A signed acknowledgement of receipt of a privacy notice is not the same as an authorization


HIPAA Omnibus Rule

You may refuse to sign this acknowledgement & authorization. If you refuse, we may not be allowed to process your insurance claims.

The undersigned acknowledges receipt of a copy of the currently effective Notice of Privacy Practices for this healthcare facility. A copy of this signed, dated document shall be as effective as the original. MY SIGNATURE WILL ALSO SERVE AS A PHI DOCUMENT RELEASE SHOULD I REQUEST TREATMENT OR RADIOGRAPHS BE SENT TO OTHER ATTENDING DOCTORS / FACILITIES IN THE FUTURE.

By typing your name below, you are signing this application electronically. You agree your electronic signature is the legal equivalent of your manual signature on this application.

Please print name of Patient

Please sign for Patient/Guardian of Patient

Legal Representative/Guardian

Relationship of Legal Representative/Guardian

Your comments regarding Acknowledgements or Consents:

How do you want to be addressed when summoned from the reception area:

First Name Only

Proper Surname

Other

Please list any other parties who can have access to your health information. (This includes stepparents, grandparents, and any caretakers who can have access to this patient's records.)

I authorize contact from this office to confirm my appointments, treatment, and billing information via:

Cell Phone Confirmation

Home Phone Confirmation

Work Phone Confirmation

Text Message to my Cell Phone

Email Confirmation

Any of the Above

I authorize information about my health to be conveyed via:

Cell Phone Confirmation

Home Phone Confirmation

Work Phone Confirmation

Text Message to my Cell Phone

Email Confirmation

Any of the Above

I approve being contacted about special services, events, fundraising efforts, or new health info on behalf of this Healthcare Facility via:

Phone Message

Text Message

Email

Any of the Above

None of the Above (opt out)

In signing this HIPAA Patient Acknowledgement Form, you acknowledge and authorize that this office may recommend products or services to promote your improved health. This office may or may not receive third-party remuneration from these affiliated companies. We, under the current HIPAA Omnibus Rule, provide you this information with your knowledge and consent.

As Privacy Officer, I attempted to obtain the patient's (or representative's) signature on this Acknowledgement but did not because:

It was emergency treatment

I could not communicate with the patient

The patient refused to sign

The patient was unable to sign because

Other

Your information will be encrypted.

Whether you are a patient or a covered entity (e.g. health organization), you will undoubtedly come into contact with a variety of HIPAA forms. To understand your legal duties as a covered entity, or your rights as a patient, you should become very familiar with these legal documents.

The two most standard HIPAA forms are privacy forms (a.k.a. “notices of privacy practices”) and authorization forms (a.k.a. “release forms”).

The HIPAA privacy form is by far the most common of the two. In fact, according to HIPAA’s Privacy Rule, all covered entities should be making an effort to obtain patient signatures on privacy forms. The HIPAA privacy form is a document that outlines the manner in which a patient’s PHI (protected health information) may be disclosed to third parties (e.g. health clearinghouses). Patients who sign one of these forms legally acknowledge that they have understood the provider’s privacy practices.

If you are a patient, you should receive a HIPAA privacy form on your first visit to a new health provider.

HIPAA release forms, also known as authorization forms, are a less common, but equally necessary consideration for covered entities and patients alike.

Simply put: without explicit legal permission (a signed HIPAA authorization form), no civilian can access your PHI. This applies to a patient’s parents, children, spouse, friends, coworkers, employers, etc. HIPAA release forms allow patients to authorize their health provider to disclose information to a civilian third party of their choosing.

Below is a deeper examination of the two types of standard HIPAA forms. We will examine why these forms are necessary, and how they impact both covered entities and patients alike.

HIPAA Privacy Form Detailed

In order to understand the necessity of HIPAA privacy forms, you must first understand HIPAA’s privacy rule.

Health providers deal with a lot of sensitive information about their patients—illnesses, prescriptions, past medical procedures, insurance bills, etc. If this information never had to leave your doctor’s office, the laws for medical disclosure would be a lot simpler. In the real world, however, health organizations must work in close concert with a variety of third parties (like insurance companies and health clearinghouses) to ensure that you are getting the coverage you are eligible for and the treatment that you need.

Due to the complexity of the healthcare infrastructure, it would be nearly impossible to ask for a patient’s permission every time a health provider needed to share medical information with another party. For purposes of enrollment, coverage, treatment, and billing, your PHI would be requested many dozens of times a year. Yet, there are real risks in giving third parties access to such sensitive, private information.

This is what HIPAA’s privacy rule seeks to remedy.

As outlined in our HIPAA Compliance Checklist article, covered entities (or any party that will have access to a patient’s PHI) must follow a large number of rigid guidelines to ensure that sensitive patient information remains secure and confidential.

Specifically singled out by HIPAA, healthcare providers that have a direct treatment relationship with patients are required by law to disclose their privacy practices. These disclosures come in the form of a “notice of privacy practices.”

Implications for Health Providers

Most covered entities are exempt from the “notice of privacy practices” requirement. This requirement only applies to entities that have a direct treatment relationship with individuals (e.g. clinics, private practices).

As stated in HIPAA’s Privacy Regulation Text, health providers with a direct treatment relationship with individuals must:

…make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained. Source: HHS

In practical terms, if this rule applies to you, you must provide every patient with a privacy form and request his or her signature.

The importance of obtaining a signature is twofold:
1. Educating the patient about how his or her PHI is being used.
2. Limiting the liability of your organization in the case of a civil suit.

Implications for Patients

Chances are that you have signed half a dozen HIPAA privacy forms without realizing it. They are one of the many forms that you are asked to fill out on your first visit to a doctor.

According to HIPAA’s Privacy Rule, you are not required to sign these documents.

Although the receptionists handing you these forms may not be fully aware of this fact, you are under no legal obligation to give your signature (HHS).

One potential reason for refusing to sign a HIPAA privacy form is to keep your options open in the case of a violation. If you signed a privacy form, it will be much harder to sue the health provider if the confidentiality of your PHI was broken. Although this is an unlikely possibility, it is a possibility nonetheless.

Ultimately, the decision of signing is up to you. If you are legitimately worried about privacy violations, you can read more about the policies HIPAA has in place to protect your information.

HIPAA Release Form Detailed

While certain HIPAA policies allow health providers to give PHI to third-party businesses (for enrollment, billing, etc.), there are many administrative, physical, and technical safeguards in place to keep the data confidential. The same breadth of protections is impossible to enforce on civilians.

The HIPAA Privacy Rule allows patients to keep their health conditions, insurance information, health transactions, etc. completely confidential.

This law stipulates that disclosure of this information to a third-party individual is completely up to the discretion of the patient. This discretion is exercised through the help of HIPAA release forms.

Simply: HIPAA release forms give patients full power over choosing who can access their health information (parents, children, spouses, friends, etc.)

In order for a release form to be legally valid, it must inform the patient of the following:

• The patient has the right to revoke an authorization at any time.
• Authorization forms are completely voluntary.
• There is a chance that the person you are choosing to trust with your information might disclose it to someone else.

Amongst other requirements, the authorization must also be written in plain language, so as to be fully comprehensible to the patient.

Assuming that the form meets all the above requirements, it still cannot be considered valid until the following criteria have been met:

• The information being disclosed must be described in a specific and meaningful fashion.
• The purpose of each disclosure must be outlined.
• The name of the person who is authorizing disclosure, and the name of the person(s) receiving the authorization must be clearly printed.
• An expiration date or expiration event (after which disclosures can no longer be made) must be specified.
• The patient must date and sign the document.

Implications for Health Providers

If you work on behalf of a covered entity, as defined by HIPAA, you are legally obligated to keep all PHI confidential. Any requests for PHI by a patient’s spouse, family, etc. must be denied, unless the patient has signed a legally binding release form.

HIPAA’s privacy rule demands that, in order for authorization to be considered valid, the release form must A) provide specific legal information about HIPAA’s Privacy Rule, and B) detail the nature of information being disclosed, the purpose, to whom, and for how long. Additional criteria may need to be met.

Your organization must also be careful to account for individual state laws. While in most cases HIPAA requirements supersede those of state law, there can be exceptions. In the case of a state privacy law being more stringent than that of HIPAA, for example, you are legally obligated to follow the state standard.

In addition to carrying HIPAA authorization forms, your offices must have all relevant state forms as well.

Implications for Patients

Except under very special circumstances, no one will be able to access your PHI without your permission. If you wish for your health information to remain hidden from your family, friends, etc., don’t sign any disclosure forms. Also note that, while some health providers may ask you to fill out a “next of kin form” or a HIPAA form, you are under no obligation to do so.

There are many circumstances under which you may want someone to have access to your PHI. For example, if a family member or friend is helping you make payments on medical bills, it might be useful for them to see what they’re paying for. In another scenario, you may be too ill to deal with the bureaucracy of constant treatment, and may need help from a spouse or family member.

Implications for Individuals Caring for Patients

The default mode of health privacy is this: unless the patient makes a conscious effort to give someone access, the PHI will remain private. Even if you are the spouse of a patient, PHI will be inaccessible to you until your husband/wife authorizes you.

Final Thoughts on HIPAA Forms

Despite the nonchalance with which providers and patients alike typically treat HIPAA forms, they are a vital component of the patient/provider relationship.

For better or worse, HIPAA’s Privacy Rule has been carefully drafted to give patients the final say over the disclosure of their PHI. While this may create difficulties for covered entities and the loved ones of patients, it is ultimately necessary.

Is a privacy notice the same as authorization?

What is in the Notice? The notice must describe how the Privacy Rule allows the provider to use and disclose protected health information. It must also explain that your permission (authorization) is necessary before your health records are shared for any other reason.

Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization.

Which of the following must be included in an authorization?

The core elements of a valid authorization include:

• A meaningful description of the information to be disclosed.
• The name of the individual or the name of the person authorized to make the requested disclosure.
• The name or other identification of the recipient of the information.

What is a HIPAA release & authorization?

HIPAA Authorization is a document that authorizes the release of medical records which are protected under HIPAA. The authorization names designated representatives who may receive protected medical records, despite the privacy protections of HIPAA. HIPAA is an important piece of legislation.