Despite scrapping the consent provisions of the HIPAA privacy rule, the Department of Health and Human Services is vowing to protect patients' rights by cracking down on covered entities that don't toe the line when it comes to authorizations. In comments accompanying the proposed changes to the privacy rule, HHS promises to "strictly enforce" the rule's authorization requirements. But the threat comes with a silver lining as the department has proposed changes that would make compliance with those requirements a little easier. Under the current rule, covered entities must choose between four different authorization forms based on the purpose of the authorization and who is requesting the authorization. If the modification is finalized and experts say it will be covered entities will have just one form for all authorizations.
"It was just a complexity that didn't need to be there," says Robyn Meinhardt of Foley & Lardner. "But now that they've recognized it and removed it it's a very good thing."
Under the proposed changes, all valid authorizations must contain the following elements:
(1) a description of the information to be used or disclosed;
(2) the identification of the persons or class of persons authorized to make the use or disclosure;
(3) the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure;
(4) a description of each purpose of the use or disclosure, expect in cases where the patient requests the disclosure;
(5) an expiration date or event;
(6) the individual's signature and date; and
(7) if signed by a personal representative, a description of his or her authority to act for the individual.