- The HIPAA Privacy Rule protects patient data while still enabling sharing between authorized entities for treatment, operations, or payment purposes. For reasons other than these, covered entities and their business associates must seek authorization from the patient via a signed HIPAA release form.
- The HIPAA release form should be written in plain language and have specific elements and statements to be valid. The patient should get a copy of the form after signature.
- Disclosure of PHI for reasons other than those specified in the HIPAA Privacy Rule without a signed HIPAA form amounts to a HIPAA violation, which attracts heavy financial penalties.
According to the HIPAA Privacy Rule, HIPAA-compliant covered entities and their business associates can release and utilize protected health information (PHI) for purposes of treatment, payment, or healthcare operations without an individual’s consent. However, in all situations, when such private information has to be revealed, it should be in accordance with the HIPAA minimum necessary standard so that the purpose of disclosure is achieved.
The HIPAA minimum necessary standard mandates that covered entities should put in reasonable efforts to make sure that PHI access is restricted to the least amount required to fulfill the purpose of the disclosure, request, or use.
For sharing of PHI with other organizations or individuals for reasons other than treatment, healthcare operations, or payment, the patient must provide authorization via a signed HIPAA form, otherwise known as a HIPAA authorization form to release medical information form.
In this article, we will explain everything you need to know about a HIPAA release form, read more on HIPAA compliance checklist.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule (45 CFR §164.500-534) came into effect on April 14, 2001, and its main purpose is to establish standards to protect the privacy of medical records and PHI while enabling health data to be transmitted freely between authorized individuals for specific healthcare activities.
It also enables patients to get access to the medical data that healthcare providers have created, preserved, or stored. They are allowed to get the data present in the “designated data set” of a covered entity, which is a collection of medical records the covered entity preserves that permits it to make healthcare decisions about a patient.
In addition, patients can make corrections to specific information a covered entity maintains if they find it to be erroneous. They should submit requests for correction in writing to the covered entity.
Even though covered entities don’t have to seek patient consent for the standard release of information for payment, operations, or treatment, some entities may do it nevertheless. These authorizations outline:
- When the covered entity will use the PHI
- To which organizations the PHI will be disclosed
- The context in which the PHI will be either disclosed or used
This gives them an extra layer of protection in case of a HIPAA audit or patient complaint.
HIPAA authorization, via a HIPAA release form, is required when PHI is shared with another entity or individual for any reason other than that given in Title 45 Section 164.508, which could be:
- Disclosing psychotherapy notes
- Selling PHI or revealing it in such a manner that involves payment
Below is a sample HIPAA authorization form:
What elements should the HIPAA release form have?
A HIPAA release form should be drafted in plain language and should contain specific elements and statements to be valid. The patient should be given a copy of the form after signatures have been made.
The HIPAA release form should have the following core elements:
- A depiction of the PHI
- The reason why the PHI will be shared or utilized
- The name or other specific identifier of the individual or entity who will receive the PHI
- The name or other specific identifier of the individual or entity giving the authorization
- An expiration event or date for the authorization
- A signature of the person providing the authorization
In addition, the HIPAA release form should also have statements that notify the patient of the following:
- Their power to rescind their consent
- Particulars of how they can rescind their consent
- Exceptions to the patient’s right to rescind their consent
- The covered entity cannot put conditions of payment, enrollment, treatment, or eligibility for benefits to obtain the signed HIPAA release form.
- The PHI released to the recipient after consent may be reshared by the receiving entity, which will not be safeguarded by Title 45 Section 164, Subpart E.
What is a HIPAA violation?
HIPAA violations occur when the acquisition, use, access, or disclosure of PHI puts the patient at significant personal risk. Unfortunately, HIPAA violations occur frequently and we hear of violations committed by healthcare providers, hospitals, and health plans in the news.
The OCR levies severe financial penalties for HIPAA violations on a sliding scale or may even consider the violation a criminal act. Fines range from $100 – $50,000+ per incident depending on the severity of the violation.
What are the uses of the HIPAA release form?
You will need to obtain a HIPAA release form for the following seven purposes:
- When a third party asks for PHI
You need to obtain a patient’s consent via a signed HIPAA form before sharing PHI with a third party, who may need it for a variety of reasons. E.g. A family member may need access to help them make treatment decisions should be included in HIPAA certification form for family members.
However, for purposes of standard treatment, healthcare operations, and payment, you don’t need to obtain consent via a HIPAA release.
- Marketing or fund-raising activities
In general, if you share any type of patient information on social media that will enable people to identify the person, you are violating HIPAA. However, in certain cases, such as when recovering or ill patients are shown in advertisements of healthcare institutions when requesting donations or when patients share a video or written testimonial talking about their experience undergoing a corrective or cosmetic treatment, you need to obtain a signed HIPAA form that authorizes you to do so.
However, if a patient shares their experience face-to-face, they don’t need to sign a HIPAA release form.
- Before sharing PHI with a research group
You need to obtain a signed medical release form before sharing PHI with research organizations.
- When the HIPAA release form has expired
If the expiry date or expiry event specified in the HIPAA release form has been reached but you still need to use the PHI, you have to obtain a new signed form.
- When the patient rescinds a previously-signed HIPAA release form
A patient has the right to revoke their consent at any time. In such cases, you have to obtain a new signed HIPAA release form.
- When a HIPAA release form is incomplete or incorrect
If information is missing or incorrect, you will have to seek fresh consent with a new form.
- When permission is given in concurrence with other permissions
Some shady entities attempt to sneak clauses into a long statement or form because people tend to sign without reading the entire form. HIPAA strictly prohibits such trickery.
HIPAA release forms cannot be aggregated with other authorizations. If it has been unintentionally done, a fresh HIPAA release form should be obtained that authorizes the disclosure of medical records.
HIPAA release form examples
Take a look at the following examples of HIPAA-compliant release forms:
- Rutgers University
- New York State Department of Health
- The State Of California-Health and Human Services Agency
- University of Washington
- American Bar Council
HIPAA regulations are complicated but a lack of knowledge is not a valid defense against OCR investigations, especially if a breach in PHI administration has occurred. HIPAA violations attract financial penalties on a sliding scale depending on the severity of the violation.
FAQ: HIPAA release form
- What is the HIPAA release form?
The HIPAA release form is signed consent obtained from a patient by a covered entity or their business associate before sharing information with a third party for any reason other than treatment, standard healthcare operations, or payment.
- How to fill out a HIPAA release form?
You need to fill out four of seven sections in a HIPAA form:
- Section 1 = name of the healthcare provider authorized to release the PHI and name of the person or entity authorized to receive it
- Section 2 = time period covered by the authorization and what type of information is authorized to be disclosed
- Section 4 = how long the authorization remains valid
- Section 7 = name and signature of patient or their representative, date of signing, the relationship of the representative to the patient
- How to get a HIPAA release form?
You can create digital HIPAA release forms using HIPAA-compliant form builder software like JotForm, Typeform, or DocuSign. You can restrict form field entry to prevent input of inaccurate information. Such software also includes a Business Associate Agreement (BAA) which is necessary when you need to disclose PHI. Patients can digitally sign such HIPAA release.