It can be confusing to understand the difference between the need for a HIPAA Consent Form and HIPAA Authorization.
The tricky part is, HIPAA consent is oftentimes (unknowingly) referring to HIPAA Authorization!
To make things easier on you and your company, here is a breakdown of HIPAA Consent Forms, HIPAA Authorization, and what is needed to obtain each.
Background on the HIPAA Privacy Rule
In 2003, the HIPAA Privacy Rule introduced standards for uses and disclosures of PHI (Protected Health Information). This includes whom information can be disclosed to, and under what circumstances PHI can be shared. This rule allows for the sharing of PHI by health plans, healthcare providers, HIPAA covered institutions and entities, and others covered by the rules of HIPAA.
Generally, PHI can be shared for treatment, payment, and other health-related operations. These allowable disclosures may be performed without explicit consent from a patient (though there are situations that can induce a HIPAA Privacy Exception).
For example, an ambulance company would not need to obtain patient consent to disclose information about the patient’s EMS transport to a hospital or care provider who is involved in the patient’s treatment because those disclosures are allowed by law. These allowable disclosures extend to insurance companies, specialty care providers, laboratories, pharmacies, and any other covered entities or business associates (with a Business Associate Agreement in place!) that are involved in the patient’s care.
Allowable disclosures do not extend to entities involved in the operations of Business Associates unless those third parties have compliant BAAs as well.
Most importantly, patient authorization is not required when the patients are requesting their own PHI. Remember, we’re all here reading this article because we want to protect patient’s rights and patients have the right to inspect and receive a copy of their PHI. It is the responsibility of covered entities to ensure that patient PHI is available on demand, without reasonable delay.
Now that that’s covered, let’s get to the bottom of this.
What is a HIPAA Consent Form? How does one obtain HIPAA Authorization?
When someone refers to a “HIPAA Consent Form”, it’s likely they are referring to either a form or the process of securing HIPAA authorization.
Authorization is required whenever a disclosure is made outside of the allowable disclosures outlined by the HIPAA Privacy Rule (see below). This consent is obtained from a patient or health plan member that permits a covered entity to use or disclose PHI in one of these circumstances. Without obtaining this HIPAA authorization, this disclosure of PHI would violate HIPAA Rules and could lead to a severe fine by the Office of Civil Rights.
HIPAA Authorizations, sometimes termed Release of Information or ROI, are needed when disclosing patient PHI for research, sales, or marketing purposes, such as posting patient stories on social media. HIPAA Authorization is also required for disclosures of protected classes of PHI including psychotherapy notes and information about substance abuse treatment. One-off cases may also require an authorization, including instances in which the patient has requested that a disclosure be made, such a to a school or to their employer.
But remember! Authorization is only required if the covered entity or business associate is making the disclosure themselves. Authorization would not be required if a patient took their own records and provided them to their school, their employer, or posted them on social media.
A proper HIPAA Authorization form must contain the following
- A specific description of the information that will be used or disclosed.
- The name (or other specific identification) of the person or entity authorized to make the requested use or disclosure.
- The name or other specific identification of the entity whom information will be shared with.
- A description of the purpose of the requested disclosure. If a statement of the purpose is not provided, “at the request of the individual” can be sufficient.
- A specific time frame for the authorization, with an expiration date.
- A date and signature from the individual giving this authorization. (If the authorization is being given by an individual’s authorized representative, a description of the person’s authority to act on behalf of the individual must be detailed.)
Statements must also be included on the HIPAA authorization to notify the individual of:
- The right to revoke the authorization in writing.
- Exceptions to the right to revoke and a description of how the right to revoke can be exercised.
- HIPAA consent forms or HIPAA authorizations are not required for allowable disclosures such those required for treatment, payment, or healthcare operations.
- HIPAA consent is often referring to HIPAA Authorization or an ROI (release of information).
Still unclear about HIPAA authorizations or HIPAA consent forms? Do you need help understanding what’s needed to get HIPAA authorization?
Give us a ring at (503) 389-5666! Gazelle Consulting can help compliance feel like less of a (gazelle’s) horn in your side.