When it comes to authorization requirements, physician practices had better mind their p's and q's to avoid running afoul of HIPAA's privacy rules. An authorization allows for uses and disclosures of protected health information unrelated to treatment, payment, or health care operations, and in most cases physician practices cannot condition treatment on receipt of an authorization. While that's simple enough, there are a few occasions when authorizations are required that practices may not be aware of:
And PHI isn't just what we think of as medical records. A photo is identifying information, for example, so if a practice wanted to use a patient's picture in a brochure designed to advertise a new pain management clinic, it would have to get the patient's authorization to use the image or any reference to the patient, says Scott Edelstein with the Los Angeles office of McDermott, Will & Emery.
Violations could result in a claim filed by the patient, and HHS can levy civil monetary penalties as well as criminal sanctions. Monetary penalties are as high as $250,000 and prison terms are as high as 10 years. "So that's why it's very important that providers make sure they can either point to something in the rules that permits them to disclose information, and if they can't, then they need to get the patient's permission to do so," advises Edelstein.
Under the proposed changes to the provision, a valid authorization must contain: a description of the information to be used or disclosed; the identification of the persons or class of persons authorized to make the use or disclosure; the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure; a description of each purpose of the use or disclosure, except in cases where the patient requests the disclosure; an expiration date or event; the individual's signature and date; and, if signed by a personal representative, a description of his or her authority to act for the individual (see HICA, Vol. 2, No. 4, P. 35).
"Ultimately the burden is going to be on the provider to show that they had the necessary permission to transmit the information," he warns. The safer approach is to ensure that the patient is aware that their information is being communicated to another provider.