law office of michelle adams

What is HIPAA Authorization?

July 3, 2023 •  Law Office of Michelle Adams
Other than covered entities and business associates, which other entities are covered by the HIPAA rules?

The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights concerning that information. 45 CFR §164.508 states the uses and disclosures of PHI that require authorization from a patient/plan member before information can be shared or used.

It’s important to know that some organizations are considered “partial” or “hybrid” entities. These are usually organizations whose primary function isn’t healthcare or health insurance but who have access to health information that should be protected. An educational institution that provides health services to the public is an example of a partial or hybrid entity.

HIPAA Journal’s recent article entitled “What is HIPAA Authorization?” explains that in some situations, informal consent rather than formal authorization is enough to satisfy the requirement of the HIPAA Privacy Rule. These circumstances are called “Uses and Disclosures with an Opportunity to Agree or Object” and cover inclusion in facility directories and notifications to friends and family (of admission into the hospital).

If an individual cannot give their authorization, covered entities must wait until the patient or their legal representative can give their authorization. When only informal consent is required, covered entities can use their professional judgment to determine whether the use or disclosure of PHI is in the patient’s best interests.

Note that the requirements for HIPAA authorizations aren’t the same throughout the country. The HIPAA Privacy Rule is a “federal floor” for permissible uses and disclosures. However, some state laws may pre-empt HIPAA if they have more stringent regulations.

The clause “covered entities cannot condition treatment, payment, enrollment, or eligibility for benefits” means that a covered entity can’t withhold treatment, payment, enrollment, or eligibility for benefits because a patient or plan member refuses to sign an authorization giving the covered entity additional uses for their Protected Health Information (PHI). A patient or plan member shouldn’t be put under any duress to approve uses and disclosures of PHI beyond those permitted by the Privacy Rule.

The law stipulates that there has to be written authorization for every use or disclosure of PHI not required or permitted by the Privacy Rule. The retraction of HIPAA authorization also has to be written. HIPAA consent, by contrast, can be verbal, but only when consent, rather than authorization, is an option.

Reference: HIPAA Journal (October 9, 2021) “What is HIPAA Authorization?”
