Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

2 min read

When is a HIPAA authorization form required?

Picture of Tshedimoso Makhene Tshedimoso Makhene December 23, 2024

HIPAA compliant forms
When is a HIPAA authorization form required?

A HIPAA authorization form is required when a covered entity or business associate wants to use or disclose a patient’s protected health information (PHI) for purposes unrelated to treatment, payment, or healthcare operations. 

 

Use of authorization forms

The uses of a HIPAA authorization form include: 

  • Marketing: According to the Department of Human and Health Services (HHS),the [Privacy] Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.However, if communication involves face-to-face interactions ora promotional gift of nominal value”, authorization forms are not required.
  • Research: When researchers seek to access or use PHI for studies, an authorization form is needed unless an Institutional Review Board (IRB) grants a waiver.
  • Sharing with third parties: If PHI is disclosed to a third party for purposes outside the scope of treatment, payment, or operations, such as employment background checks or legal proceedings, a signed authorization is mandatory.
  • Psychotherapy notes: The use or disclosure of psychotherapy notes requires specific authorization, except in limited circumstances such as to defend a legal claim by the provider.

Read also: Sharing patient information with authorization

 

Elements of a HIPAA authorization form

A valid HIPAA authorization must include:

  • A description of the information to be disclosed.
  • The name of the person or entity authorized to make the disclosure.
  • The name of the person or entity receiving the information.
  • The purpose of the disclosure.
  • An expiration date or event.
  • A statement of the individual's right to revoke the authorization.
  • A signature and date.

 

Tips/best practices

When handling HIPAA authorization forms, it is best practice to: 

  • Provide clear and complete information: Ensure the form includes all necessary details, such as the specific information being disclosed, the purpose, recipient, and expiration date, in a way that's easy for patients to understand.
  • Document authorizations: Keep accurate records of all signed forms for audit purposes and secure storage.
  • Respect revocations: Act promptly to stop further disclosures if a patient revokes their authorization and document the revocation.

See also: Collect patient data securely with Paubox Forms

 

FAQs

Does a healthcare provider need to get authorization for sharing PHI with other doctors?

Healthcare providers can share PHI for purposes of treatment without requiring a separate authorization form. This includes sharing information with other healthcare providers involved in a patient’s care. However, for uses outside treatment, such as research or marketing, authorization is needed.

 

Who is responsible for ensuring that a HIPAA authorization form is obtained?

It is the responsibility of the covered entity to obtain a HIPAA authorization before using or disclosing PHI for purposes not covered under treatment, payment, or healthcare operations.

HIPAA compliant email you can set and forget

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.