authorization (HIPAA)

Covered entities are permitted a broad range of uses and disclosures of protected health information (PHI) for treatment, payment and other health care operations (TPO), without any permission from the patient. (Covered entities may optionally obtain a consent for such uses.)

For some "extra" activities, the HIPAA Privacy Rule requires that a patient provide an authorization. There are at least five notable areas where authorizations are likely to come into use.

The first is for psychotherapy notes. Use or disclosure of such notes requires an authorization, except for:
- treatment uses by the originator of the notes (i.e., the therapist);
- supervised training of other mental health practitioners within the covered entity; or
- defense against a legal action brought by the subject of the notes.

(Other than psychotherapy notes, the privacy regulations do not identify additional categories of PHI deserving of "extra protection." It is possible that genetic information might come to be included in the near future, but this is purely speculative.)

The second important area where authorizations are required is research, except where waived by an IRB or Privacy Board determination. (The privacy regulations do not include research within the broad definition of healthcare operations.)

The third major area for authorizations is marketing activity that fails to meet certain criteria for exception.

The fourth is in the area of fundraising, for uses of PHI beyond basic demographic information and dates of past services.

The fifth is general requests for, and release of, protected health information, such as information required as part of an insurance coverage application.

Treatment and payment for health services cannot be conditioned on an authorization except for:
- the provision of research-related treatment, which can be conditioned on provision of an authorization for research uses and disclosures;
- enrollment in the health plan or eligibility for benefits can be conditioned on provision of a pre-enrollment authorization for risk-rating or underwriting determinations (except for psychotherapy notes);
- a claim under plan coverage, if the disclosure of information is necessary to determine the level or validity of the payment (again, except for psychotherapy notes); or
- provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party can be conditioned on an authorization for disclosure to that third party (e.g., a life insurance physical exam).

An authorization must be in writing -- "in plain language so that individuals can understand the information contained in the form, and thus be able to make an informed decision." And it must include all of the following core elements to be valid:
- a description of the information to be used or disclosed;
- an identification of the persons or class of persons authorized to make the use or disclosure of the protected health information;
- an identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure;
- a description of each purpose of the use or disclosure;
- an expiration date or event (except for research, where a statement that there is no expiration date may be inserted instead);
- the individual's signature and date; and

Valid authorizations must also contain the following statements, in addition to the above elements:
- that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke, and instructions on how to exercise such right or, to the extent this information is included in the covered entity's Notice of Privacy Practices, a reference to the notice;
- that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Rule or, if conditioning is permitted, a statement about the consequences of refusing to sign the authorization; and
- that, generally, the health information may no longer be protected by the Privacy Rule once it is disclosed by the covered entity (or a more specific statement of redisclosure risks where appropriate).

Covered entities must provide individuals with a copy of the signed authorization.

Multiple authorizations may be combined into a single document. (However, authorizations for use or disclosure of psychotherapy notes may only be combined with other psychotherapy note authorizations.)

In general, authorizations may not be combined with other types of documents, such as the Notice of Privacy Practices or an optional consent. (Informed consents for participation in research and authorizations for use of PHI for research can be combined.)

In the event that multiple authorizations conflict, the institution is bound by the more restrictive arrangement unless/until the conflict is resolved.

Note that the minimum necessary standard does not apply to authorizations of any kind. The rationale is that a person who has signed an authorization has waived a right to limits other than those specified in that authorization. (That said, we believe it is always a good idea to adhere to the minimum necessary standard, even where HIPAA appears not to require it.)

An individual may revoke an authorization at any time, provided that the revocation is in writing, except to the extent that the covered entity has taken actions relying on it. (See especially the discussion of such revocations in the context of research.)

As with other HIPAA documentation retention requirements, covered entities must keep a signed authorization for six years from the date of its creation or the date when it last was in effect, whichever is later.