The HIPAA Rules place restrictions on the disclosure of protected health information (PHI) and healthcare records without prior authorization from patients – termed a HIPAA authorization.
The HIPAA Privacy Rule, which has been in force since April 14, 2003, introduced standards on the permitted uses and disclosures of patient data, which include with whom data may be shared and under what circumstances PHI may be disclosed.
The HIPAA Privacy Rule allows medical data to be shared by healthcare providers, health insurers, healthcare clearinghouses, and business associates of HIPAA-covered entities and other entities subject to HIPAA Rules under specific circumstances. Generally, allowed uses and disclosures of PHI are restricted to treatment, payment, or healthcare operations.
HIPAA authorization is permission given by a patient or health plan member that allows a covered entity or business associate to disclose or make use of PHI for a purpose that the HIPAA Privacy Rule would otherwise not permit. Without a HIPAA authorization, using or sharing PHI violates HIPAA Rules and could result in a financial penalty, or in certain cases, criminal charges.
When Should a HIPAA Authorization Be Obtained?
45 CFR §164.508 states the uses and disclosures of PHI where patient or plan member authorization is necessary before data may be shared or used. HIPAA authorization must be secured for:
- Any use or disclosure of PHI that is not allowed by the HIPAA Privacy Rule
- Using or sharing PHI for marketing purposes, except if the communication takes place one on one between the covered entity and the person, or if the communication entails a promotional gift of minimal value
- Use or disclosure of psychotherapy notes other than for particular treatment, bill settlement, or health care operations (45 CFR §164.508(a)(2)(i) and (a)(2)(ii))
- Use or disclosure of information pertaining to substance abuse and treatment
- Use or disclosure of PHI in association with research
- The sale of PHI
What Must a HIPAA Authorization Form Include?
A HIPAA authorization is a document detailing, in full, the precise uses and disclosures of PHI.
When a person signs an authorization, he/she is agreeing to have his/her medical data used or disclosed in the ways stated on the authorization. The covered entity or business associate can only use or disclose PHI for purposes detailed on the authorization.
The authorization form should be written in simple language to make sure it can be easily understood. The following elements must also be included:
- Specific and meaningful details, such as a description of the data to be used or disclosed
- The name of the individual or class of persons permitted to make the requested use or disclosure
- The name(s) of the individual(s) or group of persons to whom the data is going to be disclosed
- A brief description of the reason for the requested use or disclosure. In instances where there is no stated purpose, the phrase “at the request of the individual” is enough
- A particular period of time for the authorization. An expiration date must be included. For uses and disclosures associated with research, the phrase “at the end of the study” may be used, or “none” for research that entails the creation of a research database or repository
- The authorizing individual’s signature and date of signing. If an individual’s authorized representative provided the authorization, there must be a description of the individual’s authority to act on behalf of the person.
The HIPAA authorization should likewise include written statements informing the person of:
- The right to revoke the HIPAA authorization
- Exclusions to the right to revoke and a brief description of how that right can be exercised
- The extent to which the data is incorporated in the notice of privacy practices of the organization
- The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization, by stating either:
  - That the covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization; or
  - The effects of not signing the authorization when the covered entity is allowed to condition treatment, registration in the health plan, or eligibility for benefits on the failure to obtain authorization.
The person giving the consent should be provided with a copy of the authorization form for his/her personal records.