Do You Want a HIPAA Authorization for Christmas?

"HIPAA Authorization"
Please Share!

Do you have a current HIPPA Authorization?


I get it.

Most of the folks I meet for an initial consultation give me that “thousand-mile stare” when I as whether they have a current HIPPA Authorization.

Note: this blog post is a cursory introduction to a rather complex yet critical body of law to apprehend.

So, what is HIPAA Authorization?

As you may have gleaned from the title, “HIPPA Authorization” triggers my mind’s playlist to play that novelty song commonly heard in November and December each year coinciding with Christmas: “I Want a Hippopotamus for Christmas.

That link takes you to the backstory of the song, but if you want to hear the song, click here.

Yes, I digress, but that is how my mind works.

My apologies.

So, what exactly is HIPAA?

The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients various rights concerning that information.

Legally speaking, 45 CFR §164.508 states the uses and disclosures of PHI that require HIPAA Authorization from a patient/plan member before information can be shared or used.

Also, some organizations are considered “partial” or “hybrid” entities.

A recent HIPAA Journal article entitled “What is HIPAA Authorization? explains that, in some situations, informal consent rather than formal authorization is enough to satisfy the requirement of the HIPAA Privacy Rule.

Execute your HIPAA Authorization before you need it.

What are these circumstances?

They are called “Uses and Disclosures with an Opportunity to Agree or Object” and include inclusion in facility directories and notifications to friends and family (of admission into the hospital).

If you cannot give your HIPAA Authorization, covered entities must wait until you or your legal representative can provide authorization.

When only informal consent is required, covered entities can use their professional judgment to determine whether the use or disclosure of PHI is in your best interests.

Note that the requirements for a HIPAA Authorization are not the same throughout the country.

Nope, the HIPAA Privacy Rule is a “federal floor” for permissible uses and disclosures.

However, some state laws may pre-empt a HIPAA Authorization if they have more stringent regulations.

The clause “covered entities cannot condition treatment, payment, enrollment, or eligibility for benefits” means that a covered entity cannot withhold treatment, payment, enrollment, or eligibility for benefits because a patient or plan member refuses to sign a HIPAA Authorization giving the covered entity additional uses for their PHI, which stands for Protected Health Information (PHI).

A patient or plan member should not be put under any duress to approve the uses and disclosures of PHI, in addition to those permitted by the Privacy Rule.

Furthermore, the law stipulates that there must be written authorization for every use or disclosure of PHI not required or permitted by the Privacy Rule.

The retraction of your HIPAA Authorization also must be written.

However, HIPAA Authorization can be verbal only when consent – rather than HIPAA Authorization – is an option.

You should have both a HIPAA Authorization and an Advance Health Care Directive (i.e., a Health Care Treatment Directive and Durable Power of Attorney for Health Care Decisions).

Consequently, each of your appointed agents will have full access to your medical personnel (doctors, nurses, staff, etc.) and medical records.

This is critical when life and death decisions must be made on your behalf and second opinions secured before making them.

Know your rights and know your options.

Reference: HIPAA Journal (October 9, 2021) “What is HIPAA Authorization?

Get All The Marketing Updates
Recent Posts
Search Our 2,400 Blog Post Archive