Sample HIPAA Forms

Patient signing a HIPAA privacy form.

Feel free to use these sample HIPAA forms. Most will require some level of customization, .e.g., you'll need to add your business contact information. Customization for some, however, can be more extensive. Such is the case with business associate agreements.

DISCLAIMER: Because of the generality of these sample forms, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice.

Patient Forms

Always obtain a patient’s authorization if you ever send, or intend to send, protected health information (PHI) via email or text message. Examples include: appointment reminders and payment receipts.

For use when a patient wants to give you permission to communicate with others regarding his or her care.

Use this form when a patient or client wants to file a complaint with your office. Meaning, the patient feels you've committed a HIPAA violation.

At the bottom of the form there is a section to document that an internal review occurred. This is used to help prove the patient's complaint was not ignored by your office.

Workforce (Employee) Forms

All workforce members must sign this document. Read this article about the sanction policy for more information.

The HIPAA law does not require employee background checks. A sample form is below, however, if you are performing background checks then you probably have a more appropriate form provided by the background check service being utilized.

Business Associate Form

Disclaimer: This document includes sample business associate agreement provisions to help covered entities and business associates more easily comply with the business associate contract requirements. While these sample provisions are written for the purposes of the contract between a covered entity and its business associate, the language may be adapted for purposes of the contract between a business associate and subcontractor.

This is only sample language and use of these sample provisions is not required for compliance with the HIPAA Rules. The language may be changed to more accurately reflect business arrangements between a covered entity and business associate or business associate and subcontractor. In addition, these or similar provisions may be incorporated into an agreement for the provision of services between a covered entity and business associate or business associate and subcontractor, or they may be incorporated into a separate business associate agreement. These provisions address only concepts and requirements set forth in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, and alone may not be sufficient to result in a binding contract under State law. Reliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract. Read more at

Non-Workforce / Non-Business Associate Form

For use when an entity or person is in your office but they are not directly involved with creating, receiving, using, disclosing or maintaining your PHI. For example, an office cleaning service may have access to patient information even though the job they are performing doesn't involve patient information. Read this article about when to use a confidentiality agreement to learn more.