A HIPAA authorization form is required when a covered entity or business associate wants to use or disclose a patient’s protected health information (PHI) for purposes unrelated to treatment, payment, or healthcare operations.
Use of authorization forms
The uses of a HIPAA authorization form include:
- Marketing: According to the Department of Health and Human Services (HHS), “the [Privacy] Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.” However, if communication involves face-to-face interactions or “a promotional gift of nominal value”, authorization forms are not required.
- Research: When researchers seek to access or use PHI for studies, an authorization form is needed unless an Institutional Review Board (IRB) grants a waiver.
- Sharing with third parties: If PHI is disclosed to a third party for purposes outside the scope of treatment, payment, or operations, such as employment background checks or legal proceedings, a signed authorization is mandatory.
- Psychotherapy notes: The use or disclosure of psychotherapy notes requires specific authorization, except in limited circumstances such as to defend a legal claim by the provider.
Elements of a HIPAA authorization form
A valid HIPAA authorization must include:
- A description of the information to be disclosed.
- The name of the person or entity authorized to make the disclosure.
- The name of the person or entity receiving the information.
- The purpose of the disclosure.
- An expiration date or event.
- A statement of the individual's right to revoke the authorization.
- A signature and date.
Tips/best practices
When handling HIPAA authorization forms, it is best practice to:
- Provide clear and complete information: Ensure the form includes all necessary details, such as the specific information being disclosed, the purpose, recipient, and expiration date, in a way that's easy for patients to understand.
- Document authorizations: Keep accurate records of all signed forms for audit purposes, and store them securely.
- Respect revocations: If a patient revokes their authorization, act promptly to stop further disclosures and document the revocation.
FAQs
Does a healthcare provider need to get authorization for sharing PHI with other doctors?
Healthcare providers can share PHI for purposes of treatment without requiring a separate authorization form. This includes sharing information with other healthcare providers involved in a patient’s care. However, for uses outside treatment, such as research or marketing, authorization is needed.
Who is responsible for ensuring that a HIPAA authorization form is obtained?
It is the responsibility of the covered entity to obtain a HIPAA authorization before using or disclosing PHI for purposes not covered under treatment, payment, or healthcare operations.