
What is HIPAA Authorization?

McNair Dallas Law

Older man meeting with a medical provider to discuss his personal health information covered by the HIPAA Privacy Rule.

Other than covered entities and business associates, which other entities are covered by the HIPAA rules?

The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights concerning that information. 45 CFR §164.508 states the uses and disclosures of Protected Health Information (PHI) that require authorization from a patient/plan member before information can be shared or used.

HIPAA Journal’s recent article entitled “What is HIPAA Authorization?” explains that in some situations, informal consent rather than formal authorization is enough to satisfy the requirement of the HIPAA Privacy Rule. These circumstances are called “Uses and Disclosures with an Opportunity to Agree or Object” and include inclusion in facility directories and notifications to friends and family (of admission into the hospital).

Most organizations will err on the side of caution and ask a patient to sign a HIPAA Authorization, even if the likely need for it is low. It can be frustrating for some patients to have to sign a different HIPAA Authorization for each medical provider they encounter. A General HIPAA Authorization can be created by an experienced Elder Law Attorney, with provisions that apply to all medical settings.

If an individual cannot give their authorization, covered entities must wait until the patient or their legal representative can give their authorization. When only informal consent is required, covered entities can use their professional judgment to determine whether the use or disclosure of PHI is in the patient's best interests.

Note that the requirements for HIPAA authorizations aren't the same throughout the country. The HIPAA Privacy Rule is a "federal floor" for permissible uses and disclosures. However, some state laws may pre-empt HIPAA if they have more stringent regulations. Texas relies on the HIPAA Statute.

Some organizations are considered “partial” or “hybrid” entities. These are usually organizations whose primary function isn’t healthcare or health insurance but who have access to health information that should be protected. An educational institution that provides health services to the public is an example of a partial or hybrid entity.

The clause “covered entities cannot condition treatment, payment, enrollment, or eligibility for benefits” means that a covered entity can’t withhold treatment, payment, enrollment, or eligibility for benefits because a patient or plan member refuses to sign an authorization giving the covered entity additional uses for their Protected Health Information. A patient or plan member shouldn’t be put under any duress to approve the uses and disclosures of PHI, in addition to those permitted by the Privacy Rule.

The law stipulates that there has to be written authorization for every use or disclosure of PHI not required or permitted by the Privacy Rule. The retraction of HIPAA authorization also has to be written. However, HIPAA consent can be verbal, but only when consent – rather than authorization – is an option.

If you are concerned about who should have access to your personal health information, contact our office today to have a General HIPAA Authorization and other Advance Directives created to uphold your wishes.

Reference: HIPAA Journal (October 9, 2021) “What is HIPAA Authorization?”
