Skip to content

Compliance

HIPAA forms: 8 documents every small healthcare practice needs

Wondering what forms you need to be HIPAA compliant? This guide covers the paperwork you need and what to put in it. With recommendations to help you elevate your compliance game.
HIPAA Forms

Forms are a crucial part of every healthcare practice. They collect patient data, share vital information, and help you keep accurate records. But how do you know if you have the right ones to comply with the Health Insurance Portability and Accountability Act (HIPAA)?

Although the HIPAA Privacy Rule does outline required forms and explains what to put in them, it isn’t always easy to wade through the legal lingo to figure out whether or not you have everything you need.

In this article, we’ll give you a helping hand by going over the key HIPAA-required forms and explaining what to include in them. We’ll also recommend additional forms to help strengthen your privacy practices.

👉 It’s always best to consult with a legal expert or compliance professional regarding HIPAA forms to help ensure you’re complying with the HIPAA rules and local laws.

Forms required by HIPAA

Required HIPAA Forms

First, let’s review the forms necessary to comply with the HIPAA rules. Skipping one of these documents could be a HIPAA violation and lead to penalties from the Office for Civil Rights (OCR).

For example, a mental health center was investigated by the OCR after it failed to provide a Notice of Privacy Practices (NPP) to a father and his underage daughter, a client at the center. Investigations are nerve-wracking and time-consuming. This center could have saved itself a lot of time and stress by using the form consistently before a complaint was filed.

We’ll go over what an NPP is and how to use it later in this section.

Authorization to Use and Disclose Protected Health Information (a.k.a. Release of Information)

According to the HIPAA Privacy Rule, covered entities, such as healthcare providers, must obtain their clients’ written permission to share protected health information (PHI) in situations that fall outside the allowances in the privacy rule. In these cases, you must ask clients to sign an Authorization to Use and Disclose Protected Health Information form. In some healthcare settings, this may be called a Release of Information (ROI) form.

PHI

Information that relates to:

  • A person’s past, present, or future physical or mental health or condition
  • The provision of healthcare to a person
  • Payment for a person’s healthcare

Definition of PHI and its 18 identifiers

So, when do you require an authorization form?

Generally speaking, you don’t need permission to share PHI with:

  • The client or patient being treated, or their legal representative
  • Organizations or individuals also covered by HIPAA and involved with the client’s treatment, payment for healthcare services, or healthcare operations (e.g., another healthcare provider treating the client, a health plan, etc.)
  • State or federal governments (according to law)
  • Public health authorities, organizations, or individuals regarding public health activities
  • Those involved in special circumstances such as health oversight, judicial proceedings, workers’ compensation, etc.

You do need permission to share PHI in any other way that falls outside of these guidelines. This includes disclosing psychotherapy or substance use disorder notes (which we’ll cover later in this article), sharing information with a client’s employer, for some types of research, or when marketing third-party products or services to clients. In all these cases, and more, you would use this authorization form.

What information should be in an Authorization to Use and Disclose Protected Health Information form? The Privacy Rule spells it out in detail.

Authorization to Use and Disclose Protected Health Information

Include:

  • The date
  • The name and address of your organization
  • The client’s name
  • A specific description of the information being shared
  • The person/people authorized to share the information
  • The person/people authorized to receive the information
  • A description of each purpose of the shared PHI. You can use “at the request of the individual” if a client initiates the request and does not want to share more information
  • An end date for the use/disclosure
  • A statement explaining that the client can revoke their permission (as long as you haven’t already acted on it) and how to do this
  • Include any exceptions that may apply
  • OR Refer the client to this information if it’s in your NPP
  • A statement explaining whether treatment may or may not be withheld according to the Privacy Rule if the client refuses to sign the form
  • A statement explaining that the PHI could potentially be re-disclosed by the recipient and in that case, would no longer be protected by the HIPAA Privacy Rule
  • The client or their legal representative’s agreement
  • The client or their legal representative’s signature

Notice of Privacy Practices (NPP)

What is an NPP? It’s a notice that explains your obligations to protect client information under HIPAA and your practice’s privacy policies.

This is one document that many practices either don’t have or don’t execute properly. A 2016-2017 HIPAA audit found that only 2% of audited organizations fully complied with this requirement. (An update to these stats is coming soon. The OCR launched a new round of audits for the 2024-2025 cycle. An industry report summarizing the findings will be released after the audit is complete.)

The NPP must be given to clients before their first appointment, but clients can request another copy at any time. It must also be displayed in a prominent physical location and be published on your website.

Clients are expected to acknowledge that they received their NPPs in writing. You can either include this on your NPP along with space for a signature or create a separate acknowledgement form. And don’t forget to give a copy to your clients!

The US Department of Health and Human Services (HHS) provides customizable templates of this form free of charge.

If you prefer to make your own, don’t skip these critical elements. For more detailed information, check the NPP rules.

Notice of Privacy Practices

Include:

  • The date
  • The name and address of your organization
  • A header that clearly states, "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."
  • The date the NPP goes into effect
  • A clear statement that you are legally required to follow the HIPAA rules and the terms of the NPP
  • A clear statement that you reserve the right to change the terms of this notice which will apply to all PHI received before and after the update
  • Explain how you will notify your clients when updates to this notice are made
  • A clear statement explaining that clients may complain to you and the HHS if they believe you have not safeguarded their information properly
  • A clear statement that you must notify clients if their PHI is compromised in a data breach
  • Describe how you use and disclose PHI for treatment, healthcare operations, payment for services, and any other situations
  • Include at least one example for each type of disclosure
  • A clear statement explaining that you may not share client information for marketing purposes without written permission
  • If you work in mental health, include a clear description of how you may share psychotherapy notes and/or substance use disorder information with and without permission
  • Your clients’ rights including:
    • Asking to receive confidential communications in a specific way (e.g., by email only, no phone calls)
    • Accessing and receiving a copy of their records
    • Requesting their records to be corrected if they think something is wrong
    • Restricting some sharing of their information
    • Obtaining a list of how their information has been shared
    • Obtaining a paper copy of this notice
  • Whom clients should contact for more information on your privacy practices
  • How to make a complaint to you and to the HHS
  • A clear statement that your client has received this notice, read it, and understands the content
  • The client’s printed name and signature

👉 Note: Does your practice treat patients in the fields of reproductive healthcare or substance abuse?

If so, be aware that the HHS has made amendments to HIPAA to set further protections for client data related to reproductive healthcare. Additionally, the HHS has simplified and aligned the protection of patient records related to the treatment of substance abuse disorder. These changes may require specific statements in your NPP.

Use or Disclosure of Substance Use Disorder Information

If you work with clients being treated for substance use disorder (SUD), then in most cases, you’ll need their permission to share any information related to their treatment.

The privacy rules on SUD information (also sometimes referred to as “Part 2”) treat counseling notes differently than other PHI related to SUD.

General information on SUD therapy (not counseling notes) can be shared without written permission in a few ways:

This means you need authorization to share information for treatment, payment for services, or healthcare operations. A 2024 update to the rules made it possible to obtain a single authorization for these purposes.

If you must share general information for another reason (in legal proceedings, for example), you would require a separate authorization.

What about counseling notes? Disclosures for them are even more limited. They can only be shared as follows:

  • For training purposes in your own programs
  • To defend yourself legally from the client
  • To a health oversight agency you belong to
  • To a coroner or medical examiner
  • As otherwise required by law

To share counseling notes in another way, use a written authorization.

What should you include in a Use or Disclosure of Substance Use Disorder Information form? It’s similar to the Authorization to Use and Disclose Protected Health Information, but not exactly the same.

Use and Disclosure of Substance Use Disorder Patient Records

Include:

  • The date
  • The name and address of your organization
  • The client’s name
  • The person/people authorized to share the information
  • A specific description of the information being shared
  • The person/people the information will be shared with
  • You may use a single authorization for activities related to treatment, payment for services, and healthcare operations by using a statement like this:
    “My treating providers, health plans, third-party payers, and people helping to operate this program.”
  • A description of each purpose of the shared PHI
  • If the client initiates the authorization and does not want to share the purpose, you can use a statement like:
    “At the request of the patient.”
  • You can use “For treatment, payment, and health care operations” as a purpose
  • If the use/disclosure is related to fundraising, you must include a statement explaining that the client can opt out of these communications
  • A clear statement explaining that the client can revoke their permission (as long as you haven’t already acted on it) and how to do this
  • An end date for the disclosure
  • If the authorization is for treatment, payment, and healthcare operations, you can use phrases like:
    “End of the treatment,” or “None,” if applicable
  • If the authorization is for research, you can use:
    “End of the research study” or similar
  • A clear statement explaining that the information could potentially be re-disclosed by the recipient and in that case, would no longer be protected by the rules governing SUD records
  • A clear statement explaining the consequences to the client of refusing to sign the document
  • If the authorization is for counseling notes, a statement explaining that you may not withhold treatment if the client refuses to sign the form
  • The client or their legal representative’s agreement
  • The client or their legal representative’s signature

Forms Recommended to Support HIPAA Compliance

Recommended HIPAA Forms

These forms aren’t strictly required by the HIPAA rules, but they are recommended as a good way to support compliance in your practice.

Communication Preferences

According to the Privacy Rule, clients have the right to ask you to communicate with them in a specific way, as long as the request is reasonable. Why not make it easy for them with a Communication Preferences form?

This is especially helpful if you use email to communicate PHI. Although the HIPAA Privacy Rule does permit you to email clients, explaining the risks and asking them to sign off on using email may be a useful insurance policy.

According to the Privacy Rule, clients may also give you permission to share their PHI with a legal representative or another individual. A Communication Preferences form is a helpful way to capture this information as well.

Communication Preferences Form

Include:

  • The date
  • The name and address of your organization
  • The client’s name
  • A sentence or two explaining that clients may choose how you communicate with them regarding their health information
  • A description of the type of information that may be communicated
  • A list of communication options (e.g., home phone, cell phone, mail, secure email, etc.) and a way for clients to select their preferences (e.g., check boxes)
  • An optional field appointing another person (e.g., legal representative, family member) to receive PHI
  • A statement explaining that this information may be updated at any time
  • Explain how to do this
  • Space to write requests or more detailed information
  • The client’s signature

Request for Non-Secure Communication

If your client requests less secure methods of communication, such as unencrypted email or text, you may consider using a Request for Non-secure Communication form.

This form outlines the risks to your clients’ PHI (e.g., being intercepted and read by a third party). It also asks the client to acknowledge these risks and give their permission to be contacted using the less secure method(s).

Request for Non-Secure Communication Form

Include:

  • The date
  • The name and address of your organization
  • The client’s name
  • The types of PHI that will be transmitted using unsecured channels
  • The risks to PHI
  • A statement explaining that your client is not required to sign the form to receive treatment
  • A statement explaining that the client can revoke their permission
  • The client’s permission to be contacted using unsecured channels despite the risks
  • The date or event that will terminate the agreement
  • The client’s signature

Would you like a Request for Non-Secure Communication form that you can use in your practice? Submit your information below and you can start using it with your clients today:

Complaint Submission

Another important aspect of the HIPAA Privacy Rule is that clients must be able to complain to you if they feel you have not protected their information appropriately.

Even if you explain how to make a complaint in your NPP, it can also be handy to have a form ready for this purpose. This can make life easier for clients and help you track any complaints you receive.

Complaint Form

Include:

  • The date
  • The name and address of your organization
  • The client’s name and contact information
  • Space for a description of the complaint
  • The date the incident occurred
  • A sentence or two thanking the client for their input and explaining you’ll be in touch soon

Secure Contact

With more clients reaching out online, using a Secure Contact form is an excellent way to keep client information safe, right from the beginning of your relationship.

Going above and beyond with a Secure Contact form shows that you take client privacy seriously. It may also be a solid way to demonstrate your compliance with the HIPAA Security Rule, which governs digital PHI.

"Even if a person isn't a client yet, the fact that they're contacting you about future healthcare services makes you responsible for protecting their PHI. Those initial contact forms must be secure."

Liath Dalton
Director, Person Centered Tech

A secure contact form should be encrypted to provide an extra layer of protection for PHI. Hushmail’s Secure Contact Form template is a great example. It doesn’t take long to add to a website and is a snap for clients to use.

Secure Contact Form from Tweedy Medical Group
Example of a secure contact form - Tweedy Medical Group

Secure File Transfer

Using a Secure File Transfer form is a great way to receive digital PHI from other healthcare providers. As long as the form is encrypted, it’s safe to use.

Using this form can help reduce the faxes you receive, including referrals or sensitive client information. And, like the Secure Contact form, it can also help demonstrate HIPAA compliance.

You can share it with others by adding it to your website or pasting a link to the form in an email.

Secure File Transfer From from Kara Dionisio
Example of a secure file transfer form - Dr. Kara Dionisio

How Using the Right Forms Helps Your Clients and Your Practice

Sure, when you work in healthcare you have to follow a lot of rules, even when it comes to forms. But at the end of the day, it isn’t about the paperwork—it’s about great communication and keeping your clients safe.

Using the right forms at the right times can help protect your clients’ most sensitive information from falling into the wrong hands. It could also help you avoid an OCR investigation or disciplinary actions. Isn’t the extra work worth it in the long run?

Need HIPAA-compliant forms that are ready to go? Hushmail offers secure online forms you can create in minutes with our customizable templates. You can also make your own, or ask us to build one for you!

Learn more about Hush™ Secure Forms

Download 20 quick tips to help you spend less time on admin and more time helping your clients!

20-quick-time-saving-tips

By submitting this form, you agree to receive news, updates, and promotions from Hushmail. You can unsubscribe at any time.

Similar posts