The Health Insurance Portability and Accountability Act (HIPAA) was passed into law for the purpose of protecting patients’ confidential medical records by restricting access to those records. While HIPAA allows patients to keep their medical and health care information private, these federal privacy requirements can pose problems for loved ones and caregivers in case of a sudden accident, incapacity, or unforeseen circumstances. HIPAA authorization documents work to remove this potential difficulty by establishing a clear record of trusted individuals and the types of information you would like healthcare providers to share with them. An experienced estate planning attorney with Harrison Law, PLLC, will understand the importance of incorporating all the necessary authorization forms and release documents to complement your estate plan and ensure that your loved ones will be able to access your essential medical and health care records if something happens to you. Call (480) 320-2310 to discuss your health privacy concerns and schedule a consultation to develop a HIPAA authorization that works for your needs.
What Is HIPAA Authorization?
HIPAA authorization refers to consent obtained from an individual that gives entities covered under the legislation permission to use the individual’s the individual’s protected health information, referred to as PHI, as well as to disclose that information to third parties for purposes that would otherwise be denied by the HIPAA Privacy Rule. According to the Centers for Disease Control and Prevention, the Privacy Rule regulates the use or disclosure of sensitive patient health information without the patient’s knowledge or consent.
Types of Disclosures That Do Not Require Patient Authorization Per HIPAA
Not all types of disclosures require patient authorization under the HIPAA Privacy Rule. According to the United States Department of Health and Human Services, covered entities are permitted to use a patient’s PHI without their authorization in the following six situations:
- To disclose the information to the patient in question
- When the circumstances of use or disclosure clearly provide the individual with an opportunity to agree or object
- When using the information for treatment or other health care operations
- When using the information incident to an otherwise permitted use or disclosure
- To use the information for the public interest and/or benefit activities
- When using limited data for the purposes of research or health care operations
In other situations, covered entities must first obtain a signed authorization form before using or disclosing a patient’s protected health information.
When Is HIPAA Authorization Required?
The uses and disclosures of a patient’s PHI that require authorization are governed by 45 CFR §164.508. Under the law, entities require HIPAA authorization for use or disclosure of:
- Psychotherapy notes unless the notes are being used for specified treatment or other health care operations
- PHI for marketing purposes with the exception of promotional gifts and face-to-face communications between the individual and the entity
- Records related to the patient’s substance abuse and treatment
- PHI for research purposes
- PHI in situations otherwise prohibited by the HIPAA Privacy Rule
- PHI whenever the entity is trying to sell the information in any circumstances
Whenever a party is seeking authorization from an individual to use or disclose their protected health information, that party must provide a copy of the signed authorization form.
Without access to medical records or other types of PHI, the effectiveness of estate planning documents may be diminished. If you are in the process of setting up an estate plan and are not sure whether or not HIPAA authorization is something that would be required in your particular case, consult with our team at Harrison Law, PLLC.
The Requirements for a HIPAA Authorization To Be Valid
To meet the federally mandated requirements for validity, HIPAA authorization must include certain elements and statements. These requirements include:
- A specific description of the PHI that the requesting party intends to use or disclose
- Who will be authorized to make the requested disclosure or use the PHI in the requested manner
- Who will be the recipient of the information
- The purpose for which the request is made (must be separate for each disclosure)
- The patient’s signature (if the patient is not capable of signing themselves, their representative must sign the form)
- The expiration date/event
- The date of the signing
Three Conditions for PHI Disclosures
In addition to the above-mentioned criteria, a valid HIPAA authorization also requires the following three formalities:
- The authorization must contain a relevant statement explaining the patient’s rights to privacy regarding their PHI.
- When the authorization is sought for marketing purposes, the patient must be notified in the document that the provider may receive remuneration as a result of the disclosures.
- The provider must present the authorization in plain language to ensure that the patient fully understands the consequences of signing the form.
Limitation of Authorized Disclosures to “Minimum Necessary”
Entities and persons are prohibited from using or disclosing more of the information than was requested in the authorization form. HIPAA also prohibits entities and persons with access to PHI from using or disclosing the obtained information in any manner or for any purpose that differs from those stated in the authorization.
Frequently Asked Questions About HIPAA Authorization
The estate planning attorneys at Harrison Law, PLLC often answer the same questions about the HIPAA Privacy Rule and authorizations during consultations with prospective clients. Some of the most frequently asked questions include:
What Is the Difference Between HIPAA Authorization and a Health Care Power of Attorney?
A health care power of attorney is a document in which one individual (the “principal”) designates another person – known as the agent – to make healthcare decisions on their behalf when the principal is unable to make those decisions for themselves. When a health care power of attorney is in effect, the agent does not need additional authorizations to access the principal’s medical records. However, HIPAA authorization on its own does not authorize the person with access to the patient’s medical records to make health care decisions on their behalf.
How Long Does HIPAA Authorization Remain Valid?
Once signed, the authorization will remain valid until the expiration date or event, which must be specified on the authorization form. In estate planning authorization forms, this date is of set two (2) years after the individual’s death. This allows for the deceased individual’s replenishes authority to access record after death. The only exception to this rule is if the patient revokes the authorization in writing before the expiration date/event –– in which case the authorization expires when revoked, regardless of the listed expiration date.
Does the Signed Form Need To Be Notarized?
HIPAA authorization forms do not require the services of a notary public to be valid. However, other estate planning tools often used in conjunction with HIPAA authorization may need to be signed by witnesses.
Guidance for Your Estate Plan
HIPAA authorization can be an important part of a comprehensive estate plan, regardless of whether that estate plan includes a health care power of attorney. The Arizona estate planning attorneys at Harrison Law, PLLC provide clients with the guidance they need to make sure their loved ones can access important medical and healthcare information. Take steps today to select the individuals who should have access to critical data and ensure they can use that information to make decisions related to your care when needed. Call (480) 320-2310 to schedule a consultation.
© 2024 Matthew W. Harrison and Harrison Law, PLLC All Rights Reserved
This website and article have been prepared by Harrison Law, PLLC for informational purposes only and does not, and is not intended to, constitute legal or financial advice. The information is not provided in the course of an attorney-client relationship and is not intended to substitute for legal advice from an attorney licensed in your jurisdiction.