HIPAA authorization entails completing a form by a patient or a health plan member when a covered entity intends to disclose or use personal health information for purposes not allowed by the HIPAA Privacy Rule. If a covered entity fails to obtain HIPAA authorization and shares a patient’s personal health information, it will be considered a serious violation of HIPAA compliance.
HIPAA Authorization and the HIPAA Privacy Rule
The HIPAA Privacy Rule has been in effect since April 14, 2003. It provides standards defining the allowable use and disclosure of personal health information. For example, the standards define to whom the information can be disclosed and under what circumstances it can be shared.
The HIPAA Privacy Rule allows the sharing of a patient’s health information among:
● Health plans
● Healthcare providers
● Healthcare clearinghouses
● Business associates of HIPAA-covered entities.
● Other entities covered by HIPAA rules but under specific circumstances
Circumstances That Require HIPAA Authorization
Often, HIPAA authorization is required when:
● A covered entity intends to use or disclose personal health information in ways not allowed by the HIPAA Privacy Rule.
● A covered entity intends to use or disclose personal health information for marketing purposes unless when that information is shared face-to-face between the covered entity or an individual regarding a promotional gift.
● A covered entity wants to share or use psychotherapy notes for purposes other than for the provision of treatment, payment, or healthcare operations.
● A covered entity wants to use or disclose substance abuse and treatment records.
● A covered entity wants to disclose patient information to researchers.
● A covered entity wants to sell protected health information.
What to Include on a HIPAA Authorization Form
A HIPAA authorization form details the specific uses and disclosures of protected health information. If you sign a HIPAA Authorization form, you are giving consent to have your protected health information used or disclosed for the reasons outlined in the authorization. Organizations conducting these forms should also engage in a thorough security risk assessment to ensure the proper safeguards are in place to protect this sensitive information. Usually, a HIPAA authorization is written in plain language, and it must contain the following elements as a minimum:
● Description of how the information will be used or disclosed
● Name of the person or persons authorized to make the requested disclosure
● Identities of the persons to whom the information will be disclosed
● The purpose of the requested use or disclosure
● An expiration date for the authorization
● Date and signature of the person giving authorization
Secure Your Future With ComplyAssistant
HIPAA compliance can save your organization millions of dollars that you could pay in penalties. Comply Assistant can become your long-term partner and help you navigate the complex process of HIPAA compliance. We offer smart HIPAA-compliant software designed to streamline this process, making it less complex and more manageable.