Compliance Glossary

A HIPAA authorization form, often called a HIPAA release form, is a document patients sign with their healthcare providers. It grants permission for the provider to use or share their protected health information (PHI) for specific reasons. These reasons include:

• Treatment
• Payment
• Healthcare operations

When is HIPAA authorization required?

HIPAA authorization is required in specific situations outlined by 45 CFR §164.508:

• When using or disclosing PHI is not permitted by the HIPAA Privacy Rule
• When using or disclosing psychotherapy notes exceptions: for specific treatment, payment, or health care operations)
• Before selling protected health information.
• When using or disclosing PHI for marketing purposes (exception: for face-to-face communication or promotional gifts of nominal value)
• When using or disclosing substance abuse and treatment records
• When using or disclosing PHI for research purposes

About HIPAA

The HIPAA Privacy Rule, in effect since April 14, 2003, established guidelines for using and disclosing health information. Covered entities like healthcare providers, health plan providers, and others can share this information under certain conditions, such as for treatment, payment, healthcare operations, or reporting issues like domestic abuse.

Hence, when a covered entity needs to use or disclose PHI for a purpose not permitted by the Privacy Rule, it must obtain HIPAA authorization. The patient or health plan member grants this consent and allows the entity to share PHI for a purpose otherwise prohibited by HIPAA Rules.

Also Read: An Overview of the HIPAA Privacy Rule