go to University of Miami home page
 
go to site home pagego to reports pagego to laws and regulations pagego to glossary indexgo to FAQ indexgo to training matls indexgo to web links pagego to bibliography pagego to contact directory page


Home > Glossary Index >

 

 

consent (HIPAA)

This entry describes the version of the consent requirements in effect prior to the 14 August 2002 revisions. See the current version.

HIPAA requires that health care providers obtain a "consent" from all patients with whom they have a direct treatment relationship before using or disclosing protected health information (PHI) for treatment, payment or other health care operations (TPO).

(Note: A consent is different from a HIPAA authorization; the latter is used to permit "extra" disclosures above and beyond TPO.)

Providers that have only an indirect treatment relationship (such as labs that interact only with providers, not patients) do not need a consent to exchange protected health information, nor do health plans and health care clearinghouses. Patient consents at the point where PHI is generated -- that is, in interactions with direct treatment providers -- is sufficient. (Plans, clearinghouses and indirect providers may nonetheless optionally obtain consents.)

Consent is not required prior to treatment even by direct providers in the following circumstances:

  • emergencies, where obtaining consent would impede prompt treatment;
  • where communications barriers (such as language) make it impossible, but consent can be reasonably inferred; or
  • in circumstances where the providers is obligated to treat, but cannot obtain prior consent.

In such cases, providers must document why consent could not be obtained, and make a reasonable effort to secure consent as soon as possible after treatment. (Note that health care provided to prison inmates is exempted from consent requirements of any kind.)

Health care providers are allowed to condition treatment on a patient's provision of consent, and health plans may condition enrollment and payment on consent as well. (Note that treatment and payment cannot be conditioned on authorizations, however.)

An integrated health provider may obtain a "joint consent" that covers PHI use in all of its facilities. A joint consent must name, or otherwise clearly identify, all the entities to which it applies.

Consents for PHI use and disclosure:

  • may be combined with other types of "permission documents," such as informed consent for treatment or assignment of benefits, as well as with research and other authorizations;
  • if combined with other documents, it must nonetheless be "visually and organizationally separate," as well as separately signed and dated;
  • need be obtained only once, and remain in effect for an unlimited duration unless/until revoked by the patient;
  • retained for six years from the date of its creation, or the date when it last was in effect, whichever is later (retention can be in paper or electronic form).

Revocation of a consent by a patient must be made in writing and takes effect immediately. Such revocations do not extend to actions already taken in reliance on the consent (e.g., a revocation after treatment, but before payment for that treatment).

In addition to being written in "plain language," PHI consents must include the following information about a patient's rights under HIPAA, including that:

  • protected health information may be used and disclosed to carry out treatment, payment, or health care operations;
  • the notice of privacy practices contains a more complete description of such uses and disclosures;
  • the individual has the right to review the notice prior to signing the consent;
  • the terms of its notice may change (a description of how the individual may obtain a revised notice must be included);
  • the individual has the right to request that the covered entity restrict how protected health information is used or disclosed to carry out treatment, payment, or health care operations;
  • the covered entity is not required to agree to requested restrictions; but if it does, the restriction is binding;
  • the individual has the right to revoke the consent in writing, except to the extent that the covered entity has taken action in reliance on it.

If a covered entity obtains both a consent and an authorization, the more restrictive agreement applies absent permission from the individual that resolves the conflict in a less constraining way. The permission may be in writing or oral, but if in the latter form must be documented.

see also:

 

last modified: 27-Jun-2003 [RC]

 

<< Back | P/DP Home | Glossary Index | Site Help | Search
 
  Privacy Policy Copyright Disclaimer Contact Info