HIPAA Authorization Requirements

HIPAA came into effect in 1996, with the initial goal of easing the transfer of health insurance policies and other health documents between employers. Since then, it has come to cover many aspects of health data, particularly Protected Health Information (PHI). Additions and alterations to HIPAA legislation came in 2003 via the Privacy Rule. Amongst other things, the Privacy Rule established the scenarios and situations in which PHI can be accessed, disclosed, used and transferred. In some cases, for non-routine situations such as marketing, a patient’s authorization may be needed for these tasks.

Consent vs Authorization

Under the Privacy Rule, if a covered entity (CE) wants to access or disclose PHI for tasks related to treatment, payment or health care operations, it does not usually need to obtain the patient’s consent (though it may if it sees fit).

However, if the CE wants to use PHI for something not permitted by the Privacy Rule, it must first obtain the patient’s authorization. This must be obtained via a written authorization document that explicitly describes the intended use of the PHI, including all future parties the PHI may be shared with. To prevent misuse of the data, other information should be included, such as who is permitted to disclose the information and an expiration date for the authorization.

The CE may not condition treatment on the individual providing authorization, though there are some exceptions to this. Additionally, once a person’s authorization has been obtained, the minimum necessary rule does not apply to the disclosure it covers.

Obtaining a Valid Authorization

For an authorization to be valid, it must contain the following elements:

  • A meaningful description of the information to be disclosed
  • The name of the individual, or the name of the person authorized to make the requested disclosure
  • The name or other identification of the recipient of the information
  • A description of each purpose of the disclosure (the statement “at the request of the individual” is sufficient when the individual initiates the authorization and does not, or elects not to, provide a statement of the purpose)
  • An expiration date, or an expiration event that relates to the individual
  • The signature of the individual or their personal representative (someone authorized to make health care decisions on behalf of the individual), and the date

The patient must also be provided with a copy of the authorization. They also retain the right to revoke their permission, in writing, even after the authorization has been signed.

When is Authorization Necessary?

As detailed above, a CE must obtain a patient’s authorization for any use of PHI that is not permitted by the Privacy Rule. Once authorization has been obtained, the CE may use the PHI only for the purpose described in the authorization.

One common use for which authorization is obtained is marketing. If the marketing involves payment or other financial remuneration to the CE, the authorization document must state this. Authorization for marketing need not be obtained in either of the following situations:

  1. When the communication occurs in a face-to-face encounter between the covered entity and the individual; or
  2. When the communication involves a promotional gift of nominal value.

Other common instances where authorization must be obtained include sharing psychotherapy notes or selling PHI.

Authorization: Summary

Authorization is different from consent in that it concerns uses and disclosures not otherwise permitted by the Privacy Rule. It must be obtained via a written document that describes the intended use, who will disclose the information and to whom it will be disclosed. Authorization is most often needed for marketing purposes, though there are other scenarios such as the sale of PHI or the sharing of psychotherapy notes. Valid authorization is a HIPAA requirement, and using or disclosing PHI without it can attract serious penalties.