HIPAA Forms (4)

Updated May 31, 2022

HIPAA forms are used in accordance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Their purpose is to protect and safeguard Protected Health Information (PHI) when it is accessed by, or shared with, authorized third (3rd) parties.

The medical records are known as Protected Health Information (PHI) or Electronic Protected Health Information (ePHI) (45 CFR § 160.103).

By Type (4)


HIPAA Medical Release Form – A request made by a patient to share their medical records with a third (3rd) party.

Download: Adobe PDF, MS Word, OpenDocument
Business Associate Agreement – When a covered entity shares medical records with a 3rd party (business associate).

Download: Adobe PDF, MS Word, OpenDocument
Employee HIPAA Agreement – When an organization shares access to medical records with an employee.

Download: Adobe PDF, MS Word, OpenDocument
Subcontractor HIPAA Agreement – When a business associate shares PHI with a subcontractor.

Download: Adobe PDF, MS Word, OpenDocument
What is the HITECH Act?

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted to promote the adoption and meaningful use of health information technology.

It was signed on February 17, 2009, by Barack Obama and was made effective on February 18, 2009, as part of the American Recovery and Reinvestment Act of 2009.

The act offered government incentives to adopt Electronic Health Records (EHRs) as a means of sharing Protected Health Information (PHI). This has increased EHR adoption from 48.3% in 2009 to 85.9% in 2017.

The HITECH Act also closed loopholes and tightened restrictions so that a covered entity can be held at fault for negligence. Violations of this Act are separated into four (4) tiers of penalties.

Sharing Medical Records (3 rules)

When sharing medical records, three (3) rules must be followed:

  1. Notify of a Security Breach (60 Days)
  2. Make Agreements with Subcontractors
  3. Comply with HIPAA Rules

1. Notify of a Security Breach (60 Days)

If patient information is breached, the business associate must report the breach to the covered entity within sixty (60) days of discovering it, in accordance with 45 CFR § 164.410.

Afterward, the covered entity will be required to report to the affected patient(s) what was breached and how the breach occurred (45 CFR § 164.404).

2. Make Agreements with Subcontractors

If a contractor or subcontractor is used by a business associate to handle patient information, a subcontractor agreement must be written. The subcontractor must sign it, acknowledging that they consent to the same security and protection standards when dealing with patient information.

3. Comply with HIPAA Rules

It must be written that the business associate agrees to comply with the laws, procedures, and policies stated in 45 CFR Part 164, Subpart C (§ 164.302 to § 164.318).

HIPAA Penalties ($)

HIPAA penalties are administered by the Office for Civil Rights (OCR). In the last five (5) years, the office has collected anywhere from $10 million to $30 million annually in fines. The office also maintains a public “Wall of Shame” listing all past and current breaches.

Four (4) Tiers

Fines administered by OCR can range from $100 to $1.5 million per incident, depending on the circumstances of the violation. The penalties for a violation are therefore segmented into four (4) tiers:

| Tier   | Incident                                                                                                                                                                                          | Fine ($) Estimate*      |
|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
| Tier 1 | The breached party was unaware of the breach and, under the given circumstances, could not have known about it.                                                                                   | $100 to $50,000         |
| Tier 2 | The breached party was aware, or by following reasonable HIPAA protocols could have known about, the violation. The breached party must have exemplified actions of willful neglect.              | $1,000 to $50,000       |
| Tier 3 | The breached party acted with willful neglect but corrected the issue within thirty (30) days.                                                                                                    | $10,000 to $50,000      |
| Tier 4 | The breached party acted with willful negligence and failed to correct the issue within a reasonable time period.                                                                                 | $50,000 to $1.5 million |

*Any fine may be up to $1.5 million if OCR deems the negligence or violation to warrant that amount.