If you’ve been managing your HIPAA program manually, maybe even using an old HIPAA binder, you probably associate HIPAA with a lot of paperwork. While most of your HIPAA program can now be tackled digitally (and with a time-saving partner, hint hint), there are some papers that are 100% still relevant – like the HIPAA Authorization Form. 

What is a HIPAA Authorization Form, and when do I need one? 

Having a signed HIPAA Authorization Form is one of the many requirements under the Privacy Rule. The authorization form (sometimes called a patient HIPAA consent form), essentially serves as a handy dandy permission slip allowing a practice or business associate to use or disclose protected health information (PHI) in the ways a patient wants their data used. 

Now, just to clear things up, there ARE times you can disclose PHI WITHOUT an authorization form – namely, for regular healthcare payment, treatment, and operations. This means that patients can be treated without an authorization form and that you can share their data as necessary to conduct business without penalties under HIPAA. There are some additional specific scenarios where you don’t need a signed authorization form to share PHI, but most important to note are when you DEFINITELY should have a consent form signed. This includes when PHI is used or disclosed:

• In any way otherwise not permitted by the HIPAA Privacy Rule 
• For marketing purposes
• Related to psychotherapy notes other than for specific healthcare operations 
• Includes substance abuse and treatment records 
• For research purposes
• AND ESPECIALLY prior to the sale of PHI 

Without getting the green light from the patient (in writing) in any of these circumstances, your practice can get into some pretty big trouble. 

What should be included on the HIPAA Authorization Form itself?

If you’re thinking of a lengthy legal document, you’re actually in for some good news – the Authorization Form can be short, sweet, and to the point as long as it covers the following key pieces:   

• The name of the person(s) or business (aka your practice) authorized to make the requested use or disclosure
• The name of any third parties to whom the practice may make the requested use or disclosure
• A description of the specific information that may be used or disclosed 
• A description of the purpose for the requested use or disclosure 
• The expiration date or a specific expiration event when the form will expire (such as when they are no longer a patient)
• And of course, the patient’s name, signature, and date that the form was signed

In addition to the specific elements that must be included within the document, there are also a few statements that should be outlined including:  

• The patient’s right to revoke the authorization in writing 
• The practice’s ability to still use their PHI for normal healthcare operations, and that statement that treatment is not conditioned upon the authorization form
• Any exceptions to the patient’s right to revoke authorization (for example, if the practice has already taken action in reliance on the authorization)

How long does the authorization remain valid?

The Authorization form remains in effect until the listed expiration date or event that was listed when the patient signed the form. We recommend reviewing your authorization forms every few years or so however, to confirm none of the data has changed and anytime an outside event would require a new form (such as a name change, patient who turns 18, or other scenario). The patient also has the ability to change their mind at any time, and can revoke their authorization (in writing) whenever they choose.

Why do I need one?

You don’t have to be an expert on the ins and outs of HIPAA to know that it’s main focus is to protect the privacy and security of patient information. The authorization form helps to do just that – limit patient information to the organizations or individuals designated by the patient to receive their health conditions, insurance information, and any other sensitive data housed within your practice. By getting a form signed from each patient, you’re protecting both the patient and your practice to best disclose information as designated and without any surprises.     

After last year’s enforcement trend centered around patient right of access along with the recent proposal to modify the HIPAA Privacy Rule (with some specific changes related to patient authorization and the Notice of Privacy Practices), giving your practice a head start on meeting important HIPAA standards now is key. If you aren’t using an authorization form, there’s no better time like the present to start implementing a form that fully complies with the Department of Health and Human Services requirements.