Hipaa Notice Form: Fill & Download for Free

Does HIPAA authorization need to be notarized?That depends on what you mean by “HIPAA Authorization”. If you mean that document your doctor’s office has you sign to say you’ve read their HIPAA notice, then no it does not - if it does then every doctor’s office I’ve been to in the past twenty years has been Doing It Wrong.In terms of when a medical facility is certified as HIPAA-compliant, which constitutes vastly more than just that one form patients see… offhand I don’t recall any of the documents I saw for that work explicitly being notarized, but they had to be signed but a number of people who necessarily were notaries public, like the hospital’s legal counsel. The provider side of HIPAA has some pretty hefty requirements for authorizations and compliance and I think that stuff is otherwise covered. But that’s also terribly specialized and if that is relevant I’d seek advice of an actual lawyer who specializes in such matters.

There are a number of common complaints about HIPAA provisions. I'll summarize some of the main ones:Parental access to their adult children's informationOnce children reach the age of 18, parents are no longer eligible to access their medical information. This is true even if the children are still on the parents' insurance policies, making the parents guarantors for payment of their children's procedures. That is, a parent could easily be in the position of being asked to pay for an adult child's procedure, but not able to ask the doctor's office for any details of what was done.Difficulty of doing medical researchHIPAA compliance makes it much harder to do retrospective studies. My wife actually helped design and perform a retrospective study while getting her Pharm.D., and a substantial chunk of the budget went to having the medical records department redact records to make them HIPAA-compliant.Prospective studies suffer too. Under HIPAA, informed consent forms have to include a large privacy section filled with legalese. One study that implemented HIPAA-compliant protocols suffered "...a 72.9% decrease in patient accrual, and a threefold increase in mean personnel time spent recruiting and mean recruitment costs." (http://www.ncbi.nlm.nih.gov/pubmed/16342254 )Over-caution by providersAs with any incredibly complicated law, most of the people affected by it don't fully understand all of the provisions. This leads to all sorts of knee-jerk overprotective policies. E.g., during a hospital stay the hospital placed all sorts of barriers in the way of my wife seeing my chart, blaming "privacy laws" that had no basis in HIPAA. The atmosphere of fear can impede communications, especially in situations where the patients ability to communicate or monitor their own care is impeded.Cost, waste, and bureaucracyHIPAA generates a lot of paperwork that few people ever read. Notices of privacy practices get printed in bulk. Fortunately, the costs are much less than they were back when HIPAA was introduced; all medical information systems now include HIPAA features out of the box. However, the cost to train personnel on HIPAA requirements remains a major expense, and additional personnel (or, for a small practice, a portion of a person) is necessary to perform compliance duties.IneffectivenessWhile I agree with the general privacy intent of HIPAA, the implementation isn't particularly effective. Individuals cannot sue under HIPAA for privacy breaches (although they can often sue under state privacy laws or common law principles such as negligence). All an individual can do is file a complaint with the Department of Health and Human Services, which will either be ignored or be added onto a backlog so long that it might as well be. Just last year, University of California at Los Angeles Health System settled charges that employees were browsing through patient records (http://www.hhs.gov/news/press/2011pres/07/20110707a.html). Actually doing as DHHS recommends, and having someone review all audit trails to catch unauthorized viewing, would dramatically increase the cost of HIPAA compliance.ConclusionI need to point out that most of these problems could be addressed with amendments to HIPAA. In many ways, a repeal would be a big step backwards - I think most Americans agree that they should have privacy protections, especially as their medical information migrates from paper charts to networked databases. But compliance could be made much easier, and allowing private lawsuits against employees such as those at UCLAHS that deliberately violate confidentiality would give the law more teeth. I don't think that most politicians would find a repeal of HIPAA, as opposed to a reform, politically palatable.

The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that talks about the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).The OCR’s role in maintaining HIPAA compliance comes in the form of routine guidance on new issues affecting health care and in investigating common HIPAA violations.Through a series of interlocking regulatory rules, HIPAA compliance is a living culture that health care organizations must implement into their business in order to protect the privacy, security, and integrity of protected health information.HIPPA RULESHIPAA Privacy Rule: The HIPAA Privacy Rule sets national standards for patients’ rights to PHI. The HIPAA Privacy Rule only applies to covered entities, not business associates. Some of the standards outlined by the HIPAA Privacy Rule include patients’ rights to access PHI, health care providers’ rights to deny access to PHI, the contents of Use and Disclosure forms and Notices of Privacy Practices, and more. The regulatory standards must be documented in the organization’s HIPAA Policies and Procedures. All employees must be trained on these Policies and Procedures annually, with documented attestation.HIPAA Security Rule: The HIPAA Security Rule sets national standards for the secure maintenance, transmission, and handling of ePHI. The HIPAA Security Rule applies to both covered entities and business associates because of the potential sharing of ePHI. The Security Rule outlines standards for the integrity and safety of ePHI, including physical, administrative, and technical safeguards that must be in place in any health care organization. Specifics of the regulation must be documented in the organization’s HIPAA Policies and Procedures. Staff must be trained on these Policies and Procedures annually, with documented attestation.HIPAA Breach Notification Rule: The HIPAA Breach Notification Rule is a set of standards that covered entities and business associates must follow in the event of a data breach containing PHI or ePHI. The Rule differentiates between two kinds of breaches depending on the scope and size, called Minor Breaches and Meaningful Breaches. Organizations are required to report all breaches, regardless of size to HHS OCR, but the specific protocols for reporting change depending on the type of breach.HIPAA Omnibus Rule: The HIPAA Omnibus Rule is an addendum to HIPAA regulation that was enacted in order to apply HIPAA to business associates, in addition to covered entities. The HIPAA Omnibus Rule mandates that business associates must be HIPAA compliant, and also outlines the rules surrounding Business Associate Agreements (BAAs). Business Associate Agreements are contracts that must be executed between a covered entity and business associate–or between two business associates–before ANY PHI or ePHI can be transferred or shared.