There are certain circumstances in which it is required for behavioral health professionals to receive a HIPAA medical release form before they are permitted to disclose protected health information (PHI). HIPAA medical release form requirements are discussed below.
What to Include in a HIPAA Medical Release Form
When drafting a medical release form, it is important that it is written in plain language, without any jargon, ensuring that it is easily understandable to patients. The medical release form must be given to patients to review before they sign the document.
The following must be included in the medical release form:
- A description of the PHI that may be shared or disclosed.
- The purpose of the PHI disclosure.
- The name of the entity or person(s) with whom the PHI will be shared.
- A date by which the authorization for the disclosure will expire.
- The signature of the patient.
If a personal representative is signing on behalf of the patient, covered entities must also include a description of the representative’s relationship patient, and documentation of the representative’s authority to act on behalf of the patient. Within the medical release form, there must be a statement regarding the patient’s rights with respect to the authorization.
- The right to revoke the authorization for disclosures, including procedures for how to revoke the authorization.
- The patient’s right to be free from retaliation or other penalties for failing to sign the authorization.
State medical release form requirements may differ from federal HIPAA requirements. Those states that have stricter requirements than HIPAA, must also be adhered to for behavioral health professionals operating in that state.
When is a Medical Release Form Required?
A HIPAA medical release form is required when PHI disclosures fall outside of the treatment, payment, or healthcare operations. The following are instances in which a HIPAA medical release form is required:
- Prior to any disclosure of PHI to a third party for any reason other than treatment, payment, or healthcare operations.
- Prior to disclosing PHI that may be used in marketing or fundraising efforts.
- Prior to disclosing PHI for research purposes.
- Prior to the disclosure of any psychotherapy notes.
- Prior to PHI being disclosed or shared for monetary compensation.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!
Ransomware hackers attack smaller healthcare practices daily, creating serious data breaches and HIPAA violations. Are you and your clients/patients vulnerable, too?
Managing social media use and HIPAA compliance can lead to some of the most common misunderstandings faced by healthcare providers. Improperly trained employees can expose your organization to HIPAA violations and costly fines!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.