Friday, September 14, 2012

The privacy of health information: consents and authorizations under HIPAA (Health Insurance Portability and Accountability Act of 1996) - Florida Bar Journal

Privacy of health information is an area of growing concern to most Americans. Vast quantities of patient information are now disclosed through a single stroke on the keyboard. The disclosure of such information may result in lost job opportunities and other forms of personal harm. Moreover, the likelihood of injury resulting from such disclosures will increase due to the growing use of genetic profiling. As a result of these concerns, many health care consumers will not disclose even to physicians information which is necessary for proper medical diagnosis and treatment. Medical records may be the most personal information which is recorded about an individual, and yet, until recently, the federal government has done little to ensure the privacy of this data.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, constitutes the first comprehensive federal effort to ensure the security and confidentiality of protected health information. (1) As such, it represents a landmark attempt to enact patient privacy protections. This article analyzes the distinction between consents and authorizations under the recently promulgated regulations implementing HIPAA.

Under HIPAA, Congress legislated measures to improve the efficiency of claims processing through increased use of electronic transmission standards. However, Congress further recognized that increased reliance upon electronic transmission of health information also presents heightened privacy concerns. HIPAA addresses these concerns through its landmark patient privacy protections.

The primary focus of HIPAA pertains to the electronic exchange of health information. However, the implementing regulations are not limited in their applicability to medical records stored in electronic form. Rather, under HIPAA, the 'protected health information' to which the privacy protections apply includes all health information, regardless of the medium on which it is stored. (2) For example, the privacy protections apply to paper medical records as well as to the oral transmission of protected health information.

Initially, it is important to understand that the privacy provisions of HIPAA apply only to 'covered entities.' (3) This term includes health care providers, health plans, and health care clearinghouses. (4) These categories are defined rather broadly, and will include the vast majority of entities involved in the provision of any health care services. Additionally, virtually all health insurance companies and group health plans are covered.

There is one caveat to the scope of this definition: Only entities which transmit health information in electronic form are covered by the privacy protections. (5) However, once a health care provider becomes a covered entity, i.e., transmits or stores any health information in electronic form, then all 'protected health information' which it uses or discloses will be covered under the privacy provisions, regardless of whether it is stored on paper or otherwise. (6) Additionally, HHS has indicated that entities will become covered under the privacy rule when other firms, such as a billing service or a hospital, conduct electronic transactions on their behalf. (7) As electronic payment and claims processing occurs almost universally, most health care providers will as a practical matter fall within the definition of a 'covered entity.'

It must also be recognized that the regulations impose restrictions upon the 'use or disclosure' of protected health information. (8) Therefore, HIPAA prohibitions may be triggered even if there is no disclosure outside of the covered entity. Rather, the mere 'use' of protected health information under certain circumstances may be prohibited. For example, an entity which merely analyzes protected health information engages in a 'use' regulated by HIPAA, even if no disclosure is involved. The HIPAA prohibitions are generally equivalent regardless of whether a 'use' or a 'disclosure' occurs.

Consents under HIPAA

Typically, covered entities must obtain consent for uses or disclosures of protected health information to carry out 'treatment, payment, or health care operations.' (9) Each of these three categories is separately defined by the implementing regulations.

The term 'treatment' is defined to include the provision, coordination, or management of health care by one or more health care providers; or the coordination of health care between health care providers and third parties. (10) This is a rather broad definition. Included within this definition are most uses or disclosures involved in obtaining a patient's medical history, providing treatment, etc.

The term 'health care operations' includes most administrative and business functions in which a covered entity typically engages. Also included within this definition is a variety of quality assessment and improvement activities, including outcome evaluation, protocol development, and training. (11) However, it is imperative to recognize that research activities conducted for the purpose of obtaining generalized knowledge are not included within the scope of health care operations. (12)

Finally, the term 'payment' is broadly defined as most activities that are required both to establish eligibility for payment and to obtain such payment, including all of the steps required to process any payment claims. (13) A provider may engage the services of an outside billing entity under a validly drawn consent. However, such a billing entity will fall within the business associate rules, to which a separate set of requirements applies. (14)

It will be readily observed from the above description that most of the routine day-to-day activities of health care providers are covered within the definition of treatment, payment, or health care operations. Accordingly, health care providers will almost always be required to obtain a validly drawn consent in order to continue their routine activities under HIPAA.

Under HIPAA, the required format for consents is relatively simple. Indeed, it is generally anticipated that consent forms will be broadly drawn to cover the entire range of uses or disclosures for which a consent is effective, i.e. 'treatment, payment, or health care operations.' (15) As such, we may reasonably anticipate that most consents will become relatively boilerplate within a short period of time.

It must be emphasized that the HIPAA consent is conceptually different from the informed consent typically required by most health care providers. The informed consent is intended to provide individuals with a complete understanding of the treatment to be provided so that patients may make conscious and informed decisions on whether to accept such treatment. However, the purpose underlying the HIPAA consent is to obtain an individual's agreement to the use or disclosure of protected health information. It should be noted that a HIPAA consent may be combined with the informed consent for medical treatment. (16) However, if combined, the HIPAA consent must be both visually and organizationally separate from any other consent. (17)

Under HIPAA, an individual may limit the scope of any consent which is provided. For example, a patient may request that a particular health care provider not disclose protected health information to another health care provider, even if such disclosure would otherwise be desirable in treating the patient. (18) Providers will be bound to adhere to any such restrictions if they agree to them. (19) However, a provider may condition its willingness to furnish treatment to an individual upon the latter's agreement to the unrestricted use or disclosure of information for any health care operation, treatment, or payment purpose. (20) Covered entities should generally refrain from agreeing to limitations on HIPAA consents so as to avoid any additional compliance burdens.

It is imperative that covered entities understand the types of uses or disclosures which are permitted by consents. The existence of a lawfully executed consent will in no manner mitigate a covered entity's liability under HIPAA when it is subsequently determined that the use or disclosure was for other than 'treatment, payment, or health care operations.'

Authorizations under HIPAA

With few exceptions, all 'uses or disclosures' for other than 'treatment, payment, or health care operations' will require authorizations. The rules governing authorizations are far more stringent than are applicable to consents. Thus, valid authorizations must contain at least the following:

1) Description of the information to be used or disclosed.

2) Name or other specific identification of the persons authorized to make the disclosure.

3) Names or other identification of the persons who will receive the use or disclosure.

4) An expiration date for the authorization.

5) A statement of the individual's right to revoke the authorization.

6) A statement that information so used or authorized may be subject to redisclosure by the recipient.

7) Signature of the individual and date.

8) If authorization is signed by a personal representative, a description of the representative's authority. (21)

It is apparent from the foregoing that most authorizations will necessarily be tailored to the specific circumstances of each use or disclosure. As such, authorizations, unlike consents, are not subject to being reduced to a boilerplate.

It is critical that covered entities understand the circumstances when an authorization rather than a consent is required. This is particularly true given the obvious distinction in the written formalities required for consents versus authorizations.

As noted above, all uses or disclosures require a specific authorization unless covered by the term 'treatment, payment, or health care operations,' or unless a specific exception applies. Therefore, it is impossible to define the universe of uses or disclosures requiring an authorization. However, as an example, authorizations typically will be required for the use or disclosure of health information for marketing purposes, fundraising, research, etc.

Health care attorneys should generally assume that an authorization is required, unless a specific exception applies. Virtually all health care transactions must now be reviewed in terms of HIPAA compliance. For example, two health care entities engaged in merger negotiations may exchange patient data with each other for the purpose of determining the profitability of the proposed transaction. Such a use would likely not fall within the definition of 'treatment, payment, or health care operations'; nor is there any other exception which would permit the release of such information. Accordingly, a specific authorization under HIPAA will likely be required if such patient data is to be lawfully exchanged.

There are several other aspects to the requirement for a valid authorization that merit further attention. One such area involves the administrative difficulties that may be posed when an individual attempts to revoke a prior authorization. This is particularly true with respect to larger providers who must ensure that the terms of an authorization, or a revocation thereof, are communicated to all of the various components within the organization that may be involved in the use or disclosure of an individual's health information.

The implementing regulations state that an authorization is not valid if it 'is known by the covered entity to have been revoked.' (22) However, the regulations are ambiguous as to whether receipt by one component of the covered entity of notice of revocation will constitute constructive knowledge by all other components.

The preamble to the regulations states as follows:

We note that, although an authorization must be revoked in writing, the covered entity may not always know that an authorization has been revoked. The writing required for an individual to revoke an authorization may not always trigger the knowledge required for a covered entity to consider an authorization defective. (23)

Unfortunately, this language does not inform the reader of what constitutes the required 'knowledge.' Covered entities are best advised to handle this problem by clearly specifying the individual or department within the covered entity to whom such a revocation must be furnished.

Unlike consents, authorizations must also include a specific description of the information to be used or disclosed. (24) An authorization may be specific even if it applies to a very broad category of records. For example, an individual could authorize disclosure of his or her entire medical record. However, an authorization which is in any manner ambiguous probably will not be effective. Thus, an authorization to use or disclose 'medical records' probably will not be valid. In the above example, if an individual intended to authorize the disclosure of all of his or her medical records, the word 'all' should have been used.

Any information disclosed subject to a properly drawn authorization may be rereleased without further restriction. (25) For example, protected health information released to a marketing firm may be rereleased by that firm without any HIPAA-imposed limitation whatsoever. Indeed, the redisclosure of protected health information is not protected under HIPAA, even if the initial disclosure was unlawful. HHS asserts that it lacks authority under HIPAA to regulate the use or disclosure of protected health information by any person or entity other than a provider, health plan, or health care clearinghouse. (26) As the release under the example noted above was to a marketing firm, redisclosure by that firm would not be subject to regulation under HIPAA.

The implementing regulations distinguish between authorizations requested by the individual to whom protected health information applies and authorizations requested by a covered entity. All authorizations must contain the minimum core elements discussed above. However, authorizations requested by a covered entity must additionally contain the following information: 1) a statement that the entity will not condition treatment or payment on receipt of the individual's authorization; 2) a description of the purpose of the requested use or disclosure; 3) a statement that the individual may inspect or copy the information to be used or disclosed and may refuse to sign the authorization; and 4) a statement of any financial gain that will accrue to the entity requesting the authorization as a result of the proposed release. (27)

Moreover, a blanket statement of the purpose to which the requested information is to be used will not be sufficient. For example, a pharmaceutical company seeking to market directly to individuals with specific health conditions may request release of patient data from a health plan. Any authorization sought by the health plan must specifically disclose that the information to be released will be used for marketing purposes by the pharmaceutical company. Further, the health plan must also disclose any remuneration which it will receive from the pharmaceutical company as a result of the release.

Other Distinctions

As noted above, covered entities need not agree to any restrictions on the scope of the consent. Accordingly, a covered entity may refuse to provide a service if an individual insists upon such limitations. However, the rule is quite different with respect to authorizations. Covered entities may not condition their willingness to provide a service based upon the execution of an authorization for the release of protected health information. (28) As an example, a health care entity generally would be prohibited from conditioning treatment upon receipt of an individual's authorization for release of health information to that person's employer.

Covered entities generally should refrain from requesting an authorization when consent would be sufficient. For example, a patient's new physician may need the records of a prior provider in order to furnish treatment. Such a release typically would be permitted by consent, and therefore an authorization would not need to be furnished. However, certain providers may nonetheless insist upon receipt of an individual's authorization to obtain such records. A provider who insists upon an authorization when none is needed will be required to adhere to any restrictive covenants contained in that authorization.

Finally, it must be recognized that the furnishing of an otherwise lawful consent or authorization does not permit the carte blanche use or disclosure of health information. HIPAA requires that covered entities neither use nor disclose more information than is reasonably necessary, even if such use or disclosure is otherwise permissible. (29) Covered entities must ensure that they do not act in an indiscriminate or unreasonable manner in using or disclosing health care information under any circumstance, regardless of whether consent or authorization has been provided.

In conclusion, it is imperative that all covered entities fully appreciate the distinction between consents and authorizations. A thorough understanding of the distinction between these two documents is necessary to avoid liability under HIPAA. The rules governing the required use of consents and authorization are not always obvious. Nonetheless, it is clear that consents will not serve as substitutes for authorizations, nor will authorizations serve as substitutes for consents. Providers who understand these distinctions will avert potentially needless liability under HIPAA's complex regulatory provisions.

(1) Pub. L. No. 104-191, [section] 262 deals with the privacy and security of health information. See generally 42 U.S.C. [section] 1320d et seq. The authority of the Secretary to issue regulations implementing the privacy protections is specified in Pub. L. No. 104-191, [section] 264.

(2) 45 C.F.R. [section] 164.501. The implementing regulations were published in the December 28, 2000 FEDERAL REGISTER, and were effective on February 26, 2001. See 65 Fed. Reg. 82462. However, under the transition provisions, the compliance date for the health information privacy provisions is April 14, 2003. Small health plans must comply with the privacy standards not later than April 14, 2004. See 45 C.F.R. [section] 164.534.

(3) 45 C.F.R. [section] 164.500(a).

(4) 45 C.F.R. [section] 160.103.

(5) 45 C.F.R. [section] 160.103.

(6) The term 'protected health information' specifically applies to information which has never been electronically stored or transmitted. See 45 C.F.R. [section] 164.501.

(7) See Section by Section Description of Rule Provisions, Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82477, December 28, 2000.

(8) See 45 C.F.R. [section] 164.506 (consent for uses or disclosures to carry out treatment, payment, or health care operations); 45 C.F.R. [section] 164.508 (uses and disclosures for which an authorization is required).

(9) 45 C.F.R. [section] 164.506(a).

(10) 45 C.F.R. [section] 164.501.

(11) Id.

(12) Id.

(13) Id.

(14) 45 C.F.R. [section] 164.506(e).

(15) 45 C.F.R. [section] 164.506(a).

(16) 45 C.F.R. [section] 164.506(b)(4).

(17) Id.

(18) 45 C.F.R. [section] 164.506(c)(4).

(19) Id.

(20) 45 C.F.R. [section] 164.506(b)(1).

(21) 45 C.F.R. [section] 164.508(c).

(22) 45 C.F.R. [section] 164.508(b)(2).

(23) 65 Fed. Reg. 82515, December 28, 2000.

(24) 45 C.F.R. [section] 164.508(c).

(25) Id.

(26) 65 Fed. Reg. 82567, December 28, 2000.

(27) 45 C.F.R. [section] 164.508(d).

(28) 45 C.F.R. [section] 164.508(b)(4).

(29) 45 C.F.R. [section] 164.514(d).

Jeffrey A. Lovitky is a member of the District of Columbia, Florida, and Connecticut bars. He is board certified in health law by The Florida Bar, and received an LL.M. degree from George Washington University in government procurement law. He is a sole practitioner in Washington, D.C., where he practices in the areas of health law and government contracts law.

Author's Postscript

On March 27, 2002, the Department of Health and Human Services issued significant proposed revisions to the final privacy rules. The proposed rules are subject to a 30-day public comment period. After evaluation of the comments received in response to the proposed rule, a modification to the privacy regulations likely will be issued. It is impossible at this time to predict the extent to which the proposed rules will be adopted by the department. However, there can be little doubt that the privacy regulations are likely to undergo several major revisions before they are finally implemented.

The consent requirement has been significantly altered under the proposed rules. Pursuant to the department's rule issued on December 28, 2000, providers in most cases are required to obtain an individual's consent prior to the use or disclosure of protected health information for payment, treatment, or health care operations. Many providers believe that such a provision will needlessly complicate the delivery of health care services. Pharmacists particularly were concerned that they would be unable to take prescription orders over the telephone without first obtaining a written consent from the patient. The industry argued that this would result in needless schedule delays and considerable inconvenience to patients.

The proposed rule would essentially eliminate the requirement for mandatory consent. Accordingly, providers could use or disclose protected health information for payment, treatment, or health care operations, even in the absence of a validly executed consent.

While the proposed regulations limit the need for consent, they also tighten requirements with respect to the notice of privacy practices to be issued by providers. Under the proposed rules, providers are required to undertake a good-faith effort to obtain an individual's written acknowledgment of receipt of the provider's notice of privacy practices. Generally, this acknowledgment should be obtained at the time of first service delivery, except in emergency situations.

The proposed modifications also streamline the authorization requirement. Thus, the distinctions between authorizations requested by covered entities, authorizations requested by individuals, and research authorizations are largely eliminated. Moreover, a covered entity would be permitted to condition the furnishing of research-related treatment on the providing of an authorization. Additionally, a covered entity would have to disclose any direct or indirect remuneration from a third party only if the authorization related to marketing purposes.

This brief synopsis is provided to assist the reader in analyzing the impact of the proposed regulations on consents and authorizations. It is strongly recommended that the reader monitor any ongoing regulatory changes on a continual basis. The best source of information on the status of these revisions may be found at the department's Web site at www.hhs.gov/ocr/hipaa.