The Health Insurance Portability and Accountability Act (HIPAA), which was passed by the US Congress in 1996, does several important things, including the following: (1) it allows Americans to transfer and continue health insurance coverage when they change or lose their jobs; (2) it takes steps to reduce healthcare fraud and abuse; (3) it formalizes industry-wide standards for healthcare information that is used in electronic billing and other administrative processes; and (4) it requires that protected health information remains secure and confidential.1
The HIPAA Privacy Rule, which has been in effect since April 2003, outlines specific rules about who can use and share a patient’s protected health information. Specifically, the HIPAA Privacy Rule allows protected health information to be shared among healthcare providers, insurance plans, healthcare clearinghouses, business associates of HIPAA-covered entities, and other entities that are covered by HIPAA.2 Overall, the HIPAA Privacy Rule is intended to balance a person’s right to privacy with the need for health providers to communicate with others and provide care.3
When patients are asked to provide HIPAA authorization, they are really being asked to allow their doctor’s office or hospital (or other covered entity or business) to use or disclose the patient’s protected health information to another doctor or hospital (or other entity) for a purpose that is otherwise not permitted by the HIPAA Privacy Rule. If HIPAA authorization is not provided, sharing of protected health information would violate HIPAA Rules, resulting in a severe financial penalty and/or criminal prosecution.2
HIPAA authorization is required in the following specific circumstances2:
- When use or disclosure of protected health information is needed for reasons that are otherwise not permitted by the HIPAA Privacy Rule.
- When use or disclosure of psychotherapy notes is needed for reasons other than specific treatment, payment, or healthcare operations.
- When use or disclosure of substance abuse and treatment records is needed.
- When use or disclosure of protected health information is needed for medical research purposes.
- When use or disclosure of protected health information is needed for certain marketing purposes.
- Prior to the sale of protected health information.
It is very common for healthcare providers to ask patients to sign written HIPAA authorizations. This desire for written consent typically reflects the doctors’ office or hospital policies; these entities want to avoid being accused of failing to protect a patient’s confidentiality.3
The HIPAA authorization form outlines specific uses and disclosures of protected health information that are allowed. By signing this form, patients allow their protected health information to be used or disclosed to specific covered entities for the reasons that are stated.2 Of note, caregivers are not “covered entities”; they are not legally responsible for protecting their loved one’s health information in the same way as the patient’s doctor or insurance company.3
Each HIPAA authorization form must be written in plain language and contain the following2:
- A description of the protected health information that will be used or disclosed
- The name of the person or class of persons who can make the requested use or disclosure of protected health information
- The name of the person or class of persons to whom protected health information will be disclosed
- The purpose of the requested use or disclosure of protected health information
- A specific time frame for the HIPAA authorization, including an expiration date
- A date and signature line for the patient or their legal representative.
The patient or authorized person who signs the HIPAA authorization must receive a copy of the form for their records.2
References
- California Department of Health Care Services. Health Insurance Portability and Accountability Act. Updated June 13, 2019. www.dhcs.ca.gov/formsandpubs/laws/hipaa/Pages/1.00WhatisHIPAA.aspx. Accessed March 31, 2020.
- HIPAA Journal. What is HIPAA authorization? www.hipaajournal.com/what-is-hipaa-authorization/. Accessed March 31, 2020.
- Kernisan L. 10 things to know about HIPAA & access to a relative’s health information. https://betterhealthwhileaging.net/hipaa-basics-and-faqs-for-family-caregivers/. Accessed March 31, 2020.