Must I sign my doctor’s HIPAA policy receipt form?


My son and I share a doctor who recently declined to treat my son, and said she would need to bill me directly for past services, because we each refused to sign the form acknowledging her office’s HIPAA policy. Doc said that by not signing the acknowledgement form Jorge Ivan and I made it impossible for her office to bill our insurance provider. I said, “I’ve been told that you need to ask for my signature on this form, but that I am not obliged to sign it.” Eventually, Doc and I agreed that I would do some research to prove my case, and if I couldn’t prove it – and still refused to sign the form – that I would agree to pay for her services directly.

Today I had a bit of time and did that research. I learned that I’m totally within my rights not to sign and that actually, my doctor’s conformance with law could be improved in several ways:

  1. My doctor’s form asks me to certify that, “I have received, read and understand your Notice of privacy Practices,” when the law provides only for requesting that patients acknowledge receiving a copy of that policy; and
  2. Our doctor didn’t actually give my son and me a copy of her HIPAA policy. I’ve noticed that most doctors never do provide this although they all ask patients to sign indicating receipt.
  3. Refusal to sign the form should not affect a patient’s medical treatment. When a patient refuses to sign the HIPAA policy receipt form, the doctor should still treat him/her.


What’s behind my refusal to sign the HIPAA acknowledgement form?

I just don’t understand why I should acknowledge receipt of a privacy policy which provides for my doctor to give access to my medical records to a long list of organizations without my permission being required at any level. The University of the Pacific dental school provides a list of 16 different circumstances, or entities, that they can share my medical records with (list follows) without authorization. Notice that they can share my medical records “As part of research projects” and for “Required Disclosures” – blanket terms that could indicate just about anything, or anyone. HIPAA being the legal requirement for all medical providers to adhere to the same federal privacy policy standards, it’s likely that other providers operate similarly, although they don’t all set their policies out for public perusal as clearly as UP does.

Simply put: in my mind, a privacy policy that makes it legal to share my information in this many situations has too many holes in it. Before signing a paper acknowledging that privacy policies are in place for me at my doctor’s office, I want first to see that I’m being offered important protections.

At the University of the Pacific, our top priority is taking care of our patients. An important aspect of patient care is ensuring that our patient’s private information is kept confidential. The Arthur A. Dugoni School of Dentistry abides by federal privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA). In addition, we’ve put into place several safeguards and policies to ensure that the only people who see your private information are the people authorized to do so.

b) Uses or Disclosures Permitted under this Section 5 – The situations in which the School of Dentistry is permitted to use or disclose PHI in accordance with the procedures set out in this Section 5 are listed below.

The School of Dentistry may use or disclose PHI in the following types of situations, provided procedures specified in the Privacy Rules are followed:

  • For public health activities;
  • To health oversight agencies;
  • To coroners, medical examiners, and funeral directors;
  • To employers regarding work-related illness or injury;
  • To the military;
  • To federal officials for lawful intelligence, counterintelligence, and national security activities;
  • To correctional institutions regarding inmates;
  • In response to subpoenas and other lawful judicial processes;
  • To law enforcement officials;
  • To report abuse, neglect, or domestic violence;
  • As required by law;
  • As part of research projects; and
  • As authorized by state worker’s compensation laws.
  • Required Disclosures: The School of Dentistry will disclose protected health information (PHI) to a patient (or to the patient’s personal representative) to the extent that the patient has a right of access to the PHI (see Section 10); and to the U.S. Department of Health and Human Services (HHS) on request for complaint investigation or compliance review.

University medical centers on the topic of HIPAA policy acknowledgement

  • Ohio State University Notice of Privacy Practices
    What if a patient refuses to sign the acknowledgement form? Should we refuse to treat them?
    No. HIPAA says that we must make a good faith effort to obtain the patient’s acknowledgement that they received the NPP. If we are unable to do so, we must document why, but may still treat the patient. On the A2K screen where acknowledgement of the NPP is recorded, there will be reason codes that you can use if you were unable to obtain the patient’s acknowledgement.
  • University of Southwestern Texas on HIPAA policy acknowledgement
    I have been asked to sign an acknowledgment form. I don’t like to sign anything until I have read the entire document. Are you going to make me sign the acknowledgment form before I can see my doctor?
    No. Your signature simply indicates that you were given the notice (NPP). If you choose not to read the NPP or sign the form, there will be no impact on the care or service you receive.

    Why do I have to sign the acknowledgment?
    You don’t have to sign anything. The HIPAA law requires that we, as your health care provider, give you this notice (NPP) and make a good faith effort to document that you have received it.

    What if I refuse to sign the acknowledgment?
    If you choose not to sign, it will have no impact on your care or service.

    Who can I talk with to explain some of the things in the NPP?
    Clinic staff will be happy to answer any basic questions you have. If you have questions that they cannot answer, you can contact the UT Southwestern Privacy Officer at (214) 648-6080.

    What is HIPAA anyway? Why do I need to care about it?
    HIPAA is the Health Insurance Portability and Accountability Act, a federal law, enacted in 1996, that requires that health providers take certain steps to protect the privacy and security of patient health information. The privacy part of the law went into effect on April 14, 2003. The NPP document and the one page NPP summary describe how UT Southwestern protects your health information.

    What does this have to do with my doctor and my care?
    Your care will not change. The law formalizes many patient privacy practices that UT Southwestern has routinely followed for some time.

    Will I have to sign this same acknowledgment at other clinics?
    The UT Southwestern University Hospitals (St. Paul and Zale Lipshy) are managing the compliance of this process separately from the UT Southwestern Ambulatory Services clinics. If you are a patient at either hospital, the admissions staff will ask that you sign a form which combines the NPP with the consent for admission. It is possible that you will be asked to sign a separate acknowledgment form if you are later seen at a UT Southwestern Ambulatory Services clinic. You may either sign the acknowledgment form again or you may simply inform them that you previously signed the form at another clinic. If you receive care at other clinics or hospitals that are not affiliated with UT Southwestern, expect that they will ask you to accept their Notice of Privacy Practices and sign their acknowledgment form.

    What did you do with my medical information before HIPAA came along?
    UT Southwestern has always protected the privacy and confidentiality of your health care, and has treated your health information accordingly. The new HIPAA law formalizes these privacy requirements, so that in addition to being a good practice, they are now spelled out as law.

    Who can sign for my minor children or elderly parents? Who will explain it to them?
    This is not a legal document, but you will need to sign the form for your minor children or elderly parents, if you are the designated legal representative. Should you or your child or elderly parent have questions or need help understanding the notice, you may contact UT Southwestern’s Privacy Officer at (214) 648-6080.

    Do you have an NPP document available in other languages?
    The NPP is also readily available in Spanish. This version can be found at all Ambulatory Services clinics and at many locations throughout both St. Paul and Zale Lipshy.

    What is the difference between the acknowledgment form and the other forms I need to sign?
    This form is a statement that you received a notice regarding UT Southwestern’s privacy and confidentiality practices. It has nothing to do with how we handle your billing, registration or treatment.

  • University of Miami: information about HIPAA Privacy Rule
    HIPAA’s Privacy Rule requires that providers with a direct treatment relationship make a good faith effort to obtain an individual’s written acknowledgment of receipt of the Notice of Privacy Practices.

    The receipt-of-notice acknowledgment is intended to create the “initial moment” between a provider and an individual, formerly expected to result from the (now optional) consent process, during which individuals may focus on information practices and privacy rights, and discuss any concerns with the provider.

    DHHS has taken the position that “[n]othing relieve[s] a covered entity of its duty to provide the entire Notice in plain language so the average reader can understand it.” Nonetheless, this is only an acknowledgment that the patient has received the Notice, not that he or she has read or understood it.

    The acknowledgment must be in writing. If the good faith effort fails to obtain an acknowledgment (e.g., the patient refuses to sign), the reason(s) why must also be documented in writing. Note that the attempt to obtain an acknowledgment can be delayed in emergency treatment situations until “reasonably practicable.”

  • University of Washington about Notice of Privacy Practices
    PP-21. UW Medicine provides all patients (except prisoner patients) a copy of its Notice of Privacy Practices (NPP), which outlines how an individual’s PHI will be used or disclosed. UW Medicine is required to make a good faith effort to obtain written acknowledgement of receipt of the NPP from each patient treated.

    PP-22. Individuals treated at UW Medicine facilities have a right to request additional restrictions on the use or disclosure of their PHI. UW Medicine is not required to agree to any restriction. If UW Medicine does agree then it must follow the agreed-upon restrictions. All agreed-upon restrictions must be documented in the individual’s designated record set. The designated record set contains an individual’s medical and billing records, and other information used to make decisions about the individual.

    PP-23. An individual has the right to access, inspect or request a copy of PHI contained in the UW Medicine designated record set, unless an exemption applies (e.g., psychotherapy notes, information compiled for risk management purposes, etc.). Requests to access, inspect or photocopy PHI should be referred to the Release of Information Service Area for the entity in which services are provided.

    PP-24. An individual may ask a health care provider to correct or amend his or her health care record. Requests must be in writing and state a reason for the requested change. UW Medicine has ten days from receipt of the request to respond in writing. If a provider receives a request for amendment, he or she must immediately contact the Release of Information Service Area for the entity in which services are provided.

    PP-25. An individual has the right to request UW Medicine to provide an accounting of all disclosures from an individual’s designated record set, excluding those uses or disclosures for which an accounting is not required (e.g., treatment, payment, or health care operations; uses or disclosures made with the individual’s authorization; or uses or disclosures incidental to an authorized use or disclosure).

Legal code and official federal policy

  • Excerpt from Code of Federal Regulations
    [Code of Federal Regulations]
    [Title 45, Volume 1]
    [Revised as of October 1, 2010]
    From the U.S. Government Printing Office via GPO Access
    [CITE: 45CFR164.520][Page 857-860]

    PART 164_SECURITY AND PRIVACY–Table of Contents

    Subpart E_Privacy of Individually Identifiable Health Information

    Sec. 164.520 Notice of privacy practices for protected health information.

    (e) Implementation specifications: Documentation. A covered entity
    must document compliance with the notice requirements, as required by
    Sec. 164.530(j), by retaining copies of the notices issued by the
    covered entity and, if applicable, any written acknowledgments of
    receipt of the notice or documentation of good faith efforts to obtain
    such written acknowledgment, in accordance with paragraph (c)(2)(ii) of
    this section.

  • Direct Treatment Providers must also:
    Provide the notice to the individual no later than the date of first service delivery (after the April 14, 2003 compliance date of the Privacy Rule) and, except in an emergency treatment situation, make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained.

original source of post found here –
