A valid HIPAA waiver form is required whenever a Covered Entity wants to use or disclose Protected Health Information for a purpose not otherwise required by the General Provisions of the Administrative Requirements or permitted by the HIPAA Privacy Rule.
Generally, Covered Entities are required to disclose Protected Health Information (PHI) when requested to do so by the Department of Health and Human Services (HHS) or by an individual exercising their access rights under the Privacy Rule. Additionally, some Covered Entities may be required to disclose PHI to state agencies to report events such as child abuse or domestic violence.
Other than required uses and disclosures, Covered Entities are permitted to use or disclose PHI for treatment, payment, and healthcare operations (§164.506), and for a selected number of events in which neither an authorization nor the opportunity to agree or object is required (§164.512) – although limitation exists on how much PHI can be used or disclosed and who to.
All other uses and disclosures of PHI require a Covered Entity to obtain an authorization from the subject of the PHI or their personal representative. But when might these circumstances occur? And, what makes a HIPAA waiver form valid?
When a HIPAA Waiver Form is Required
The Privacy Rule lists three examples of when a HIPAA waiver form is required – when a Covered Entity wants to use or disclose psychotherapy notes (except for the treatment of an individual), use or disclose PHI for marketing (exceptions exist if the Covered Entity is not being remunerated), or sell PHI.
However, these are not the only occasions when a HIPAA waiver form is required. For example, if a hospital is releasing a public interest story to the media which includes identifying information about one or more patients, it is necessary to obtain an authorization from each patient because the disclosure to the media infers the patients are receiving medical treatment.
Covered Entities have been sanctioned for not obtaining authorizations before disclosing identifying information to the media. In 2016, the New York Presbyterian Hospital settled a case with HHS´ Office for Civil Rights for $2.2 million after allowing a crew from the TV show “NY Med” to film two patients without obtaining a HIPAA waiver form in advance.
What Makes a HIPAA Waiver Form Valid?
In order for a HIPAA waiver form to be valid, it has to include all the core elements listed in §164.508(c). Importantly, the plain language requirement has been interpreted to mean that, if an individual´s first language is not English, a form must be provided in the individual´s native language or an interpreter must be provided to ensure the individual gives their informed authorization.
Additionally, if a waiver from the Privacy Rule is required prior to the sale of PHI, the form must state how much remuneration the Covered Entity is receiving. Also, if a disclosure is made in the public domain (i.e., social media), the individual must be informed it may be copied or forwarded before the Covered Entity has an opportunity to respond to a revocation request, and the signed HIPAA Waiver form must be retained for a minimum of six years from the date it was last in force.
While including all the core elements may satisfy HIPAA requirements, it may not satisfy state requirements. Many states have passed legislation with more stringent privacy and security standards than exist within HIPAA. If your organization is located in a state – or treats patients from a state – with more stringent privacy and security standards than HIPAA, it may be necessary to include more information that that required to make a HIPAA waiver form valid.
Download HIPAA Waiver Form
(Word document, 21Kb)