HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Who is responsible for obtaining a HIPAA authorization form?

Written by Tshedimoso Makhene | Jan 25, 2025 12:58:47 AM

The responsibility for obtaining a HIPAA authorization form falls on the covered entity or its business associate involved in the use or disclosure of protected health information (PHI). 

 

Requirements for HIPAA authorization forms

To ensure compliance, covered entities and business associates must verify that authorization forms meet the following requirements: the authorization must include, as stated by the HHS, a “description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed.” 

See also: Collect patient data securely with Paubox Forms

 

Key considerations

  • Documentation: The organization responsible must ensure the authorization form meets HIPAA requirements.
  • Verification: Employees or designated compliance officers often verify that authorization is obtained and valid before releasing PHI.
  • Training: Covered entities and business associates must train their staff to recognize when authorization is required and how to process it appropriately.

 

Consequences of non-compliance

Failing to obtain a valid HIPAA authorization form can have serious consequences, including:

  • Fines and penalties: The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) can impose fines ranging from $141 to $71,162 per violation, depending on the level of negligence.
  • Lawsuits: Individuals may sue for damages if their PHI is improperly disclosed.
  • Reputational damage: Non-compliance can harm an organization’s reputation, leading to loss of trust from patients and clients.

Learn more: FAQs: HIPAA authorizations

 

FAQs

Can an individual revoke their HIPAA authorization?

Individuals can revoke authorization in writing at any time, except to the extent the entity has already acted based on the authorization.

 

Can PHI be disclosed without authorization in emergencies?

Yes, HIPAA allows disclosures without authorization in certain cases, such as life-threatening emergencies or public health activities.

 

How long is a HIPAA authorization form valid?

The form is valid until the specified expiration date or event. If no expiration is provided, it is not considered valid.

 
View full post