Anyone who has been to a healthcare provider's office for the first time is usually given a copy of a HIPAA form. This form outlines the healthcare provider’s HIPAA policy and asks for the patient’s consent to share private health information, when medically necessary. When patients sign this form, they are giving the healthcare provider permission to use their personal healthcare information in certain situations. However, if the patient ever changes their mind, they have the absolute right to revoke the HIPAA agreement.
What Is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. This Act included authorization for the Department of Health and Human Services to set national standards for the security of electronic healthcare transactions and to protect personally identifiable information.
In 2000, the Department of Health and Human Services put forward the Privacy Rule. This Rule sets the national standards to protect your uniquely identifiable health information. The rule was limited to health plans, healthcare clearing houses and most importantly, healthcare providers. This set the stage for the adoption of internal HIPAA confidentiality agreements. These internal HIPAA confidentiality agreements are in place to protect a person’s private health information.
Giving Informed Consent
Revoking HIPAA Consent
At any point during a patient’s relationship with their healthcare provider and, especially if the patient discontinues their relationship with their healthcare provider, they absolutely have the right to revoke consent. However, they must revoke consent in writing. Many healthcare organizations have forms through which a patient is able to revoke consent.
In instances where a patient is dealing with a major healthcare organization, they should either call the healthcare organization or go to the provider's website for instructions on how to revoke HIPAA consent. Typically, a patient will be able to download a form, complete the form and send it to the proper department in order for their revocation to go into effect. It's a good idea for the patient to follow up a few days later to ensure that their revocation was received and is in full effect.
Revoking Consent in Writing
However, a patient can also revoke consent through a simple letter revoking all consent given when they first signed the form. It would be helpful for the patient to have a copy of the healthcare provider’s HIPAA policy form and a copy of the consent they originally provided. Their letter should be tailored to cover all of the areas of consent they originally gave to the healthcare provider. The patient should be sure to either give the form directly to the appropriate person at the healthcare provider's office or mail it by certified mail, so that you will have proof that you did indeed revoke consent.
The patient should then wait a few days to a week to follow up with the healthcare provider’s office to ensure the letter was received and that the revocation is in full effect. The patient should be sure to note the name of the person they spoke to, as well as the date and time, in case any problems or issues arise in the future.
If you revoke authorization and the provider continues to share your information, the law requires that the provider correct the consequences of this disclosure within a month or face prosecution, according to the UC Davis Health System.
- University of Kentucky: HIPAA Authorization Regulations
- Department of Health and Human Services: Summary of the HIPAA Privacy Rule
- UC Davis Health System: Compliance Program
- HIPAA Help Center: Failing to Include the Right to Revoke
- ShareCare: Revoke Authorization to Share Healthcare Information
- Priority Health: Revocation of Authorization to Release Personal and Health Information.
- Doctor image by Monika 3 Steps Ahead from Fotolia.com