As a professional or a business handling patients' healthcare information, you know how important data security and confidentiality are to your organization's reputation. A patient's health record frequently includes family medical history, treatment details, and financial information, which makes safeguarding it even more critical. This is where the Health Insurance Portability and Accountability Act (HIPAA) comes in.
HIPAA (Health Insurance Portability and Accountability Act) is a federal compliance law enacted by the Department of Health and Human Services (HHS) of the United States in 1996. Its primary objective is to keep patients' protected health information (PHI) out of the hands of the general public. HIPAA also aims to secure electronic patient records, simplify administrative procedures, and ensure insurance portability. Failing to maintain confidentiality can result in the Office for Civil Rights (OCR) levying hefty fines on the company under the HIPAA regulatory standard, leading to financial losses.
This blog addresses one of its key elements – HIPAA authorization.
What is HIPAA Authorization?
A HIPAA authorization is a patient's written approval allowing a covered entity or business associate to use or disclose that individual's protected health information (PHI) to someone else for a purpose the HIPAA Privacy Rule does not otherwise permit. To be valid, an authorization must be in writing, plainly worded, and contain specific required elements.
The HIPAA Privacy Rule permits certain HIPAA-covered entities, such as healthcare providers, health plans, healthcare clearinghouses, and their business associates, to exchange health information only in the circumstances it specifies. Any other use or disclosure of PHI made without a HIPAA authorization violates the HIPAA Privacy Rule, which can result in a serious financial penalty and may even be treated as a criminal act.
When is HIPAA Authorization Required?
Title 45 of the Code of Federal Regulations, Section 164.508 (45 CFR 164.508), describes the uses and disclosures of PHI that require the permission of a patient or plan member before the information is used or shared. HIPAA authorization is needed for the following:
- Any use or disclosure of PHI that the HIPAA Privacy Rule does not otherwise permit.
- Use or disclosure of PHI for marketing purposes, except for face-to-face communication between the covered entity and the individual, or a communication that involves a promotional gift of nominal value.
- Use or disclosure of psychotherapy notes, other than for the particular treatment, payment, or health care operations purposes listed in 45 CFR 164.508(a)(2)(i) and (a)(2)(ii).
- Use or disclosure of substance abuse and treatment records.
- Sale of protected health information.
- Use or disclosure of PHI for research purposes.
What is to be included in a HIPAA Authorization Form?
A HIPAA authorization is a comprehensive agreement that explains specific uses and disclosures of protected health information in depth.
By signing the authorization, an individual grants permission for their health information to be used or disclosed for the purposes mentioned in the authorization. The covered entity’s or business associate’s use or disclosure must be consistent with what is mentioned on the form.
The authorization form must be written in plain language to ensure that it is readily understood and must include the following elements at a minimum:
- A specific and meaningful description of the information to be used or disclosed.
- The name or other specific identification of the person or class of persons authorized to make the requested use or disclosure.
- The name(s) or other specific identification of the person or class of persons to whom the information will be disclosed.
- A description of each purpose of the requested use or disclosure. Where the individual initiates the authorization and does not provide a purpose statement, "at the individual's request" suffices.
- An expiration date or expiration event for the authorization. For research-related uses and disclosures, "at the end of the study" or "none" may be used; for the establishment of a research database or research repository, "none" may be used.
- The signature of the individual and the date. If the authorization is signed by the individual's authorized representative, a description of the representative's authority to act on the individual's behalf must be provided.
The HIPAA authorization must also include statements informing the person of the following:
The individual's right to revoke the authorization in writing, together with one of the following:
- The exceptions to the right to revoke and a description of how the individual may exercise that right; or,
- A reference to the organization's notice of privacy practices, to the extent that this information is included there.
Whether or not the covered entity may condition treatment, payment, enrollment, or eligibility for benefits on the authorization, by stating either:
- That the covered entity may not make treatment, payment, enrollment, or eligibility for benefits contingent on whether or not the individual signs the authorization; or,
- Where the covered entity is permitted to condition treatment, enrollment in the health plan, or eligibility for benefits on obtaining the authorization, the consequences to the individual of refusing to sign it.
A copy of the authorization form must be given to the person providing consent for their own records.
What are the Requirements of HIPAA Authorization?
A HIPAA authorization document must meet seven requirements to comply with this standard:
- Clear and comprehensive language must be used.
The form must be written in simple language that the individual can understand. This ensures that the individual is fully informed about the disclosure of their PHI and agrees to its purpose.
- The purpose of disclosure must be stated explicitly.
The authorization must specify the reason for the disclosure. PHI may be disclosed without authorization for three reasons: treatment, payment, and healthcare operations. If the disclosure is for any reason other than these three, the authorization must clearly state the purpose for which the PHI is being disclosed.
- A description of the PHI must be provided.
The form must state what is being disclosed, for example the patient's medical test results, diagnoses, treatment plans, or financial statements.
- The date of expiration must be stipulated.
A HIPAA authorization form is not valid for an indefinite period. It must state how long the authorization remains valid, i.e., there must be an expiration date beyond which use or disclosure of the information under that authorization is no longer permitted.
- The signature of the concerned individual is required.
The individual or their legal representative must sign and date the authorization. This confirms that the individual has agreed to the disclosure of their PHI and understands the authorization's terms.
- The right to revoke the authorization must be included.
The authorization must contain a statement that the individual may revoke it at any time. This allows the individual to change their mind about disclosing their PHI and withdraw their consent.
- Revoking or refusing the authorization must not interfere with the individual's right to receive medical care.
The authorization must state that the individual's freedom to refuse to sign it will not affect their access to care or benefits. This ensures that the individual is not coerced into completing the authorization and that their access to healthcare or benefits will not be jeopardized if they decline.
It is critical to remember that not all PHI disclosures require a HIPAA authorization. In some cases, healthcare workers may disclose PHI without the patient's authorization, such as when it is required for treatment, payment, or healthcare operations.
HIPAA Compliance With Akitra!
Establishing trust is a crucial competitive differentiator when prospecting new SaaS businesses in today’s era of data breaches and compromised privacy. Customers and partners want assurances that their organizations are doing everything possible to prevent disclosing sensitive data and putting them at risk, and compliance certification fills that need.
Akitra offers an industry-leading, AI-powered Compliance Automation platform for SaaS companies. Using automated evidence collection and continuous monitoring, together with a full suite of customizable policies and controls as a compliance foundation, our service helps customers become certified for HIPAA along with other frameworks like SOC 1, SOC 2, ISO 27001, ISO 27701, ISO 27017, ISO 27018, ISO 13485, GDPR, PCI DSS, FedRAMP, NIST 800-53, NIST 800-171, NIST CSF, CMMC, and other specific frameworks such as CIS AWS Foundations Benchmark, etc. Our compliance and security experts will provide customized guidance to navigate the end-to-end compliance process confidently.
The benefits of our solution include enormous savings in time, staff effort, and cost, including discounted audit fees with our audit firm partners. Customers achieve compliance certification quickly and cost-effectively, stay continuously compliant as they grow, and can become certified under additional frameworks using a single compliance automation platform.
Build customer trust. Choose Akitra TODAY!
To book your FREE DEMO, contact us right here.