Problem solve Get help with specific problems with your technologies, process and projects.

Release of medical forms under HIPAA

In regard to the release of medical records, does the patient still have to sign the form? If they do, when do...

we need to have them sign the form? Does the form only need to be signed when the patient is transfering to another practice, and we will no longer be treating them?

The answers to these questions vary depending upon what type of covered entity you are, specific details of your situation, etc. I can answer this from a high-level, but I still recommend that you obtain outside HIPAA expertise from an attorney or HIPAA consultant. The August 2002 updates to the Privacy Rule includes that consents from patients are no longer required. However, authorizations for use and disclosure of protected health information must be obtained from patients, except in the following cases:

  • use and disclosure during healthcare treatment, payment and operations
  • those allowing opportunity to agree or object
  • if use or disclosure is exempted under the rule
  • if use or disclosure is required under the rule (for example, to the individual, to the DHHS Secretary, etc.)

There are many other factors to consider, such as whether or not you already have a relationship (e.g., business associate or healthcare services) with the other practice along with what type of service is being transferred (e.g., psychotherapy notes, general healthcare information, etc.) There's a chance that you will not need to have another authorization signed unless the patient's new provider is performing activities (e.g., marketing, research, etc.) that specifically require an authorization for which you did not previously perform.

Bottom line, the Privacy Rule is quite complicated and only outside expertise can get involved and understand your particular situation well enough to make sure you're doing things correctly. It may be expensive in the short-term, but outside expertise will provide value and will save you time, effort and money in the long-term.

I would like to express my deep appreciation to Becky Herold, Senior Security Architect at QinetiQ Trusted Information Management, Inc., for her expertise on this particular issue.

For more information on this topic, visit these other SearchSecurity.com resources:
News & Analysis: HIPAA privacy changes trickle down to IT
News & Analysis: Experts answer users' HIPAA questions
Best Web Links: Securing healthcare/health services

This was last published in October 2002

Dig Deeper on Information security policies, procedures and guidelines

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.