If your organization is governed by some (Business Associates) or all (Covered Entities) of the Privacy Rule, it is necessary to obtain a valid release form for HIPAA compliance before Protected Health Information (PHI) is used or disclosed for a purpose not required or permitted by the HIPAA Administrative Simplification Regulations.
The HIPAA Administrative Simplification Regulations contain the standards Covered Entities and Business Associates must comply with to protect the privacy of individually identifiable health information. Most of the relevant standards are contained within the Privacy Rule, but some required disclosures of PHI (for investigations and compliance reviews) are contained within the General Provisions (Part 160).
Other than when required for investigations and compliance reviews, Covered Entities are required to disclose PHI when individuals exercise their rights of access or rights to request an accounting of disclosures, or when a state law mandates a disclosure to report child abuse, neglect, or domestic violence. All other uses and disclosures of PHI are either “permitted” or must be supported by a valid release form.
Permitted Uses and Disclosures of PHI
The Privacy Rule permits covered entities and business associates to use and share PHI for treatment, payment, and healthcare operations without a HIPAA release form. In addition, there are some use cases for which an individual should be given an opportunity to agree or object, and others for which neither an opportunity to agree or object nor a release form is required. These use cases include, but are not limited to:
- Uses and disclosures required by law
- Uses and disclosures for public health activities
- Uses and disclosures for health oversight activities
- Disclosures for judicial and administrative hearings
- Disclosures to employers to fulfill OSHA reporting requirements
In all cases – except when PHI is being used or disclosed for treatment purposes – all disclosures of PHI must adhere to the minimum necessary standard. This standard stipulates that the amount of PHI disclosed must be the minimum necessary to achieve the objective of the disclosure. With regard to disclosures for treatment purposes, these are only permitted when two or more covered entities have a treatment relationship with the same individual.
When is a Release Form for HIPAA Compliance Necessary?
A release form for HIPAA compliance is necessary for any use or disclosure of PHI not required or permitted by the Administrative Simplification Regulations and specifically the Privacy Rule. Some examples of when a release form for HIPAA compliance is necessary are listed in §164.508.
However, this is not an exhaustive list and covered entities and business associates should conduct a risk assessment to identify any events in which PHI may be disclosed when not required or permitted. If events are identified in which a release form may be necessary, these should be included in workforce training along with the procedures for obtaining non-standard authorizations when necessary (for example, to comply with state privacy and security regulations).
An example of an event not covered in §164.508 which should have been identified in a risk assessment occurred in 2016, when staff at the New York Presbyterian Hospital allowed a TV crew into the ER to film two patients who had been injured in an accident. Although obscured from the cameras, the patients could be identified by the TV coverage. HHS Office for Civil Rights investigated the privacy violation and fined the New York Presbyterian Hospital $2.2 million.
What Should be Included on a Release Form for HIPAA Compliance?
A release form for HIPAA compliance must, at a minimum, provide the following information to the individual:
- A description of the PHI being used/disclosed.
- The reason the PHI is being used/disclosed.
- Who the PHI is being disclosed to/used by.
- A date or event, after which the release form is no longer valid.
- The individual's right to revoke the release form.
- How the individual can revoke the release form.
- That eligibility and benefits are not subject to the release of PHI.
- That PHI may be further shared by the recipient and that, if so, it may no longer be protected by the Privacy Rule.
The release form must be signed and dated by the subject of the PHI or their personal representative. If a personal representative signs the release form, their authority to sign must be stated on the release form. A copy of the form must be given to the individual and the original document retained for at least six years after the expiry date or event noted on the release form.