A HIPAA form can be one of several documents. In many cases, a HIPAA form is another name for an authorization form that allows a use or disclosure of PHI not otherwise permitted by the Privacy Rule. However, the term could also relate to (among other things) the documentation of a privacy request or an acknowledgement of the receipt of a Notice of Privacy Practices.
It is not always straightforward to interpret the terminology used in HIPAA due to the Department of Health & Human Services (HHS) wanting to allow covered entities and business associates to be flexible with HIPAA compliance while reducing the regulatory burden. When organizations adopt their own HIPAA terminologies, interpretations can become that much harder.
A case in point is the term “HIPAA Form”. The term is not used in the HIPAA Administrative Simplification Regulations – probably so as not to confuse paper and electronic documentation. Nonetheless, the term has become widely used in the healthcare industry and beyond to describe several types of documents; and, in some cases, the same document with different names.
Authorizations, Releases, and Waivers
Using an Internet search as a source, the most common use of the term HIPAA Form is to describe a HIPAA authorization form. A valid HIPAA authorization form is required for uses and disclosures of PHI described in §164.508 of the HIPAA Privacy Rule and for uses and disclosures of PHI not specifically required or permitted in any other HIPAA Privacy Rule standards.
Confusingly, a HIPAA authorization form is not always described as such. It can be described as a HIPAA release form, a HIPAA waiver form, or a medical release form – the last of which can have a different purpose than authorizing uses and disclosures of PHI. There is also a degree of confusion when it comes to the difference between an authorization and consent.
HIPAA Authorizations vs Consent
As described above, an authorization is required to use or disclose PHI for a purpose not required or permitted by the Privacy Rule. There are also cases in which an individual should be given an opportunity to agree or object to a disclosure of PHI (see §164.510). While consent in these cases can be provided or refused verbally, it is a best practice to document consent.
The reason it is a best practice to document consent is that, for example, if a healthcare provider discloses a patient’s PHI to a family friend on the basis of verbal consent, and the family friend further discloses the PHI against the patient’s wishes, the patient could contest they ever gave their consent. This is why it is always best to document consent – on a HIPAA form!
Privacy and Other Patient Requests
Under §164.522 of the Privacy Rule, patients have the right to request privacy restrictions for PHI so it is not used (for example) for research, training, or underwriting purposes. Such requests must be complied with when a patient has paid for their own treatment and the request must be documented on a HIPAA form designed for such purposes.
The same standard also allows patients to request confidential communications. Requests must be made in writing and accommodated whenever reasonable. As requests originate from patients, it may not be necessary to have a HIPAA form to comply with confidential communication requests, but this depends on each covered entity’s administrative processes.
Acknowledging the Receipt of a Notice of Privacy Practices
Healthcare providers that have a direct treatment relationship with a patient are required to provide a Notice of Privacy Practices no later than the date of the first service delivery and – other than in emergency circumstances – obtain an acknowledgement of receipt. In most cases, healthcare providers provide patients with a prepared HIPAA form to acknowledge receipt.
Because it is not always possible to obtain an acknowledgement of receipt, the Privacy Rule allows healthcare providers to “make a good faith effort to obtain a written acknowledgment”. In cases where no acknowledgement is obtained, healthcare providers must document their good faith efforts and the reason why the acknowledgment was not obtained. For this reason, some HIPAA acknowledgement forms have two parts – the first for the patient to acknowledge receipt of the Notice, and the second to explain why an acknowledgement was not obtained.
Other Uses of the Term HIPAA Form
The term HIPAA Form is not used exclusively for Privacy Rule purposes. A covered entity or business associate may use the term to describe a breach notification template or a Business Associate Agreement – especially when a business associate subcontracts services to a downstream partner that would not use the term HIPAA Form for any other purpose.
To reduce any confusion about what form should be used for what purpose, it is advisable to use the most appropriate terminology for each HIPAA form – i.e., authorization form, consent form, privacy restriction form, etc. Admittedly, it may not be easy to convince members of the workforce to adopt a new terminology after many years of referring to (for example) a consent form as a HIPAA form, but it can make the administration of the HIPAA standards a little easier to navigate.