Gazelle Consulting

HIPAA Consent Form – How to Obtain HIPAA Authorization

Stronger HIPAA enforcement
It can be confusing to understand the difference between the need for a HIPAA Consent Form and HIPAA Authorization. The tricky part is, HIPAA consent is oftentimes (unknowingly) referring to HIPAA Authorization! To make things easier on you and your company, here is a breakdown of HIPAA Consent Forms, HIPAA Authorization, and what is needed to obtain each.

Background on the HIPAA Privacy Rule

In 2003, the HIPAA Privacy Rule introduced standards for uses and disclosures of PHI (Protected Health Information). This includes whom information can be disclosed to, and under what circumstances PHI can be shared. This rule allows for the sharing of PHI by health plans, healthcare providers, HIPAA covered institutions and entities, and others covered by the rules of HIPAA. Generally, PHI can be shared for treatment, payment, and other health-related operations. These allowable disclosures may be performed without explicit consent from a patient.
For example, an ambulance company would not need to obtain patient consent to disclose information about the patient’s EMS transport to a hospital or care provider who is involved in the patient’s treatment because those disclosures are allowed by law. These allowable disclosures extend to insurance companies, speciality care providers, laboratories, pharmacies, and any other covered entities or business associates (with a Business Associate Agreement in place!) that are involved in the patient’s care. Allowable disclosures do not extend to entities involved in the operations of Business Associates unless those third parties have compliant BAAs as well.
Most importantly, patient authorization is not required when the patients are requesting their own PHI. Remember, we’re all here reading this article because we want to protect patient’s rights and patients have the right to inspect and receive a copy of their PHI. It is the responsibility of covered entities to ensure that patient PHI is available on demand, without reasonable delay.
Now that that’s covered, let’s get to the bottom of this.

What is a HIPAA Consent Form? How does one obtain HIPAA Authorization?

When someone refers to a “HIPAA Consent Form”, it’s likely they are referring to either a form or the process of securing HIPAA authorization.Authorization is required whenever a disclosure is made outside of the allowable disclosures outlined by the HIPAA Privacy Rule (see below). This consent is obtained from a patient or health plan member that permits a covered entity to use or disclose PHI in one of these circumstances. Without obtaining this HIPAA authorization, this disclosure of PHI would violate HIPAA Rules and could lead to a severe fine by the Office of Civil Rights.
HIPAA Authorizations, sometimes termed Release of Information or ROI, are needed when disclosing patient PHI for research, sales, or marketing purposes, such as posting patient stories on social media. HIPAA Authorization is also required for disclosures of protected classes of PHI including psychotherapy notes and information about substance abuse treatment. One-off cases may also require an authorization, including instances in which the patient has requested that a disclosure be made, such a to a school or to their employer. But remember! Authorization is only required if the covered entity or business associate is making the disclosure themselves. Authorization would not be required if a patient took their own records and provided them to their school, their employer, or posted them on social media.

A proper HIPAA Authorization form must contain the following

  • A specific description of the information that will be used or disclosed.
  • The name (or other specific identification) of the person or entity authorized to make the requested use or disclosure.
  • The name or other specific identification of the entity whom information will be shared with.
  • A description of the purpose of the requested disclosure. If a statement of the purpose is not provided, “at the request of the individual” can be sufficient.
  • A specific time frame for the authorization, with an expiration date.
  • A date and signature from the individual giving this authorization. (If the authorization is being given by an individual’s authorized representative, a description of the person’s authority to act on behalf of the individual must be detailed.)

Statements must also be included on the HIPAA authorization to notify the individual of:

  • The right to revoke the authorization in writing.
  • Exceptions to the right to revoke and a description of how the right to revoke can be exercised.

Takeaways:

  • HIPAA consent forms or HIPAA authorization are not required for allowable disclosures such those required for treatment, payment, or healthcare operations.
  • HIPAA consent is often referring to HIPAA Authorization or an ROI.
Share on facebook
Facebook
Share on google
Google+
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on pinterest
Pinterest

Popular Posts

  • 2018’s Most Interesting HIPAA Violation Cases

    2018’s Most Interesting HIPAA Violation Cases

    Since the 2003, the Enforcement Act, an addendum to HIPAA that gave the OCR the right to enforce HIPAA on behalf of the HHS, we’ve seen an ever increasing number of fines and breaches.

  • The Specter of HIPAA Enforcement

    Who Enforces HIPAA?

    HIPAA, which stands for the Health Insurance Portability and Accountability Act, is enforced by the Office for Civil Rights (OCR), which is an arm of the Department of Health and Human Services (HHS).

  • Stronger HIPAA enforcement

    HIPAA Consent Form – How to Obtain HIPAA Authorization

    Earlier this month, the Office for Civil Rights (OCR) announced a new plan to strengthen HIPAA enforcement in response to criticism from the Office of Inspector General (OIG). The OCR will be beefing up their compliance investigations and expanding their audit program in 2016.

  • What if patient records get lost or deleted?

    Whether it be an delete happy IT admin, a theft, or a glitch in your system, lost health records can have an impact on your patients...

  • What is the Purpose of HIPAA?

    What is the purpose of HIPAA?

    HIPAA compliance can be confusing. Is it HIPAA or HIPPA? Do I need to be HIPAA compliant? Who enforces HIPAA? Gazelle Consulting is here to answer your questions and help you to achieve compliance quickly and painlessly!