A completed HIPAA release form must be handed over by a patient before their protected health information can be disclosed to other individuals or groups, except in the case of routine disclosures for treatment, payment or healthcare operations allowed by the HIPAA Privacy Rule.
The HIPAA Privacy Rule (45 CFR §164.500-534) became enforceable on April 14, 2001. The chief aim of the HIPAA Privacy Rule is to see to it that the privacy of patients is safeguarded while allowing health data to flow freely between authorized individuals for certain healthcare tasks.
The HIPAA Privacy Rule permits HIPAA-covered entities (healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities) to use and share individually identifiable protected health information without an person’s consent for treatment, payment and healthcare operations. In all scenarios, when individually identifiable protected health information needs to be shared, it must be kept to the ‘minimum necessary information’ to achieve the aim for which the information is shared.
The Privacy Rule also allows patients the right to access the health data formulated, stored or maintained by their healthcare providers. Patients are allowed to obtain the data in a covered entity’s designated data set – a group of records managed by the covered entity that is used to make decisions about a patient’s healthcare. Patients are also permitted to change or update certain information held by a covered entity if it is discovered to be wrong. Such requests should be obtained from a patient with a hard copy maintained.
Covered entities are not obligated to obtain permission from patients for routine disclosures for treatment, payment or healthcare operations, although some covered entities still opt to do so. This gives them with an extra level of security in the event of a privacy complaint or audit.
Such authorizations list when protected health information will be used by the covered entity, the entities to which that information will be shared, and the times under which information will be used and disclosed. Essentially, such an authorization is the same as much of what is detailed in a covered entity’s Notice of Privacy Practices.
When is a HIPAA Release Form Necessary?
A HIPAA release form must be handed over by a patient before their protected health information is made available for any purpose other than those detailed in 45 CFR §164.506, which are specifically covered in 45 CFR §164.508 and summarized below:
- Before the disclosure of PHI to a third party for reasons other than the provision of treatment, payment or other standard healthcare operations – E.g. disclosing information to an insurance underwriter
- Before PHI being used for marketing or fund-raising purposes
- Before PHI being provided to a research organization
- Before psychotherapy notes being disclosed
- Before the sale of PHI or sharing that involves remuneration
What Data Should be Listed on a HIPAA Release Form?
A HIPAA-compliant HIPAA release form must, as a minimum, include the following information:
- A description of the data that will be used/disclosed
- The reason that the information is required
- The identity of the person or entity to whom the information will be disclosed
- An expiration date or expiration event when permission to use/disclose the information is withdrawn. For example, an expiration event may be when a research study is finished
- A signature and date that the permission is signed by an individual or an individual’s representative. If a representative is completing the form, the relationship with the patient must be detailed along with a description of the representative’s authority to act on behalf of the individual
The HIPAA release form must also have statements that advise the person of:
- Their right to withdraw their authorization
- Any exceptions to the individual’s right to withdraw the authorization
- Details of how the authorization can be withdrawn
- To the extent that an individual’s right to withdraw authorization is included in the notice required by § 164.520 (Notice of Privacy Practices)
- That the covered entity may not change treatment, payment, enrollment or eligibility for benefits on whether the individual signs the permission
- That there is possibility for information shared under the terms of the authorization to be shared later by the recipient and no longer protected by 45 CFR Part 164, Subpart E
A HIPAA release form must be composed in simple language and a copy of the signed form should be given to the patient.