A patient-signed HIPAA release form should be secured before sharing the protected health information (PHI) with other people or providers, except in the event of scheduled disclosures for therapy, payment or healthcare operations allowed by the HIPAA Privacy Rule.
Brief summary of the HIPAA Privacy Rule
The HIPAA Privacy Rule (45 CFR §164.500-534) was enacted on April 14, 2001. The main objective of the HIPAA Privacy Rule is to make sure the privacy of patients is safeguarded while permitting health data to move freely between authorized people for selected healthcare procedures.
The HIPAA Privacy Rule permits HIPAA-covered entities (healthcare companies, health plans, business associates of covered entities and healthcare clearinghouses) to utilize and disclose individually identifiable protected health information (PHI) with no consent from the individual for treatment, payment and healthcare operations. In all instances, if individually identifiable protected health information is to be disclosed, information should be limited to the minimum necessary that will serve the purpose for which the information is shared.
The Privacy Rule also states that patients have the right to access their health data that is created, stored or maintained by their healthcare providers. Patients are allowed to get the information kept by a covered entity and is used for deciding concerning a patient’s healthcare. Patients may request in writing the modification of selected information kept by a covered entity in case it is discovered to be wrong.
It is not required for covered entities to acquire permission from patients whenever there are routine information disclosures for payment, treatment or healthcare operations, though several covered entities still opt to do so. This provides them with an extra level of safety in case there are privacy complaints or audits.
Patient consent typically describes when PHI will be used by the covered entity, to whom the information will be disclosed, and under what instances the information will be used and disclosed. Basically, it duplicates what is already described in the Notice of Privacy Practices of the covered entity.
When is a HIPAA Release Form Required?
A HIPAA release form should be acquired from a patient before disclosing their PHI to a third party for any reason besides those specified in 45 CFR §164.506, which are particularly covered in 45 CFR §164.508. These instances include what are stated below:
- any reason other than providing treatment, payment or other standard healthcare operations
- disclosing patient information to an insurance underwriter
- sharing of PHI to be used for purposes of marketing or fund-raising
- Prior to PHI is given to a research organization
- Prior to disclosing psychotherapy notes
- Prior to the sale of PHI or sharing which involves remuneration
What Information Must be Mentioned on a HIPAA Release Form?
A HIPAA-compliant HIPAA release form should include the following details:
- A description of the information that would be used/shared
- The reason for which the patient information will be shared
- The name/s of the person or entity to whom patient data will be shared
- The date or event when authorization to use/disclose the information is terminated, such as, the completion of the research study
- The signature and date the authorized individual or an individual’s representative signs the form. In case a representative is signing the form, the relationship with the patient should be specified along with the explanation of the representative’s authority to take action on behalf of the patient.
The HIPAA release form should also state statements that tell the individual about:
- Their right to revoke their consent
- Any exclusions to the individual’s right to revoke the consent
- Specifics of how the consent may be revoked
- To the level that an individual’s right to revoke consent is contained in the notice necessitated by § 164.520 (Notice of Privacy Practices)
- That the covered entity might not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the consent
- That there is prospective for information disclosed under the terms of the consent to be redisclosed by the recipient and no more protected by 45 CFR Part 164, Subpart E
- A HIPAA release form should be penned in simple language and a copy of the signed form ought to be provided to the patient.