In general, covered entities, defined below, under the Privacy Rule cannot disclose protected health information without consent from the person or patient that the information is about. In this post, we will define the privacy rule and covered entities and then review HIPAA consent requirements as well as sample PHI use and disclosures.
Fundamental Principles: HIPAA Authorization & HIPAA Release Requirements
One of the fundamental principles of the Privacy Rule was to create boundaries in an effort to limit the ways that PHI could be disclosed by a covered entity without specific consent, whether verbal or written. The Privacy Rule requires that a covered entity disclose PHI in two situations.
One is to the person in question when requested, and the other is to the Department of Health and Human Services (HHS) during an investigation. There are certain instances where a covered entity does have the ability to use or disclose PHI, but depending on the situation, a certain type of consent is required. Keep reading for more details.
Definitions: The HIPAA Privacy Rule Covered Entities
To understand HIPAA authorization requirements, one must first know what the Privacy Rule is and who qualifies as a covered entity.
“The Privacy Rule protects most individually identifiable health information held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral.”
The Privacy Rule calls this information “protected health information” or “PHI.” Individually identifiable health information is information including demographic information, that relates to the following per UMASS:
- The individual’s past, present, or future physical, mental health, or condition,
- The provision of health care to the individual or
- The past, present or future payment for the provision of health care to the individual.
In addition, individually identifiable health information identifies the individual or there is a reasonable basis to believe it can be used to identify the individual.
A covered entity can be a single person, company, or agency that is a health care provider (doctor, pharmacy, dentist, etc.); a health plan (company health insurance plan, health insurance company, etc.); or a health care clearinghouse (a company that processes nonstandard health information into a format that is readable and/or understandable).
One additional item to note about covered entities is that they often use business associates to provide services in which PHI is transferred, accessed, or used in some form or fashion.
Under the Privacy Rule this is allowed, but the covered entity is required to have a Business Associate Agreement in place. This reduces the risk that a business associate uses or discloses PHI in a way that does not protect the individual.
Additionally, the business associate agreement often holds the company providing the service liable to certain requirements, and that company can incur penalties as defined within the agreement.
When is Written or Verbal Consent Required for PHI?
In summary, uses and disclosures of PHI fall into three categories with regard to the need to obtain the individual’s consent: 1) No consent required, 2) Verbal consent or acquiescence required and 3) Written consent required.
1) No Consent Required— TPO, Public Health and Safety, Imminent Danger
Treatment, Payment, and Healthcare Operations (TPO): In general, a covered entity may use and disclose PHI for treatment, payment, and health care operations activities (a.k.a. TPO) without obtaining an individual’s written permission (e.g., consent or authorization). According to HHS.gov, “Treatment is the provision, coordination, or management of healthcare and related services for an individual by one or more healthcare providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.” One exception to this general statement exists concerning psychotherapy notes; see the Written Consent Required section.
Public Health and Safety: A covered entity may disclose PHI without individual authorization in certain situations: sending immunization records to schools; reporting to a public health authority for purposes of preventing or controlling disease, injury, or disability; reporting to a foreign government agency at the direction of a public health authority; and warning persons at risk in order to prevent or control the spread of disease.
Prevent or Lessen Imminent Danger: A covered entity may disclose PHI that it believes is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone the covered entity believes can prevent or lessen the threat (including the target of the threat). According to HHS.gov, “Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.”
2) Verbal Consent or Acquiescence Required — Disclosures to Family or Facility Directories
Disclosures to Family, Friends and Others: To make disclosures to family and friends involved in an individual’s care or for notification purposes, or to other persons whom the individual identifies, you must obtain informal permission by asking the individual outright, or by determining that the individual did not object in circumstances that clearly gave the individual the opportunity to agree, acquiesce, or object. According to HHS.gov, “Where an individual is incapacitated, in an emergency situation or not available, a covered entity generally may make such disclosures, if the provider determines through his/her professional judgment that such action is in the best interests of the individual.”
Disclosures in Facility Directories: Healthcare facilities often maintain directories with patient information. These directories may include such information as a patient’s name, a summary of their condition, and their location within the facility. In these cases, informal permission from the patient can be obtained to allow this information to be displayed.
3) Written Consent Required — General Requirements, Physicians, Marketing, Sales, & Licensing
General: Outside the categories above, a covered entity must collect a written authorization from the subject before it is legally allowed to use or disclose PHI under the Privacy Rule. As mentioned before, this is to limit the number of scenarios that could result in protected health information being lost or stolen. The exceptions to the rule are meant to be limited.
Psychotherapy Notes: As noted previously, a covered entity cannot disclose psychotherapy notes without an individual’s written authorization.
Marketing Activities: A covered entity must obtain an individual’s authorization prior to using or disclosing PHI for marketing activities. Marketing is considered any message or statement to the public in an effort to get them to use or seek more information about a product or service. If a specific marketing campaign includes payment, these details must be included as part of the written consent.
PHI Sales and Licensing: A covered entity may not sell PHI without the individual’s authorization (including the licensing of PHI). A sale is a disclosure of PHI in which the covered entity directly or indirectly receives payment from the recipient of the PHI. The Privacy Rule identifies certain actions that do not constitute a “sale of PHI” and therefore do not require an individual’s authorization. For example, the sale or merger of a covered entity’s practice falls into this category.
Research: Special rules apply with regard to clinical research, bio-specimen banking, and all other forms of research not involving psychotherapy notes. In some circumstances, patient authorization is required.
Valid HIPAA Authorization Requirements:
An authorization in HIPAA terms is the consent of an individual or patient providing explicit authorization to use or disclose their personal information. Authorizations should have certain elements to be considered valid. Read on to see what those items include.
- The information that is going to be disclosed should be defined and clear to the individual providing their consent.
- Each form should include a spot for the individual to print their name so that it is obvious who is providing authorization.
- Explicit information about who may use or disclose the PHI as a direct result of the authorization.
- A description of each use or disclosure that will result from the authorization. An individual providing authorization should understand every way that their information is planned to be used or disclosed.
- An expiration date, after which the authorization is no longer valid and the information can no longer be used or disclosed.
- Finally, there should be an area where the individual providing their authorization can sign.
Summary – HIPAA Consent Requirements
Under the HIPAA Privacy Rule, covered entities are required to follow specific rules when handling PHI. The use and disclosure of PHI requires a certain type of consent, whether no consent, verbal consent, or written consent, depending on the use case. If you think your information was possibly used or disclosed in an inappropriate manner, the best course of action would be to contact HHS.
If your company is interested in more information about HIPAA audits, feel free to reach out for more information.
Also see the following past Linford & Co. blog posts for more information:
- 2019 HIPAA Wall of Shame: Recent Security Breaches & Examples for Companies to Learn From
- What is HIPAA Compliance? Certification? A Summary of HIPAA
- Breach Notification Rule: Requirements for HIPAA & SOC 2
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is currently a manager with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.