You have the right to privacy concerning information about your health, medical care, and how your care is paid for. This right comes from a federal law called HIPAA (Health Insurance Portability and Accountability Act). Although HIPAA regulates many other areas, the main impact it has on most people is the Privacy Rule, which determines how health care providers and health insurance companies can disclose Protected Health Information (PHI).
One of the most common situations in which people confront HIPAA is when they are trying to get a medical provider or health plan to disclose their Protected Health Information to another party. In order to do this, you generally need a HIPAA Release, which is a signed authorization from the patient. Some agencies and providers prefer to have a HIPAA release on their own specialized form, although this is not legally required. In fact, since November 2013, Managed Long Term Care, PACE, and Medicaid Advantage Plus plans have been REQUIRED to accept the NYS Office of Court Administration OC-960 form below. See DOH MLTC Policy 13.24
Here are some examples of organization-specific HIPAA forms:
THIS FORM MUST BE ACCEPTED BY:
DOH-2557 - HIPAA Compliant Authorization for Release of Medical Information and Confidential HIV Related Information (English)
Myths and Facts About HIPPA - and Other Resources
Advocates often find that although HIPAA was intended to protect consumers, the law is often abused by agency or health provider or insurance staff as a way to obstruct an individual's access to their own health information, or to refuse to provide even general information regarding agency practices.
Q: Does the Privacy Rule require that an authorization be notarized or include a witness signature?
This article was authored by the Evelyn Frank Legal Resources Program of New York Legal Assistance Group.