HIPAA authorization

What is HIPAA Authorization?

by

The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights concerning that information. 45 CFR §164.508 states the uses and disclosures of PHI that require authorization from a patient/plan member before information can be shared or used.

It’s important to know that some organizations are considered “partial” or “hybrid” entities. These are usually organizations whose primary function isn’t healthcare or health insurance but who have access to health information that should be protected. An educational institution that provides health services to the public is an example of a partial or hybrid entity.

HIPAA Journal’s recent article entitled “What is HIPAA Authorization?” explains that in some situations, informal consent rather than formal authorization is enough to satisfy the requirement of the HIPAA Privacy Rule. These circumstances are called “Uses and Disclosures with an Opportunity to Agree or Object” and include inclusion in facility directories and notifications to friends and family (of admission into the hospital).

If an individual cannot give their authorization, covered entities must wait until the patient or their legal representative can give their authorization. When only informal consent is required, covered entities can use their professional judgment to determine whether the use or disclosure of PHI is in the patient´s best interests.

Note that the requirements for HIPAA authorizations aren’t the same throughout the country. The HIPAA Privacy Rule is a “federal floor” for permissible uses and disclosures. However, some state laws may pre-empt HIPAA, if they have more stringent regulations.

The clause “covered entities cannot condition treatment, payment, enrollment, or eligibility for benefits” means that a covered entity can’t withhold treatment, payment, enrollment, or eligibility for benefits because a patient or plan member refuses to sign an authorization giving the covered entity additional uses for their PHI, which stands for Protected Health Information (PHI). A patient or plan member shouldn’t be put under any duress to approve the uses and disclosures of PHI, in addition to those permitted by the Privacy Rule.

The law stipulates that there has to be written authorization for every use or disclosure of PHI not required or permitted by the Privacy Rule. The retraction of HIPAA authorization also has to be written. However, HIPAA consent can be verbal, but only when consent – rather than authorization – is an option.

Reference: HIPAA Journal (October 9, 2021) “What is HIPAA Authorization?”

Additional Reading

Estate Planning Essentials for the Sandwich Generation

Estate Planning Essentials for the Sandwich Generation

The Sandwich generation refers to a generation of people who are simultaneously caring for their aging parents and their children. This group often feels “sandwiched” between the needs of their parents and their children and may face challenges in balancing caregiving...

read more
How Marital Trusts Help Protect Blended Families

How Marital Trusts Help Protect Blended Families

Navigating Marital Trusts: Securing Your Spouse's Financial Future Embarking on a journey of blending families brings its own set of joys and challenges. In this blog post, we unravel the complexities of estate planning for blended families and explore why the Marital...

read more
Essential End of Life Documents: What You Need to Know

Essential End of Life Documents: What You Need to Know

End-of-life planning is a crucial aspect of life that often goes unaddressed until it's too late. Beyond drafting wills and trusts, understanding the array of end-of-life documents is paramount for ensuring a comprehensive and legally sound estate plan. This  guide...

read more