
Patient Intake Form Compliance Audit: What HIPAA, FTC, and State Laws Actually Require

Most practices' intake forms were written years ago and haven't been audited since. Here's the specific audit framework covering HIPAA, marketing authorization, CAN-SPAM, TCPA, and state requirements.

7 min read. By RegenCompliance Editorial, FDA/FTC compliance desk

Patient intake forms are the primary document establishing the patient-practice relationship, including key authorizations that affect marketing, communication, and HIPAA compliance. Most practices’ intake forms were written years ago, by an attorney who understood the framework at the time, and haven’t been updated since. A periodic audit catches gaps that accumulate.

The audit categories

1. HIPAA Notice of Privacy Practices

  • Current version reflecting recent HIPAA updates.
  • Specific to your practice’s uses and disclosures.
  • Contains all required elements (access rights, amendment rights, accounting rights, complaint process).
  • Patient acknowledgment documented.

2. HIPAA authorizations

  • Specific separate forms for non-treatment uses (marketing, specific disclosures).
  • Not bundled with treatment consent where separate authorization required.
  • Contains all HIPAA-required elements.
  • Specific scope, not overbroad.

3. Marketing authorization

  • Separate from treatment consent.
  • Specific scope (website, social media, print, video).
  • Duration specified.
  • Revocation mechanism described.
  • Specific patient information covered.

4. Photo and imagery authorization

  • Separate authorization for photo use in marketing.
  • Specific scope of use (which marketing channels).
  • Duration of authorization.
  • Limitations on use (before/after only, specific procedures only).

5. Communication preferences and CAN-SPAM/TCPA

  • Email communication consent (specific, not blanket).
  • SMS/text message consent with TCPA-required express written consent language if autodialers used.
  • Phone call consent.
  • Marketing communications separate from treatment communications.

6. Financial responsibility and pricing disclosure

  • Accurate insurance billing practices.
  • Cash-pay pricing disclosure.
  • Financing options and terms.
  • State-specific financial disclosure requirements.

7. Treatment consent

  • General consent for evaluation and treatment.
  • Procedure-specific consents for specific services.
  • Anesthesia/sedation consent where applicable.
  • Off-label use consent where applicable.

8. Consumer review policies

  • No-negative-review clauses are prohibited under the Consumer Review Fairness Act (CRFA); audit for them and remove them.
  • Review solicitation practices should not be structured as review-gating.

9. State-specific requirements

  • State-specific privacy laws (California CMIA, New York SHIELD, etc.).
  • State-specific financial disclosure requirements.
  • State-specific specialty board requirements.

Common audit findings

Pitfall 1: Everything bundled into treatment consent

A single form asking the patient to agree to treatment, marketing use, photo use, and communication preferences. Doesn’t meet HIPAA authorization specificity requirements.

Pitfall 2: Indefinite marketing authorizations

Authorizations with no expiration. HIPAA expects a specific expiration date or a triggering event.

Pitfall 3: Old HIPAA notices

Notice of Privacy Practices that hasn’t been updated in years. Should reflect current practice and regulatory framework.

Pitfall 4: No-negative-review clauses

These are prohibited under the Consumer Review Fairness Act. Any clause restricting patient reviews should be removed.

Pitfall 5: Blanket TCPA consent

SMS consent buried in a larger form without TCPA-specific clear-and-conspicuous express written consent language.

Pitfall 6: Missing state-specific addenda

Forms designed for one state used in multi-state practice without state-specific additions.

Form update process

  1. Legal review of current forms. Healthcare regulatory attorney identifies gaps.
  2. Draft updates addressing gaps. Specific attention to HIPAA, marketing authorization, TCPA, CRFA, state-specific items.
  3. Implementation plan. When new forms take effect; how existing patients transition.
  4. Staff training. Front desk understands the changes and collection requirements.
  5. Systems integration. EHR and practice management systems reflect the new forms.
  6. Ongoing review. Annual form review to catch regulatory updates.

Frequently asked questions

How often should intake forms be updated?

Major review every 2-3 years with attorney involvement. Triggered updates when specific regulations change (HIPAA updates, state law changes, CRFA awareness).

Do existing patients need to sign new forms?

Depends on what changed. HIPAA Notice updates may require acknowledgment; new marketing authorizations typically apply only to new uses.

Can digital intake be compliant?

Yes, with appropriate electronic signature mechanisms and HIPAA-compliant platforms. Digital intake can be more compliant than paper because validation can be built in.

What about telehealth-specific intake?

Telehealth adds state-licensure acknowledgments, specific communication preferences, and platform-security disclosures.

Should I include prepaid package terms in intake?

Package-pricing terms are often better in separate documents. Bundling into general intake can create interpretation issues.

What documentation of intake should I retain?

Signed forms in patient records, version history of form updates, documentation of staff training on form usage, and record of any patient-specific modifications.
