What You Need to Know About HIPAA Consent Forms

A signed HIPAA consent form must be obtained from a patient before their protected health information (PHI) can be shared with any other individuals or organizations, except in the case of routine disclosures for treatment, payment or healthcare operations as permitted by the HIPAA Privacy Rule. The disclosure of medical records without a HIPAA authorization form is a HIPAA violation.

A HIPAA consent form is a legal document that authorizes covered entities to disclose protected health information that is not permitted by the HIPAA Privacy Rule. The form must be retained as proof that the authorization was obtained in writing to waive certain Privacy Rule restrictions.

When Must HIPAA Authorization be Obtained?

A HIPAA authorization form is required before:

• A covered entity can use or disclose PHI whose use or disclosure is otherwise not permitted by the HIPAA Privacy Rule or for reasons other than the provision of treatment, payment or other standard healthcare operations.
• A covered entity can disclose PHI to a research organization.
• A covered entity can use or disclose psychotherapy notes.
• A covered entity can sell or share PHI.
• A covered entity can use or disclose PHI for marketing or fundraising purposes.
• Note: Prior authorization for marking is not required when:

o Communication occurs face to face between the covered entity and the individual; or

o When the communication includes a promotional gift of nominal value.

What Information Must a HIPAA Authorization Contain to be Valid?

The law requires that a HIPAA authorization form contain specific “core elements” to be valid.

These HIPAA Consent Form elements include:

• A description of the information to be used or disclosed.
• The purpose for which the information will be disclosed.
• The name of the person or entity to whom the information will be disclosed.
• The name of any third parties to whom the covered entity may make the requested use or disclosure.
• An expiration date or expiration that relates to the individual or the purpose of the use or disclosure.
• The date and signature of the individual.

The HIPAA release form must also include the following information:

• The individual’s right to revoke the authorization in writing.
• Any exceptions to the individual’s right to revoke the authorization.
• Details of how the authorization can be revoked.
• That the covered entity may not condition treatment, payment, enrolment or eligibility for benefits on whether the individual signs the authorization.
• That there is potential for information disclosed under the terms of the authorization to be redisclosed by the recipient and no longer protected by the HIPAA Privacy Rule.
• The HIPAA release form must be written in plain language, and a copy of the signed form should be provided to the patient.

Want to know more about HIPAA? Ask the experts at MedSafe.

If you have questions about HIPAA consent forms or HIPAA training contact the experts at MedSafe. MedSafe is the nation’s leading one-stop resource for outsourced accreditation and healthcare compliance solutions. For over 20 years, we have been providing peace of mind to hospital groups, private practices, and their business associates. Our suite of onsite and online services, including OSHA, HIPAA, Corporate Compliance and Code Auditing, equip your practice with the necessary tools and skills to achieve and maintain regulatory & billing compliance. MedSafe takes a hands-on approach and works directly with your team to uncover issues and define suitable solutions.