eForms Logo

HIPAA Forms (4)

Updated January 10, 2024

HIPAA forms are used in accordance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Its purpose is to protect and safeguard Protected Health Information (PHI) when accessing and sharing with authorized third parties.

The medical records are known as Protected Health Information (PHI) or Electronic Protected Health Information (ePHI).[1]

By Type (4)

HIPAA Medical Release Form – A request made by a patient to share their medical records with a third party.

Download: PDF, MS Word, OpenDocument



Business Associate Agreement – When a covered entity shares medical records with a third party (business associate).

Download: PDF, MS Word, OpenDocument



Employee HIPAA Agreement – When an organization shares access to medical records with an employee.

Download: PDF, MS Word, OpenDocument



Subcontractor HIPAA Agreement – When a business associate shares PHI with a subcontractor.

Download: PDF, MS Word, OpenDocument



Table of Contents

What is the HITECH Act?

Also known as the Health Information Technology for Economic and Clinical Health (HITECH) Act, it was enacted to promote the meaningful use of health information technology.

It was signed on Feb. 17, 2009 by Barack Obama and was made effective on Feb. 18, 2009 as part of the American Recovery and Reinvestment Act of 2009.

The Act offered government incentives to adopt Electronic Health Records (EHRs) as a means of sharing Protected Health Information (PHI). This has increased EHR adoption from 48.3% in 2009 to 85.9% in 2017.[2]

The HITECH Act also closed loopholes and tightened restrictions to fault a covered entity for negligence. Violations of this Act are separated into four tiers of penalties.

Sharing Medical Records (3 Rules)

When sharing medical records, three rules must be followed:

  1. Notify of a Security Breach (60 Days)
  2. Make Agreements with Subcontractors
  3. Compliance with HIPAA Rules

1. Notify of a Security Breach (60 Days)

security breach stamp on folder labeled "community hospital medical records"

If patient information is breached, it’s required to be reported within 60 days by the business associate to the covered entity from when it’s discovered, in accordance with.[3]

Afterward, the covered entity will be required to report to the patient(s) what and how the breach occurred.[4]

2. Make Agreements with Subcontractors

close up of HIPAA subcontractor agreement on deskIf a contractor or subcontractor is utilized by a business associate for the handling of patient information, a subcontractor agreement must be written. The subcontractor must sign and acknowledge that they consent to the same security and protection standards when dealing with patient information.

3. Comply with HIPAA Rules

section of contract showing line for associate's signature

It must be written that the business associate agrees to comply with the laws, procedures, and policies stated in the 45 CFR Subpart C.[5]

HIPAA Penalties ($)

HIPAA penalties are administered by the Office for Civil Rights (or OCR). In the last 5 years, the office has collected anywhere from $10 million to $30 million annually in fines. The office even has a “wall of shame” displaying publicly all past and current breaches.

Four Tiers

Fines administered by OCR can range from $100 to $1.5 million per incident depending on the circumstances of the violation. Therefore, the penalties for violating are segmented into four tiers:

TIER 1 The breached party was unaware of the breach and under the given circumstances could not have known about it. $100 to $50,000
TIER 2 The breached party was aware, or by following reasonable HIPAA protocols, could have known about the violation. The breached party must have exemplified actions of willful neglect. $1,000 to $50,000
TIER 3 The breached party acted with willful neglect although corrected the issue within thirty (30) days. $10,000 to $50,000
TIER 4 The breached party acted with willful negligence and failed to correct the issue within a reasonable time period. $50,000 to $1.5 million
*Any fine may be up to $1.5 million of OCR deems the negligence or penalty to warrant the amount.


  1. 45 CFR § 160.103
  2. https://www.healthit.gov/data/quickstats/office-based-physician-electronic-health-record-adoption
  3. 45 § 164.410
  4. 45 § 164.404
  5. § 164.302 to § 164.318