If your organization is required to comply with the HIPAA Privacy Rule, a valid HIPAA release form must be obtained from an individual before their protected health information can be used or disclosed for a purpose not permitted by the Privacy Rule.
The HIPAA Privacy Rule (45 CFR §164.500-534) became effective on April 14, 2001. A primary aim of the Rule is to protect the privacy of individually identifiable health information while allowing data to flow freely between authorized individuals for treatment, payment, and healthcare operations.
The Privacy Rule permits HIPAA-covered entities (most healthcare providers, health plans, and health care clearinghouses) and business associates of covered entities to use and share protected health information without an individual's consent in many use cases.
In addition to treatment, payment, and healthcare operations, these use cases include, but are not limited to:
- Uses and disclosures required by other state and federal laws
- Disclosures about abuse, neglect, or domestic violence
- Uses and disclosures for public health activities
- Uses and disclosures for health oversight activities
- Disclosures for judicial and administrative hearings
- Disclosures to employers to fulfill OSHA reporting requirements
The Privacy Rule also allows individuals to request access to health information maintained by covered entities and business associates in designated record sets, and to request an accounting of disclosures to ensure their PHI is being used and disclosed within the limits set out by the Privacy Rule.
When is a HIPAA Release Form Necessary?
A valid HIPAA release form must be obtained from an individual before their protected health information is made available for any purpose other than those permitted by the Privacy Rule. Some examples of when a HIPAA release form is necessary are included in 45 CFR §164.508 and summarized below:
- Before PHI is used for marketing or fund-raising purposes
- Before PHI is provided to a research organization
- Before psychotherapy notes are disclosed
- Before the sale of PHI or sharing that involves remuneration
Covered entities and business associates should conduct a risk assessment to identify any other occasions when a HIPAA release form is necessary and ensure all members of the workforce are advised of these occasions to prevent avoidable complaints to HHS' Office for Civil Rights and subsequent compliance investigations.
What Data Should be Listed on a HIPAA Release Form?
A compliant HIPAA release form must, as a minimum, include the following information:
- A description of the information that will be used/disclosed.
- The reason the information is required.
- The identity of the person or entity to whom the information will be disclosed.
- An expiration date or expiration event when the authorization to use/disclose the information will no longer be valid.
- The signature of the individual or their personal representative. If a representative is signing the form, their authority to sign must be included on the form.
The HIPAA release form must also include statements that advise the individual of:
- Their right to revoke the authorization
- Any exceptions to the right to revoke the authorization
- Details of how the authorization can be revoked
- That the covered entity may not change treatment, payment, enrollment, or eligibility for benefits based on whether the individual signs the authorization
- That there is a possibility for information shared under the terms of the authorization to be further shared by the recipient and that, if shared, it may no longer be protected by the Privacy Rule.
A copy of the HIPAA release form must be given to the individual and the original document retained for at least six years after the expiry of the authorization.