The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What is HIPAA Authorization?

A HIPAA authorization is a form that must be completed by a patient or a health plan member when a covered entity wishes to use or disclose PHI for a purpose not permitted by the Privacy Rule. The failure to obtain a HIPAA authorization is considered a serious violation of HIPAA compliance.

What is HIPAA Authorization?

The HIPAA Privacy Rule (effective since April 14, 2003) introduced standards covering allowable uses and disclosures of health information, including to whom information can be disclosed and under what circumstances protected health information can be shared.

The HIPAA Privacy Rule permits the sharing of health information by healthcare providers, health plans, healthcare clearinghouses, business associates of HIPAA-covered entities, and other entities covered by HIPAA Rules under certain circumstances. In general terms, permitted uses and disclosures are for treatment, payment, or health care operations, and reporting issues such as domestic abuse to public health agencies.

HIPAA authorization is consent obtained from a patient or health plan member that permits a covered entity or business associate to use or disclose PHI to an individual or entity for a purpose that would otherwise not be permitted by the HIPAA Privacy Rule. Without HIPAA authorization, such a use or disclosure of PHI would violate HIPAA Rules, could attract a severe financial penalty, and may even be determined to be a criminal act.


When is HIPAA Authorization Required?

45 CFR §164.508 details the uses and disclosures of PHI that require an authorization to be obtained from a patient/plan member before information can be shared or used. HIPAA authorization is required for:

  • Use or disclosure of PHI otherwise not permitted by the HIPAA Privacy Rule
  • Use or disclosure of PHI for marketing purposes except when communication occurs face to face between the covered entity and the individual or when the communication involves a promotional gift of nominal value.
  • Use or disclosure of psychotherapy notes other than for specific treatment, payment, or health care operations (see 45 CFR §164.508(a)(2)(i) and (a)(2)(ii))
  • Use or disclosure of substance abuse and treatment records
  • Use or disclosure of PHI for research purposes
  • The sale of protected health information

What Must Be Included on a HIPAA Authorization Form?

A HIPAA authorization is a detailed document in which specific uses and disclosures of protected health information are explained in full.

By signing the authorization, an individual is giving consent to have their health information used or disclosed for the reasons stated on the authorization. Any use or disclosure by the covered entity or business associate must be consistent with what is stated on the form.

The authorization form must be written in plain language to ensure it can be easily understood and, as a minimum, must contain the following elements:

  • Specific and meaningful information, including a description, of the information that will be used or disclosed
  • The name (or other specific identification) of the person or class of persons authorized to make the requested use or disclosure
  • The name(s) or other specific identification of the person or class of persons to whom information will be disclosed
  • A description of the purpose of the requested use or disclosure. In cases where a statement of the purpose is not provided, “at the request of the individual” is sufficient
  • A specific time frame for the authorization, including an expiration date. In the case of uses and disclosures related to research, “at the end of the study” can be used, or “none” in the case of the creation of a research database or research repository
  • A date and signature from the individual giving the authorization. If the authorization is being given by an individual’s authorized representative, a description of the person’s authority to act on behalf of the individual must be detailed.

Statements must also be included on the HIPAA authorization to notify the individual of:

The right to revoke the authorization in writing and either:

  1. Exceptions to the right to revoke and a description of how the right to revoke can be exercised; or
  2. The extent to which the information is included in the organization’s notice of privacy practices

The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization by stating either:

  1. That the covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization; or
  2. The consequences of a refusal to sign the authorization when the covered entity is permitted to condition treatment, enrollment in the health plan, or eligibility for benefits on a failure to obtain authorization.

The individual providing consent must be provided with a copy of the authorization form for their own records.

What is HIPAA Authorization? FAQs

Other than covered entities and business associates, which other entities might be covered by the HIPAA rules?

Some organizations are considered to be “partial” or “hybrid” entities. These are usually organizations whose primary function is not healthcare or health insurance, but which have access to health information that should be protected. An example of a partial or hybrid entity is an educational institution that provides health services to the public.

What is the difference between consent and authorization?

In some circumstances, informal consent rather than formal authorization is sufficient to fulfil the requirement of the HIPAA Privacy Rule. These circumstances are referred to as “Uses and Disclosures with an Opportunity to Agree or Object” and include inclusion in facility directories and notifications to friends and family (of admission into hospital).

What happens if an individual is unable to give their authorization?

If a patient is unable to give their authorization for the activities listed above (under “When is HIPAA Authorization Required?”), covered entities must wait until the patient or their legal representative is able to give their authorization. For circumstances in which only informal consent is required, covered entities can use their professional judgement to determine whether the use or disclosure of PHI is in the patient’s best interests.

Are the requirements for HIPAA authorizations the same throughout the country?

Not necessarily. The Privacy Rule provides a “federal floor” for permissible uses and disclosures, but some state laws may pre-empt HIPAA if they have more stringent regulations. It may also be the case that patients from some states (e.g., Texas) benefit from more stringent privacy protections regardless of the location in which they receive treatment.

What does it mean that “covered entities cannot condition treatment, payment, enrollment, or eligibility for benefits”?

This clause means that a covered entity cannot withhold treatment, payment, enrollment, or eligibility for benefits because a patient or plan member refuses to sign an authorization giving the covered entity additional uses for their PHI. A patient or plan member should not be put under any duress to authorize uses and disclosures of PHI additional to those permitted by the Privacy Rule.

Can a HIPAA authorization be verbal?

No. HIPAA stipulates that there has to be a written authorization for every use or disclosure of PHI not required or permitted by the Privacy Rule. In addition, the retraction of HIPAA authorization also has to be written. This provision is to protect covered entities in the event that an individual makes a complaint about a use or disclosure of PHI they have previously authorized.

Can HIPAA consent be verbal?

HIPAA consent can be verbal, but only in circumstances when consent – rather than authorization – is an option. These are generally limited to a patient’s inclusion in a hospital directory and notifications to family or friends. However, in both cases, the disclosure of PHI should be limited to the patient’s name, their general condition, and their location in the facility.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
