A signed HIPAA release form must be obtained from a patient before their protected health information can be shared with other individuals or organizations, except in the case of routine disclosures for treatment, payment or healthcare operations permitted by the HIPAA Privacy Rule. Releasing medical records without a HIPAA authorization form is a HIPAA violation. (free PDF document – Opens directly in browser) The HIPAA Privacy Rule (45 CFR §164.500-534) became effective on April 14, 2001. The primary purpose of the HIPAA Privacy Rule is to ensure the privacy of patients is protected while
allowing health data to flow freely between authorized individuals for certain healthcare activities. The HIPAA Privacy Rule allows HIPAA-covered entities (healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities) to use and disclose individually identifiable protected health information without an individual’s consent for treatment, payment and healthcare operations. In all cases, when individually identifiable protected health information needs to be disclosed, it must be limited to the ‘minimum necessary information’ to achieve the purpose for which the information is disclosed. Get The ChecklistFree and Immediate Downloadof HIPAA Compliance ChecklistDelivered via email so verify your email address is correct. Your Privacy Respected HIPAA Journal Privacy Policy The Privacy Rule also gives patients the right to access the health data created, stored or maintained by their healthcare providers. Patients are permitted to obtain the data in a covered entity’s designated data set – a group of records maintained by the covered entity that is used to make decisions about a patient’s healthcare. Patients are also permitted to amend certain information held by a covered entity if it is discovered to be incorrect. Such requests should be obtained from a patient in writing. Covered entities are not required to obtain consent from patients for routine disclosures for treatment, payment or healthcare operations, although some covered entities still choose to do so. This provides them with an additional level of protection in the event of a privacy complaint or audit. Such authorizations detail when protected health information will be used by the covered entity, the entities to which that information will be disclosed, and the circumstances under which information will be used and disclosed. Essentially, such an authorization duplicates much of what is detailed in a covered entity’s Notice of Privacy Practices. When is a HIPAA Authorization to Release Medical Information Form Required?A HIPAA release form must be obtained from a patient before their protected health information is disclosed for any purpose other than those detailed in 45 CFR §164.506, which are specifically covered in 45 CFR §164.508 and summarized below:
What Information Should be Detailed on a HIPAA Release Form?A HIPAA-compliant HIPAA release form must, at the very least, contain the following information:
The HIPAA release form must also include statements that advise the individual of:
A HIPAA release form must be written in plain language and a copy of the signed form should be provided to the patient. Can you fax protected health information?Answer: Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise.
What is the purpose of an authorization form?The authorization form (sometimes called a patient HIPAA consent form), essentially serves as a handy dandy permission slip allowing a practice or business associate to use or disclose protected health information (PHI) in the ways a patient wants their data used.
What do security guidelines demand when faxing patient information?When sending a fax, include a cover sheet indicating the date and time sent; the recipient's name and fax number; and the sender's name, organization and phone number. The fax cover sheet should NEVER include a patient's name or any other PHI. 2. Include a privacy statement in the fax cover sheet.
What is the most secure way to send medical records?If a fax is sent to the wrong person, the medical records will be exposed to unauthorized individuals. So, email is not only a much more modern way to send records, but also a more secure way if used properly.
|