Three types of HIPAA patient forms
1. Acknowledgment of Notice of Privacy Practices (NPP)
Under HIPAA, covered entities must provide patients with a Notice of Privacy Practices and make a good-faith effort to obtain an acknowledgment of receipt. This is not an authorization — it is a simple acknowledgment that the patient received the notice.
- Required elements: Patient name, date, signature acknowledging receipt of the NPP.
- Authorization required: No — this is an acknowledgment, not consent.
- Retention: 6 years from the date of creation or the date it was last in effect, whichever is later.
2. HIPAA Authorization for Release of Information
When a covered entity wants to use or disclose PHI for a purpose beyond treatment, payment, and healthcare operations, a HIPAA authorization is required. A valid authorization must contain the following elements:
- Description of the information to be used or disclosed
- Name or class of persons authorized to make the disclosure
- Name or class of persons or organizations authorized to receive the information
- Description of each purpose of the requested use or disclosure
- Expiration date or expiration event
- Statement of the patient's right to revoke
- Statement that the provider may not condition treatment on the authorization (with limited exceptions)
- Statement that information disclosed pursuant to the authorization may be redisclosed and may no longer be protected
- Patient signature and date
3. Informed Consent for Treatment
Informed consent for treatment is generally governed by state law rather than HIPAA. It requires that the patient understand and agree to the proposed treatment. HIPAA does not specify the elements of informed consent; the applicable state law does.
What makes a patient signature HIPAA-compliant?
HIPAA does not specify the form of the signature — wet or electronic. However, for a signed form to be defensible, the signature should be:
- Associated with the correct patient (the person signing is the patient or their authorized representative)
- Dated at the time of signing
- Accompanied by a record establishing that the patient was presented the document and chose to sign it
Electronic signatures that include OTP identity verification, a trusted timestamp (RFC 3161), and an audit trail of the signing session are generally more defensible than wet signatures on paper forms — they produce a structured record of exactly who signed, when, and on what device.
HIPAA retention requirements
- Medical records: Retention periods are set by state law and vary by state. HIPAA itself requires covered entities to retain documentation of their policies and procedures for 6 years from the date of creation or the date it was last in effect, whichever is later.
- Signed authorizations: Must be retained for 6 years.
- NPP acknowledgments: Must be retained for 6 years.
- If state law imposes a longer retention period, the longer period controls.
Making digital patient forms defensible
- Use a structured digital intake process — not emailed PDF attachments — so there is a reliable record of what was sent, when, and to whom.
- Include OTP verification before signature to confirm patient identity.
- Record a trusted timestamp (RFC 3161) on every signature event.
- Store the signed document and its audit trail together, retrievable for the full retention period.
- Use a BAA-covered platform for any software that handles PHI.
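The list above describes what a defensible signing record has to bind together: the document as signed (by hash), the verified signer, the time, the device, and an audit trail that cannot be quietly edited afterwards. The following is an added illustration of that structure, not code from this page or from any signing platform. It assumes constructed values throughout: a small byte string standing in for the signed form (no real PHI), a made-up signer and device identifier, and a placeholder where an RFC 3161 token would go, since obtaining a real token requires a live timestamping authority. The audit trail is hash-chained (each event commits to the previous event's hash) so that verification can detect a removed or altered event as well as a modified document.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample standing in for the bytes of a signed intake form (no real PHI).
SAMPLE_DOCUMENT = (
    b"Acknowledgment of Notice of Privacy Practices\n"
    b"Patient: J. Doe (constructed sample)\n"
    b"I acknowledge receipt of the Notice of Privacy Practices.\n"
)

# Placeholder: a real deployment stores the RFC 3161 token returned by a TSA here.
PLACEHOLDER_TSA_TOKEN = "PLACEHOLDER_RFC3161_TOKEN"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as lowercase hex; this is the document fingerprint kept in the record."""
    return hashlib.sha256(data).hexdigest()


def canonical(obj: dict) -> bytes:
    """Deterministic JSON encoding so a hash over a record is reproducible at verification time."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def utc_now() -> str:
    """Wall-clock reading in ISO 8601 UTC (an RFC 3161 token would be the trusted counterpart)."""
    return datetime.now(timezone.utc).isoformat()


def append_event(trail: list, event: str, at: str, **details) -> dict:
    """Append a hash-chained audit event: each entry commits to the previous entry's hash."""
    prev_hash = trail[-1]["hash"] if trail else "0" * 64
    body = {"event": event, "at": at, "prev_hash": prev_hash, "details": details}
    entry = dict(body, hash=sha256_hex(canonical(body)))
    trail.append(entry)
    return entry


def record_signing_session(document: bytes, signer_id: str, device: str,
                           clock=utc_now, tsa_token: str = PLACEHOLDER_TSA_TOKEN) -> dict:
    """Build the record for one session: document presented -> OTP verified -> signature applied.

    signer_id and device are whatever identifiers the intake system assigns (constructed here).
    """
    doc_hash = sha256_hex(document)
    trail: list = []
    append_event(trail, "document_presented", clock(), document_sha256=doc_hash, device=device)
    append_event(trail, "otp_verified", clock(), signer_id=signer_id)
    signed = append_event(trail, "signature_applied", clock(), signer_id=signer_id,
                          document_sha256=doc_hash, tsa_token=tsa_token)
    return {"document_sha256": doc_hash, "signer_id": signer_id, "signed_at": signed["at"],
            "device": device, "trail": trail}


def verify_session(record: dict, stored_document: bytes) -> list:
    """Return a list of problems; an empty list means document and trail are intact and consistent."""
    problems = []
    if sha256_hex(stored_document) != record["document_sha256"]:
        problems.append("document hash mismatch: stored bytes differ from what was signed")
    prev = "0" * 64
    for i, entry in enumerate(record["trail"]):
        body = {k: entry[k] for k in ("event", "at", "prev_hash", "details")}
        if entry["prev_hash"] != prev:
            problems.append(f"trail entry {i}: broken chain link (event removed or reordered)")
        if entry["hash"] != sha256_hex(canonical(body)):
            problems.append(f"trail entry {i}: entry hash mismatch (contents altered)")
        prev = entry["hash"]
    events = [e["event"] for e in record["trail"]]
    try:
        if events.index("otp_verified") > events.index("signature_applied"):
            problems.append("signature recorded before OTP verification")
    except ValueError:
        problems.append("trail is missing an OTP verification or signature event")
    return problems


if __name__ == "__main__":
    rec = record_signing_session(SAMPLE_DOCUMENT, "patient-0001", "tablet-42")
    print("intact:", verify_session(rec, SAMPLE_DOCUMENT))
    print("altered document:", verify_session(rec, SAMPLE_DOCUMENT + b"!"))
```

Storing `rec` and the document bytes side by side for the full retention period is what lets a later reviewer re-run `verify_session` and show that the record still matches what the patient actually signed; a trusted RFC 3161 token in place of the placeholder would additionally prove that the hash existed at the recorded time.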
Docuplete is available with a Business Associate Agreement (BAA) for covered entities. Every signed session includes OTP identity verification, RFC 3161 timestamp, SHA-256 document hash, and a complete audit trail. See /legal/baa/ for the BAA.
Automate HIPAA-compliant patient forms.
Guided digital intake with OTP verification, trusted timestamps, and BAA coverage.