What is the HIPAA privacy rule?

Statutory History: The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of the U.S. Department of Health and Human Services (“HHS”) to publicize standards for the electronic exchange, privacy, and security of health information.[1] HIPAA was enacted “[P]rincipally to increase the portability and continuity of health insurance and to simplify administrative procedures so as to reduce healthcare costs.”[2]

The Privacy Rule, as well as all the Administrative Simplification rules, applies to health plans, healthcare clearinghouses, and to any healthcare provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.[3] A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.


History:  This form is the product of a collaborative process between the New York State Office of Court Administration, representatives of the medical provider community in New York, and the bench and bar. The form is designed to produce a standard official form that complies with the privacy requirements of the federal HIPAA and its implementing regulations, and is to be used to authorize the release of health information needed for litigation in New York State courts.  However, it can also be used before litigation has commenced, or whenever counsel would find it useful.

The goal was to produce a standard HIPAA-compliant office form to obviate the current disputes which often take place as to whether health information requests made in the course of litigation meet the requirements of the HIPAA privacy rule.  It should be noted, however, that the form is optional.  This form may be filled out online and downloaded to be signed by hand, or downloaded and filled out entirely on paper.


As previously mentioned, the Privacy Rule (aka HIPAA) applies to all covered entities.[4] Covered entities include health plans, healthcare clearinghouses[5], and any health care providers who transmit health information in electronic form for certain transactions. Often a covered entity will contract with another entity to perform certain functions involving the use or disclosure of PHI (like claims processing, billing or utilization review).

Function of the Form: This is a form that permits the patient to control access to his or her Protected Health Information (“PHI”). PHI includes all “individually identifiable health information.” This includes information related to:

1. The patient’s physical or mental health status;
2. The provision of health care to the patient; or
3. The payment of health care.

AND, any information that can be used to identify a patient, like her name, address, birth date, social security number and so forth.[6]

Criteria for Release or Authorization: The HIPAA Privacy Rule says that a covered entity cannot use or disclose PHI except as defined in the Privacy Rule or as the patient authorizes in writing, and the criteria are very specific. A HIPAA compliant authorization must contain the following elements:

1. A specific description of the information to be used or disclosed (any records related to a particular treatment period or provider)
2. The name of the person(s) or organization who will be authorized to release the information
3. The name of the person(s) or organization to whom the information is authorized to be released
4. A description of the purpose of the use or disclosure OR the statement, “at the request of the individual”
5. A date or event of expiration
6. The signature of the individual/patient and date

The authorization must also give notice to the patient of the following:

1. A patient’s right to revoke authorization
2. The potential for redisclosure by the person who receives the information

Revocation: A patient can revoke such an authorization in writing at any time; however, authorization cannot be revoked for information that has already been released in compliance with the law.[7]

HIPAA Release Form for Medical Records: Although PHI can be obtained without authorization in certain circumstances under HIPAA, New York’s civil practice rules, which would apply for state law claims, are more restrictive. Medical providers are only required to comply with subpoenas for medical records if they are accompanied by a written authorization from the patient. In addition, the subpoena must state in conspicuous bold-faced type that the records shall not be provided unless the subpoena is accompanied by a written authorization from the patient. If an authorization does not accompany the subpoena, the provider is not required to respond.[8]

CONCLUSION: A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being.

As such, with our services, every medical provider that we consult included a HIPAA Medical Release Form provided by the United States Department of Health and Human Services.[9]   By requiring each patient to sign a HIPAA Medical Release Form, the medical provider may efficiently exchange electronic health information approved by the patient.

We specialize in No-Fault billing and collections. Please call us at 516-427-5400 for an immediate free consultation.


[1] http://www.hhs.gov/ocr/hipaa.

[2] Arons v. Jutkowitz, 9 N.Y.3d 393 (2007).

[3] For help in determining whether you are covered, use the decision tool at: http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.

[4] 45 C.F.R. Section 160.102

[5] “Health care clearinghouses” are defined as public or private entities that process or facilitate the processing of nonstandard data elements of health information into standard data elements. 42 U.S.C.A. Section 1320d(2); 45 CFR Section 160.103

[6] 45 C.F.R. Section 160.103.

[7] 45 C.F.R. Section 164.508(b)(5)

[8] CPLR Section 3122.

[9] http://www.hhs.gov/ocr/hipaa