HIPAA Forms Explained: Privacy and Authorization
Whether you are a patient or a covered entity (e.g. health organization), you will undoubtedly come into contact with a variety of HIPAA forms. To understand your legal duties as a covered entity, or your rights as a patient, you should become very familiar with these legal documents.
The two most standard HIPAA forms are privacy forms (a.k.a. “notices of privacy practices”) and authorization forms (a.k.a. “release forms”).
The HIPAA privacy form is by far the more common of the two. In fact, according to HIPAA’s Privacy Rule, all covered entities should be making an effort to obtain patient signatures on privacy forms. The HIPAA privacy form is a document that outlines the manner in which a patient’s PHI (protected health information) may be disclosed to third parties (e.g. health clearinghouses). Patients who sign one of these forms legally acknowledge that they have understood the provider’s privacy practices.
If you are a patient, you should receive a HIPAA privacy form on your first visit to a new health provider.
HIPAA release forms, also known as authorization forms, are a less common, but equally necessary consideration for covered entities and patients alike.
Simply put: without explicit legal permission (a signed HIPAA authorization form), no civilian can access your PHI. This applies to a patient’s parents, children, spouse, friends, coworkers, employers, etc. HIPAA release forms allow patients to authorize their health provider to disclose information to a civilian third party of their choosing.
Below is a deeper examination of the two types of standard HIPAA forms. We will examine why these forms are necessary, and how they impact both covered entities and patients alike.
HIPAA Privacy Form Detailed
In order to understand the necessity of HIPAA privacy forms, you must first understand HIPAA’s privacy rule.
Health providers deal with a lot of sensitive information about their patients—illnesses, prescriptions, past medical procedures, insurance bills, etc. If this information never had to leave your doctor’s office, the laws for medical disclosure would be a lot simpler. In the real world, however, health organizations must work in close concert with a variety of third parties (like insurance companies and health clearinghouses) to ensure that you are getting the coverage you are eligible for and the treatment that you need.
Due to the complexity of the healthcare infrastructure, it would be nearly impossible to ask for a patient’s permission every time a health provider needed to share medical information with another party. For purposes of enrollment, coverage, treatment, and billing, your PHI would be requested many dozens of times a year. Yet, there are real risks in giving third parties access to such sensitive, private information.
This is what HIPAA’s privacy rule seeks to remedy.
As outlined in our HIPAA Compliance Checklist article, covered entities (or any party that will have access to a patient’s PHI) must follow a large quantity of rigid guidelines to ensure that sensitive patient information remains secure and confidential.
HIPAA specifically singles out healthcare providers that have a direct treatment relationship with patients: they are required by law to disclose their privacy practices. These disclosures come in the form of a “notice of privacy practices.”
Implications for Health Providers
Most covered entities are exempt from the “notice of privacy practices” requirement. This requirement only applies to entities that have a direct treatment relationship with individuals (e.g. clinics, private practices).
As stated in HIPAA’s Privacy Regulation Text, health providers with a direct treatment relationship with individuals must:
…make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained. Source: HHS
In practical terms, if this rule applies to you, you must provide every patient with a privacy form and request his or her signature.
The importance of obtaining a signature is twofold:
1. Educating the patient about how his or her PHI is being used.
2. Limiting the liability of your organization in the case of a civil suit.
Implications for Patients
Chances are that you have signed half a dozen HIPAA privacy forms without realizing it. They are one of the many forms that you are asked to fill out on your first visit to a doctor.
According to HIPAA’s Privacy Rule, you are not required to sign these documents.
Although the receptionists handing you these forms may not be fully aware of this fact, you are under no legal obligation to give your signature (HHS).
One potential reason for refusing to sign a HIPAA privacy form is to keep your options open in the case of a violation. If you signed a privacy form, it will be much harder to sue the health provider if the confidentiality of your PHI was broken. Although this is an unlikely possibility, it is a possibility nonetheless.
Ultimately, the decision of signing is up to you. If you are legitimately worried about privacy violations, you can read more about the policies HIPAA has in place to protect your information.
HIPAA Release Form Detailed
While certain HIPAA policies allow health providers to give PHI to third-party businesses (for enrollment, billing, etc.), there are many administrative, physical, and technical safeguards in place to keep the data confidential. The same breadth of protections is impossible to enforce on civilians.
The HIPAA Privacy Rule allows patients to keep their health conditions, insurance information, health transactions, etc. completely confidential.
This law stipulates that disclosure of this information to a third-party individual is completely up to the discretion of the patient. This discretion is exercised through the help of HIPAA release forms.
Simply: HIPAA release forms give patients full power over choosing who can access their health information (parents, children, spouses, friends, etc.).
In order for a release form to be legally valid, it must inform the patient of the following:
• The patient has the right to revoke an authorization at any time.
• Authorization forms are completely voluntary.
• There is a chance that the person you are choosing to trust with your information might disclose it to someone else.
Amongst other requirements, the authorization must also be written in plain language, as to be fully comprehensible to the patient.
Assuming that the form meets all the above requirements, it still cannot be considered valid until the following criteria have been met:
• The information being disclosed must be described in a specific and meaningful fashion.
• The purpose of each disclosure must be outlined.
• The name of the person who is authorizing disclosure, and the name of the person(s) receiving the authorization must be clearly printed.
• An expiration date or expiration event (after which disclosures can no longer be made) must be specified.
• The patient must date and sign the document.
Implications for Health Providers
If you work on behalf of a covered entity, as defined by HIPAA, you are legally obligated to keep all PHI confidential. Any requests for PHI by a patient’s spouse, family, etc. must be denied, unless the patient has signed a legally binding release form.
HIPAA’s privacy rule demands that, in order for authorization to be considered valid, the release form must A) provide specific legal information about HIPAA’s Privacy Rule, and B) detail the nature of the information being disclosed, the purpose, to whom, and for how long. Additional criteria may need to be met.
Your organization must also be careful to account for individual state laws. While in most cases HIPAA requirements supersede those of state law, there can be exceptions. In the case of a state privacy law being more stringent than that of HIPAA, for example, you are legally obligated to follow the state standard.
In addition to carrying HIPAA authorization forms, your offices must have all relevant state forms as well.
Implications for Patients
Except under very special circumstances, no one will be able to access your PHI without your permission. If you wish for your health information to remain hidden from your family, friends, etc., don’t sign any disclosure forms. Also note that, while some health providers may ask you to fill out a “next of kin form” or a HIPAA form, you are under no obligation to do so.
There are many circumstances under which you may want someone to have access to your PHI. For example, if a family member or friend is helping you make payments on medical bills, it might be useful for them to see what they’re paying for. In another scenario, you may be too ill to deal with the bureaucracy of constant treatment, and may need help from a spouse or family member.
Implications for Individuals Caring for Patients
The default mode of health privacy is this: unless the patient makes a conscious effort to give someone access, the PHI will remain private. Even if you are the spouse of a patient, PHI will be inaccessible to you until your husband/wife authorizes you.
Final Thoughts on HIPAA Forms
Despite the typical nonchalance that HIPAA forms are treated with by providers and patients alike, they are a vital component of the patient/provider relationship.
For better or worse, HIPAA’s Privacy Rule has been carefully drafted to give patients the final say over the disclosure of their PHI. While this may create difficulties for covered entities and the loved ones of patients, it is ultimately necessary.