Wednesday, June 28, 2017

Patient Authorization

What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?
 Healthcare Compliance Solutions Inc.
The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations (TPO). Covered entities that do so have complete discretion to design a process that best suits their needs.

By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than TPO (treatment, payment, or health care operations), or to disclose protected health information to a third party specified by the individual.

HIPAA requires that certain elements be present on the authorization that the patient is to sign. Whenever you receive an authorization (or “release”) asking you to disclose PHI and HIPAA requires an authorization for the disclosure, use this checklist to verify that the authorization meets the HIPAA requirements. If any ONE of the following elements is missing, you should NOT release the patient’s PHI until you have a valid authorization signed by the patient. If ALL the elements are present, the authorization is valid.

• A description of the PHI to be used or disclosed that identifies it in a specific and meaningful fashion. They may request the entire medical record, all records between specific dates, or other specific items.

• The name or other specific identification of the person(s), or class of persons, who can make the requested use or disclosure. For example, the signed request should list either your organization or someone in your organization by name.

• The person(s), or class of persons, to whom you may make the requested disclosure. The specific entity(ies) to receive the information should be identified. A cover sheet stating who should receive the information is NOT sufficient.

• A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when a patient initiates the authorization and does not, or elects not to, provide a statement of the purpose. The above statement or some other description must be present.

• An expiration date or an expiration event that is related to the individual or the purpose of the use and disclosure. The statement “end of research study”, “none”, or similar language is sufficient if the authorization is for a use or disclosure of PHI for research. Again, the statement must be present.

• Signature of the patient and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.

• In addition to the core elements, the rule states that a valid authorization must include:
  1. A statement of the individual’s right to revoke the authorization, in writing, and either:
    • A reference to the revocation right and procedures described in the notice, or
    • A statement about the exceptions to the right to revoke, and a description of how the individual may revoke the authorization
    Exceptions to the right to revoke include situations in which the covered entity has already taken action in reliance on the authorization, or the authorization was obtained as a condition of obtaining insurance coverage. (*Note that if an authorization is revoked it must be fully documented in a separate "revocation of authorization" form/document.)

  2. A statement about the ability or inability of the covered entity to condition treatment, payment, enrollment, or eligibility for benefits on the authorization:

    • The covered entity must state that it may not condition treatment, payment, enrollment, or eligibility for benefits on whether the individual signs the authorization, or
    • The covered entity must describe the consequences of a refusal to sign an authorization when the covered entity conditions research-related treatment, enrollment or eligibility for benefits, or the provision of healthcare, solely for the purpose of creating protected health information for a third party on obtaining an authorization.

  3. A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and may no longer be protected by the rule
•    The ability or inability to condition treatment on the authorization by stating either:  
  1. The covered entity may not condition treatment on whether the individual signs the authorization or 
  2. The consequences to the individual for refusal to sign the authorization.  (Remember that there are very limited circumstances in which action can be a condition on a patient signing an authorization.)
•    A statement that informs of the potential for information to be re-disclosed by the person or organization to which it is sent.  The privacy of this information may not be protected under the Federal Privacy Rule depending on whom the information is disclosed to.

*Authorization for marketing purposes: If the requested use or disclosure is for marketing purposes. If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state such remuneration.

The HITECH Omnibus Rule requires a valid authorization be obtained from an individual before the use or disclosure of PHI for marketing purposes involving financial remuneration. The authorization must also include a statement about any direct or indirect remuneration the covered entity has received or will receive from a third party. An authorization for marketing purposes can be included on the organization’s compliant HIPAA authorization form or a separate one may be created.

The following are exceptions to the marketing rule and do not require an authorization:
  • Face-to-face communications from the covered entity to the individual 
  • Gifts of nominal value provided by the covered entity


To subscribe to this blog, enter your email address:

Delivered by FeedBurner