A HIPAA consent form is typically used to obtain consent from patients for the use and disclosure of their protected health information (PHI) for treatment, payment, and healthcare operations.
Note: A HIPAA consent form is not the same as a HIPAA authorization form, which is required for uses and disclosures of PHI that are not otherwise allowed by the Privacy Rule. The consent form, on the other hand, is not actually required by HIPAA. They're very similar, and the template below can be easily modified to an authorization form by adding an expiration date and details about who will be using PHI for marketing purposes and how.
Why have a HIPAA consent form?
A HIPAA consent form is really only for educational purposes, to ensure that patients are informed about how their PHI might be used and disclosed in the course of their treatment, payment, and healthcare operations. It serves to acknowledge that the patient understands the provider's Notice of Privacy Practices, and although not a legal requirement under HIPAA, obtaining a patient's signature on such a form can help limit a healthcare provider's liability in case of a privacy breach: a signed form documents the patient's understanding of the privacy practices and minimizes disputes over PHI handling.
HIPAA consent form requirements
The Privacy Rule doesn't have specific HIPAA consent form requirements. According to the HHS, "The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs."
Despite the lack of precise requirements, the consent form should capture the basics like patient name, contact information, contact preferences, signature, and date signed.
These details are, of course, considered PHI, and so the form must be handled in accordance with HIPAA:
- Data encryption: Electronic protected health information (ePHI) shared through a form must be encrypted during transmission and storage.
- Access controls: Measures to restrict access to ePHI collected via forms must be implemented.
- Audit controls: HIPAA requires covered entities to track access to PHI gathered through online forms.
What is a Notice of Privacy Practices (NPP)?
In a nutshell, a Notice of Privacy Practices (NPP) is a document healthcare providers must give to patients that outlines how a patient's health information may be used and disclosed. It details the patient's privacy rights regarding their PHI. Components include the uses and disclosures of PHI, patient rights, as well as the provider's legal duties regarding PHI, and contact information for privacy concerns. The NPP informs patients about their privacy protections and ensures transparency in how their health information is handled.
A HIPAA consent form is an agreement related to the NPP, where a patient consents to the use and disclosure of their PHI for specific purposes outlined in the NPP. While the NPP informs patients of their rights and how their information can be used, the consent form is where patients actively agree to those terms, specifically for treatment, payment, and healthcare operations. It's a more actionable document directly connected to the NPP's disclosures.
HIPAA consent form best practices
Both the NPP and the consent form should be patient-friendly and written in clear and straightforward language to ensure patients understand their rights and the healthcare provider's practices regarding PHI.
Additionally, use digital, shareable HIPAA compliant forms like Paubox Forms to make it easy for the patient to sign and easier for the provider to store and reference the patient's consent. HIPAA compliant form software will allow the provider to share the form as a link via text message, HIPAA compliant email or even in-person on a tablet. Then, the patient's consent will be automatically saved, stored, or emailed to the appropriate people.
How to set up a HIPAA compliant consent form
Here are the basics of building a consent form with Paubox Forms:
- In the Paubox Admin Panel, navigate to Forms under the Paubox Forms section on the left-hand navigation.
- Click on the Create Form button.
- Enter a Form Name at the top of the page.
- You will see different question options on the left side of the form builder. To add a question to your form, drag and drop the option from the form builder onto your form.
- After building your form, click the Publish button on the top right of the form builder.
HIPAA compliant patient consent form template
This HIPAA consent form template was designed and built in Paubox Forms and, if made in your own Paubox account, can be easily shared via URL and securely emailed directly to your staff.
Better yet, build this yourself in Paubox Forms and share it via URL directly with patients.
Patient Consent for Use and Disclosure of Protected Health Information
[address] | tel. [telephone number] | [email]
Our Notice of Privacy Practices outlines how we may use or disclose your protected health information (PHI). By signing this form, you acknowledge having reviewed our notice and give consent for the following uses and disclosures:
Use and Disclosure for Treatment, Payment, and Healthcare Operations:
Your PHI can be used for treatment, obtaining payment for treatment, and internal healthcare operations. This includes, but is not limited to, consultations with other healthcare providers, billing activities, and quality improvement initiatives.
Our privacy practices are subject to change. Should there be a significant change, you will be notified at your next visit for acknowledgment.
Right to Restrict PHI Use:
You have the right to request restrictions on certain uses and disclosures of your PHI. While we are not required to agree to these restrictions, we will abide by any agreed-upon restrictions.
Revocation of Consent:
You may revoke this consent at any time in writing. However, the revocation will not affect any prior uses or disclosures of PHI made under this consent.
Please indicate your preferences for how we may contact you:
(May we use these methods to confirm appointments?)
[ ] Phone  [ ] Email  [ ] Text message
(May we leave messages regarding appointments or other non-sensitive information?)
[ ] Home answering machine  [ ] Cell phone voicemail
(May we discuss your medical condition with designated family members?)
[ ] Yes  [ ] No
If yes, please name the allowed members:
Patient phone number:
How much does Paubox Forms cost?
Paubox Forms is free with any Paubox Email Suite plan, including Standard, Plus, and Premium.
Do forms need to be HIPAA compliant?
Online forms must comply with HIPAA if they handle PHI.
Does a Notice of Privacy Practices need to be signed?
No, patients are not required to sign the NPP, but healthcare providers often seek an acknowledgment of receipt.
How often should consent forms be updated?
NPPs and consent forms should be updated whenever there are significant changes to privacy practices or relevant laws.
Is a HIPAA consent form required by HIPAA?
No, HIPAA does not specifically require a consent form for treatment, payment, and healthcare operations, but it does allow covered entities to obtain one if they choose.
What's the difference between consent and authorization?
Consent is a general agreement for the use and disclosure of PHI for treatment, payment, and healthcare operations and is not required under HIPAA regulations. Authorization is a more detailed permission for specific uses or disclosures, like marketing purposes. It is required by HIPAA's Privacy Rule before sharing or using PHI.
Is a HIPAA consent form the same as a HIPAA authorization form?
No, they are not the same; a consent form is used for general treatment and operations, while an authorization form is needed for specific disclosures not otherwise permitted by HIPAA.