Featured Jobs
|
Nova 401(k) Associates
|
|
Internal Channel Sales Team Lead July Business Services
|
|
Automotive Industries Trust Funds
|
|
Daybright Financial
|
|
Attorney - ERISA, Benefits, & PRT Securian Financial Group
|
|
Relationship Manager – Defined Contributions Daybright Financial
|
|
EPIC RPS
|
|
The Pension Source
|
|
Senior Client Service Specialist EPIC RPS
|
|
Regional Sales Director-Heartland July Business Services
|
|
Director, Strategic Accounts and Channel Development July Business Services
|
|
Stones River Consulting
|
|
Regional Sales Director-Mid Atlantic July Business Services
|
|
Pentegra
|
|
Experienced Employee Benefits Attorney Shipman & Goodwin LLP
|
|
Daybright Financial
|
|
Independent Retirement
|
|
Compass
|
|
Independent Retirement
|
|
Mergers & Acquisition Specialist Compass
|
Free Newsletters
“BenefitsLink continues to be the most valuable resource we have at the firm.”
-- An attorney subscriber
|
|
Guest Article
(From the Employer's Guide to HIPAA Privacy Requirements, Thompson Publishing Group)
Authorizations May Cover Broad Categories of PHI Sources and Recipients, HHS Says
Summary: A single HIPAA authorization form may allow multiple entities to use or disclose an individual's protected health information (PHI), according to the U.S. Department of Health and Human Services (HHS). The agency also clarified issues regarding the scope, time period and other aspects of authorizations required by HIPAA's privacy rules. |
A single authorization form for using or disclosing an individual's protected health information (PHI) under HIPAA's privacy rules may cover PHI use, disclosure and receipt by a broad, open-ended set of entities, according to the U.S. Department of Health and Human Services (HHS). The agency also clarified issues regarding the scope, time period and other aspects of the authorization requirements.
"A separate Authorization specifically naming each health care provider from whom [PHI] may be sought is not required," HHS announced Sept. 24 on its "frequently asked questions" (FAQs) Web page. "For example, it would be sufficient if an Authorization authorized disclosures by 'any health plan, physician, health care professional, hospital, clinic, laboratory, pharmacy, medical facility, or other health care provider that has provided payment, treatment or services to me or on my behalf' or if an Authorization authorized disclosures by 'all medical sources.'"
Similarly, an authorization may be broad in its description of the covered entity's personnel to whom PHI may be disclosed, HHS added. For example, it would be permissible to describe the intended recipients simply as "the employees of XYZ division of ABC insurance company," according to the agency.
Authorizations may be prepared by an entity other than the covered entity seeking to use or disclose the PHI, according to a separate FAQ: "The Privacy Rule requires that an Authorization contain certain core elements and statements, but does not specify who may draft an Authorization (i.e., it could be drafted by any entity) or dictate any particular format for an Authorization." Taken together, these two FAQs imply that an employer may draft and issue to employees a single authorization form for release of all of the employee's health records.
However, HHS cautioned against using a statement such as "all protected health information" in an authorization because it may not be specific enough. PHI includes a wider range of information than typically is understood to be in a medical record, and individuals are less likely to understand the breadth of the information that could be defined as PHI.
Other FAQs issued the same day cover authorizations' expiration dates, combination with other instructions and use for subsequently created PHI.
Regarding the requirement that an authorization specify an expiration date or event, HHS clarified that "termination of enrollment in the health plan" would qualify. However, HHS noted that state laws might impose additional limits on the term of the authorization. "The fact that the expiration date on an Authorization may exceed a time period established by State law does not invalidate the Authorization under the Privacy Rule, but a more restrictive State law would control how long the Authorization is effective," HHS explained.
An authorization may be accompanied by other instructions, such as a transmittal or cover letter, but this other material may not expand the authorization's scope of extend its term, according to HHS: "For example, if an individual has authorized the disclosure of 'all medical records' to an insurance company, the insurance company could by cover letter narrow the request to the medical records for the last 12 months."
An authorization also may apply to PHI created after it is signed, HHS added, "provided that the Authorization encompasses the category of information that was later created, and that the Authorization has not expired or been revoked by the individual."
Implications
These FAQs are consistent with earlier comments HHS made regarding an authorization form developed by the Social Security Administration. In general, these new guidelines will make the process of obtaining an authorization much less burdensome for employers. A separate form will not have to be prepared for each item of information in a medical record or for each entity intended to receive the PHI. The FAQs also address several practical questions that occur in trying to obtain an authorization.
Reprinted with permission from the November 2003 newsletter of the Employer's Guide to HIPAA Privacy Requirements, © Thompson Publishing Group, Inc., 2003. All rights reserved.
BenefitsLink is an independent national employee benefits information provider, not formally affiliated with the firms and companies who kindly provide much of the content and advertisements published on this Web site, including the article shown above.