Consent is vital in every care or treatment procedure. As a healthcare provider, you are responsible for obtaining your patient’s consent, especially when it comes to matters concerning the use or sharing of their protected health information (PHI). While verbal consent may suffice, asking patients for a HIPAA written authorization serves as documented proof.
Below, you will learn why written authorization is crucial for protecting patients’ rights and how it can help ensure compliance with industry and privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA).
What is HIPAA Written Authorization?
A HIPAA written authorization refers to the documented consent of a patient or individual giving a covered entity permission to disclose or use their PHI.
Purpose of a written authorization
In other words, a HIPAA written authorization represents the patient’s voluntary agreement to allow certain providers or entities to access, use, or disclose their PHI. Doing so allows specific providers (e.g., hospitals and clinics) to share important medical information for purposes that are otherwise prohibited under HIPAA guidelines.
How Written Authorization Differs From Other HIPAA Consent Forms
Unlike informed consent, a written authorization states the privacy risks of using or disclosing PHI for research or other purposes. Meanwhile, informed consent provides a clear and detailed explanation of how the provider will protect the confidentiality of a patient’s medical records.
Below are the other types of HIPAA consent forms:
HIPAA Privacy Notice
Also called Notice of Privacy Practices, this form explains in detail how a health care provider collects, uses, and handles the patient’s sensitive health information. Drafting this notice requires the inclusion of specific details, including but not limited to the following:
- The types of PHI that you will collect (e.g., names, phone numbers, addresses)
- Your organization’s contact details
- The purpose of collection (e.g., research, treatment)
- Your notification process in the event of a healthcare data breach (e.g., email, press release)
Acknowledgment of Privacy Notice
This is a separate form that patients must sign to acknowledge the receipt of the HIPAA Privacy Notice. It includes a section for patients to affix their signatures. Once signed, this form attests that the provider has performed their due responsibility to inform the patients regarding how their PHI will be used, shared, or disclosed.
When dealing with sensitive information like psychotherapy notes as a mental health provider, obtaining proper patient authorization through written authorization becomes even more critical. These practices ensure that patients’ privacy rights are upheld and that the necessary legal and ethical steps are taken in the sharing and handling of their health information.
HIPAA Release of Information
This form permits health care providers or any covered entity to disclose a patient’s sensitive health details to a third party. This type of document is useful when there is a need to share a patient’s medical records or laboratory tests with a specialist or secondary care provider. It is also a requirement when sharing health-related information with insurance companies.
Business Associate Agreement (BAA)
Organizations and businesses outside of HIPAA’s covered entities must sign a valid business associate agreement form to maintain the security and privacy of protected health information. It indicates the associates’ responsibilities regarding the storage, handling, and disclosure of PHI and the potential repercussions of failing to comply with the requirements set by HIPAA.
The Key Components of HIPAA Written Authorization
The written authorization must comply with the HIPAA Privacy Rule and should include the following statements:
- The patient’s right to revoke or withdraw consent at any given time
- The provider or covered entity must not use or disclose the protected health information for purposes other than those stated in the HIPAA written authorization
- Once obtained, the healthcare provider must not use the written authorization as a replacement or substitute for other forms of consent
Required elements for a valid authorization form
Aside from the statements mentioned above, a valid HIPAA written authorization form must contain the following elements in clear and plain language:
- A description of the PHI
- The name of the patient, individual, or representative making the authorization
- The name of the authorized person or organization to receive the PHI
- A detailed description of the authorization’s purpose
- Expiration date (the date after which the authorization is no longer considered valid)
- The signature of the individual or patient making the authorization
When Is Written Authorization Required?
A HIPAA written authorization form must be completed by a patient or a health plan member when the provider or organization requests to use or disclose PHI in specific situations. Failure to obtain one violates the HIPAA Privacy Rule.
Circumstances that necessitate written authorization
A HIPAA authorization is required for the following scenarios:
- If the HIPAA Privacy Rule does not permit the use or disclosure
- If your organization will use the PHI for marketing purposes, except for in-person communication between the individual and covered entity involving a promotional gift
- When disclosing or using psychotherapy notes for other purposes outside of treatment or payment
- When using or disclosing substance abuse and treatment records
- When disclosing or using PHI for research purposes
- When you’re planning to sell PHI
5 Exceptions to the Written Authorization Rule
The U.S. Department of Health and Human Services (HHS) issued a bulletin stating that covered entities and business associates may release protected health information (PHI) under the HIPAA Privacy Rule during a public health emergency, even without a patient’s authorization.
Here are some of the exceptions to the rule:
1. Preventing a serious threat
Under 45 CFR 164.512(j), healthcare providers may disclose PHI for public health purposes. If there’s an imminent threat, like the risk of spreading a disease, the law authorizes them to notify affected individuals for their safety.
2. Treating the patient during an emergency
In some cases where the patient needs immediate care, covered entities may disclose PHI for treatment purposes. The same goes for patients referred to another physician who will need medical records to diagnose or treat them.
3. Billing the insurance company or third-party payors
Healthcare organizations may disclose PHI for payment purposes. Bills requesting payment include a patient’s basic information, diagnosis, and procedures done. It is necessary to release these details to get approval from a health insurance provider.
4. Conducting government functions
A written authorization may not be required for government purposes like military missions or other national security services. The same applies when protecting inmates or employees in a correctional institution or enrolling in government benefit programs.
5. Providing benefits for work-related injuries or illnesses
For workplace-related injuries, healthcare providers may disclose confidential medical records without the patient’s written consent or authorization. The HIPAA Privacy Rule permits insurers and other entities involved in the workers’ compensation systems to access PHI to obtain payment for the injured worker.
Make Your Patient’s Privacy a Top Priority
Obtaining patient consent is crucial to ensure data privacy and security when releasing confidential medical records. With HIPAA written authorization, you can clearly explain to your patients your intended purpose for using or disclosing their PHI. At the same time, you ensure your organization’s compliance with HIPAA and avoid the costly penalties of failing to protect a patient’s privacy.