Health Information Compliance Alert

Authorizaitions:

5 AUTHORIZATION PERILS FOR PHYSICIAN PRACTICES

When it comes to authorization requirements, physician practices had better mind their p's and q's to avoid running afoul of HIPAA's privacy rules.

An authorization allows for uses and disclosures of protected health information unrelated to treatment, payment, or health care operations, and in most cases physician practices cannot condition treatment on receipt of an authorization. While that's simple enough, there are a few occasions when authorizations are required that practices may not be aware of:

  • Patient mailing lists. Health care companies typically want to get their hands on patient mailing lists to direct their marketing ventures. But doctors would need to obtain an authorization prior to using or disclosing PHI if, for example, an obstetrician wished to sell a patient mailing list to a diaper company or to a pharmaceutical company.

    And PHI isn't just what we think of as medical records. A photo is identifying information, for example, so if a practice wanted to use a patient's picture in a brochure designed to advertise a new pain management clinic, they would have to get the patient's authorization to use the image or any reference to the patient, says Scott Edelstein with the Los Angeles office of McDermott, Will & Emery.

  • Disclosure to an employer. If an employer wished to obtain PHI in order to make an employment decision, an authorization is required.

  • Disclosures regarding insurance. If a patient is applying for life insurance and the insurance company seeks PHI to determine eligibility for an insurance policy, the insurer must first obtain an authorization prior to using or disclosing the PHI.

  • Disclosures to other medical groups. Practices should consider requiring an authorization for the release of PHI outside the practice, even when it's not required under the privacy rule, urges Edelstein. For purposes involving treatment, even though the rules don't require the practice to do so, it's a good idea to get one.

    "Ultimately the burden is going to be on the provider to show that they had the necessary permission to transmit the information," he warns. The safer approach is to ensure that the patient is aware that their information is being communicated to another provider.

  • Keep track of expiration dates. Authorizations are only good for as long as has been specified in the form. After that period they are no longer effective in any uses or disclosures of PHI, and using an expired form would render you in violation of the privacy rules.

    Violations could result in a claim filed by the patient, and the HHS can levy civil monetary penalties as well as criminal sanctions. Monetary penalties are as high as $250,000 and prison terms are as high as 10 years. "So that's why it's very important that providers make sure they can either point to something in the rules that permits them to disclose information, and if they can't, then they need to get the patient's permission to do so," advises Edelstein.

    Under the proposed changes to the provision, a valid authorization must contain: a description of the information to be used or disclosed; the identification of the persons or class of persons authorized to make the use or disclosure; the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure; a description of each purpose of the use or disclosure, except in cases where the patient requests the disclosure; an expiration date or event; the individual's signature and date; and, if signed by a personal representative, a description of his or her authority to act for the individual (see HICA, Vol. 2, No. 4, P. 35).

  • Other Articles in this issue of

    Health Information Compliance Alert

    View All