The HIPAA Privacy Rule (45 CFR §164.500-534) became enforceable as of April 14, 2001. The main purpose of the HIPAA Privacy Rule is to protect the privacy of patients while allowing health data to flow freely between authorized persons for certain healthcare activities.
The HIPAA Privacy Rule permits HIPAA-covered entities (healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities) to use and share individually identifiable protected health information without an individual’s authorization for treatment, payment and healthcare operations. In all instances, when individually identifiable protected health information needs to be shared, it must be restricted to the ‘minimum necessary information’ to achieve the purpose for which the information is shared.
The Privacy Rule also gives patients the right to access the health data created, stored or managed by their healthcare providers. Patients are allowed to obtain the data in a covered entity’s designated data set – a group of records maintained by the covered entity that is used to make decisions regarding a patient’s healthcare. Patients are also allowed to amend certain information kept by a covered entity if it is found to be incorrect. Such requests should be submitted by the patient in writing.
Covered entities are not obligated to obtain consent from patients for regular disclosures for treatment, payment or healthcare operations, although some covered entities still opt to do so. This gives them an additional level of protection in the event of a privacy complaint or audit.
Such authorizations list when protected health information will be used by the covered entity, the entities to which that information will be given, and the times when information will be used and disclosed. Basically, such an authorization duplicates much of what is included in a covered entity’s Notice of Privacy Practices.
When is a HIPAA Release Form Necessary?
A HIPAA release form has to be obtained from a patient before their protected health information is shared for any purpose other than those listed in 45 CFR §164.506, which are specifically covered in 45 CFR §164.508 and summarized here:
- Before the disclosure of PHI to a third party for purposes other than the provision of treatment, payment or other standard healthcare operations (e.g. sharing details with an insurance underwriter)
- Before PHI is put to use for marketing or fundraising reasons
- Before PHI is given to a research organization
- Prior to psychotherapy notes being shared
- Before the sale of PHI or sharing that includes some form of remuneration
What Data Should be Listed on a HIPAA Release Form?
A HIPAA-compliant release form must, at a minimum, include the following information:
- The information that will be used/disclosed
- The purpose for which the information will be shared
- The identity of the person or entity to whom the information will be disclosed
- A final expiration date or expiration event when consent to use/disclose the information is no longer valid. For instance, an expiration event may be when a research study is finished
- A signature and date confirming the authorization by the individual or the individual’s representative. If a representative is completing the form, the relationship with the patient must be listed along with a description of the representative’s authority to act for the patient.
The HIPAA release form must also have statements that inform the individual of:
- Their right to revoke their permission
- Any exceptions to the individual’s right to revoke the permission
- Details of how the authorization can be revoked
- The extent to which a person’s right to withdraw permission is included in the notice required by § 164.520 (Notice of Privacy Practices)
- That the covered entity may not condition treatment, remuneration, enrollment or eligibility for benefits on whether the person completes the authorization
- That information disclosed under the terms of the authorization may be redisclosed by the recipient and no longer safeguarded by 45 CFR Part 164, Subpart E
A HIPAA release form must be written in simple language and a copy of the signed form should be given to the patient.