A completed and signed HIPAA release form must be obtained from an individual before their protected health information can be distributed to other people or groups, except in the case of routine disclosures for treatment, payment or healthcare operations allowed by the HIPAA Privacy Rule.
HIPAA Privacy Rule Summary
The HIPAA Privacy Rule (45 CFR 164.500-534) became enforceable on April 14, 2001. The primary aim of the HIPAA Privacy Rule is to ensure the privacy of patients is secure while allowing health data to flow freely between authorized people for certain healthcare activities.
The HIPAA Privacy Rule permits HIPAA-covered bodies (healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities) to use and share individually identifiable protected health information without an individual’s expressed consent for treatment, payment and healthcare operations. In all instances, when individually identifiable protected health information needs to be shared, it must be restricted to the ‘minimum necessary information’ to achieve the purpose for which the information is shared.
The Privacy Rule also allocates to patients the right to access the health data created, stored or maintained by their healthcare suppliers. Patients are allowed to obtain the data in a covered entity’s designated data set – a group of records maintained by the covered body that is used to make decisions about a patient’s healthcare. Patients are also allowed to change certain information held by a covered body if it is discovered to be wrong. Such requests should be submited from a patient in writing.
Covered bodies are not required to obtain permission from patients for routine disclosures for treatment, payment or healthcare treatments, although some covered bodies still choose to do so. This provides them with an extra level of protection in the event of a privacy complaint or review.
Such authorizations list when protected health information will be used by the covered body, the bodies to which that data will be disclosed, and the circumstances under which information will be used and shared. Basically, such an authorization duplicates much of what is listed in a covered entity’s Notice of Privacy Practices.
When is a HIPAA Release Form Necessary?
A HIPAA release form must be received from a patient before their protected health information is shared for any purpose other than those listed in 45 CFR $164.506, which are specifically covered in 45 CFR $164.508 and summarized below:
- Before the sharing of PHI with a third party for reasons other than the provision of treatment, payment or other standard healthcare operations – E.g. sending information to an insurance underwriter
- Before PHI being used for marketing or fund-raising reasons
- Before PHI is shared with a research group
- Before psychotherapy notes being released
- Before the sale of PHI or sharing that involves payment
What Information Should be Listed on a HIPAA Release Form?
A HIPAA-compliant release form should, at the very minimum, include the following information:
- A description of the information that will be used/shared
- The purpose for which the data will be shared
- The name of the person or body to whom the information will be shared
- An expiration date or expiration event when permission to use/disclose the information comes to an end. For instance, an expiration event may be when a research study is finished
- A signature and date that the authorization is signed by an person or a person’s representative. If a representative is signing the form, the relationship with the patient must be listed along with a description of the representative’s authority to act on behalf of the individual.
The HIPAA release form must also list statements that warn the individual of:
- Their right to withdraw their authorization
- Any exceptions to the individual’s right to withdraw the authorization
- Details of how the authorization can be withdrawn
- To the extent that an individual’s right to withdraw authorization is included in the notice necessary by § 164.520 (Notice of Privacy Practices)
- That the covered body may not condition treatment, payment, enrollment or eligibility for benefits on whether the perrson complete and signs the authorization
- That there is a possibility for information disclosed under the terms of the authorization to be re-shared by the recipient and no longer secured by 45 CFR Part 164, Subpart E
A HIPAA release form must be written in simple language and a copy of the completed and signed form should be given to the patient.