
Who is responsible for obtaining a HIPAA authorization form?

The responsibility for obtaining a HIPAA authorization form falls on the covered entity or its business associate involved in the use or disclosure of protected health information (PHI). 

 

Requirements for HIPAA authorization forms

To ensure compliance, covered entities and business associates must verify that each authorization form contains the required elements. As stated by the HHS, the authorization must include a “description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed.”


Key considerations

  • Documentation: The organization responsible must ensure the authorization form meets HIPAA requirements.
  • Verification: Employees or designated compliance officers often verify that authorization is obtained and valid before releasing PHI.
  • Training: Covered entities and business associates must train their staff to recognize when authorization is required and how to process it appropriately.

 

Consequences of non-compliance

Failing to obtain a valid HIPAA authorization form can have serious consequences, including:

  • Fines and penalties: The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) can impose fines ranging from $141 to $71,162 per violation, depending on the level of negligence.
  • Lawsuits: Individuals may sue for damages if their PHI is improperly disclosed.
  • Reputational damage: Non-compliance can harm an organization’s reputation, leading to loss of trust from patients and clients.


FAQs

Can an individual revoke their HIPAA authorization?

Individuals can revoke authorization in writing at any time, except to the extent the entity has already acted based on the authorization.

 

Can PHI be disclosed without authorization in emergencies?

Yes, HIPAA allows disclosures without authorization in certain cases, such as life-threatening emergencies or public health activities.

 

How long is a HIPAA authorization form valid?

The form is valid until the specified expiration date or event. If no expiration is provided, it is not considered valid.

 
