A patient of an internal medicine practice had been receiving treatment there for over six years. The patient came to the practice and requested that her medical record information be released to an insurance company. She provided the name of the company and the name of the person to whom the report was to be sent. She assured the office manager that she agreed to the release and that no paperwork from the medical office was necessary. Is the consent of the patient enough, or is something more needed to avoid a violation of the HIPAA privacy and security regulations? And if more is needed, what would be necessary?
ANSWER: Yes, more is needed. The practice must obtain not only the consent of the patient, but also “authorization” to release the protected health information (PHI).
A valid authorization is a written document. It may contain any number of additional elements desired by the covered entity, as long as those parts are consistent with the following required elements:
- A description of the information to be used or disclosed,
- The name or other ID of the person(s) authorized to make the requested use or disclosure,
- The name or other ID of the person(s) to whom the use or disclosure is to be made,
- A description of each purpose of the requested use or disclosure,
- An expiration date or expiration event related to the purpose of the use or disclosure,
- The signature of the individual and the date
In addition to these specific elements, the authorization must also contain statements that put the individual requesting the disclosure on notice of:
- The right to revoke the authorization in writing,
- The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, and
- The potential for the PHI disclosed to the individual to no longer be protected
The authorization must be written in “plain language” that the individual can understand, and a copy of the signed authorization must be provided to the individual. The covered entity (CE) must retain a final signed copy.
Some medical office situations involve the use or disclosure of protected health information to third parties, whether related or unrelated to the patient, where the patient has not requested the release. The regulations provide for “uses and disclosures for which an authorization or opportunity to agree or object is not required”. Stated another way, the physician, as a covered entity (CE), does not need the individual’s permission to use or disclose their PHI in certain situations. These situations may include:
- Victims of abuse, neglect or domestic violence
- Health oversight activities
- Judicial and administrative proceedings
- Release related to decedents
- Cadaveric donation purposes
- Research purposes
- Specialized government functions and
- Workers’ compensation
In other situations, however, the HIPAA regulations give an individual the right to agree or object to the use or disclosure of their PHI; stated differently, the individual may give or refuse consent for the proposed use or disclosure. Such consent may be verbal or written in some form and need not contain specific elements of information. These situations may include:
- Use of PHI in directories
- Use of PHI in an individual’s care or
- Use of PHI in notifications
Confusion between the terms “consent” and “authorization” is not unusual, but under the HIPAA regulations they have different meanings. With respect to uses or disclosures of PHI, “consent” refers to a simple verbal agreement or a written agreement with no specific required wording. An “authorization” is a detailed, signed document, containing the information elements noted above, that expresses an individual’s agreement. Authorizations are required for certain uses and disclosures of PHI. Examples (subject to certain exceptions) include:
- Psychotherapy notes
- Sale of PHI or
- Research-related treatment
Every medical practice should be aware of the distinction between the “consent” of an individual and the requirement for an “authorization” from the individual in uses and disclosures of PHI. Covered entities (CEs) should understand the different situations and educate the medical workforce about them as part of ongoing training.