Federal Law requires our clinicians to obtain an individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) prohibits mental health care providers from responding or replying to your housing provider without your permission. In order to ensure a smoother verification process, you will need to provide us a signed waiver.
In addition, we must safeguard the information in transit, and are responsible for breach notification. The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted e-mail or in another unsecure manner, which the individual has a right to request. As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.
- Download the Authorization for use or disclosure of Protected Health Information.
- Print, sign, and scan the form — saving a copy to your local computer.
- We’ve included a completed sample waiver below.
Uploading your HIPAA waiver
- Upload that scanned form to us (via our HIPAA cloud service).
- Once logged into IntakeQ, visit the secured messaging area.
- There, located below the yellow message input area are “three dots” … that’s the menu icon.
- Click that, a menu appears, select “upload file”, follow the directions.
Summary of the HIPAA Privacy Rule
The HIPAA Privacy Rule (45 CFR §164.500-534) became effective on April 14, 2001. The primary purpose of the HIPAA Privacy Rule is to ensure the privacy of patients is protected while allowing health data to flow freely between authorized individuals for certain healthcare activities.
The HIPAA Privacy Rule allows HIPAA-covered entities (healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities) to use and disclose individually identifiable protected health information without an individual’s consent for treatment, payment and healthcare operations. In all cases, when individually identifiable protected health information needs to be disclosed, it must be limited to the ‘minimum necessary information’ to achieve the purpose for which the information is disclosed.
The Privacy Rule also gives patients the right to access the health data created, stored or maintained by their healthcare providers. Patients are permitted to obtain the data in a covered entity’s designated data set – a group of records maintained by the covered entity that is used to make decisions about a patient’s healthcare. Patients are also permitted to amend certain information held by a covered entity if it is discovered to be incorrect. Such requests should be obtained from a patient in writing.
Covered entities are not required to obtain consent from patients for routine disclosures for treatment, payment or healthcare operations, although some covered entities still choose to do so. This provides them with an additional level of protection in the event of a privacy complaint or audit.