Should I Decline a HIPAA Authorization Request?

by James Keogh

Whether or not you should decline a HIPAA authorization request is event-specific and can depend on the purpose of the request, the content of the authorization form, and how much information you have been given about who your information will be shared with. If you do not have sufficient information to make an informed decision, you should always decline a HIPAA authorization request.

The HIPAA Privacy Rule stipulates that Protected Health Information (PHI) can only be used or disclosed by covered entities and business associates for required or permitted purposes. All other uses and disclosures of PHI require consent, attestation, or authorization.

  • Consent is usually informal and, in some cases, can be implied. For example, when a spouse accompanies a patient to a hospital appointment, consent for the patient’s PHI to be disclosed to the spouse can be implied.
  • The attestation requirements exist to prevent PHI relating to reproductive health care from being used for a prohibited purpose (see §164.502(a)(5)(iii)). Information about prohibited purposes can be found on HHS’ Model Attestation Form.
  • HIPAA authorizations are required for any other purpose. §164.508 of the Privacy Rule lists the release of psychotherapy notes, the sale of PHI, and marketing as reasons for requiring a HIPAA authorization, but there can be many reasons.

What is the HIPAA Authorization Request For?

When you are presented with a HIPAA authorization request, it is important to understand the purpose of the request. Reasons for requests not covered in §164.508 include research purposes (when PHI is not de-identified), underwriting purposes, and fundraising purposes. It may also be the case that the medical practice is being sold and a HIPAA authorization is necessary before your PHI can be transferred to the new owners.

However, some HIPAA authorization requests can be misleading. In 2019, a Georgia law firm warned customers that an insurance company was requesting full medical histories before paying out insurance claims. The reason for requesting full medical histories – the law firm claimed – was to identify pre-existing conditions that may have been exacerbated in an accident, thus reducing the insurance company’s liability.

What PHI is Being Disclosed? And to Whom?

In addition to the decision whether to sign or decline a HIPAA authorization request being event-specific, it is also important to be aware of what PHI is being disclosed and to whom. For example, if you agree to drug abuse treatment records being released, and the treatment records are exposed in a subsequent data breach, sensitive information may end up in the public domain, sometimes years later.

With regard to PHI released for marketing purposes, it may be important to know how the healthcare organization intends to use the information. PHI disclosed on social media can be forwarded, screenshotted, or copied and pasted, meaning it is likely to remain in the public domain even if the original post is deleted. For this reason, a healthcare organization will be unable to comply with a request to fully revoke a HIPAA authorization.

Can I Make an Informed Decision?

Covered entities may develop their own authorization forms. In addition, some states have privacy laws that preempt HIPAA, and these laws may influence the content of an authorization form. However, certain core elements are required to be in all authorization forms. If any of the following core elements are absent, you may not be able to make an informed decision and you should decline a HIPAA authorization request:

  • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
  • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
  • The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
  • A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description when you initiate the authorization.
  • An expiration date or event that relates to the purpose of the disclosure. The statement “end of the study” or “none” is sufficient if the disclosure is for research purposes.
  • The signature of the individual and date. If the authorization is signed by a personal representative, a description of the representative’s authority to act for the individual must also be provided.

In addition to the required elements, a HIPAA authorization form should contain statements advising you of the right to revoke your authorization and instructions on how to exercise that right. You should also be advised that the information could be redisclosed by the recipient if the recipient is not a covered entity. All of the above information must be provided to you in plain language and, where possible, in your native language.

What Happens If I Decline a HIPAA Authorization Request?

If you decline a HIPAA authorization request, the consequences depend on the purpose of the request. Generally, covered entities are not allowed to condition the provision of treatment, payment, enrollment in a health plan, or your eligibility for benefits on a HIPAA authorization. However, there are a few exceptions. For example, if you request treatment to support a research project, a covered entity can demand a HIPAA authorization before releasing the results of the treatment to the research project.

There are also certain circumstances in which a health plan can condition enrollment or your eligibility for benefits on receipt of a HIPAA authorization form, if the information requested is required for a risk rating determination. In such circumstances, it is advisable not to decline the HIPAA authorization request, but to limit the amount of PHI disclosed to the minimum necessary to achieve the purpose of the authorized disclosure.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]