How to Revoke Consent With HIPAA

••• Doctor image by Monika 3 Steps Ahead from

Anyone who has been to a healthcare provider's office for the first time is usually given a copy of a HIPAA form. This form outlines the healthcare provider’s HIPAA policy and asks for the patient’s consent to share private health information, when medically necessary. When patients sign this form, they are giving the healthcare provider permission to use their personal healthcare information in certain situations. However, if the patient ever changes their mind, they have the absolute right to revoke the HIPAA agreement.

What Is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. This Act included authorization for the Department of Health and Human Services to set national standards for the security of electronic healthcare transactions and to protect personally identifiable information.

In 2000, the Department of Health and Human Services put forward the Privacy Rule. This Rule sets the national standards to protect your uniquely identifiable health information. The rule was limited to health plans, healthcare clearing houses and most importantly, healthcare providers. This set the stage for the adoption of internal HIPAA confidentiality agreements. These internal HIPAA confidentiality agreements are in place to protect a person’s private health information.

Read More: HIPAA Release of Information Laws

Giving Informed Consent

Typically, a patient gives consent at the beginning of the relationship with their healthcare provider. The healthcare provider should explain the nature of the consent they are providing and that they have the ability to limit who can have access to their information and for how long the healthcare provider can have access. A patient must receive a copy of the healthcare provider's HIPAA Privacy Policy and it must outline the procedures by which a patient can revoke consent.

Revoking HIPAA Consent

At any point during a patient’s relationship with their healthcare provider and, especially if the patient discontinues their relationship with their healthcare provider, they absolutely have the right to revoke consent. However, they must revoke consent in writing. Many healthcare organizations have forms through which a patient is able to revoke consent.

In instances where a patient is dealing with a major healthcare organization, they should either call the healthcare organization or go to the provider's website for instructions on how to revoke HIPAA consent. Typically, a patient will be able to download a form, complete the form and send it to the proper department in order for their revocation to go into effect. It's a good idea for the patient to follow up a few days later to ensure that their revocation was received and is in full effect.

Revoking Consent in Writing

However, a patient can also revoke consent through a simple letter revoking all consent given when they first signed the form. It would be helpful for the patient to have a copy of the healthcare provider’s HIPAA policy form and a copy of the consent they originally provided. Their letter should be tailored to cover all of the areas of consent they originally gave to the healthcare provider. The patient should be sure to either give the form directly to the appropriate person at the healthcare provider's office or mail it by certified mail, so that you will have proof that you did indeed revoke consent.

The patient should then wait a few days to a week to follow up with the healthcare provider’s office to ensure the letter was received and that the revocation is in full effect. The patient should be sure to note the name of the person they spoke to, as well as the date and time, in case any problems or issues arise in the future.

If you revoke authorization and the provider continues to share your information, the law requires that the provider correct the consequences of this disclosure within a month or face prosecution, according to the UC Davis Health System.

Related Articles