Between 2009 and 2021, there were 4,419 healthcare data breaches of 500 or more records. These breaches resulted in the loss, exposure, and theft of 314,063,186 healthcare records. Each year officials take steps to prevent breaches like these from happening.
This has been especially true since 2015, which was the worst year in history for healthcare data breaches. With more than 113.27 million records stolen, it was clear to the public that anyone can be a target no matter the size of the company.
As a patient, you expect that your protected health information (PHI) is going to stay as just that: protected. This is thanks to the Health Insurance Portability and Accountability Act of 1996.
HIPAA is a federal law that upholds standards to prevent the unauthorized disclosure of information. Healthcare professionals can then better protect medical records and identifiable health information while providing services.
So where does a consent form come into play? The HIPAA Privacy Rule states requirements for a patient's consent to release their protected health information. This is helpful for a multitude of reasons. One is that it marks an individual's rights to understand and control their protected health information. The other is that it allows healthcare professionals to limit the liability of their organization in the case of a civil suit.
There are a variety of different HIPAA consent forms that both patients and covered entities will likely come into contact with. In order to understand your rights and legal duties, it is important to understand these legal forms.
Why do I need a HIPAA consent form?
Healthcare providers often deal with patients’ sensitive health information. This includes illnesses, prescriptions, past medical procedures and diagnoses. The list of course goes on. If this information never had to leave the practice, we may not have as much of a need for consent forms. However, in reality this isn’t the case.
Healthcare organizations need to work together with third parties such as clearinghouses and insurance companies to ensure proper patient care. The healthcare infrastructure is therefore pretty complex and prone to mistakes.
While navigating this infrastructure, professionals must keep business agreements and medical records safe and secure. This relates directly to HIPAA compliance.
Understanding the main types of HIPAA consent forms can mean the difference between good HIPAA compliance and a hefty fine.
In 2018 Anthem Inc. paid the largest ever financial penalty for a HIPAA violation. After the investigation of their 78.8 million record data breach in 2015, the insurance company paid $16 million to settle the case.
The need for a HIPAA consent form can apply to many different cases while handling protected health information. Whether you work in a doctor's office, a hospital setting, or a lab, HIPAA consent forms are necessary to carry out even the simplest tasks.
HIPAA Forms: Privacy vs Authorization
The two most standard types of HIPAA consent forms are privacy forms and authorization forms. The HIPAA privacy form outlines the manner in which a covered entity can share PHI with third party organizations. A HIPAA authorization form, by contrast, focuses on allowing patients to keep their medical information private from civilians.
Both forms branch out into even more specific consent forms depending on the case. Let’s take a closer look at these consent forms and a few specific examples.
HIPAA Privacy Form
Privacy forms are also known as “notices of privacy practices” and are the most common of the two. If you are a covered entity, HIPAA’s Privacy Rule requires you to obtain a patient's signature on these forms. By signing these documents, a patient acknowledges that they understand the provider’s privacy practices.
According to the U.S. Department of Health and Human Services, direct treatment providers must:
“…make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained.” Source: HHS
As stated before, the healthcare infrastructure is complex. A signed privacy form allows the use of a patient’s protected health information for additional purposes. This includes sharing medical information with a third party for purposes of:
Enrollment
Coverage
Billing to insurances
New Patient Form
If you are a new patient, you should fill out a HIPAA privacy form during your first visit to a new healthcare provider. This is a pretty standard procedure, but it's helpful in gathering information about the patient, specifically their insurance and communication preference.
The form also ensures that the patient acknowledges the privacy agreement upheld by the organization. This agreement lets the patient know that the facility complies with HIPAA to protect health information and explains the patient's rights to their medical records.
Having this form signed also helps the healthcare facility prove HIPAA compliance in the event of an audit.
Business Associate Agreement Form
A Business Associate is any person or entity who transmits, receives, processes, or stores protected health information on behalf of providers. A Business Associate Agreement (BAA) allows these entities or individuals outside of your practice access to protected health information.
A valid HIPAA BAA must be present between a covered entity and a business associate before the sharing of protected health information.
HIPAA Authorization Form
HIPAA authorization forms are less common, but equally necessary for both providers and patients. Without a signed authorization form, HIPAA does not allow the sharing of PHI. This applies to a patient’s parents, children, spouse, friends… you get the idea.
The HIPAA release forms allow patients to share their information with someone of their choosing.
Medical Release Form
I’m sure you’ve heard of a medical release form, and if not then here’s what it is. These authorization consent forms require a patient’s signature so an organization can share their protected health information with someone other than the patient.
This can include:
Sharing health information with a university for educational or research purposes.
Disclosing psychotherapy notes.
Transferring records to a new physician or a specialist the patient is being sent to.
Using the patient’s recovery story as a part of a marketing plan.
Does there always need to be a consent form involved?
There are instances in which the law permits a covered entity to use and disclose health information without an individual's authorization.
The following are examples of such situations:
Treatment, payment, and healthcare operations
Disclosure to the individual
Public interest and benefit activities
Incident to an otherwise permitted use and disclosure
Conclusion
Consent forms allow the healthcare infrastructure not only to protect the patient’s rights, but also to save an organization from large fines and even jail time. These are only a few of the more common consent forms, but there are several other forms that an organization may need to keep up with HIPAA compliance.
Maintaining proper documentation by collecting patient signatures can also save you from heavy penalties after an official audit.
It can be a burden to take in, manage, and secure this information. That is why it is helpful for organizations to use proper administrative software for easier access to records.