What is the difference between consent and authorization under the HIPAA Privacy Rule
Don’t expect another delay. The privacy component of the Health Insurance Portability and Accountability Act (HIPAA) will take effect on April 14, 2003, and by then, your practice should have made a good-faith attempt to be ready. HIPAA requires, among other things, that you safeguard patients’ individually identifiable information (also referred to as protected health information or PHI) by restricting access to it and seeking patient permission to disclose it in certain circumstances. Some (but not all) of the safeguards can be established with the forms that appear on the following pages.

Notice of privacy practices

HIPAA legislation grants patients several new rights, among them greater access to and control over their medical records. (To learn more about HIPAA, see “The HIPAA Privacy Rule: Answers to Frequently Asked Questions,” FPM, November/December 2002, page 35 and the box on page 30.) Organizations considered covered entities under HIPAA are mandated to inform patients of the new privacy rights and their privacy policies and procedures (to determine whether you’re a covered entity, go to www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp). To comply, you’ll need to develop a Notice of Privacy Practices and provide it to your patients at the first office visit after April 14, 2003 (or earlier, if you have it ready). HIPAA also requires you to obtain patients’ written acknowledgement that notice has been received and file the acknowledgement in the patient record. A patient’s refusal to sign the acknowledgement should be documented and filed in the patient record. A sample Notice of Privacy Practices can be . It is intended as a guideline only and should be tailored to reflect your practice policies and your state’s privacy laws. State privacy laws should continue to be followed if they are more stringent than the HIPAA regulations.
Authorization form

Fortunately, the HIPAA privacy regulations do not require you to obtain patients’ consent to use their PHI for routine disclosures, such as those related to treatment, payment or health care operations (TPO). However, the regulations do mandate that you obtain written patient consent before releasing their information for any reason other than TPO (e.g., disclosure of psychotherapy notes). To comply, you’ll need to identify situations in your practice where special authorization is needed (see page 31 for a list) and develop an authorization form for patients to sign. The sample authorization form that can be can be adapted for use in your practice. A signed copy or documentation of the patient’s refusal to sign should be retained in the patient record.

HIPAA RESOURCES

To learn more about HIPAA, visit:

Patient consent form

Although not specifically required by HIPAA, you may also want to consider using a Patient Consent Form in your practice. A consent form specifies methods by which a patient agrees to let your practice use his or her protected information for routine TPO purposes. Should a patient complain that his or her privacy rights have been violated, a consent form may afford you an extra measure of protection if your practice is investigated for HIPAA noncompliance.

FPM article series on HIPAA
This article is part of a series designed to educate and prepare family physicians to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Any practice, hospital or health plan in the United States that electronically transmits patient-identifiable health care information must comply with the HIPAA regulations or face civil and criminal penalties.

Don’t delay

Don’t delay, but don’t panic either. The government realizes that full compliance takes time. Perfection isn’t expected, but a reasonable effort to comply is. You still have about 90 days. Granted, it’s not much time, but it’s enough to get you where you need to go.
SITUATIONS REQUIRING PATIENT AUTHORIZATION

Under the HIPAA privacy rule, your practice must obtain patient authorization to use patients’ protected health information (PHI) for reasons other than routine treatment, payment or health care operations, including:
Copyright © 2002 Gates, Moore & Company. Used by permission.

Note: You should also consult with advisors (e.g., your state or local medical or specialty society, or legal or other counsel) familiar with your state’s privacy laws.

Editor’s note: The forms provided in this article have been adapted from the AAFP’s Health Insurance Portability and Accountability Act (HIPAA) Privacy Manual: A How-To Guide for Your Medical Practice.

What is authorization in privacy rule?
A Privacy Rule Authorization is an individual's signed permission to allow a covered entity to use or disclose the individual's protected health information (PHI) that is described in the Authorization for the purpose(s) and to the recipient(s) stated in the Authorization.

What is authorization consent?
A HIPAA authorization is consent obtained from an individual that permits a covered entity or business associate to use or disclose that individual's protected health information to someone else for a purpose that would otherwise not be permitted by the HIPAA Privacy Rule.

What is the difference between consent and?
Assent or Consent? The primary distinction between these two words is that to assent is to denote agreement with an opinion. If you assent to something, you agree with something that someone has said. To consent is to denote agreement to let something happen.

Which situation would require a written authorization from a patient to disclose the PHI?
Authorization. A covered entity must obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.