These guidelines are outlined in the HIPAA Privacy Rule–a set of national standards that must be met in order to regulate the access, uses, disclosures, and privacy of PHI. PHI is defined in HIPAA regulation as any demographic information that can be used to identify a patient. Common examples of PHI include a patient’s name, home address, telephone number, email address, financial information, insurance ID number, Social Security number, and any part of a patient’s medical record to name a few.
Understanding the HIPAA Privacy Rule
What is HIPAA Compliance? The HIPAA Privacy Rule is meant to ensure that PHI can be shared between authorized entities, while maintaining patient privacy.
Under the HIPAA Privacy Rule, health care providers can disclose PHI for the purposes of payment, treatment, and health care operations without a need for patient authorization. These three categories are fairly broad and account for many of the day-to-day needs that health care providers face while running their practice. The regulation created these exceptions so as not put an unnecessary burden on providers dealing with HIPAA compliance forms.
So in the case of payment, treatment, or health care operations, you are not required to obtain signed HIPAA release forms from your patients in order to ensure HIPAA authorization.
However, in all other scenarios where PHI will be released or disclosed, your practice must collect express authorization from your patients in the form of a signed HIPAA release form.
But what are some examples of instances when your practice would need to collect HIPAA release forms from your patients?
When is a HIPAA Release Form Required?
In the event that your practice requires a disclosure of PHI that is not covered by payment, treatment, or health care operations, then you must ensure that you obtain a HIPAA release form BEFORE any PHI can be disclosed. This is essential to both maintaining the privacy of your patients, and protecting your business from potential HIPAA violations and fines.
Some instances when a HIPAA release form is required include:
- Prior to any disclosure of PHI to a third party for any reason other than treatment, payment, or healthcare operations.
- Prior to any PHI that may be used in marketing or fundraising efforts.
- Prior to any PHI being shared for research purposes.
- Prior to the disclosure of any psychotherapy notes.
- Prior to PHI being disclosed or shared for monetary compensation.
What Must be Included on a HIPAA Release Form?
When you’re creating your HIPAA release form, there are several key provisions to keep in mind.
First, HIPAA regulation states that all communications with patients in regards to their rights under the law must be written in plain language. That means that the information must not contain jargon and must be clearly understandable. And though this may sound obvious, HIPAA regulation also states that the HIPAA release form must actually be made available for patients to read and review before obtaining their signature and authorization.
Below, we list some of the barebones essentials that your HIPAA release form should contain:
- You should describe the type of PHI that will be shared or disclosed.
- You should explain the purpose for this disclosure of PHI.
- You should identify the entity or persons with whom PHI will be shared.
- A date by which a patient’s consent will expire in relation to the disclosure they are authorizing.
- You must receive a patient’s dated signature accompanying all of the above requirements. If a patient is having a representative sign on their behalf, you must also obtain a description of their relationship to the patient and documentation of their authority to act on behalf of the patient.
Additionally, it’s important to include information educating the client about their rights in regards to the authorization for disclosures. HIPAA forms should state:
- Patients have the right to revoke the authorization for disclosures, including procedures for how they might revoke their authorization.
- Exceptions to a patient’s right to revoke their authorization.
- Any applicable information included in your Notice of Privacy Practices regarding revoking authorization for disclosures.
- The provider cannot retaliate or penalize the patient for failing sign the authorization.
- If PHI is shared under a patient’s authorization with a third party, that third party may redisclose that PHI. If the third party rediscloses that PHI, it will no longer be protected under the HIPAA Privacy Rule.
Putting it All Together
At the end of the day, putting together your own HIPAA release form can be complicated. Unless you are well-versed in the particulars of HIPAA regulation, you run the risk of creating an incomplete incorrect document that could jeopardize your patients’ rights to privacy. And in the event of a HIPAA audit, an improperly realized HIPAA release form could lead to a violation and subsequent HIPAA fine.
Protect your business and your patients with the HIPAA experts at Compliancy Group! Our dedicated Compliance Coach support paired with our web-based HIPAA compliance app, The Guard, gives users everything they need to confidently address their HIPAA compliance!