Covered entities must obtain authorization from a patient or the patient’s personal representative to disclose protected health information under the HIPAA Privacy Rule. Authorizations of this nature must contain specifics on what information will be released and for what purpose, who will disclose and receive PHI, an expiration date or event, and a patient signature. The authorization is not valid without each of these components. Covered entities commonly violate the HIPAA Privacy Rule by releasing PHI without complying with the patient signature requirements.
How HIPAA Help Center can guide you through patient signature requirements
The Training module walks covered entities through HIPAA compliance, ensuring that all workforce members in a practice understand the rules and regulations pertaining to this legislation. For example, the training covers the requirement that a valid authorization include a patient signature.
Covered entities must produce a signed consent form when they undergo a HIPAA audit. The Audit Reports module collects all necessary documentation in one place, including consent forms, so covered entities are fully prepared. Additionally, because HIPAA Help Center actually houses authorization documents, covered entities can better determine if their fill-in-the-blank forms are HIPAA-compliant.
Frequently asked questions about patient signature requirements:
How can patients give authorization for ePHI?
Electronic signatures are allowed under HIPAA and may be used for authorization. HIPAA does not provide specific standards for e-signatures. However, the law does require that covered entities have proper security safeguards in place should they choose to utilize them. Additionally, the e-signatures must be set up in a way that creates a legally binding contract.
What must be included for a signature to comply with HIPAA?
The authorization must contain the patient’s signature and the date the document was signed.
What if a patient is unable to sign an authorization?
Authorization may be validated with a personal representative’s signature. However, the authorization must also contain a description of the personal representative’s authority. For example, a parent may provide a signature for authorization on behalf of a minor patient, but the parent would also need to indicate that he or she is the patient’s legal guardian.
Do covered entities need a patient signature to obtain consent?
Consent refers to patient approval for disclosing PHI for treatment, payment and health care operations or other reasons that do not require authorization. Covered entities are not required to obtain consent. However, for covered entities that voluntarily do so, it is best practice to follow internal procedures accordingly even if that requires obtaining a patient signature.