In general, covered entities, defined as follows, cannot disclose protected health information without consent from the person or patient that the information is about under the Privacy Rule. In this post, we will define the privacy rule and covered entities and then review HIPAA consent requirements, as well as sample PHI use and disclosures.
As an auditor of HIPAA, among other security frameworks which provide requirements and guidance in an effort to safeguard protected health information, it’s obvious that there is no one simple approach in which the information is magically protected. Success requires many layers of protection. Including tone at the top where management provides full buy-in that protection of this information is required within the organization, communication of security controls that everyone must follow, data encryption, access controls, data segregations, incident and breach management and the list goes on. The more granular an organization goes in the protection of protected health information, the organization will find less risk and more success.
One of the fundamental principles of the Privacy Rule was to create boundaries in an effort to limit the ways that PHI could be disclosed without specific consent, such as verbal or written, by a covered entity. The Privacy Rule requires that a covered entity disclose PHI in two situations.
There are certain instances where a covered entity does have the ability to use or disclose PHI but depending on the situation, certain consent is required. Keep reading for more details.
To understand HIPAA authorization requirements, one must first know what the Privacy Rule is and who qualifies as a covered entity.
“The Privacy Rule protects most individually identifiable health information held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral.” Source.
The Privacy Rule calls this information “protected health information” or “PHI.” Individually identifiable health information is information including demographic information, that relates to the following per UMASS:
In addition, individually identifiable health information identifies the individual or there is a reasonable basis to believe it can be used to identify the individual.
If there is any confusion about the information your organization hosts, check out another blog that goes into more detail regarding the definitions between personal identifiable information (PII) and protected health information (PHI). This will allow for a more guided approach to data protection and required audits.
A covered entity can be a single person, company, or agency who is one (or any combination of) of the following:
One additional item to note about covered entities is that they oftentimes use business associates to provide services in which PHI is either transferred, accessed, or used in some form or fashion.
Under the Privacy Rule, this is allowed but the covered entity is required to have a Business Associate Agreement in place. This reduces the risk that a business entity uses or discloses PHI in a way that does not protect the user. For example, is it acceptable to send ePHI in an email?
Additionally, oftentimes, the business associate holds the company providing the service liable to certain requirements, such as the proper process of de-identification of personal information, and can undergo legal penalties and/or penalties as defined within the agreement.
In summary, uses and disclosures of PHI fall into three categories with regard to the need to obtain the individual’s consent.
When auditing, we often look at what the requirements are and how a company has controls and processes in place to meet them. But with all requirements come exceptions to those rules and it’s up to the auditor’s professional judgment to determine whether the exception is reasonable. This is similar to doctors and other medical support staff. While keeping the rules in place to support the protection of protected health information should always be at the forefront, there are professional judgment calls that may become the exception. Exceptions called out by HIPAA are reviewed below.
In general, a covered entity may use and disclose PHI for treatment, payment, and health care operations activities (aka, TPO) without obtaining an individual’s written permission (e.g., consent or authorization). According to HHS.gov, “Treatment is the provision, coordination, or management of healthcare and related services for an individual by one or more healthcare providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.”
One exception to this general statement exists concerning psychotherapy notes—see the Written Consent Required section. See more details related to TPO and examples below within the When HIPAA Authorization Requirements Do Not Require Patient Authorization section below.
A covered entity may disclose PHI without individual authorization in certain situations, such as the following:
A covered entity may disclose PHI that it believes is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone you believe can prevent or lessen the threat (including the target of the threat). According to HHS.gov, “Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.”
HIPAA generally requires an explicit HIPAA authorization that allows for the use and disclosure of protected health information. There are, however, instances where verbal consent can be utilized under HIPAA. These instances are reviewed below.
To make disclosures to family and friends involved in an individual’s care or for notification purposes, or to other persons whom the individual identifies, you must obtain informal permission. This is done by asking the individual outright, or by determining that the individual did not object in circumstances that clearly gave the individual the opportunity to agree, acquiesce, or object. According to HHS.gov, “Where an individual is incapacitated, in an emergency situation or not available, a covered entity generally may make such disclosures, if the provider determines through his/her professional judgment that such action is in the best interests of the individual.”
Oftentimes, healthcare facilities have directories with patient information. These directories may have such information as a patient’s name, a summary of their condition, and location within the facility. In these cases, an informal permission, by the patient, can be provided to allow this information to be displayed.
HIPAA was created to protect the use and disclosure of protected health information. As part of this protection, there is a general requirement of written or explicit consent. Below is an overview of the requirement and when it is used in the protection of confidentiality and privacy of patient information.
In general, a covered entity must collect written authorization from the subject before they are legally allowed to use or disclose PHI under the Privacy Rule. As mentioned before, this is to limit the amount of scenarios that could result in protected health information being lost or stolen. The exception to the rule is meant to be limited.
As noted previously, a covered entity cannot disclose psychotherapy notes without an individual’s written authorization.
A covered entity must obtain an individual’s authorization prior to using or disclosing PHI for marketing activities. Marketing is considered any message or statement to the public in an effort to get them to use or seek more information about a product or service. If a specific marketing campaign includes payment, these details must be included as part of the written consent.
A covered entity may not sell PHI without the individual’s authorization (including the licensing of PHI). A sale is a disclosure of PHI in which the covered entity directly or indirectly receives payment from the recipient of the PHI. The Privacy Rules identify certain actions that do not constitute the “sale of PHI” and therefore do not require an individual’s authorization. For example, the sale or merger of a covered entity’s practice falls into this category.
Special rules apply with regard to clinical research, bio-specimen banking, and all other forms of research not involving psychotherapy notes. In some circumstances, patient authorization is required.
An authorization in HIPAA terms is the consent of an individual or patient providing explicit authorization to use or disclose their personal information. Authorizations should have certain elements to be considered valid. Read on to see what those items include.
The creation of the Privacy Rule, as explained above, was meant to protect the use and disclosure of protected health information. Still, the rule takes into consideration certain permissions that, with care, information may be shared to aid in “treatment”, “payment”, and “health care operations”. This is specifically addressed under Privacy Rule 45 CHR 164.501. The reason for this provision is to aid in the continuous and best access to specific treatments and payments which both require the sharing of at least some amount of protected health information as part of day-to-day business operations.
Below are the definitions of treatment, payment, and healthcare operations to better explain how the rule works.
This includes the arrangement or administration of health care among doctors or support staff regarding the patient or if the patient requires a referral to visit another practitioner.
This includes the activities of practitioners and their staff to work with insurance or similar services in receiving payment or authorization under health insurance for certain procedures that have either occurred or need to occur if a pre-authorization is required. Below are examples of common payment activities which include, but are not limited to:
This includes certain operations such as back-office or contractual in nature of a covered entity that are required as part of normal business practices and in support of treatment and payment as explained above. Examples include:
More information related to the uses and disclosures allowed under this rule can be found within 45 CFR 164.506.
As explained above, there are certain conditions under the Privacy Rule that do not require authorization to share protected health information. That is in support of treatment, payment, and health care operations in direct support of a patient. In this situation, the rule provides a covered entity with the option of voluntary consent. Any protected health information shared outside of these exceptions must have explicit authorization from the patient. If explicit authorization has not been provided, it should not be shared.
Under the HIPAA Privacy Rule, covered entities are required to follow specific rules when handling PHI. The use and disclosure of PHI requires certain types of consent, including nonverbal consent or written consent depending on the use case. If you think your information was possibly used or disclosed in an inappropriate manner, the best course of action would be to contact HHS to file an official complaint.
If your company is interested in more information about HIPAA audits, feel free to reach out for more information.
See the following blog posts from Linford & Co for more information:
This article was originally published on 10/16/2019 and was updated on 12/27/2023.
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.