
The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.

HIPAA Forms: The Three-Headed Monster

by David G. Jensen, JD
Staff Attorney
The Therapist
(November/December 2002)
Updated 2010
Updated 2012

Diligent readers of The Therapist know that the Health Insurance Portability & Accountability Act of 1996 (HIPAA) will have consequences for certain health care providers, including psychotherapists, who are "covered entities" within the meaning of HIPAA. (As a reminder, a "covered entity" is a therapist who interacts electronically with other covered entities, such as health plans or insurance companies, while conducting certain administrative or financial transactions, such as getting treatment authorized, submitting claims for reimbursement, and being reimbursed for such claims.) Such consequences include having covered entities implement national standards for electronic health care transactions and having such entities implement security and privacy practices and standards in order to protect the personal health information (PHI) of their patients.

Assuming you are a "covered entity," these consequences will, like ripples emanating from a pond after a stone has been thrown into it, lap up against your office walls and directly affect your practice. Consequently, you must understand the rights that individuals have concerning their PHI and you must be prepared to address such rights in your practice. One of the ways you can prepare to address these rights is to adopt certain forms, which will both educate your clients and streamline the process for addressing their rights under HIPAA.

The purpose of this article is to enable you to understand and to prepare some of the more important forms that HIPAA will require covered entities to use on or after April 14, 2003. For lack of a better name, I've collectively called these forms "The Three-Headed Monster," with the documents that comprise such a beast being the Notice of Privacy Practices; an Authorization for Release of Health Information; and a Request for Amendment of Health Information. Each of these forms is discussed in turn, and sample forms have been prepared for your edification.

The Notice of Privacy Practices
Pursuant to 45 CFR 164.520, a covered entity must provide its patients with a written notice describing the entity's privacy practices (Notice), and such Notice must be given to the patient at his or her first appointment that occurs after April 14, 2003. You must also make a good faith effort to obtain a written acknowledgement from your clients of their receipt of your Notice. I think the best way to handle this acknowledgement aspect, for new patients, is to include the acknowledgement in your informed consent documents. For existing patients, you should have them acknowledge in writing that they have received a copy of your Notice. Additionally, a copy of your Notice must be posted in your office. Please note, however, that the compliance date for delivering and posting the Notice is April 14, 2003. Consequently, you do not have to give out and post your Notice until then, although you may do so earlier if you wish.

In terms of the Notice itself, it must include:

  1. A description of the individual's rights with respect to PHI and how the individual can exercise such rights;
  2. A description of the covered entity's legal duties;
  3. A description of the types of uses and disclosures of information that are permitted, including those that are permitted or required without the client's written authorization;
  4. A description of how an individual can file complaints with you, as a covered entity, and with the Secretary of Health and Human Services;
  5. A description of how you, as a covered entity, will provide the individual with a revised notice of privacy practices if such Notice is changed;
  6. A contact for additional information; and,
  7. The date on which the Notice is in effect (April 14, 2003).

It is also important to note that HIPAA imposes requirements on when and how a covered entity's privacy practices can be revised. In fact, notice must be given to your clients before you can implement any new policies or make changes to existing ones. Any such changes can be retroactive if you reserve the right to make such changes in your Notice by informing your clients that such changes will apply to previously created or received PHI. The Sample Notice of Privacy Practices, which can be found on page ___, contains such a reservation.

Written Authorizations & Consents to Release Health Information
The concept of written authorizations/consents to release health information should not be new to you. As you undoubtedly know, the information communicated to you in session is confidential, and such information cannot be communicated to anyone else without the client's written authorization unless the disclosure is mandated or permitted by law. HIPAA builds on these fundamental ideas, but it also adds some wrinkles.

One such wrinkle is that HIPAA makes a distinction between authorizations to use or disclose PHI ("Authorization") and consents to use or disclose PHI ("Consent"). They are not the same thing. Authorizations are required by HIPAA for uses and disclosures of PHI that are not otherwise allowed by HIPAA. Consents, on the other hand, are not required by HIPAA, but covered entities may use them for uses and disclosures of PHI for the covered entity's own treatment, payment, and health care operations. Admittedly, this is fairly complicated stuff, but fundamentally it is important to understand that under HIPAA, Authorizations and Consents are different beasts. HIPAA mandates the use of Authorizations; it allows for the use of Consents.

A second wrinkle is that HIPAA distinguishes a "use" from a "disclosure." PHI is "used" when it is shared, examined, utilized, applied, or analyzed within a covered entity; PHI is "disclosed" when it is released, transferred, has been given to, or otherwise divulged outside of the covered entity.

And, a third wrinkle is the concept of "treatment, payment, and health care operations," or TPO. HIPAA defines "treatment" as the "provision, coordination, or management of healthcare, including consultations and referrals between health care providers." It defines "payment" as including, but not limited to, "efforts to obtain reimbursement; determine eligibility; billing; claims management; review of healthcare for determining whether it is medically necessary; and utilization review." And, HIPAA defines "health care operations" as including such things as quality assessment and improvement activities; case management and care coordination; arranging for legal services; and business planning, among others.

Consents. Pursuant to 45 CFR 164.506(b), a general consent is permitted, but not required, for uses or disclosures of PHI for the covered entity's TPO. Covered entities that choose to have clients sign Consents for uses or disclosures of PHI for TPO have complete discretion in designing the Consent form; HIPAA does not specify any requirements for the content of such a form. Because there are no mandatory requirements for Consent forms, nothing prohibits you from incorporating HIPAA's consent concepts into your informed consent documents. Moreover, as required by HIPAA, these concepts will also be spelled out in your Notice of Privacy Practices.

Authorizations. Authorizations, however, are treated differently under HIPAA. In general, Authorizations must be used for uses and disclosures of PHI that are not required or permitted by HIPAA. And, for psychotherapists, an Authorization must be obtained for most disclosures of "psychotherapy notes." The use of Authorizations should not be new to California therapists, however, because California law has required such authorizations for many years. But, although the concepts are similar, HIPAA does add a wrinkle for "psychotherapy notes."

HIPAA defines the concept of "psychotherapy notes" very narrowly. HIPAA limits the information that constitutes such notes to "notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session that are separated from the rest of the individual's medical record." Specifically excluded, however, from the definition of "psychotherapy notes" are counseling session start and stop times; the modalities and frequencies of treatment furnished; results of clinical tests; and, any summaries of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Unlike the Consent form, HIPAA includes detailed requirements for the contents of Authorization forms. Authorizations must contain certain core elements; however, the form that HIPAA requires is quite similar to the one California requires. Hence, it's possible to draft an omnibus authorization, i.e., one that complies with both HIPAA and applicable California law. Such an authorization must, at a minimum:

  1. Be written in plain language;
  2. Be handwritten by the person who signs it or be in 14-point typeface or larger;
  3. Be separate from all other documents;
  4. Be signed and dated;
  5. Specifically describe the health information to be used or disclosed;
  6. State the specific limitations on the type of information to be disclosed;
  7. State the name or function of the person, or the organization, authorized to make the disclosure;
  8. State the specific date after which the provider is no longer authorized to disclose the information;
  9. State the name or function of persons, or the organization, authorized to use or receive the information;
  10. State the specific uses and limitations on the use of medical information by the persons authorized to receive the information;
  11. Advise the patient of his or her right to receive a copy of the authorization;
  12. Inform the patient of his or her right to revoke the authorization under applicable federal and California law;
  13. Include a statement that information used or disclosed under the authorization may be subject to re-disclosure by the recipient and may no longer be protected by the Federal Privacy Rule, but may be protected by applicable California law.

And, if a health care provider, such as a psychotherapist, seeks an Authorization to use or disclose health information that the provider maintains, the Authorization must also state that the provider will not condition treatment on the patient providing the requested Authorization and that the individual has the right to refuse to sign the form. A copy of a Sample Authorization Form can be found by clicking on the link at the bottom of this article.

The Request for Amendment of Health Information
Pursuant to 45 CFR 164.526, HIPAA gives individuals the right to amend or supplement their own PHI. For instance, if one of your patients disagrees with your diagnosis of him or her, that patient could submit a second opinion to be included in the medical record that you maintain for such patient. Your client has this right for as long as you maintain the information.

Before you panic with the thought of having your conclusions about a patient continually second guessed by such patient, keep in mind that you can accept or deny requests for amendments. If you accept an amendment, you must notify your patient that you are accepting the information, which basically means that you are agreeing to add the information to the patient's medical record, or you are agreeing to make the necessary changes to the patient's medical record. You are then required to provide the amended information to individuals or entities identified by your patient and to other individuals or entities known to have received the erroneous information.

However, it is also possible for you to deny the patient's request to amend his or her PHI. You may deny such a request if:

  1. The PHI was not created by you, unless its creator is no longer available to make the amendment;
  2. The PHI is not part of the Patient's designated record set, which means that the information is not medical and billing records about individuals maintained by you and not information used, in whole or part, by you to make health care decisions about individuals;
  3. The PHI would not be available for inspection because the information is psychotherapy notes; compiled in anticipation of use in a civil, criminal, or administrative action or proceeding; or, if you obtained the information from someone other than a health care provider under a promise of confidentiality and access would reasonably likely reveal the source of such information; or,
  4. The PHI is accurate and complete.

If you deny a client's request to amend his or her PHI, you must give the client a timely, written denial, which includes (1) the basis for the denial; (2) the client's right to submit a written statement disagreeing with the denial and how to exercise that right; (3) a statement that the client can request you to include the client's request and the denial with any future disclosures of the PHI; and, (4) a description of how the individual can file a complaint with you or the Secretary of Health and Human Services. Thereafter, if your patient files a statement of disagreement with you, you may also file a rebuttal to such statement. For your review, a Sample Request for Amendment Form is set forth on page ___. Handling Requests for Amendment of Patient Information is fairly complex; consequently, CAMFT will devote an entire article to the subject in a future issue of The Therapist.

Sample Notice of Privacy Practices

Notice of Privacy Practices

I. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. (Please note that this particular provision must be set forth in your notice of privacy practices exactly as it is set forth here.)

I am legally required to protect the privacy of your PHI, which includes information that can be used to identify you that I've created or received about your past, present, or future health or condition, the provision of health care to you, or the payment of this health care. I must provide you with this Notice about my privacy practices, and such Notice must explain how, when, and why I will "use" and "disclose" your PHI. A "use" of PHI occurs when I share, examine, utilize, apply, or analyze such information within my practice; PHI is "disclosed" when it is released, transferred, has been given to, or is otherwise divulged to a third party outside of my practice. With some exceptions, I may not use or disclose any more of your PHI than is necessary to accomplish the purpose for which the use or disclosure is made. And, I am legally required to follow the privacy practices described in this Notice.

However, I reserve the right to change the terms of this Notice and my privacy policies at any time. Any changes will apply to PHI on file with me already. Before I make any important changes to my policies, I will promptly change this Notice and post a new copy of it in my office and on my website (if applicable). You can also request a copy of this Notice from me, or you can view a copy of it in my office or at my website, which is located at (insert website address, if applicable).

I will use and disclose your PHI for many different reasons. For some of these uses or disclosures, I will need your prior authorization; for others, however, I do not. Listed below are the different categories of my uses and disclosures along with some examples of each category.

A. Uses and Disclosures Relating to Treatment, Payment, or Health Care Operations Do Not Require Your Prior Written Consent. I can use and disclose your PHI without your consent for the following reasons:

  1. For Treatment. I can disclose your PHI to physicians, psychiatrists, psychologists, and other licensed health care providers who provide you with health care services or are involved in your care. For example, if you're being treated by a psychiatrist, I can disclose your PHI to your psychiatrist in order to coordinate your care.
  2. To Obtain Payment for Treatment. I can use and disclose your PHI to bill and collect payment for the treatment and services provided by me to you. For example, I might send your PHI to your insurance company or health plan to get paid for the health care services that I have provided to you. I may also provide your PHI to my business associates, such as billing companies, claims processing companies, and others that process my health care claims.
  3. For Health Care Operations. I can disclose your PHI to operate my practice. For example, I might use your PHI to evaluate the quality of health care services that you received or to evaluate the performance of the health care professionals who provided such services to you. I may also provide your PHI to our accountants, attorneys, consultants, and others to make sure I'm complying with applicable laws.
  4. Other Disclosures. I may also disclose your PHI to others without your consent in certain situations. For example, your consent isn't required if you need emergency treatment, as long as I try to get your consent after treatment is rendered, or if I try to get your consent but you are unable to communicate with me (for example, if you are unconscious or in severe pain) and I think that you would consent to such treatment if you were able to do so.

B. Certain Uses and Disclosures Do Not Require Your Consent. I can use and disclose your PHI without your consent or authorization for the following reasons:

  1. When disclosure is required by federal, state or local law; judicial or administrative proceedings; or law enforcement. For example, I may make a disclosure to applicable officials when a law requires me to report information to government agencies and law enforcement personnel about victims of abuse or neglect, or when ordered in a judicial or administrative proceeding.
  2. For public health activities. For example, I may have to report information about you to the county coroner.
  3. For health oversight activities. For example, I may have to provide information to assist the government when it conducts an investigation or inspection of a health care provider or organization.
  4. For research purposes. In certain circumstances, I may provide PHI in order to conduct medical research.
  5. To avoid harm. In order to avoid a serious threat to the health or safety of a person or the public, I may provide PHI to law enforcement personnel or persons able to prevent or lessen such harm.
  6. For specific government functions. I may disclose PHI of military personnel and veterans in certain situations. And I may disclose PHI for national security purposes, such as protecting the President of the United States or conducting intelligence operations.
  7. For workers' compensation purposes. I may provide PHI in order to comply with workers' compensation laws.
  8. Appointment reminders and health-related benefits or services. I may use PHI to provide appointment reminders or give you information about treatment alternatives, or other health care services or benefits I offer.

C. Certain Uses and Disclosures Require You to Have the Opportunity to Object.

  1. Disclosures to Family, Friends, or Others. I may provide your PHI to a family member, friend, or other person that you indicate is involved in your care or the payment for your health care, unless you object in whole or in part. The opportunity to consent may be obtained retroactively in emergency situations.

D. Other Uses and Disclosures Require Your Prior Written Authorization. In any other situation not described in sections III A, B, and C above, I will ask for your written authorization before using or disclosing any of your PHI. If you choose to sign an authorization to disclose your PHI, you can later revoke such authorization in writing to stop any future uses and disclosures (to the extent that I haven't taken any action in reliance on such authorization) of your PHI by me.


You have the following rights with respect to your PHI:

A. The Right to Request Limits on Uses and Disclosures of Your PHI. You have the right to ask that I limit how I use and disclose your PHI. I will consider your request, but I am not legally required to accept it. If I accept your request, I will put any limits in writing and abide by them except in emergency situations. You may not limit the uses and disclosures that I am legally required or allowed to make.

B. The Right to Choose How I Send PHI to You. You have the right to ask that I send information to you at an alternate address (for example, sending information to your work address rather than your home address) or by alternate means (for example, e-mail instead of regular mail). I must agree to your request so long as I can easily provide the PHI to you in the format you requested.

C. The Right to See and Get Copies of Your PHI. In most cases, you have the right to look at or get copies of your PHI that I have, but you must make the request in writing. If I don't have your PHI but I know who does, I will tell you how to get it. I will respond to you within 30 days of receiving your written request. In certain situations, I may deny your request. If I do, I will tell you, in writing, my reasons for the denial and explain your right to have my denial reviewed.

If you request copies of your PHI, I will charge you not more than $.25 for each page. Instead of providing the PHI you requested, I may provide you with a summary or explanation of the PHI as long as you agree to that and to the cost in advance.

D. The Right to Get a List of the Disclosures I Have Made. You have the right to get a list of instances in which I have disclosed your PHI. The list will not include uses or disclosures that you have already consented to, such as those made for treatment, payment, or health care operations, directly to you, or to your family. The list also won't include uses and disclosures made for national security purposes, to corrections or law enforcement personnel, or disclosures made before April 15, 2002.

I will respond to your request for an accounting of disclosures within 60 days of receiving your request. The list I will give you will include disclosures made in the last six years unless you request a shorter time. The list will include the date of the disclosure, to whom PHI was disclosed (including their address, if known), a description of the information disclosed, and the reason for the disclosure. I will provide the list to you at no charge, but if you make more than one request in the same year, I will charge you $[insert fee] for each additional request.

E. The Right to Correct or Update Your PHI. If you believe that there is a mistake in your PHI or that a piece of important information is missing, you have the right to request that I correct the existing information or add the missing information. You must provide the request and your reason for the request in writing. I will respond within 60 days of receiving your request to correct or update your PHI. I may deny your request in writing if the PHI is (i) correct and complete, (ii) not created by me, (iii) not allowed to be disclosed, or (iv) not part of my records. My written denial will state the reasons for the denial and explain your right to file a written statement of disagreement with the denial. If you don't file one, you have the right to request that your request and my denial be attached to all future disclosures of your PHI. If I approve your request, I will make the change to your PHI, tell you that I have done it, and tell others that need to know about the change to your PHI.

F. The Right to Get This Notice by E-Mail. You have the right to get a copy of this notice by e-mail. Even if you have agreed to receive notice via e-mail, you also have the right to request a paper copy of it.


If you think that I may have violated your privacy rights, or you disagree with a decision I made about access to your PHI, you may file a complaint with the person listed in Section VI below. You also may send a written complaint to the Secretary of the Department of Health and Human Services at 200 Independence Avenue S.W., Washington, D.C. 20201. I will take no retaliatory action against you if you file a complaint about my privacy practices.


If you have any questions about this notice or any complaints about my privacy practices, or would like to know how to file a complaint with the Secretary of the Department of Health and Human Services, please contact me at: [insert provider's name, address, phone #, and email].

This notice went into effect on April 14, 2003.


The information contained in this article is intended to provide guidelines for addressing difficult legal dilemmas. It is not intended to address every situation that could possibly arise, nor is it intended to be a substitute for independent legal advice or consultation. When using such information as a guide, be aware that laws, regulations, and technical standards change over time, and thus one should verify and update any references or information contained herein.