A Comprehensive Guide to HIPAA and Patient Authorization

Modified on Tue, 13 Aug at 5:05 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


What is a Patient Authorization?

A patient authorization is a written document, signed by a patient and containing legally required content, that authorizes a provider or health plan to use PHI for specified purposes or to disclose PHI to specified entities. 


When is Written Patient Authorization NOT Required?

Written patient authorization is not required for uses and disclosures that a practice makes directly to the patient. Under the HIPAA right of access rule, patients have the right to inspect and obtain a copy of protected health information about themselves in a designated record set. A provider may require a patient to make a request for access, provided that the provider informs the patient of such a requirement.


May a Healthcare Provider Share Patient PHI with Other Healthcare Providers for Treatment Purposes Without the Patient’s Authorization? 

Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization. This includes sharing the information to consult with other providers, including providers who are not covered entities, to treat a different patient, or to refer the patient.


May a Healthcare Provider Use or Disclose Patient PHI for Payment Purposes?

Yes. A covered entity may use or disclose protected health information for its own payment purposes.  A covered entity may also disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information. These activities may be done without having to obtain patient authorization.


Please note that consent (permission) is also not required for the above activities. Consent is optional. A provider may seek written or verbal consent if it wishes to, but it is not required to.


May a Healthcare Provider Use or Disclose Patient PHI for Healthcare Operations Purposes?

A covered entity may use or disclose protected health information for its own healthcare operations, without having to obtain patient authorization. A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, without patient authorization, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is:


(i) For a purpose listed in paragraph (1) or (2) of the definition of healthcare operations; or


(ii) For the purpose of health care fraud and abuse detection or compliance.


Paragraph (1) of the definition of healthcare operations is: Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities (as defined in 42 CFR 3.20); population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment. 


Paragraph (2) of the definition of healthcare operations is: “Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.”


When is Written Patient Authorization Required?

Patient authorization is required for:


1. Marketing

2. Sale of protected health information

3. Social media disclosures

4. Research

5. Disclosure of psychotherapy notes

6. Whenever there is not a specific Privacy Rule provision permitting or requiring a use or disclosure. 


Marketing

Generally, any communication that meets the Privacy Rule definition of “marketing” is not permitted, unless the covered entity obtains an individual’s authorization. 


There is an exception to this rule. A communication does not require an authorization, even if it is marketing, if it is in the form of a face-to-face communication made by a covered entity to an individual; or a promotional gift of nominal value provided by the covered entity. For example, no prior authorization is necessary when: 


1. A hospital provides a free package of formula and other baby products to new mothers as they leave the maternity ward. 

2. An insurance agent sells a health insurance policy in person to a customer and, in the same face-to-face meeting, also markets a casualty and life insurance policy. 


If the marketing involves direct or indirect remuneration to the covered entity from a third party, authorization must be obtained, and the authorization must state that such remuneration is involved.  


Sale

Sale of protected health information means a disclosure of protected health information by a covered entity or business associate, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.

Except pursuant to and in compliance with § 164.508(a)(4) (which requires that a covered entity obtain an authorization for any disclosure of protected health information that is a sale of protected health information, and which requires that the authorization state that the disclosure will result in remuneration to the covered entity), a covered entity or business associate may not sell protected health information.


Sale of protected health information does not include the following disclosures of protected health information (which means that these disclosures do not require a "sale" authorization):


  • Disclosures for public health purposes, as that phrase is defined in the HIPAA Privacy Rule;
  • Disclosures for research purposes, if (and only if) the remuneration constitutes a “reasonable cost-based fee to cover the cost to prepare and transmit” the PHI;
  • Disclosures for purposes of treatment and payment, as allowed under the Privacy Rule;
  • Disclosures for the sale, transfer, merger, or consolidation of all or part of a covered entity and for due diligence connected to these activities;
  • Disclosures to the patient when the patient requests the PHI (provided the fee amounts are compliant with the right of access); and
  • Disclosures required by law.


Social Media Disclosures

Under the HIPAA Privacy Rule, covered entities and business associates may not use or disclose protected health information (PHI), except as that rule specifically permits or requires.  What does this mean for social media? It means that a provider may not post information about a patient, pictures of the patient, or testimonials made by the patient, on social media, unless the patient has first provided written authorization to the provider to do so. This written authorization must be obtained on a form that meets the requirements for a valid HIPAA authorization.


May an Employee Take a Picture or Video of a Patient and Post the Picture or Video on Social Media?

An employee of a practice may not take a picture or video of a patient and post that picture or video on social media (e.g., Facebook, Twitter, Instagram), unless the patient consents to the taking of the picture for this purpose, and provides written authorization to disclose the picture to social media. 


Providers may ask patients to complete a HIPAA social media authorization form. On the form, patients may indicate information such as which social media channels the patient authorizes disclosure to, the purpose of the disclosure, and the scope of the disclosure. Once a practice obtains the written authorization from the patient, the practice must abide by its terms. If, for example, the patient authorizes that only the patient appears in the photo (as opposed to the patient appearing in the photo along with his or her physicians), this restriction must be honored.


How May a Practice Respond to Social Media Reviews?

A patient is free to leave reviews on a practice’s website that solicits such reviews. A patient may also leave reviews on websites that solicit reviews of services in general, such as Yelp and Google Reviews. The patient’s transmission of his or her own PHI to such sites in the course of leaving a review does not violate HIPAA rules against use or disclosure of PHI. This is so because patients are not regulated by HIPAA; practices are.


A practice may not respond to reviews by revealing patient PHI, unless the patient has provided prior written authorization enabling the practice to do so. 


Is an Authorization Required for Research Purposes?

Authorization is required to use or disclose PHI that identifies someone for a research study. 


Is Authorization Required for a Provider to Use or Disclose Psychotherapy Notes?

In general, a covered entity must obtain prior written patient authorization for any use or disclosure of psychotherapy notes to another entity.  A covered entity need not obtain authorization for any use or disclosure of psychotherapy notes under certain circumstances.


What Content Must be Contained in an Authorization for the Authorization to be Valid?

The law requires that a HIPAA authorization form contain specific “core elements” to be valid. These elements include:


1. A description of the specific PHI to be used or disclosed.


2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. 


Note: One Authorization form may be used to authorize uses and disclosures by classes or categories of persons or entities, without naming the particular persons or entities. For example, it would be sufficient if an authorization authorized disclosures by "any health plan, physician, health care professional, hospital, clinic, laboratory, pharmacy, medical facility, or other health care provider that has provided payment, treatment or services to me or on my behalf" or if an Authorization authorized disclosures by "all medical sources." A separate authorization specifically naming each healthcare provider from whom protected health information may be sought is not required.


3. The name or other specific identification of any third parties (persons or classes of persons) to whom the covered entity may make the requested use or disclosure. 


Note: The Authorization Rule permits the identification of classes of persons to whom the covered entity is authorized to make a disclosure. Therefore, a valid authorization may authorize disclosures to a particular entity, particular person, or class of persons, such as "the employees of XYZ division of ABC insurance company."


4. A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.


5. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository. 


The Privacy Rule requires that an Authorization contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. For example, an Authorization may expire "one year from the date the Authorization is signed," "upon the minor’s age of majority," or "upon termination of enrollment in the health plan."


An Authorization remains valid until its expiration date or event, unless effectively revoked in writing by the individual before that date or event. The fact that the expiration date on an authorization may exceed a time period established by State law does not invalidate the authorization under the Privacy Rule, but a more restrictive State law would control how long the authorization is effective.


6. The signature of the individual, and the date. 


In addition to the core elements, the HIPAA authorization must contain statements adequate to place the individual on notice of all of the following:


1. The individual’s right to revoke the authorization in writing.


The Privacy Rule gives individuals the right to revoke, at any time, an Authorization they have given. The revocation must be in writing, and is not effective until the covered entity receives it. In addition, a written revocation is not effective with respect to actions a covered entity took in reliance on a valid authorization, or where the authorization was obtained as a condition of obtaining insurance coverage and other law provides the insurer with the right to contest a claim under the policy or the policy itself.


The Privacy Rule requires that the authorization clearly state the individual’s right to revoke, and the process for revocation must either be set forth clearly on the authorization itself, or, if the covered entity creates the Authorization and its Notice of Privacy Practices contains a clear description of the revocation process, the Authorization can refer to the Notice of Privacy Practices.

Authorization forms created by or submitted through a third party should not imply that revocation is effective when the third party receives it, since the revocation is not effective until a covered entity which had previously been authorized to make the disclosure receives it.


2. The exceptions to the right to revoke (an individual may revoke an authorization in writing except when the covered entity has taken action in reliance on the authorization).


3. The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization, except that: 


a. A covered healthcare provider may condition the provision of research-related treatment on provision of an authorization for such research.


b. A health plan may, to make eligibility or enrollment determinations, condition enrollment in the health plan or eligibility for benefits on provision of an authorization.


4. The potential for information disclosed under the authorization to be redisclosed by the recipient and no longer be protected by the Privacy Rule. 


HIPAA regulations also require that the HIPAA authorization be written in plain language.


In addition, whenever a covered entity seeks a HIPAA authorization from an individual for a PHI use or disclosure, the covered entity must provide the individual with a copy of the signed HIPAA authorization form.


What is the Difference Between “Consent” and “Authorization” under the HIPAA Privacy Rule?

The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.


By contrast, an authorization, as noted above, is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. 

As noted above, an authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.


Is a Copy, Facsimile, or Electronically Transmitted Version of a Signed Authorization Valid? 

Yes. Under the Privacy Rule, a covered entity may use or disclose protected health information pursuant to a copy of a valid and signed authorization, including a copy that is received by facsimile or electronically transmitted.


May a Covered Entity Disclose Protected Health Information Specified in an Authorization, Even if That Information Was Created After the Authorization Was Signed?

Yes, provided that the authorization encompasses the category of information that was later created, and that the authorization has not expired or been revoked by the individual. Unless otherwise expressly limited by the authorization, a covered entity may use or disclose the protected health information identified on the authorization regardless of when the information was created.


Does the Privacy Rule Require that an Authorization be Notarized or Include a Witness Signature?

The Privacy Rule does not require that an authorization document be notarized or witnessed.


Can an Authorization be Used Together With Other Written Instructions from the Intended Recipient of the Information?

A transmittal or cover letter can be used to narrow or provide specifics about a request for protected health information as described in an Authorization, but it cannot expand the scope of the Authorization.


For example, if an individual has authorized the disclosure of "all medical records" to an insurance company, the insurance company could by cover letter narrow the request to the medical records for the last 12 months. The cover letter could also specify a particular employee or address for the "class of persons" designated in the Authorization to receive the information. By contrast, an insurance company could not by cover letter extend the expiration date of an Authorization, or expand the scope of information set forth in the authorization.


Can a Covered Entity Condition Treatment, Payment, or Eligibility for Benefits on the Providing of an Authorization?

To ensure that authorizations are informed and voluntary, the Privacy Rule prohibits covered entities, with limited exceptions, from conditioning treatment, payment, or eligibility for benefits or enrollment in a health plan, on obtaining an authorization. 


Here are the exceptions:


A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except that:


(i) A covered health care provider may condition the provision of research-related treatment on provision of an authorization for the use or disclosure of protected health information for such research under the Privacy Rule;


(ii) A health plan may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual's enrollment in the health plan, if:


(A) The authorization sought is for the health plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations; and


(B) The authorization is not for a use or disclosure of psychotherapy notes under 45 CFR 164.508(a)(2) (covering when authorization is required for release of psychotherapy notes, and when it is not); and


(iii) A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party. Provision of care that is solely for the purpose of creating PHI for disclosure to a third party includes, for example, pre-employment examinations, research treatments, and school physicals. 

