HIPAA is long and complex, with many different stipulations and requirements. Here, we examine just one part of the HIPAA compliance requirements, answering the question: “What is HIPAA authorization?”
“Authorization” is required under the HIPAA Privacy Rule if the covered entity (CE) wishes to use or disclose a patient’s protected health information (PHI) in a manner that is not already permitted by the Rule. The Rule permits uses of PHI such as treatment, payment for healthcare services, or transfer of the data to a third party at the patient’s request. PHI may also be shared with public bodies if the CE suspects the patient is suffering from domestic or child abuse.
If the CE, or one of their business associates (BAs), uses or discloses PHI for any other purpose without the proper authorization from the patient, it would be considered a HIPAA violation. An example of a situation that would require authorization to be obtained is if the CE or BA wishes to use the patient data for marketing purposes.
The Privacy Rule stipulates the exact circumstances under which HIPAA Authorization is required. These are:
- If the use or disclosure of PHI is outside of the scope of what is permitted under the HIPAA Privacy Rule
- If PHI is to be used or disclosed for marketing purposes (unless communication occurs face-to-face between the CE and patient, or when there is a nominal gift attached to the communication)
- If the use and/or disclosure of PHI is related to substance abuse treatment records
- If the PHI is being used or disclosed for research purposes
- If the PHI is to be sold to a third party
- If the PHI is in the form of psychotherapy notes that are not used for specific reasons (see 45 CFR §164.508(a)(2)(i) and (a)(2)(ii)).
It is also important to note that HIPAA authorization is different from consent. The HIPAA Privacy Rule establishes a set of “Uses and Disclosures with an Opportunity to Agree or Object”, which are circumstances under which informal consent is sufficient to be HIPAA compliant. Under this part of the Privacy Rule, for example, informal consent is sufficient to allow a doctor to notify a patient’s family of their health condition.
HIPAA authorization must be obtained via an Authorization Form. This document needs to fully explain how the PHI will be used and to whom it will be disclosed. If the patient chooses to sign the form, they are agreeing to its terms and allowing their PHI to be used and disclosed as detailed in the Authorization Form. If the CE or BA uses the PHI in another manner, it is considered a HIPAA violation.
There are a number of details which must be included on the HIPAA Authorization Form:
- Definitive and meaningful descriptions of what information the CE is requesting to use
- The identity of the person (or class of persons) who can use and disclose the PHI in the requested manner
- The identity of the person (or class of persons) to whom the PHI will be disclosed
- The purpose and intended use of the PHI
- A specific date after which the authorization will no longer be valid (though, in some circumstances, it may be valid to say “none”)
- A notice stipulating that the patient’s authorization may be revoked
- A notice stating the extent to which the PHI will be included in the organization’s notice of privacy practices
- A notice highlighting that the PHI may be disclosed to those who are not subject to HIPAA
- A notice stating that the CE may not condition treatment or the cost of treatment on the patient granting authorization, or
- A notice stating what consequences may befall the patient if the CE is permitted to condition treatment, enrollment in the health plan, or eligibility for benefits on the patient’s authorization
Failure to obtain HIPAA authorization, or to comply with the Authorization Form signed by the patient, is considered a HIPAA violation. Such violations can result in severe financial – or even criminal – penalties, depending on the nature of the violation. If in doubt, CEs should always check to ensure that they are using PHI in a HIPAA-compliant manner.