Must I sign my doctor’s HIPAA policy receipt form?

My son and I share a doctor who recently declined to treat my son, and said she would need to bill me directly for past services, because we each refused to sign the form acknowledging her office’s HIPAA policy. Doc said that by not signing the acknowledgement form Jorge Ivan and I made it impossible for her office to bill our insurance provider. I said, “I’ve been told that you need to ask for my signature on this form, but that I am not obliged to sign it.” Eventually, Doc and I agreed that I would do some research to prove my case, and if I couldn’t prove it – and still refused to sign the form – that I would agree to pay for her services directly.

Today I had a bit of time and did that research. I learned that I’m totally within my rights not to sign and that actually, my doctor’s conformance with law could be improved in several ways:

  1. My doctor’s form asks me to certify that, “I have received, read and understand your Notice of privacy Practices,” when the law provides only for requesting that patients acknowledge receiving a copy of that policy; and
  2. Our doctor didn’t actually give my son and I a copy of her HIPAA policy. I’ve noticed that most doctors never do provide this although they all ask patients to sign indicating receipt.
  3. Refusal to sign the form should not affect a patient’s medical treatment. When a patient refuses to sign the HIPAA policy receipt form, the doctor should still treat him/her.

What’s behind my refusal to sign the HIPAA acknowledgement form?

I just don’t understand why I should acknowledge receipt of a privacy policy which provides for my doctor to give access to my medical records to a long list of organizations without my permission being required at any level. The University of the Pacific dental school provides a list of 16 different circumstances, or entities, that they can share my medical records with (list follows) without authorization. Notice that they can share my medical records “As part of research projects” and for “Required Disclosures” – blanket terms that could indicate just about anything, or anyone. HIPAA being the legal requirement for all medical providers to adhere to the same federal privacy policy standards, it’s likely that other providers operate similarly, although they don’t all set their policies out for public perusal as clearly as UP does.

Simply put: in my mind, a privacy policy that makes it legal to share my information in this many situations has too many holes in it. Before signing a paper acknowledging that privacy policies are in place for me at my doctor’s office, I want first to see that I’m being offered important protections.

At the University of the Pacific, our top priority is taking care of our patients. An important aspect of patient care is ensuring that our patient’s private information is kept confidential. The Arthur A. Dugoni School of Dentistry abides by federal privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA). In addition, we’ve put into place several safeguards and policies to ensure that the only people who see your private information are the people authorized to do so.

b) Uses or Disclosures Permitted under this Section 5 – The situations in which the School of Dentistry is permitted to use or disclose PHI in accordance with the procedures set out in this Section 5 are listed below.

  • The School of Dentistry may use or disclose PHI in the following types of situations, provided procedures specified in the Privacy Rules are followed:
  • For public health activities;
  • To health oversight agencies;
  • To coroners, medical examiners, and funeral directors;
  • To employers regarding work-related illness or injury;
  • To the military;
  • To federal officials for lawful intelligence, counterintelligence, and national security activities;
  • To correctional institutions regarding inmates;
  • In response to subpoenas and other lawful judicial processes;
  • To law enforcement officials;
  • To report abuse, neglect, or domestic violence;
  • As required by law;
  • As part of research projects; and
  • As authorized by state worker’s compensation laws.
  • Required Disclosures
  • The School of Dentistry will disclose protected health information (PHI) to a patient (or to the patient’s personal representative) to the extent that the patient has a right of access to the PHI (see Section 10); and to the U.S. Department of Health and Human Services (HHS) on request for complaint investigation or compliance review.

University medical centers on the topic of HIPAA policy acknowledgement

  • Ohio State University Notice of Privacy Practices

    What is a patient refuses to sign the acknowledgement form? Should we refuse to treat them? No. HIPAA says that we must make a good faith effort to obtain the patient’s acknowledgement that they received the NPP. If we are unable to do so, we must document why, but may still treat the patient. On the A2K screen where acknowledgement of the NPP is recorded, there will be reason codes that you can use if you were unable to obtain the patient’s acknowledgement.

  • University of Southwestern Texas on HIPAA policy acknowledgement

    I have been asked to sign an acknowledgment form. I don’t like to sign anything until I have read the entire document. Are you going to make me sign the acknowledgment form before I can see my doctor?
    No. Your signature simply indicates that you were given the notice (NPP). If you choose not to read the NPP or sign the form, there will be no impact on the care or service you receive.

    Why do I have to sign the acknowledgment?
    You don’t have to sign anything. The HIPAA law requires that we, as your health care provider, give you this notice (NPP) and make a good faith effort to document that you have received it.

    What if I refuse to sign the acknowledgment?
    If you choose not to sign, it will have no impact on your care or service.

    Who can I talk with to explain some of the things in the NPP?
    Clinic staff will be happy to answer any basic questions you have. If you have questions that they cannot answer, you can contact the UT Southwestern Privacy Officer at (214) 648-6080.

    What is HIPAA anyway? Why do I need to care about it?
    HIPAA is the Health Insurance Portability and Accountability Act, a federal law, enacted in 1996, that requires that health providers take certain steps to protect the privacy and security of patient health information. The privacy part of the law went into effect on April 14, 2003. The NPP document and the one page NPP summary describe how UT Southwestern protects your health information.

    What does this have to do with my doctor and my care?
    Your care will not change. The law formalizes many patient privacy practices that UT Southwestern has routinely followed for some time.

    Will I have to sign this same acknowledgment at other clinics?
    The UT Southwestern University Hospitals (St. Paul and Zale Lipshy) are managing the compliance of this process separately from the UT Southwestern Ambulatory Services clinics. If you are a patient at either hospital, the admissions staff will ask that you sign a form which combines the NPP with the consent for admission. It is possible that you will be asked to sign a separate acknowledgment form if you are later seen at a UT Southwestern Ambulatory Services clinic. You may either sign the acknowledgment form again or you may simply inform them that you previously signed the form at another clinic. If you receive care at other clinics or hospitals that are not affiliated with UT Southwestern, expect that they will ask you to accept their Notice of Privacy Practices and sign their acknowledgment form.

    What did you do with my medical information before HIPAA came along?
    UT Southwestern has always protected the privacy and confidentiality of your health care, and has treated your health information accordingly. The new HIPAA law formalizes these privacy requirements, so that in addition to a being good practice, they are now spelled out as law.

    Who can sign for my minor children or elderly parents? Who will explain it to them?
    This is not a legal document, but you will need to sign the form for your minor children or elderly parents, if you are the designated legal representative. Should you or your child or elderly parent have questions or need help understanding the notice, you may contact UT Southwestern’s Privacy Officer at (214) 648-6080.

    Do you have an NPP document available in other languages?
    The NPP is also readily available in Spanish. This version can be found at all Ambulatory Services clinics and at many locations throughout both St. Paul and Zale Lipshy.

    What is the difference between the acknowledgment form and the other forms I need to sign?
    This form is a statement that you received a notice regarding UT Southwestern’s privacy and confidentiality practices. It has nothing to do with how we handle your billing, registration or treatment.

  • University of Miami: information about HIPAA Privacy Rule

    HIPAA’s Privacy Rule requires that providers with a direct treatment relationship make a good faith effort to obtain an individual’s written acknowledgment of receipt of the Notice of Privacy Practices.

    The receipt-of-notice acknowledgment is intended to create the “initial moment” between a provider and an individual, formerly expected to result from the (now optional) consent process, during which individuals may focus on information practices and privacy rights, and discuss any concerns with the provider.

    DHHS has taken the position that “[n]othing relieve[s] a covered entity of its duty to provide the entire Notice in plain language so the average reader can understand it.” Nonetheless, this is only an acknowledgment that the patient has received the Notice, not that he or she has read or understood it.

    The acknowledgment must be in writing. If the good faith effort fails to obtain an acknowledgment (e.g., the patient refuses to sign), the reason(s) why must also be documented in writing. Note that the attempt to obtain an acknowledgment can be delayed in emergency treatment situations until “reasonably practicable.”

  • University of Washington about Notice of Privacy Practices

    PP-21. UW Medicine provides all patients (except prisoner patients) a copy of its Notice of Privacy Practices (NPP), which outlines how an individual’s PHI will be used or disclosed. UW Medicine is required to make a good faith effort to obtain written acknowledgement of receipt of the NPP from each patient treated.

    PP-22. Individuals treated at UW Medicine facilities have a right to request additional restrictions on the use or disclosure of their PHI. UW Medicine is not required to agree to any restriction. If UW Medicine does agree then it must follow the agreed-upon restrictions. All agreed-upon restrictions must be documented in the individual’s designated record set. The designated record set contains an individual’s medical and billing records, and other information used to make decisions about the individual.

    PP-23. An individual has the right to access, inspect or request a copy of PHI contained in the UW Medicine designated record set, unless an exemption applies (e.g., psychotherapy notes, information compiled for risk management purposes, etc.). Requests to access, inspect or photocopy PHI should be referred to the Release of Information Service Area for the entity in which services are provided.

    PP-24. An individual may ask a health care provider to correct or amend his or her health care record. Requests must be in writing and state a reason for the requested change. UW Medicine has ten days from receipt of the request to respond in writing. If a provider receives a request for amendment, he or she must immediately contact the Release of Information Service Area for the entity in which services are provided.

    PP-25. An individual has the right to request UW Medicine to provide an accounting of all disclosures from an individual’s designated record set, excluding those uses or disclosures for which an accounting is not required (e.g., treatment, payment, or health care operations; uses or disclosures made with the individual’s authorization; or uses or disclosures incidental to an authorized use or disclosure).

Legal code and official federal policy

  • Excerpt from Code of Federal Regulations

    [Code of Federal Regulations]
    [Title 45, Volume 1]
    [Revised as of October 1, 2010]
    From the U.S. Government Printing Office via GPO Access
    [CITE: 45CFR164.520]

    [Page 857-860]
    TITLE 45–PUBLIC WELFARE

    SUBTITLE A–DEPARTMENT OF HEALTH AND HUMAN SERVICES

    PART 164_SECURITY AND PRIVACY–Table of Contents

    Subpart E_Privacy of Individually Identifiable Health Information

    Sec. 164.520 Notice of privacy practices for protected health information.

    (e) Implementation specifications: Documentation. A covered entity
    must document compliance with the notice requirements, as required by
    Sec. 164.530(j), by retaining copies of the notices issued by the
    covered entity and, if applicable, any written acknowledgments of
    receipt of the notice or documentation of good faith efforts to obtain
    such written acknowledgment, in accordance with paragraph (c)(2)(ii) of
    this section.

  • http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/notice.html

    Covered Direct Treatment Providers must also:
    Provide the notice to the individual no later than the date of first service delivery (after the April 14, 2003 compliance date of the Privacy Rule) and, except in an emergency treatment situation, make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained.

36 Replies to “Must I sign my doctor’s HIPAA policy receipt form?”

  1. I was told by a doctor’s office today that it is their policy to refuse services to anyone who does not sign the electronic acknowledgement of the HIPPA forms.

  2. Oh…by the way…the recent form I was asked to sign had this in it…

    FUNDRAISING: We may provide medical information to one of our affiliated fundraising foundations to contact you for fundraising purposes…….

    RESEARCH IN LIMITED CIRCUMSTANCES: Medical information for research purposes in limited circumstances where the research has been approved by a review board that has reviewed the research proposal and established protocols to ensure the privacy of medical information…..

    The crem-de-la-crem……SPECIALIZED GOVT. FUNCTIONS: Subject to certain requirements…we may disclose or use health info for…..protective services for the President and OTHERS, ….Dept. of State…..NATIONAL SECURITY AND INTELLIGENT SERVICES….

    REALLY??? WHAT WOULD MY PAP SMEAR HAVE TO DO W/ THE PRESIDENT OF THE UNITED STATES AND THE CIA OR NSA? IS MY GYN A MATTER OF NATIONAL SECURITY?

  3. Kimi…thank you soooo much for taking the time and doing the research to share w/ people like me who object to mandating my private bodily functions being at the disposal of every Tom, Dick and Harry who wants to know about me and my body.

    Part of living in a FREE society is to be FREE of invasion of privacy. I have been rejected from services in the last 3 years because I refused to sign the HIPPA waiver. I think a class action lawsuit should be on the horizon around this issue.

    1. Hey Suzanne, I’m just glad that my little research project has been heartening to other people. I read your comments about the items they slipped into the acknowledgement form and was WOWED.

  4. I suggest you find another Dr that wants to put up with your craziness. No Dr has the time to deal with some asshole pt that has some concern about signing some simple form.

    1. Always interesting to encounter a person who doesn’t believe in either democracy or personal freedom. Do you live in South Carolina, by any chance?

    2. Craziness?
      The only asshole I saw in this thread was you Steve. If you want to live life as a sheep and give away your rights to any and all who ask then go right ahead. Meanwhile, the rest of us will continue to value our privacy and proceed with caution by exercising our rights ~ “while we still have them”!

  5. I got a NPP(Notice of private practices) from my new doctor and was asked to sign an acknowledgement receipt. What this looks like if I sign then they can send and do all those things which is on the NPP. Does signing the receipt allows them to send my records to pharmacies, hospitals, insurances, labs, billing all covered entities? I did not sign any other authorization. Is this a consent thing for every facility or organization. This is what it looks like.

    1. Joan, if your doctor is asking you to agree to anything, that is beyond the scope of the NPP. The HIPAA/NPP document is simply a record that your doctor made available for your viewing, his/her privacy practices. Signing, or not signing, does not limit or extend your privacy rights in any way.

    2. Joan, all you’re signing is the “acknowledgment” that they had given you the opportunity to look at their HIPAA policies NOT whether you agree to the policies or not. Whether you decide to sign it or not has no bearing on if their allowed to send that information to hospitals, even if you don’t sign it they still can send information to pharmacies, labs, etc. Which makes the whole signing thing kind of pointless, but the law states that is at least required by the doctor to ask for an acknowledgement signature, bureaucracy at it’s best.

      I find it easiest to think about like this: by choosing to see that doctor you’re agreeing to his privacy polices, if you don’t then find another doctor with different policies because whether you sign that or not his policies aren’t changing.

  6. today4jun2013 had a doctor appointment they force me to sign a paper, witch initially I sign it with many notes! last week and today, when they give again the same kind of paper and I refuse to sign it, because the paper say the signature is voluntary! but they threaten me that if I don`t sign can`t have the record from my emergency room visit. where you can complaint about this abusive harassment behaviors?

    1. There must be a medical ethics board that you could complain to, but I don’t know what it is called.

      Be sure you’re not disputing the consent to treat form. AFAIK you pretty much need to sign that one.

  7. I think this has nothing to do with protecting your privacy, this law was enacted to give the government authorization to be notified if you were a potential organ donor. Before that you have had to give the doctor permission to disclose your medical records.

  8. Interesting analysis found here: http://worldprivacyforum.org/hipaa/HipaaGuidePart3.html

    HIPPA is not actually designed to protect patient privacy – it just spells out how patient privacy can be violated legally. Specifically, insurers and payment processors are allowed to get your information almost no matter what (in a way, I actually admire the doctor listed above – she’s actually offering the patient the option to pay privately and keep the insurance companies out .. HIPPA actually allows her to send that information on no matter what the patient says; in fact, though the doctor may not realize it, if Medicare is involved, she may actually be violating the law by even offering you that option).

    I do find it interesting that so many people object to being “used” as “teaching tools”. I understand the sentiment (after abuses like tuskegee, who wouldn’t understand), but if no one wants younger physicians to learn, what happens when all the experienced doctors die? Having recently completed my own residency training, I owe a lot to the patients who let me “learn” on them, and I save lives every working day (literally) because of those opportunities and experiences. I don’t think I abused anyone, though there are definitely individual patients that I made mistakes on, but those mistakes (which luckily didn’t kill anyone) have saved several lives since then (since I’m now on my own, with no one looking over my shoulder).

    Incidentally, there is an odd fact that so-called teaching hospitals may actually have better outcomes than non-teaching hospitals: http://onlinelibrary.wiley.com/doi/10.1111/1468-0009.00023/abstract;jsessionid=FCC14C8D6C4267FB3A479251A2194992.d01t02?deniedAccessCustomisedMessage=&userIsAuthenticated=false.

    JAMA recently published an article in which higher patient satisfaction was associated with higher mortality see here:http://archinte.jamanetwork.com/article.aspx?articleid=1108766

    1. Such interesting comments. Thanks Bagheera. I’ll look into that JAMA article. What an intriguing study.

    2. InterestedMD, I completely agree with you on the teaching side of things. Good doctors are constantly learning. I’ve personally had good experience with teaching hospitals so 2nd your opinion of their value.

      On the issue of my doctor, though, she wasn’t offering the option to protect my privacy by billing me directly, without the intervention of the insurance company. She simply didn’t understand the HIPAA requirement and got it confused with patient and billing consent. I did sign her patient and billing consent forms – so, I gave her permission to treat me and permission to send whatever necessary to my insurance company so she could get paid. I refused to sign her HIPAA form for three reasons.

      First, I never sign those forms, and there’s no legal requirement that I do so. The onus is all on the doctor. HIPAA law requires that a doctor have a HIPAA patient privacy policy and that they try to show it to me. I can read it or not and I can sign a form acknowledging receipt of it or not. If I don’t sign, the doctor or her staff is able to indicate my refusal on the form and they don’t run any risk of having a problem by doing so.

      Second, the doctor’s form language substantively exceeded HIPAA law. That form asked me to agree with something, but HIPAA law doesn’t ask any patient to agree with, or even to understand, the medical provider’s privacy policy. And that’s all HIPAA addresses in terms of patient obligation, or interaction. Simply put, all HIPAA wants is for a patient to say, “Yes, I saw my doc’s HIPAA policy. It was shown to me and I’m going to sign the form that says I saw it.”

      Third, I was asked to sign acknowledgement of seeing the doctor’s HIPAA policy before the policy was shown to me. That’s dumb. Interestingly enough, most doctors who have treated me and my kids, do this exactly the same way.

      1. This is somewhat an old topic, but I feel the need to reply. The fact that the doctors form went over and above HIPAA would cause me to not sign it as well. However, to just not sign it for the heck of it makes you sound difficult. Now I may be wrong, but I’m just telling you how you would then sound to doctor and his/her office. Also, the law does not require that a doctors office give each and every patient a copy of the law. But the law does require they have it on hand for the patients who would like to read through it and may have questions regarding it. So to get disgruntled that most physicians do it the same way is just frustrating yourself for no good reason. If you think it’s dumb, think it’s dumb. Try asking the doctor for a copy of it next time.

        1. Hannah, it’s important to me that my society be transparent, logical, egalitarian, honest and kind … and that I do my job as a citizen of a democracy to advocate for the protection of these principles should I perceive that they are fading from importance or are being disregarded. I view advocacy as an essential duty of democratic citizenry.

    3. With all due respect, where the teaching with us as tools begins and ends should be our decision — not yours. Ours or our survivors. I read a horror story of a young man with cancer being used as a total teaching tool during his last few days and his parents not being able to keep the teams out so he could die surrounded by his loved one — not interns that are strangers to him, treating him like an interesting specimen. Let those who aren’t bothered by it agree to it as is now done with donating your body to science. Those of us who are modest, or just want to not be surrounded by strangers in our direst health emergencies should not be given only agreeing with it or being refused health care as our only two options. Frankly, science goes too far; we’re not allowed to die with dignity any more. So, no, you really don’t move me with this argument. I don’t volunteer to be a classroom tool. Your interns can learn (and make their mistakes as you admit you do here) on somebody else. I wouldn’t be at all surprised if you’re that butcher that operated on me 10 years ago and I haven’t been right since. It was an emergency operation in a teaching hospital (3 hospitals in my city all teaching so I don’t have another option) and they stuck me with a surgeon so young I was calling him Doogie
      Howser. I’m really not impressed if he’s performing better now. I also don’t have any confidence that he is.

  9. I think there is so much confusion about the difference between consent for treatment permission forms and the HIPAA form which merely acknowledges that a patient has been informed of a provider’s privacy policy. 

    While doctors should probably not treat patients who do not consent to be treated – for obvious reasons, there doesn’t seem to be any good reason a patient should sign anything acknowledging that notification of the doctor’s privacy policies was received.  As Ruyzho  points out, any privacy policy has gaping holes in it and will exist whether I agree that I know what they are, or don’t agree.

    But Blaze! Don’t you think you owe it to yourself to get treatment for that very serious medical condition you’re carrying around in your body? I do, personally, sign consent for treatment forms. I completely understand your concerns about your patient rights being subject to violation but the good news is that most patients are not abused. Let me know how things turn out for you. I am praying for your fast and full recovery.

    1. I’m sorry. Just seeing this. I continually run into the doctors won’t treat if I don’t sign the HIPPA in addition to the treatment consent. If you don’t sign both, their attitude is go somewhere else. Since they all do this, there is no somewhere else to go. You either have to gamble with your health or your priv
      acy and one of these nightmare invasions of privacy happening to you

  10. Thank you so much for this!  Last Thursday I had an appointment for an echocardiogram because I have a leaky heart valve and an aortic aneurysm, quite serious problem and said echocardiogram is rather important.  I usually cross out what I disagree with and write in I do not agree to this section and initial it but I was told Thursday that legally speaking my signature on the bottom agrees to what is printed regardless of any alterations that I make.  What ended up happening is I would not sign my rights away and they would not give me the echocardiogram without it.  I am on the internet in small bursts trying to find my rights and get the medical care I so desperately need without signing my rights away to not be used as a guinea pig or a teaching tool.  I came across one horrific story of one couple whose son who died of cancer being used as a total teaching tool for the last four days of his life.  This patient abuse needs to end!

  11. HIPAA does NOT require that a patient give consent to bill an insurance policy.  In fact, HIPAA specifically allows disclosures of information related to receiving payment for services.

    There are actually four primary instances where your healthcare provider can share your information without getting consent from you.

    Treatment – such as discussing your care with other members of the staff providing care, consulting with other providers about the kind of care you need, or giving information to a provider whom to whom they are referring you for more specialized care.

    Payment – Such as sending bills to your established address, billing insurance companies, providing information to collections agencies when necessary, and the like.

    Operations – Handling internal issues, performing quality enhancement activities, engaging in financial audits, etc.

    Legal Requirements – Responding to subpoenas and/or search warrants, assisting in active criminal investigations, public health reporting, abuse and neglect prevention reporting, vital statistics (births and deaths) reporting, etc.

    You would probably be surprised just how much of your “private” information is openly shared.  Signing the acknowledgement only allows the provider to stop asking you to sign the document each time you come in.  It doesn’t limit your rights in any way.

  12. You don’t have to sign.  Doctor can still see a patient and document patient refused to sign.   You will have to pay for your services in full since insurance can’t be billed with consent.

    1. I’m quite willing to sign that part of it but I was told that crossing out what I was not willing to agree to — my private info being used for research and/or teaching too, my bodily material being used in any way the hospital wanted to — and writing in I do not agree to this and signing it with the changes I made does not legally null and void those parts.  My signature applies to the printed form.  I cannot agree to being used this way!  A person should not have to be rich enough to pay out of pocket and if they have to pay out of pocket to not forfeit their rights, what’s the point of insurance even if they are rich enough?

    2. On Jan 26, 2013, Allergy Associates & Lab Ltd of Chandler
      AZ denied me services because I refused to sign away my HIPPA PROTECTED HEALTH
      INFORMATION.  HIPPA laws were designed to
      protect patients’ privacy rights, so why would Allergy Associates coerce
      patients into giving them up?  How can
      they justify refusing critical medical treatment to an asthma sufferer on this
      basis when there is no legal or ethical reason why a patient must give up their
      protected medical rights?  Say NO to
      Allergy Associates or any provider and go somewhere more friendly and
      respectful of patients’ rights!     

  13. Thank you…I plan on sharing your hard work with fellow classmates as I’m researching this law as well!
     

  14. Thanks for your help in analyzing this issue.
    Bernard Freedman
    clinicalbioethics.com

  15. Thanks so much for this info. I was looking for the exact references you’ve given in the law. I wish I had found your post yesterday, before I was lied to by the doctor’s office staff: “HIPPA says either you sign your name or you don’t see the doctor – it’s your choice.” Well, they got the choice part right, at least. I did get away with filling out the form with nothing but my name, phone number and birthdate.

Leave a Reply to Steve Stinson Cancel reply

Your email address will not be published. Required fields are marked *