HIPAA Authorization: Requirements & Consent for Disclosing PHI

HIPAA Authorization Requirements and Consent

In general, covered entities, defined as follows, cannot disclose protected health information without consent from the person or patient that the information is about under the Privacy Rule. In this post, we will define the privacy rule and covered entities and then review HIPAA consent requirements, as well as sample PHI use and disclosures.

As an auditor of HIPAA, among other security frameworks which provide requirements and guidance in an effort to safeguard protected health information, it’s obvious that there is no one simple approach in which the information is magically protected. Success requires many layers of protection. Including tone at the top where management provides full buy-in that protection of this information is required within the organization, communication of security controls that everyone must follow, data encryption, access controls, data segregations, incident and breach management and the list goes on. The more granular an organization goes in the protection of protected health information, the organization will find less risk and more success.

What Are the Fundamental Principles of the HIPAA Privacy Rule?

One of the fundamental principles of the Privacy Rule was to create boundaries in an effort to limit the ways that PHI could be disclosed without specific consent, such as verbal or written, by a covered entity. The Privacy Rule requires that a covered entity disclose PHI in two situations.

There are certain instances where a covered entity does have the ability to use or disclose PHI but depending on the situation, certain consent is required. Keep reading for more details.

Covered entities with the HIPAA privacy rule

Covered Entities Under The HIPAA Privacy Rule

To understand HIPAA authorization requirements, one must first know what the Privacy Rule is and who qualifies as a covered entity.

The Privacy Rule protects most individually identifiable health information held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral.” Source.

The Privacy Rule calls this information “protected health information” or “PHI.” Individually identifiable health information is information including demographic information, that relates to the following per UMASS:

In addition, individually identifiable health information identifies the individual or there is a reasonable basis to believe it can be used to identify the individual.

If there is any confusion about the information your organization hosts, check out another blog that goes into more detail regarding the definitions between personal identifiable information (PII) and protected health information (PHI). This will allow for a more guided approach to data protection and required audits.

What is a Covered Entity?

A covered entity can be a single person, company, or agency who is one (or any combination of) of the following:

One additional item to note about covered entities is that they oftentimes use business associates to provide services in which PHI is either transferred, accessed, or used in some form or fashion.

Under the Privacy Rule, this is allowed but the covered entity is required to have a Business Associate Agreement in place. This reduces the risk that a business entity uses or discloses PHI in a way that does not protect the user. For example, is it acceptable to send ePHI in an email?

Additionally, oftentimes, the business associate holds the company providing the service liable to certain requirements, such as the proper process of de-identification of personal information, and can undergo legal penalties and/or penalties as defined within the agreement.

HIPAA consent

When is Written or Verbal HIPAA Consent Required for PHI?

In summary, uses and disclosures of PHI fall into three categories with regard to the need to obtain the individual’s consent.

  1. No consent required.
  2. Verbal consent or acquiescence required.
  3. Written consent required.

No Consent Required — TPO, Public Health & Safety, Imminent Danger

When auditing, we often look at what the requirements are and how a company has controls and processes in place to meet them. But with all requirements come exceptions to those rules and it’s up to the auditor’s professional judgment to determine whether the exception is reasonable. This is similar to doctors and other medical support staff. While keeping the rules in place to support the protection of protected health information should always be at the forefront, there are professional judgment calls that may become the exception. Exceptions called out by HIPAA are reviewed below.

Treatment, Payment, and Healthcare Operations (TPO)

In general, a covered entity may use and disclose PHI for treatment, payment, and health care operations activities (aka, TPO) without obtaining an individual’s written permission (e.g., consent or authorization). According to HHS.gov, “Treatment is the provision, coordination, or management of healthcare and related services for an individual by one or more healthcare providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.”

One exception to this general statement exists concerning psychotherapy notes—see the Written Consent Required section. See more details related to TPO and examples below within the When HIPAA Authorization Requirements Do Not Require Patient Authorization section below.

Public Health and Safety

A covered entity may disclose PHI without individual authorization in certain situations, such as the following:

Prevent or Lessen Imminent Danger

A covered entity may disclose PHI that it believes is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone you believe can prevent or lessen the threat (including the target of the threat). According to HHS.gov, “Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.”

Verbal Consent or Acquiescence Required — Disclosures to Family or Facility Directories

HIPAA generally requires an explicit HIPAA authorization that allows for the use and disclosure of protected health information. There are, however, instances where verbal consent can be utilized under HIPAA. These instances are reviewed below.

Disclosures to Family, Friends & Others

To make disclosures to family and friends involved in an individual’s care or for notification purposes, or to other persons whom the individual identifies, you must obtain informal permission. This is done by asking the individual outright, or by determining that the individual did not object in circumstances that clearly gave the individual the opportunity to agree, acquiesce, or object. According to HHS.gov, “Where an individual is incapacitated, in an emergency situation or not available, a covered entity generally may make such disclosures, if the provider determines through his/her professional judgment that such action is in the best interests of the individual.”

Disclosures in Facility Directories

Oftentimes, healthcare facilities have directories with patient information. These directories may have such information as a patient’s name, a summary of their condition, and location within the facility. In these cases, an informal permission, by the patient, can be provided to allow this information to be displayed.

Written Consent Required — General Requirements, Physicians, Marketing, Sales, & Licensing

HIPAA was created to protect the use and disclosure of protected health information. As part of this protection, there is a general requirement of written or explicit consent. Below is an overview of the requirement and when it is used in the protection of confidentiality and privacy of patient information.

General Requirements

In general, a covered entity must collect written authorization from the subject before they are legally allowed to use or disclose PHI under the Privacy Rule. As mentioned before, this is to limit the amount of scenarios that could result in protected health information being lost or stolen. The exception to the rule is meant to be limited.

Psychotherapy Notes

As noted previously, a covered entity cannot disclose psychotherapy notes without an individual’s written authorization.

Marketing Activities

A covered entity must obtain an individual’s authorization prior to using or disclosing PHI for marketing activities. Marketing is considered any message or statement to the public in an effort to get them to use or seek more information about a product or service. If a specific marketing campaign includes payment, these details must be included as part of the written consent.

PHI Sales and Licensing

A covered entity may not sell PHI without the individual’s authorization (including the licensing of PHI). A sale is a disclosure of PHI in which the covered entity directly or indirectly receives payment from the recipient of the PHI. The Privacy Rules identify certain actions that do not constitute the “sale of PHI” and therefore do not require an individual’s authorization. For example, the sale or merger of a covered entity’s practice falls into this category.

Research

Special rules apply with regard to clinical research, bio-specimen banking, and all other forms of research not involving psychotherapy notes. In some circumstances, patient authorization is required.

HIPAA authorization requirements

Valid HIPAA Authorization Requirements

An authorization in HIPAA terms is the consent of an individual or patient providing explicit authorization to use or disclose their personal information. Authorizations should have certain elements to be considered valid. Read on to see what those items include.

  1. The information that is going to be disclosed should be defined and clear to the individual providing their consent.
  2. Each form should include a spot for the individual to print their name so that it is obvious who is providing authorization.
  3. Explicit information about who may use or disclose the PHI as a direct result of providing authorization.
  4. A detail of each use or disclosure that will be a result of the authorization. An individual providing authorization should understand how their information is planning to be used or disclosed.
  5. A date of expiration where the authorization is no longer valid and their information can no longer be used or disclosed.
  6. Finally, there should be an area where the individual providing their authorization can provide their signature.

When is patient authorization not required?

When HIPAA Authorization Requirements Do Not Require Patient Authorization

The creation of the Privacy Rule, as explained above, was meant to protect the use and disclosure of protected health information. Still, the rule takes into consideration certain permissions that, with care, information may be shared to aid in “treatment”, “payment”, and “health care operations”. This is specifically addressed under Privacy Rule 45 CHR 164.501. The reason for this provision is to aid in the continuous and best access to specific treatments and payments which both require the sharing of at least some amount of protected health information as part of day-to-day business operations.

Below are the definitions of treatment, payment, and healthcare operations to better explain how the rule works.

Treatment

This includes the arrangement or administration of health care among doctors or support staff regarding the patient or if the patient requires a referral to visit another practitioner.

Payment

This includes the activities of practitioners and their staff to work with insurance or similar services in receiving payment or authorization under health insurance for certain procedures that have either occurred or need to occur if a pre-authorization is required. Below are examples of common payment activities which include, but are not limited to:

Health Care Operations

This includes certain operations such as back-office or contractual in nature of a covered entity that are required as part of normal business practices and in support of treatment and payment as explained above. Examples include:

More information related to the uses and disclosures allowed under this rule can be found within 45 CFR 164.506.

HIPAA authorization vs. consent

HIPAA Authorization vs. Consent – What is the Difference?

As explained above, there are certain conditions under the Privacy Rule that do not require authorization to share protected health information. That is in support of treatment, payment, and health care operations in direct support of a patient. In this situation, the rule provides a covered entity with the option of voluntary consent. Any protected health information shared outside of these exceptions must have explicit authorization from the patient. If explicit authorization has not been provided, it should not be shared.

Summary of HIPAA Consent Requirements

Under the HIPAA Privacy Rule, covered entities are required to follow specific rules when handling PHI. The use and disclosure of PHI requires certain types of consent, including nonverbal consent or written consent depending on the use case. If you think your information was possibly used or disclosed in an inappropriate manner, the best course of action would be to contact HHS to file an official complaint.

If your company is interested in more information about HIPAA audits, feel free to reach out for more information.

See the following blog posts from Linford & Co for more information:

This article was originally published on 10/16/2019 and was updated on 12/27/2023.

jaclyn-finney

Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.

Related Posts: