A HIPAA authorization is consent obtained from a person that allows a covered entity or business associate to use or disclose his or her protected health information (PHI) to someone else for a purpose that would otherwise not be allowed by the HIPAA Privacy Rule.
HIPAA Journal’s recent article entitled “What is HIPAA Authorization?” addresses some common issues about this rule.
Hybrid entities. Some organizations are considered to be “partial” or “hybrid” entities. They’re usually organizations whose primary function is not healthcare or health insurance, but who have access to health information that should be protected, such as an educational institution who provide health services to the public.
The difference between consent and authorization. Informal consent rather than formal authorization may be enough to fulfil the requirement of the HIPAA Privacy Rule in some situations. These are referred to as “Uses and Disclosures with an Opportunity to Agree or Object” and include inclusion in facility directories and notifications to friends and family (of admission into hospital).
When a person can’t give their authorization. If a patient is unable to give their authorization, covered entities must wait until the patient or their legal representative is able to give their authorization. For circumstances in which only informal consent is required, covered entities can use their professional judgment to determine whether the use or disclosure of PHI is in the patient´s best interests.
The meaning of “covered entities cannot condition treatment, payment, enrollment, or eligibility for benefits.” This means that a covered entity can’t withhold treatment, payment, enrollment, or eligibility for benefits because a patient or plan member refuses to sign an authorization giving the covered entity additional uses for their PHI.
The Requirement of writing. HIPAA requires a written authorization for every use or disclosure of PHI not required or permitted by the Privacy Rule. The retraction of HIPAA authorization must also be written. This protects covered entities in case an individual complains about a use or disclosure of PHI they previously authorized. However, HIPAA consent can be verbal, but only in circumstances when consent – rather than authorization – is an option. These are generally limited to a patient´s inclusion in a hospital directory and notifications to family or friends.
Reference: HIPAA Journal (Oct. 9, 2021) “What is HIPAA Authorization?”