Everything You Need to Know About HIPAA Authorization

What Is HIPAA Authorization and When Is It Needed?

The privacy of your medical information and records is protected under the law. No one other than yourself and those authorized by law can get access to your health information without your consent. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule protects your medical information and personal identifiers from unauthorized use or disclosure by a covered entity. This information is known as protected health information (PHI) under HIPAA, and it includes:

• Your past, present, and future physical or mental health
• Treatment for your medical conditions
• The payment for such treatments

A covered entity means healthcare providers, health plans, and healthcare clearinghouses who share and transmit medical information covered under HIPAA electronically.

The HIPAA Privacy Rule allows a covered health care provider and its business associates to use your PHI without authorization for treatment, payment, health care operations, law enforcement investigations, and emergencies.

Any access to your medical information for a purpose not covered under the privacy rule will require your authorization, including access by your family members or lawyer.

In this case, you must give your healthcare provider HIPAA authorization, giving them consent to use or disclose your medical records. This authorization is voluntary, and you can revoke it anytime.

Is Authorization the Same as Consent Under HIPAA?

HIPAA authorization differs from informed consent documents or other permission forms in several ways. Here are some of the main differences:

• Authorization is required under the HIPAA Privacy Rule as opposed to consent, which is voluntary. Health care providers can ask for your consent before sharing your information for covered purposes but are required to do so for all other uses.
• Consent has no specific format or content requirements. Covered entities can design their own consent procedures. However, patient authorization should be in writing and include the required core elements.

Patient consent and authorization forms are similar in that they express the patient’s permission to share their medical information. The main difference lies in what type of information is concerned and for what purpose.

A healthcare provider can combine HIPAA authorization and an informed consent document to create a research database or conduct a research study. However, the patient can revoke consent and authorization forms at any time. The revocation must be clearly expressed in writing.

How To Create a Valid Authorization Form

Here are the steps and elements for making a valid HIPAA authorization form:

Step 1: Consult an estate planning attorney for legal guidance on your unique situation. A lawyer is better suited to determine whether you should give HIPAA authorization and what information should be disclosed. They will also inform you on how this authorization will interact with other estate planning documents you may have.

Step 2: Identify yourself and the person or entity you are authorizing. Include your name, address, date of birth, and Social Security number.

Step 3: Specify the purpose and scope of the authorization and the name of the authorized person or entity. State why you are giving the authorization and what PHI you allow to be used or disclosed.

Step 4: Include an expiration date or event.

Step 5: Acknowledge your rights and responsibilities. These include:

• The right to refuse to sign the authorization

• The right to revoke the authorization at any time by notifying the person or entity in writing

• The right to request an accounting of disclosures of your PHI

• The responsibility to inform the entity of changes in your PHI

• The responsibility to ensure that the entity complies with the terms and conditions

Step 6: Sign and date the authorization form.