A completed HIPAA release form must be received from a patient prior to their protected health information being shared with other individuals or groups, except in the case of standard disclosures for treatment, payment or healthcare operations allowable under the HIPAA Privacy Rule.
Explanation of the HIPAA Privacy Rule
The HIPAA Privacy Rule (45 CFR §164.500-534) became enforceable on April 14, 2001. The primary aim of the HIPAA Privacy Rule is to enshrine the privacy of patients while allowing health data to move freely between authorized people for certain healthcare procedures.
The HIPAA Privacy Rules permit HIPAA-covered groups (healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities) to use and share individually identifiable protected health information without an individual’s expressed consent for treatment, payment and healthcare procedures. In all instances, when individually identifiable protected health information needs to be shared, it must be restricted to the ‘minimum necessary information’ to meet the purpose for which the information is disclosed.
The Privacy Rule also allocates patients the right to access the health data created, kept or maintained by their healthcare groups. Patients are allowed to obtain the data in a covered body’s designated data set – a group of records maintained by the covered body that is used to make decisions regarding a patient’s healthcare. Patients are also allowed to alter certain information held by a covered body if it is found to be incorrect. Such requests should be submitted by patient in writing.
Covered bodies are not required to obtain consent from patients for routine disclosures for treatment, payment or healthcare operations, although some covered bodies still opt to do so. This gives them with an extra level of protection in the event of a privacy complaint or audit.
Such authorizations list when protected health information will be used by the covered body, the groups to which that information will be shared, and the circumstances under which information will be used and shared. Basically, such an authorization copiees much of what is listed in a covered entity’s Notice of Privacy Practices.
When is a HIPAA Release Form Necessary?
A HIPAA release form must be sought from a patient prior to their protected health information being released for any purpose other than those listed in 45 CFR §164.506, which are specifically accounted for in 45 CFR §164.508 and summarized below:
- Before the disclosure of PHI to a third party for reasons other than the provision of treatment, payment or other standard healthcare procedures – E.g. releasing information to an insurance underwriter
- Before PHI being used for marketing or fund-raising reasons
- Before PHI being provided to a research group
- Before psychotherapy notes being released
- Before the sale of PHI or sharing that involves payment
What Information Should be Listed on a HIPAA Release Form?
A HIPAA-compliant HIPAA release form should, at a minimum, include the following details:
- A description of the data that will be used/shared
- The reason for which the information will be shared
- The identity of the person or body to whom the information will be shared
- An expiration date or expiration event when permission to use/disclose the information ends. For example, an expiration event may be when a research study is finally finished
- A signature and date that the authorization is completed by a person or an individual’s representative. If a representative is completing the form, the relationship with the patient must be listed along with a description of the representative’s authority to act on behalf of the patient.
The HIPAA release form must also have statements that advise the person of:
- Their right to withdraw their authorization
- Any exceptions to the person’s right to withdraw the authorization
- Details of how the authorization can be withdrawn
- To the extent that an individual’s right to withdraw authorization is included in the notice required by § 164.520 (Notice of Privacy Practices)
- That the covered body may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual completes the authorization
- That there is a chance information disclosed under the terms of the authorization can be further disclosed by the recipient and no longer safeguarded by 45 CFR Part 164, Subpart E
A HIPAA release form must be written in simple language and a copy of the completed form should be given to the patient.