Health Information Compliance Alert

Published on Thu Jan 03, 2013 PDF

It’s time for a vocabulary lesson that will make your HIPAA privacy compliance efforts much easier: Do you know the difference between “consent” and “authorization”?

In hair-splitting that has left even attorneys baffled, the privacy rule demands that you obtain patients’ “consent” for certain uses of their protected health information, and obtain their “authorization”
for other uses. HIPAA experts break down the difference below.

Consent: Broad, One Page, One Time

“A consent is what the individual gives to the provider to permit the provider to use or disclose PHI about that individual for purposes of treatment, payment and health care operations,” explains attorney John Gilliland of Gilliland & Caudill in Indianapolis, IN.

This should be a general document, Gilliland says. It should explain how you use their information, but doesn’t need to delve too deeply into detail. “It’s a one-pager,” Gilliland says.

So, at the first encounter with the patient on or after April 14, 2003, you need to get her to sign a consent allowing you to use or disclose PHI for the three basics: treatment, payment and health care operations. The consent form should indicate that the patient has received or been offered a copy of the entity’s notice of privacy practices explaining how that PHI is used, notes Becky Bueghel, director of health information management at the Casa Grande Medical Center in Casa Grande, AZ.

A consent lasts indefinitely, until revoked. A consent needs to be signed only once, unless you’ve substantially changed your notice of privacy practices, according to Bueghel. In this case the patient must sign a new, revised consent or an addendum that says she has seen the changes.

Getting into the habit of distributing consents takes some practice. Attorney Michael Blau, from the Boston office of McDermott Will & Emery says that, as of today, few health care providers are regularly giving out consents that would pass muster under HIPAA.

Authorization: Hit the Specifics

“Authorization is necessary to use or disclose PHI for reasons other than treatment, payment or health care operations,” explains Bueghel. An authorization therefore needs to be specific — explaining  exactly what you’ll do with the PHI — and probably longer than a consent form, Gilliland says. If, for example, you’re requesting authorization to use someone’s PHI as part of a marketing program, explain  what you’ll be doing with the PHI, when, and with whom you are sharing it.

Bueghel predicts that authorizations will most often be needed when insurance companies want to look at PHI to write policies on patients. The provider would need to obtain the patient’s authorization before releasing the info to the insurance company.

Authorizations are time specific, Gilliland notes. They need to have either an expiration date or an expiration event (such as discharge from a hospital).

There are some exceptions when it comes to authorizations. It is sometimes permissible to disclose PHI without consent or authorization for matters such as communicable disease reporting, Gilliland points out.

One sticking point is the exact definition of “health care operations.” You don’t need authorization — only consent — to use PHI for normal health care operations, but what are health care operations?

Bueghel can think of at least one gray area Whenever a child is born in her hospital, she has to report certain PHI to the Bureau of Vital Statistics. “I’m allowed by law to report that info, however it’s not considered health care operations under what most people have interpreted. So if the mother was to come to me and say, ‘I’d like an accounting of who you gave my information to without my specific  authorization,’ I’d have to be listing that,” she explains.

Blau recommends that someone in your organization be responsible for determining what exactly your patients have consented to in their consent forms, and whether you’ll need to obtain authorizations from them to use their PHI in other ways.