The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is something that all dental practitioners need to be familiar with – along with the variety of HIPAA forms that come with it. A signed HIPAA form must be obtained from a patient before their protected health information (PHI) can be shared with other individuals or organizations, except for certain routine disclosures outlined in the HIPAA Privacy Rule.
So, what are your legal duties when it comes to HIPAA forms, what information do they contain, and when do you use them? This article breaks down what you need to know.
Understanding the HIPAA Privacy Rule
As HIPAA-covered entities, all dental practitioners must comply with the HIPAA Privacy Rule. This Rule stipulates that covered entities implement policies and procedures that limit the use and disclosure of PHI to the minimum number of people necessary. In addition, the Privacy Rule gives patients control over who their PHI is released to and shared with. The Privacy Rule aims to protect the privacy of patients and their PHI, while still allowing health care data to be exchanged between certain authorized individuals for necessary healthcare-related activities.
The flow of information between a variety of third-party covered entities – including health care providers, insurance companies, health plans, clearinghouses, and business associates of covered entities (such as data storage providers) – is essential for the health care system to work and for patients to get the treatment they need. If permission needed to be obtained from every single patient every time a piece of medical information changed hands among these covered entities, most patients would need to be contacted dozens of times every year.
As such, the Privacy Rule allows HIPAA-covered entities to use and disclose certain PHI and medical records without patient authorization for routine disclosures concerning treatment, payment, and healthcare operations.
In all other cases, a covered entity must use a HIPAA authorization form to obtain permission from the patient to use their PHI.
HIPAA Authorization Form
HIPAA Authorization Forms – also known as HIPAA release forms – are required in a number of cases, as detailed in the legislation.
They can be summarized, however, as follows:
- When the covered entity wishes to use or disclose PHI to a third party for reasons other than those permitted by the HIPAA Privacy Rule – for example, disclosing information to an insurance underwriter
- When the covered entity wishes to use or disclose PHI for marketing or fund-raising purposes
- When PHI is being provided to a research organization
- Before sale or sharing of PHI that involves remuneration
In addition, though it won’t usually be pertinent to dental practitioners, a signed HIPAA form must be obtained prior to psychotherapy notes being shared or disclosed.
What Information Should Be Included on the HIPAA Form?
In order to meet HIPAA compliance and to be legally valid, the HIPAA authorization form must contain the following information:
- A full description of the information being disclosed
- The purposes of the disclosure
- The name of the person or entity to whom the information will be disclosed
- An expiration date or expiration event (such as when a research study is completed) – after which consent for further use or disclosure is thereby withdrawn
- A signature and date from either the patient or the patient’s representative. In the latter case, the representative’s relationship with the patient must be detailed along with his/her authority to act on the patient’s behalf.
In addition, the HIPAA form must also inform the patient of the following:
- The patient has the right to revoke the authorization at any time
- How the patient can revoke authorization
- That the covered entity cannot withhold treatment, enrollment, or eligibility for benefits if the patient refuses to sign the HIPAA form
- The potential for information disclosed in the authorization to be redisclosed by the recipient and no longer be protected by the Privacy Rule
In all cases, a HIPAA release form must be written in clear, unambiguous language, and a copy of the signed form provided to the patient.
Notice of Privacy Practices
In order to be HIPAA compliant, dental practitioners must also provide patients with a notice of privacy practices – i.e., a privacy form – that provides a clear explanation of patients’ privacy rights with respect to their PHI.
As detailed by the Department of Health and Human Services (HHS), covered entities are required to provide patients with a notice in plain language that describes:
- How the covered entity may use and disclose protected health information about an individual
- The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity
- The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information
- Whom individuals can contact for further information about the covered entity’s privacy policies
Direct treatment providers must provide such notices to patients no later than the date of their first treatment or service delivery (except in an emergency treatment situation). In addition, they must make every effort to obtain the patient’s written acknowledgment of receipt of the notice. In other words, you must provide every patient with a privacy form and request a signature.
If a signature of acknowledgment cannot be obtained (and patients are under no legal obligation to sign a privacy form), you must document your efforts to obtain the acknowledgment – and maintain compliance with the Privacy Rule regardless.
Central Data Storage
HIPAA forms are an essential component of HIPAA compliance. If you’re looking for help regarding any of your HIPAA obligations surrounding your patients’ PHI, talk to us here at Central Data Storage.
We provide HIPAA compliant cloud-based data backup and recovery services for HIPAA covered entities and full, round-the-clock support and guidance on best practices for data protection and HIPAA compliance.
Get in touch today to find out more about how we can help you meet your HIPAA form, data storage, file sharing and backup obligations. Call 1-888-907-1227 or email email@example.com