the Privacy Rule.
For this reason, when a Covered Entity or Business Associate conducts a risk assessment ahead of implementing safeguards to comply with the Administrative Requirements of the Privacy Rule (§164.530), it is recommended that any uses or disclosures of PHI not expressly permitted by the Privacy Rule are reviewed to determine whether a HIPAA authorization form is necessary.
If it is determined necessary for a use or disclosure of PHI to be supported by a HIPAA authorization form, forms should be created and procedures should be developed for how to complete the forms so they are valid. Workforces must be trained on the occasions when a HIPAA authorization form is necessary and shown how to complete and document an authorization form to ensure it is valid.
One further recommendation is to include any additional occasions when an authorization is required in the Notice of Privacy Practices beyond those required by the Notice of Privacy Practices standard (§164.520). This standard states a Notice of Privacy Practices must include:
“A description of the types of uses and disclosures that require an authorization under §164.508(a)(2)- (a)(4) [psychotherapy notes, marketing, and the sale of PHI], a statement that other uses and disclosures not described in the notice will be made only with the individual’s written authorization, and a statement that the individual may revoke an authorization.”
By determining which uses and disclosures of PHI should be supported by a HIPAA authorization form, training the workforce, and including the additional occasions in a Notice of Privacy Practices, Covered Entities can avoid unnecessary complaints to HHS' Office for Civil Rights – thus reducing the amount of wasted time acknowledging and responding to the complaints.
What Should a HIPAA Authorization Form Include?
The objective of asking an individual to sign a HIPAA authorization form is to get their informed permission to use or disclose PHI for a purpose not expressly permitted by the Privacy Rule. Therefore, the individual needs to understand what is being disclosed, what the disclosure is for, and who the disclosure is being made to – and be comfortable with the use or disclosure.
Consequently, the HIPAA authorization form should be written in clear English (or the native language of the individual). It should warn the individual that any PHI used or disclosed with their authority may be further used or disclosed by the recipient, and possibly without the protections of the Privacy Rule in place depending on the proposed use or disclosure.
The individual should be told they have the right to revoke the authorization, along with details of how they can exercise that right, and the form should list any exceptions to the right to revoke. The form should also include an expiration date or event (e.g., the end of a trial, if the date is unknown) at which the authorization terminates and the PHI can no longer be used or disclosed.
Finally, the HIPAA authorization form should state that the covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on whether the individual signs the authorization. The form should be signed and dated by the individual or the individual's representative. If a representative is signing the form, the relationship with the individual must be detailed along with a description of the representative's authority to act on the individual's behalf.
Regional and Use Case Variations on Authorization Form Templates
While it is possible to download a HIPAA authorization form template and use it in its downloaded format, some Covered Entities operating in locations where state laws pre-empt HIPAA, or where additional information is required, may find it necessary to design a HIPAA authorization form more appropriate to the purposes for which an authorization is being sought.
For example, in New York, a separate HIPAA authorization form has been designed by the New York State Office of Court Administration for when PHI is released for disclosure in litigation. In Connecticut, the Department of Mental Health and Addiction Services has designed a form appropriate for individuals with psychiatric conditions, and in Texas, the standard HIPAA authorization form has been amended to comply with Texas' Medical Records Privacy Act.
Consequently, while a HIPAA authorization form template may be suitable for some Covered Entities, it will not be suitable in its unedited format for all. Covered Entities unsure about what should be included in their HIPAA authorization forms should seek professional compliance advice.
FAQs
What makes a valid HIPAA authorization?
The core elements of a valid authorization include: a meaningful description of the information to be disclosed; the name of the individual or the name of the person authorized to make the requested disclosure; and the name or other identification of the recipient of the information.
What does the minimum necessary rule guide healthcare providers to do?
The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.
What is an example of HIPAA authorization?
"I hereby authorize use or disclosure of protected health information about me as described below. I understand that the information used or disclosed may be subject to re-disclosure by the person or class of persons or facility receiving it, and would then no longer be protected by federal privacy regulations."
Can you fill out a HIPAA form online?
Yes. Online form builders offer HIPAA-compliant medical forms; for example, Cognito Forms, trusted for years by physician offices, medical centers and regional healthcare systems, makes it easy to build and manage HIPAA-compliant online medical forms.
Is an electronic signature allowed under HIPAA?
Yes. HIPAA does not mandate that documents be signed in a particular way. Instead, the law is focused on ensuring PHI is handled properly.
How do I get HIPAA authorization?
- A description of the PHI.
- The name of the person making the authorization.
- The name of the person or organization who is authorized to receive the PHI.
- A description of the purpose for the use or disclosure.
- An expiration date for the authorization.
- The signature of the person making the authorization.
Does a HIPAA authorization need to be notarized?
No, a HIPAA authorization does not need to be notarized. In fact, you don't even need a witness to see you sign the form.
What is required for HIPAA verification?
Under the HIPAA Privacy Rule, a provider, before disclosing PHI to someone who requests it, must verify that person's identity and authority. This rule applies when that person's identity or authority are not already known to the provider.
What are three requirements of HIPAA's minimum necessary rule?
- Disclosures required by law.
- Uses or disclosures for which an authorization is secured in accordance with the HIPAA Privacy Rule.
- Uses or disclosures that are required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) regulations.
How many guidelines are in HIPAA?
HHS initiated 5 rules to enforce Administrative Simplification: (1) Privacy Rule, (2) Transactions and Code Sets Rule, (3) Security Rule, (4) Unique Identifiers Rule, and (5) Enforcement Rule.
What 3 types of disclosures do not require patient authorization per HIPAA?
A covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) ...
Should you allow HIPAA authorization?
Should I sign this "HIPAA Authorization" for release of my medical records? No, you should not sign the HIPAA authorization for the release of your medical records. Often, the insurance company will act as though they cannot begin to decide how much money to offer you until they have all of your medical records.
How long is a HIPAA authorization valid?
Q: How long does an authorization remain valid? A: It remains valid until the expiration date/event, unless the patient revokes it beforehand in writing. A revocation doesn't affect actions your organization took while the authorization was still valid.
How often should a patient fill out a HIPAA form?
We recommend reviewing your authorization forms every few years or so, however, to confirm none of the data has changed, and any time an outside event would require a new form (such as a name change, a patient who turns 18, or another scenario).
How do I fill out an authorization to release personal health information?
- The name of the person or entity authorized to make the request (usually the patient).
- The complete name of the person or entity to receive the protected health information (PHI).
- A specific description of the information to be used or disclosed, including the dates of service.
Why do I have to sign a form?
The law requires your doctor, hospital, or other health care provider to ask you to state in writing that you received the notice. The law does not require you to sign the "acknowledgement of receipt of the notice."
Can a HIPAA authorization be combined with other documents?
(i) An authorization for the use or disclosure of protected health information for a research study may be combined with any other type of written permission for the same or another research study.
Is email HIPAA approved?
Email is HIPAA compliant provided all the necessary safeguards are in place to ensure the confidentiality, integrity, and availability of PHI, a Business Associate Agreement is signed with the email service provider, and members of the workforce are trained on email best practices to mitigate the risk of an email being ...
Can you send HIPAA information via email?
Patients can send their own information in any way that they deem appropriate, including via unencrypted email. Patient communication is best done through MyChart, but we recognize that not all patients use MyChart.
Can HIPAA authorization be verbal?
A verbal authorization is allowed under the HIPAA Privacy Rule for those individuals involved in the care of an individual.
Who needs HIPAA authorization?
A HIPAA authorization is a form that must be completed by a patient or a health plan member when a Covered Entity wishes to use or disclose PHI for a purpose not permitted by the Privacy Rule.
What is the HIPAA acknowledgement signature from patients?
"By signing this authorization, I acknowledge that the information used or disclosed pursuant to this authorization may be subject to re-disclosure by the person(s) whose name(s) are written below, and the information, once disclosed, will no longer be protected by the rules created in HIPAA."
What is the difference between consent and authorization?
A: "Consent" is a general term under the Privacy Rule, but "authorization" has much more specific requirements. The Privacy Rule permits, but does not require, a CE to obtain patient "consent" for uses and disclosures of PHI for treatment, payment, and healthcare operations.
What are the 4 HIPAA requirements?
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
The Health Insurance Portability and Accountability Act (HIPAA) lays out three rules for protecting patient health information, namely: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
What is the first requirement of the HIPAA Security Rule?
The HIPAA Security Rule requires physicians to protect patients' electronically stored protected health information (known as "ePHI") by using appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of this information.
What is an example of a minimum necessary standard in HIPAA?
Examples of Minimum Necessary Standard Violations: a physician would require access to a patient's medical history as part of assessing the patient or providing treatment, but would not require access to the back end of a patient database or access to Social Security numbers.
How long does a HIPAA assessment take?
Medium-sized organizations are difficult to estimate, because they vary so much in size. But generally, from beginning to end, HIPAA will likely take you 1-2 years. Because medium-sized entities usually have multiple locations, start a PHI flow chart to speed up your process.
How much is the HIPAA exam fee?
The Certified HIPAA Administrator™ exam fee is $495. The Certified HIPAA Professional exam fee is $695.
What are the 5 most common violations of the HIPAA Privacy Rule?
- Losing Devices. In the last decade, over 800 device loss or theft incidents have been reported. ...
- Getting Hacked. ...
- Employees Dishonestly Accessing Files. ...
- Improper Filing and Disposing of Documents. ...
- Releasing Patient Information After the Authorization Period Expires.
Examples of HIPAA Privacy Rule exceptions:
Public health, and emergencies affecting life or safety. Research. Judicial and administrative proceedings. Law enforcement.
HIPAA allows reporting of communicable diseases, child abuse, violent injuries, and other mandatory public health reports, as well as disclosures to prevent crimes by the patient.
What cannot be disclosed under HIPAA?
Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot: give your information to your employer; use or share your information for marketing or advertising purposes; or sell your information.
What is a HIPAA-compliant authorization form?
A HIPAA authorization form gives covered entities permission to use protected health information for purposes other than treatment, payment, or health care operations.
Can a HIPAA authorization be revoked?
Answer: A research subject may revoke his/her Authorization at any time. The revocation must be in writing. An oral discussion between the subject and a member of the research team does not revoke a HIPAA authorization.
Is there a standard HIPAA form?
To understand your legal duties as a covered entity, or your rights as a patient, you should become very familiar with these legal documents. The two most standard HIPAA forms are privacy forms (a.k.a. "notices of privacy practices") and authorization forms (a.k.a. "release forms").
What is a signed authorization form?
An authorization form is a document that is duly endorsed by an individual or organisation which grants permission to another individual or organisation to proceed with certain actions. It is often used to grant permission to carry out a specific action for a fixed period of time.
What is included on a release of medical information form?
A Medical Records Release Form typically includes information about: the patient or their representative; the organization who holds the records; and the organization or individual requesting access.
What document must be signed to release medical information?
An authorization to release the information, signed by the patient, is required before records may be released, but most health care providers incorporate the release into the patient registration form so that information can be provided in a timely manner.
How long is a signed HIPAA form good for?
Under HIPAA, your site must retain the authorization for at least six years after the subject has signed it. Covered entities may use or disclose health information that is de-identified without restriction under the Privacy Rule.
What is a patient authorization form?
The authorization form (sometimes called a patient HIPAA consent form) essentially serves as a handy dandy permission slip allowing a practice or business associate to use or disclose protected health information (PHI) in the ways a patient wants their data used.
What is a HIPAA waiver of authorization form?
Waiver of the HIPAA authorization requirement from the IRB. A waiver is a request to forgo the authorization requirement based on the fact that the disclosure of PHI involves minimal risk to the participant and the research cannot practically be done without access to/use of PHI.
What situations allow for disclosure without authorization?
More generally, HIPAA allows the release of information without the patient's authorization when, in the medical care provider's best judgment, it is in the patient's interest. Despite this language, medical care providers are very reluctant to release information unless it is clearly allowed by HIPAA.
What document allows the release of a patient's private medical information?
The medical record information release (HIPAA) form allows a patient to give authorization to a third party to access their health records. The release also allows the added option for healthcare providers to share information. A medical release form can be revoked or reassigned at any time by the patient.
Is a patient's written authorization to release information required?
Answer: No. The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual's authorization, to another health care provider for that provider's treatment of the individual.
What makes a medical release form compliant with HIPAA?
A HIPAA-compliant release form must, at the very least, contain the following information: a description of the information that will be used/disclosed; the purpose for which the information will be disclosed; and the name of the person or entity to whom the information will be disclosed.