The Privacy Rule stipulates that a valid HIPAA authorization form must be completed before using or disclosing Protected Health Information for a purpose not otherwise allowed by the Rule. This article discusses the circumstances in which an authorization may be required and what constitutes a valid HIPAA authorization form.
The HIPAA Privacy Rule protects the privacy of individually identifiable health information by limiting uses and disclosures of Protected Health Information (PHI). The limitations on uses and disclosures are summarized in five categories by the Privacy Rule:
- Required uses and disclosures of Protected Health Information.
- Uses and disclosures for treatment, payment, or healthcare operations.
- Uses and disclosures for which a HIPAA authorization form is required.
- Uses and disclosures requiring an opportunity for the individual to agree or object.
- Uses and disclosures for which neither an authorization nor the opportunity to agree or object is required.
The Privacy Rule categorization of uses and disclosures can be confusing inasmuch as it implies all uses and disclosures of PHI are allowed except those for which a HIPAA authorization form is required. However, that is not the case, as the following descriptions explain.
Required uses and disclosures of PHI
There are generally two circumstances in which the use or disclosure is required – when access to PHI is required by the Department of Health and Human Services (HHS) for a compliance review, and when an individual exercises their rights to access PHI maintained about them by a Covered Entity or Business Associate or requests an Accounting of Disclosures.
There are limitations to these required uses. HHS can only request access to PHI “pertinent to ascertaining compliance with the applicable administrative simplification provisions”, while individuals can only request access to PHI maintained in a designated record set. Similarly, limitations exist in what PHI should be included in an Accounting of Disclosures.
Additionally, further uses and disclosures of PHI may be required if a state law pre-empts HIPAA. In many states Covered Entities are required to disclose PHI to report child abuse, neglect, or domestic violence. It may also be the case that mandatory disease reporting is required by public health authorities during a public health event such as the COVID-19 pandemic.
Disclosures for treatment, payment, or healthcare operations
There can sometimes be a misconception that all disclosures of PHI for treatment, payment, or healthcare operations are permitted by the Privacy Rule – but this is not the case. For example, disclosures of PHI for treatment purposes are only permitted when there is a “treatment relationship” between the entity making the disclosure and the entity receiving the PHI.
Disclosures of PHI for healthcare operations cover a multitude of events from business planning and the development of clinical guidelines to training future healthcare professionals and resolving internal grievances. There seem to be few limitations to when PHI can be disclosed for healthcare operations, provided PHI disclosed in these operations remains within a Covered Entity.
However, with regard to what PHI can be disclosed in this category, the Privacy Rule includes an exception to the Minimum Necessary standard for treatment purposes, but not for payment or healthcare operations purposes. Therefore, all disclosures of PHI for payment and healthcare operations purposes must be limited to the PHI required to achieve the intended purpose.
Uses and disclosures for which a HIPAA authorization form is required
The Privacy Rule standard relating to when a HIPAA authorization form is required (§164.508) is one of the reasons people get confused about permissible uses and disclosures. This is because the standard states “Except as otherwise permitted or required by this subchapter [the Privacy Rule], a Covered Entity may not use or disclose PHI without an authorization that is valid under this section.”
This standard is not only unfortunate in its placement – coming after “permitted and required” uses and disclosures, but before disclosures for which an authorization is not required – but also neglects to acknowledge that some required uses and disclosures exist outside the Privacy Rule – for example, in the General Provisions relating to Compliance and Investigations (Part 160, Subpart C).
Furthermore, this standard is light on details – stipulating that a HIPAA authorization form is required for the disclosure of psychotherapy notes, the use of PHI for marketing, and the sale of PHI. All other uses and disclosures of PHI that require a HIPAA authorization form – for example, disclosures to the media for a public interest story – are not covered.
Uses and disclosures requiring an opportunity to agree or object
This is another section of the Privacy Rule that can cause confusion about when a HIPAA authorization form is required because it stipulates the circumstances in which a Covered Entity can orally inform an individual that they have the right to agree or object to a use or disclosure, and orally accept the individual's agreement or objection.
The events for which an opportunity to agree or object is required are limited to partial disclosures to a hospital directory, to members of the clergy, and to third parties who ask for the individual by name. Such disclosures can also be made without giving an individual the opportunity to agree or object if the individual is incapacitated and the disclosures are considered to be in the individual's best interests.
Nonetheless, in these circumstances, some Covered Entities ask individuals to complete a HIPAA authorization form – or at least document that an opportunity to object has been provided and the individual has not taken advantage of it. While useful “for covering one's back”, unnecessary documentation reduces efficiency and creates more administration for medical personnel.
Times when neither an authorization nor the opportunity to agree or object is required
The uses and disclosures for which neither an authorization nor the opportunity to agree or object is required appear to be simply more permissible uses and disclosures. There are pages and pages of such uses and disclosures in the Privacy Rule – some of which overlap with the previously mentioned required disclosures for reporting child abuse, neglect, or domestic violence.
Many uses and disclosures in this section have limitations on them beyond the minimum necessary standard. For example, a Covered Entity may only disclose to an employer information the employer requires to comply with OSHA reporting requirements in the event of a work-related illness or injury. Similar limitations apply with regard to the immunization of minors and disclosures to schools.
However, while this section lists more permissible uses and disclosures, it also contains some prohibitions. If, for example, an individual is undergoing medical treatment for a condition that has led to them committing a violent crime, PHI collected by the Covered Entity from the individual during the course of the treatment cannot be disclosed to law enforcement officials.
When is a HIPAA Authorization Form Necessary?
Other than in the examples provided above, there are not that many obvious circumstances in which a HIPAA authorization form would be necessary. However, the failure to obtain a valid HIPAA authorization form when one may be perceived to be necessary could result in complaints to HHS' Office for Civil Rights – whether justified or not – for alleged violations of the Privacy Rule.
For this reason, when a Covered Entity or Business Associate conducts a risk assessment ahead of implementing safeguards to comply with the Administrative Requirements of the Privacy Rule (§164.530), it is recommended that any uses or disclosures of PHI not expressly permitted by the Privacy Rule are reviewed to determine whether a HIPAA authorization form is necessary.
If it is determined necessary for a use or disclosure of PHI to be supported by a HIPAA authorization form, forms should be created and procedures should be developed for how to complete the forms so they are valid. Workforces must be trained on the occasions when a HIPAA authorization form is necessary and shown how to complete and document an authorization form to ensure it is valid.
One further recommendation is to include any additional occasions when an authorization is required in the Notice of Privacy Practices beyond those required by the Notice of Privacy Practices standard (§164.520). This standard states a Notice of Privacy Practices must include:
“A description of the types of uses and disclosures that require an authorization under §164.508(a)(2)-(a)(4) [psychotherapy notes, marketing, and the sale of PHI], a statement that other uses and disclosures not described in the notice will be made only with the individual’s written authorization, and a statement that the individual may revoke an authorization.”
By determining which uses and disclosures of PHI should be supported by a HIPAA authorization form, training the workforce, and including the additional occasions in a Notice of Privacy Practices, Covered Entities can avoid unnecessary complaints to HHS' Office for Civil Rights – thus reducing the amount of wasted time acknowledging and responding to the complaints.
What Should a HIPAA Authorization Form Include?
The objective of asking an individual to sign a HIPAA authorization form is to get their informed permission to use or disclose PHI for a purpose not expressly permitted by the Privacy Rule. Therefore, the individual needs to understand what is being disclosed, what the disclosure is for, and who the disclosure is being made to – and be comfortable with the use or disclosure.
Consequently, the HIPAA authorization form should be written in clear English (or the native language of the individual). It should warn the individual that any PHI used or disclosed with their authority may be further used or disclosed by the recipient, and possibly without the protections of the Privacy Rule in place depending on the proposed use or disclosure.
The individual should be told they have the right to revoke the authorization, along with details of how they can exercise that right, and the form should list any exceptions to the right to revoke. The form should also include an expiration date or event (e.g., end of a trial if the date is unknown) when the authorization is terminated and the PHI can no longer be used or disclosed.
Finally, the HIPAA authorization form should state that the covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on whether the individual signs the authorization. The form should be signed and dated by the individual or the individual’s representative. If a representative is signing the form, the relationship with the individual must be detailed along with a description of the representative’s authority to act on the individual's behalf.
Regional and Use Case Variations on Authorization Form Templates
While it is possible to download a HIPAA authorization form template and use it in its downloaded format, some Covered Entities operating in locations where state laws pre-empt HIPAA, or where additional information is required, may find it necessary to design a HIPAA authorization form more appropriate to the purposes for which an authorization is being sought.
For example, in New York, a separate HIPAA authorization form has been designed by the New York State Office of Court Administration for when PHI is released for disclosure in litigation. In Connecticut, the Department of Mental Health and Addiction Services has designed a form appropriate for individuals with psychiatric conditions, and in Texas, the standard HIPAA authorization form has been amended to comply with Texas' Medical Records Privacy Act.
Consequently, while a HIPAA authorization form template may be suitable for some Covered Entities, it will not be suitable in its unedited format for all. Covered Entities unsure about what should be included in their HIPAA authorization forms should seek professional compliance advice.