The HIPAA Privacy Rule, which was brought in on April 14 2003, introduced standards in relation to allowable uses and disclosures of health information, including to whom data can be disclosed and under what circumstances protected health information can be sent.
The HIPAA Privacy Rule allows the sharing of health information by healthcare groups, health plans, healthcare clearinghouses, business associates of HIPAA-covered groupss, and other entities covered by HIPAA Rules under certain cases. In general terms, allowable uses and disclosures are for treatment, payment, or health care operations.
HIPAA authorization is permission obtained from a patient or health plan member that allows a covered entity or business associate to use or disclose PHI to an individual/group for a purpose that would otherwise not be allowed by the HIPAA Privacy Rule. Without HIPAA authorization, tp disclose of PHI would breach HIPAA Rules and could attract a severe financial penalty and may even be thought of as to be a criminal act.
HIPAA Authorization is Required When…
45 CFR §164.508 lists the uses and disclosures of PHI that require an authorization to be received from a patient/plan member before information can be shared or used. HIPAA authorization is need for:
- Use or disclosure of PHI otherwise not allowable by the HIPAA Privacy Rule
- Use or disclosure of PHI for marketing purposes apart from when communication occurs face to face between the covered entity and the individual or when the communication includes a promotional gift of nominal value.
- Use or disclosure of psychotherapy remarks other than for specific treatment, payment, or health care treatments (see 45 CFR §164.508(a)(2)(i) and (a)(2)(ii))
- Use or disclosure of substance abuse history and treatment records
- Use or disclosure of PHI in relations to research purposes
- Before to the sale of protected health information
What Must Be Listed on a HIPAA Authorization Form?
A HIPAA authorization is a detailed document in which particular uses and disclosures of protected health are completely explained.
By providing the authorization, an individual is consenting to have their health information used or disclosed for the reasons included on the authorization. Any use or disclosure by the covered entity or business associate must be in line with what is stated on the form.
The authorization form must be completed in plain language to ensure it can be easily understood and at the very least, must contain the following elements:
- Specific and meaningful details, including a description, of the information that will be used or shared
- The name (or other specific identification) of the person or class of persons given permission to make the requested use or disclosure
- The name(s) or other specific identification of the individual or class of persons to whom information will be shared
- A description of the aim of the requested use or disclosure. In instances where a statement of the purpose is not given, “at the request of the individual” is enough
- A specific duration of time for the authorization including an expiration date. In the case of uses and disclosures linked to research, “at the end of the study” can be used or ‘none’ in the case of the creation of a research database or research repository
- A date and signature from the person providing the authorization. If the authorization is being provided by an individual’s authorized representative, a description of the person’s authority to act on behalf of the individual must be included.
Statements must also be listed on the HIPAA authorization to notify the person that:
The right to withdraw the authorization in writing and either:
- Exceptions to the right to revoke and a description of how the right to revoke can be implemented; or
- The extent to which the details included in the group’s notice of privacy practices
The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization by saying either:
- That the covered group may not condition treatment, payment, enrollment or eligibility for benefits on whether the person gives the authorization; or
- The consequences of a refusal to complete the authorization when the covered entity is allowed to condition treatment, enrollment in the health plan, or eligibility for benefits on a failure to receive authorization.
The person giving consent must be given a copy of the authorization form for their own records.