We are often asked to clarify certain elements of HIPAA Rules. One recent question relates to disclosures of protected health information (PHI) and medical records – ‘What is HIPAA authorization?’
What is HIPAA Authorization?
The HIPAA Privacy Rule (effective since April 14, 2003) introduced standards covering allowable uses and disclosures of health information, including to whom information can be disclosed and under what circumstances protected health information can be shared.
The HIPAA Privacy Rule permits the sharing of health information by healthcare providers, health plans, healthcare clearinghouses, business associates of HIPAA-covered entities, and other entities covered by HIPAA Rules under certain circumstances. In general terms, permitted uses and disclosures are for treatment, payment, or health care operations.
HIPAA authorization is consent obtained from a patient or health plan member that permits a covered entity or business associate to use or disclose PHI to an individual/entity for a purpose that would otherwise not be permitted by the HIPAA Privacy Rule. Without HIPAA authorization, such a use or disclosure of PHI would violate HIPAA Rules, could attract a severe financial penalty, and may even be determined to be a criminal act.
When is HIPAA Authorization Required?
45 CFR §164.508 details the uses and disclosures of PHI that require an authorization to be obtained from a patient/plan member before information can be shared or used. HIPAA authorization is required for:
- Use or disclosure of PHI otherwise not permitted by the HIPAA Privacy Rule
- Use or disclosure of PHI for marketing purposes except when communication occurs face to face between the covered entity and the individual or when the communication involves a promotional gift of nominal value.
- Use or disclosure of psychotherapy notes other than for specific treatment, payment, or health care operations (see 45 CFR §164.508(a)(2)(i) and (a)(2)(ii))
- Use or disclosure of substance abuse and treatment records
- Use or disclosure of PHI for research purposes
- Prior to the sale of protected health information
What Must Be Included on a HIPAA Authorization Form?
A HIPAA authorization is a detailed document in which specific uses and disclosures of protected health information are explained in full.
By signing the authorization, an individual is giving consent to have their health information used or disclosed for the reasons stated on the authorization. Any use or disclosure by the covered entity or business associate must be consistent with what is stated on the form.
The authorization form must be written in plain language to ensure it can be easily understood and, as a minimum, must contain the following elements:
- Specific and meaningful information, including a description, of the information that will be used or disclosed
- The name (or other specific identification) of the person or class of persons authorized to make the requested use or disclosure
- The name(s) or other specific identification of the person or class of persons to whom information will be disclosed
- A description of the purpose of the requested use or disclosure. In cases where a statement of the purpose is not provided, “at the request of the individual” is sufficient
- A specific time frame for the authorization including an expiration date. In the case of uses and disclosures related to research, “at the end of the study” can be used or “none” in the case of the creation of a research database or research repository
- A date and signature from the individual giving the authorization. If the authorization is being given by an individual’s authorized representative, a description of the person’s authority to act on behalf of the individual must be detailed.
Statements must also be included on the HIPAA authorization to notify the individual of:
The right to revoke the authorization in writing and either:
- Exceptions to the right to revoke and a description of how the right to revoke can be exercised; or
- The extent to which the information is included in the organization’s notice of privacy practices
The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization by stating either:
- That the covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization; or
- The consequences of a refusal to sign the authorization when the covered entity is permitted to condition treatment, enrollment in the health plan, or eligibility for benefits on a failure to obtain authorization.
The individual providing consent must be provided with a copy of the authorization form for their own records.