AMC/HIPAA Workgroup
81
Section Two: Consent and Authorization

PRIV.07 Consent requirement § 164.506(a)
HIPAA Requirement
(a) Standard: consent requirement.
(1) Except as provided in paragraph (a)(2) or (a)(3) of this section, a covered
health care provider must obtain the individual's consent, in accordance with this
section, prior to using or disclosing protected health information to carry out
treatment, payment, or health care operations.
(2) A covered health care provider may, without consent, use or disclose
protected health information to carry out treatment, payment, or health care
operations, if:
(i) The covered health care provider has an indirect treatment relationship
with the individual; or
(ii) The covered health care provider created or received the protected health
information in the course of providing health care to an individual who is an
inmate.
(3)(i) A covered health care provider may, without prior consent, use or disclose
protected health information created or received under paragraph (a)(3)(i)(A)-(C)
of this section to carry out treatment, payment, or health care operations:
(A) In emergency treatment situations, if the covered health care provider
attempts to obtain such consent as soon as reasonably practicable after the
delivery of such treatment;
(B) If the covered health care provider is required by law to treat the individual,
and the covered health care provider attempts to obtain such consent but is
unable to obtain such consent; or
(C) If a covered health care provider attempts to obtain such consent from the
individual but is unable to obtain such consent due to substantial barriers to
communicating with the individual, and the covered health care provider
determines, in the exercise of professional judgment, that the individual's consent
to receive treatment is clearly inferred from the circumstances.
(ii) A covered health care provider that fails to obtain such consent in
accordance with paragraph (a)(3)(i) of this section must document its attempt to
obtain consent and the reason why consent was not obtained.
(4) If a covered entity is not required to obtain consent by paragraph (a)(1) of
this section, it may obtain an individual's consent for the covered entity's own use
or disclosure of protected health information to carry out treatment, payment, or
health care operations, provided that such consent meets the requirements of this
section.
(5) Except as provided in paragraph (f)(1) of this section, a consent obtained
by a covered entity under this section is not effective to permit another covered
entity to use or disclose protected health information.
(b) Implementation specifications: general requirements.

(1) A covered health care provider may condition treatment on the provision
by the individual of a consent under this section.
(2) A health plan may condition enrollment in the health plan on the provision
by the individual of a consent under this section sought in conjunction with such
enrollment.
(3) A consent under this section may not be combined in a single document
with the notice required by § 164.520.
(4)(i) A consent for use or disclosure may be combined with other types of written
legal permission from the individual (e.g., an informed consent for treatment or a
consent to assignment of benefits), if the consent under this section:
(A) Is visually and organizationally separate from such other written legal
permission; and
(B) Is separately signed by the individual and dated.
(ii) A consent for use or disclosure may be combined with a research
authorization under § 164.508(f).
(5) An individual may revoke a consent under this section at any time, except
to the extent that the covered entity has taken action in reliance thereon. Such
revocation must be in writing.
(6) A covered entity must document and retain any signed consent under this
section as required by § 164.530(j).
(c) Implementation specifications: content requirements. A consent under
this section must be in plain language and:
(1) Inform the individual that protected health information may be used and
disclosed to carry out treatment, payment, or health care operations;
(2) Refer the individual to the notice required by § 164.520 for a more
complete description of such uses and disclosures and state that the individual
has the right to review the notice prior to signing the consent;
(3) If the covered entity has reserved the right to change its privacy practices
that are described in the notice in accordance with § 164.520(b)(1)(v)(C), state
that the terms of its notice may change and describe how the individual may
obtain a revised notice;
(4) State that:
(i) The individual has the right to request that the covered entity restrict how
protected health information is used or disclosed to carry out treatment, payment,
or health care operations;
(ii) The covered entity is not required to agree to requested restrictions; and
(iii) If the covered entity agrees to a requested restriction, the restriction is
binding on the covered entity;
(5) State that the individual has the right to revoke the consent in writing,
except to the extent that the covered entity has taken action in reliance thereon;
and
(6) Be signed by the individual and dated.
(d) Implementation specifications: defective consents. There is no consent
under this section, if the document submitted has any of the following defects:

(1) The consent lacks an element required by paragraph (c) of this section, as
applicable; or
(2) The consent has been revoked in accordance with paragraph (b)(5) of this
section.
AMC Explanation of HIPAA Regulation
A covered entity must have written consent from an individual before using or disclosing the
individual's protected health information for treatment, payment, and health care operations. It
is worth noting that the way the term "consent" is used in the regulation is different from the way
it has traditionally been used. As traditionally used, "general consent" has meant consent for
treatment, as an agent for collecting funds, and for assignment of benefits. In the regulation,
"consents" are for the use and disclosure of information in the pursuit of providing health care.
Consent under the regulation expands the type of information that can be released.
Key Issues
When and where will consent be secured from individuals?
How can a covered entity make consent information available in each setting where it has
contact with an individual?
How and when will the entity inform individuals of the entity's Privacy Notice as
required under §164.520?
How will a covered entity decide when or whether to agree to an individual's request that
it restrict use and disclosure of protected health information for treatment, payment, or
health care operations?
What is the process for an individual to request restrictions upon use and disclosure of
protected health information, or to change his or her consents for use and disclosure?
If a covered entity does agree to restrictions, how will it track the status of consent related
to any specific protected health information?
What will an entity do if an individual does not consent to use or disclosure of protected
health information? (Refusing to provide treatment or permit enrollment in a health plan
are valid responses to an individual's failure to provide consent.)
What is the duration of a consent?
How can a consent be revoked?
Category I Guidelines-Actions must be taken to address these
Develop a procedure and a consent form to secure written consent for use or disclosure of
protected health information to carry out treatment, payment, and health care operations
when an individual first presents himself or herself to the covered entity.
If protected health information is used or disclosed for treatment, payment, or health care
operations without consent in an emergency, or as required by law, or if consent could
not be obtained because of barriers in communication, attempt to get consent as soon as
possible. If consent cannot be obtained, document the effort to get consent and state the
reason consent was not obtained.
Determine what action the covered entity will take if an individual will not consent to use
or disclosure of protected health information for treatment, payment, or health care
operations.

Identify actions to be taken when an individual revokes his or her consent. (The covered
entity must comply with the revocation, except to the extent that the covered entity has
taken action in reliance upon the original consent.)
Develop a procedure to document and retain an individual's signed consent.
Adopt a standard form for consent requests that contains all necessary elements cited in
§164.506(c), as follows:
is written in plain language;
informs the individual that protected health information may be used and disclosed
for treatment, payment, or health care operations;
informs the individual that the covered entity may change its privacy practices as
described in its privacy notice and tells the individual how to get a revised notice;
states that the individual has a right to request restrictions upon use and disclosure of
protected health information for treatment, payment and health care operations; that
the covered entity does not have to agree to requested restrictions; and that if the
covered entity does agree to restrictions, the restrictions are binding.
Prohibit the use or disclosure of protected health information for marketing, sale, fund
raising, and health plan enrollment decisions, employment determinations, or disclosure
to non-related divisions and employers unless patient authorization is secured under
§164.508/PRIV.10.
Category II Guidelines-Actions should be taken to address these
Consider obtaining consent for use or disclosure of protected health information even
when it is not required.
Consider using a time and date stamp on consent forms to be sure the handling of patient
information was appropriate at the time it was done.
Consider having a single point for disclosure of all information from the covered entity,
even if decisions to use or disclose are made elsewhere.
Instruct the privacy official to work with legal staff to ensure that contracts and business
associate agreements reflect appropriate concern for the privacy and security of patient
information.
Consult with legal counsel about the documentation needed to support use or disclosure
of protected health information when the entity was unable to obtain consent.
Roadblocks
Meeting use and disclosure consent requirements may require major organizational and
educational effort within an AMC. An AMC may need to "prove" after the fact that it did not
inappropriately use or disclose information, which could require a central record keeping system
to track consents for use and disclosure.
Comments
The covered entity should make sure its decision-makers have a clear understanding of the
differences between consent and authorization and the appropriate use of each under the HIPAA
privacy regulations.
See §164.520/PRIV.43, the requirement to have a notice of privacy practices.

PRIV.08 Resolving conflicting consents and authorizations § 164.506(e)
HIPAA Requirement
(e) Standard: resolving conflicting consents and authorizations.
(1) If a covered entity has obtained a consent under this section and receives
any other authorization or written legal permission from the individual for a
disclosure of protected health information to carry out treatment, payment, or
health care operations, the covered entity may disclose such protected health
information only in accordance with the more restrictive consent, authorization,
or other written legal permission from the individual.
(2) A covered entity may attempt to resolve a conflict between consent and an
authorization or other written legal permission from the individual described in
paragraph (e)(1) of this section by:
(i) Obtaining a new consent from the individual under this section for the
disclosure to carry out treatment, payment, or health care operations; or
(ii) Communicating orally or in writing with the individual in order to determine
the individual's preference in resolving the conflict. The covered entity must
document the individual's preference and may only disclose protected health
information in accordance with the individual's preference.
AMC Explanation of HIPAA Regulation
If a covered entity has more than one consent document for an individual, it must adhere to the
most restrictive one. The covered entity should attempt to resolve any differences between
documents providing for differing consent.
Key Issues
Does the covered entity have a procedure for securing consents and agreeing to
revocations so as to minimize consent conflicts and aid in resolving differences?
How will a covered entity know if it has multiple consent documents for use and
disclosure of protected health information for an individual?
How can a covered entity track its consents for individuals?
Who determines whether or not one consent is more restrictive than another?
Category I Guidelines-Actions must be taken to address these
Develop a procedure to determine whether more than one consent for use and disclosure
of protected health information exists for an individual.
If more than one consent exists, determine if any conflicts exist between them, and if
conflicts exist adhere to the most restrictive.
Category II Guidelines-Actions should be taken to address these
Develop a procedure for securing consents that will minimize the number of consents
from any one individual and thus reduce the incidence of conflicts.
Consider developing a single standard consent form for use in all encounters with an
individual, and changing it infrequently.

If a consent conflict exists, contact the individual to clarify his or her preference and
either:
Obtain a new written consent for use and disclosure or other clarification in writing,
indicating that this document supersedes all other consents; or
Communicate with the individual, obtain verbal clarification, and document the
conversation; and
Either way, from this point on, only use or disclose protected health information for
treatment, payment, or health care operations as clarified by this contact.
Roadblocks
Any covered entity with a decentralized system of consents will have problems with this
provision.
Comments
Remember that restrictiveness, not signing date, is the deciding factor between consents. A
covered entity should be careful not to assume that the consent with the most recent date is the
one that it should follow unless the later consent form explicitly supersedes the earlier one.
This problem would be easier to deal with if consent forms were standardized among referring
entities.

PRIV.09 Joint consents § 164.506(f)
HIPAA Requirement
(1) Standard: joint consents. Covered entities that participate in an
organized health care arrangement and that have a joint notice under § 164.520(d)
may comply with this section by a joint consent.
Implementation specifications: requirements for joint consents.
(i) A joint consent must:
(A) Include the name or other specific identification of the covered entities, or
classes of covered entities, to which the joint consent applies; and
(B) Meet the requirements of this section, except that the statements required by
this section may be altered to reflect the fact that the consent covers more than
one covered entity.
(ii) If an individual revokes a joint consent, the covered entity that receives the
revocation must inform the other entities covered by the joint consent of the
revocation as soon as practicable.
AMC Explanation of HIPAA Regulation
Separate covered entities that have formally agreed to participate in an organized health care
arrangement may use a joint consent form covering all of the entities to obtain consent to use and
disclose protected health information for the purposes of treatment, payment, and health care
operations.
Key Issues
Who will determine whether the consent form conforms to the requirements of this
standard?
How will a reliable process be established to notify each of the entities in the joint
arrangement of a revoked consent?
How will a reliable process be established for each covered entity to act in accordance
with the revoked consent?
Category I Guidelines-Actions must be taken to address these
Determine if the covered entity is eligible to, or wants to, participate in a joint consent with
others. If so:
Create a joint consent form that meets the requirements of this standard:
Include on the joint consent form the individual names of each organization in the
joint organization;
Include the other requirements of consent forms as specified in § 164.506(a).
Establish a process for revocation of consent.
Establish a process to notify each covered entity in the joint arrangement of revoked
consents.
Develop and use a joint notice of privacy practices.

Category II Guidelines-Actions should be taken to address these
Establish a process to recognize which individuals have no consent or have revoked
consent for the use or disclosure of their protected health information for the purpose of
treatment, payment, or health care operations.
Establish a procedure that protects the protected health information of individuals with a
revoked consent from use or disclosure.
Roadblocks
Tracking joint consents and revocations with multiple systems in different entities will be a
difficult task.
Comments
Reference § 164.506(a)/PRIV.07 and the section on notice of privacy practices
§ 164.520(a)/PRIV.43.
It is not certain whether the existence of a more restrictive consent form for one of the entities
would affect the responsibilities of other entities in the joint arrangement.

PRIV.10 Authorizations for uses and disclosures § 164.508(a)
HIPAA Requirement
(a) Standard: authorizations for uses and disclosures.
(1) Authorization required: general rule. Except as otherwise permitted or
required by this subchapter, a covered entity may not use or disclose protected
health information without an authorization that is valid under this section. When
a covered entity obtains or receives a valid authorization for its use or disclosure
of protected health information, such use or disclosure must be consistent with
such authorization.
(2) Authorization required: psychotherapy notes. Notwithstanding any other
provision of this subpart, other than transition provisions provided for in § 164.532,
a covered entity must obtain an authorization for any use or disclosure
of psychotherapy notes, except:
(i) To carry out the following treatment, payment, or health care operations,
consistent with consent requirements in § 164.506:
(A) Use by originator of the psychotherapy notes for treatment;
(B) Use or disclosure by the covered entity in training programs in which
students, trainees, or practitioners in mental health learn under supervision to
practice or improve their skills in group, joint, family, or individual counseling;
or
(C) Use or disclosure by the covered entity to defend a legal action or other
proceeding brought by the individual; and
(ii) A use or disclosure that is required by § 164.502(a)(2)(ii) or permitted by
§ 164.512(a); § 164.512(d) with respect to the oversight of the originator of the
psychotherapy notes; § 164.512(g)(1); or § 164.512(j)(1)(i).
(b) Implementation specifications: general requirements.
(1) Valid authorizations.
(i) A valid authorization is a document that contains the elements listed in
paragraph (c) and, as applicable, paragraph (d), (e), or (f) of this section.
(ii) A valid authorization may contain elements or information in addition to the
elements required by this section, provided that such additional elements or
information are not inconsistent with the elements required by this section.
(2) Defective authorizations. An authorization is not valid, if the document
submitted has any of the following defects:
(i) The expiration date has passed or the expiration event is known by the covered
entity to have occurred;
(ii) The authorization has not been filled out completely, with respect to an
element described by paragraph (c), (d), (e), or (f) of this section, if applicable;
(iii) The authorization is known by the covered entity to have been revoked;
(iv) The authorization lacks an element required by paragraph (c), (d), (e), or (f)
of this section, if applicable;
(v) The authorization violates paragraph (b)(3) of this section, if applicable;
(vi) Any material information in the authorization is known by the covered entity
to be false.

(3) Compound authorizations. An authorization for use or disclosure of
protected health information may not be combined with any other document to
create a compound authorization, except as follows:
(i) An authorization for the use or disclosure of protected health information
created for research that includes treatment of the individual may be combined as
permitted by § 164.506(b)(4)(ii) or paragraph (f) of this section;
(ii) An authorization for a use or disclosure of psychotherapy notes may only
be combined with another authorization for a use or disclosure of psychotherapy
notes;
(iii) An authorization under this section, other than an authorization for a use
or disclosure of psychotherapy notes may be combined with any other such
authorization under this section, except when a covered entity has conditioned the
provision of treatment, payment, enrollment in the health plan, or eligibility for
benefits under paragraph (b)(4) of this section on the provision of one of the
authorizations.
(4) Prohibition on conditioning of authorizations. A covered entity may not
condition the provision to an individual of treatment, payment, enrollment in the
health plan, or eligibility for benefits on the provision of an authorization, except:
(i) A covered health care provider may condition the provision of research-related
treatment on provision of an authorization under paragraph (f) of this section;
(ii) A health plan may condition enrollment in the health plan or eligibility for
benefits on provision of an authorization requested by the health plan prior to an
individual's enrollment in the health plan, if:
(A) The authorization sought is for the health plan's eligibility or enrollment
determinations relating to the individual or for its underwriting or risk rating
determinations; and
(B) The authorization is not for a use or disclosure of psychotherapy notes under
paragraph (a)(2) of this section;
(iii) A health plan may condition payment of a claim for specified benefits on
provision of an authorization under paragraph (e) of this section, if:
(A) The disclosure is necessary to determine payment of such claim; and
(B) The authorization is not for a use or disclosure of psychotherapy notes under
paragraph (a)(2) of this section; and
(iv) A covered entity may condition the provision of health care that is solely for
the purpose of creating protected health information for disclosure to a third
party on provision of an authorization for the disclosure of the protected health
information to such third party.
(5) Revocation of authorizations. An individual may revoke an authorization
provided under this section at any time, provided that the revocation is in writing,
except to the extent that:
(i) The covered entity has taken action in reliance thereon; or
(ii) If the authorization was obtained as a condition of obtaining insurance
coverage, other law provides the insurer with the right to contest a claim under
the policy.

(6) Documentation. A covered entity must document and retain any signed
authorization under this section as required by § 164.530(j).
(c) Implementation specifications: core elements and requirements.
(1) Core elements. A valid authorization under this section must contain at
least the following elements:
(i) A description of the information to be used or disclosed that identifies the
information in a specific and meaningful fashion;
(ii) The name or other specific identification of the person(s), or class of persons,
authorized to make the requested use or disclosure;
(iii) The name or other specific identification of the person(s), or class of persons,
to whom the covered entity may make the requested use or disclosure;
(iv) An expiration date or an expiration event that relates to the individual or the
purpose of the use or disclosure;
(v) A statement of the individual's right to revoke the authorization in writing and
the exceptions to the right to revoke, together with a description of how the
individual may revoke the authorization;
(vi) A statement that information used or disclosed pursuant to the authorization
may be subject to redisclosure by the recipient and no longer be protected by this
rule;
(vii) Signature of the individual and date; and
(viii) If the authorization is signed by a personal representative of the individual,
a description of such representative's authority to act for the individual.
(2) Plain language requirement. The authorization must be written in plain
language.
(d) Implementation specifications: authorizations requested by a covered
entity for its own uses and disclosures. If an authorization is requested by a
covered entity for its own use or disclosure of protected health information that it
maintains, the covered entity must comply with the following requirements.
(1) Required elements. The authorization for the uses or disclosures
described in this paragraph must, in addition to meeting the requirements of
paragraph (c) of this section, contain the following elements:
(i) For any authorization to which the prohibition on conditioning in paragraph
(b)(4) of this section applies, a statement that the covered entity will not condition
treatment, payment, enrollment in the health plan, or eligibility for benefits on the
individual's providing authorization for the requested use or disclosure;
(ii) A description of each purpose of the requested use or disclosure;
(iii) A statement that the individual may:
(A) Inspect or copy the protected health information to be used or disclosed as
provided in § 164.524; and
(B) Refuse to sign the authorization; and
(iv) If use or disclosure of the requested information will result in direct or
indirect remuneration to the covered entity from a third party, a statement that
such remuneration will result.
(2) Copy to the individual. A covered entity must provide the individual with
a copy of the signed authorization.

(e) Implementation specifications: authorizations requested by a covered
entity for disclosures by others. If an authorization is requested by a covered
entity for another covered entity to disclose protected health information to the
covered entity requesting the authorization to carry out treatment, payment, or
health care operations, the covered entity requesting the authorization must
comply with the following requirements.
(1) Required elements. The authorization for the disclosures described in this
paragraph must, in addition to meeting the requirements of paragraph (c) of this
section, contain the following elements:
(i) A description of each purpose of the requested disclosure;
(ii) Except for an authorization on which payment may be conditioned under
paragraph (b)(4)(iii) of this section, a statement that the covered entity will not
condition treatment, payment, enrollment in the health plan, or eligibility for
benefits on the individual's providing authorization for the requested use or
disclosure; and
(iii) A statement that the individual may refuse to sign the authorization.
(2) Copy to the individual. A covered entity must provide the individual with
a copy of the signed authorization.
(f) Implementation specifications: authorizations for uses and disclosures of
protected health information created for research that includes treatment of the
individual.
(1) Required elements. Except as otherwise permitted by § 164.512(i), a
covered entity that creates protected health information for the purpose, in whole
or in part, of research that includes treatment of individuals must obtain an
authorization for the use or disclosure of such information. Such authorization
must:
(i) For uses and disclosures not otherwise permitted or required under this
subpart, meet the requirements of paragraphs (c) and (d) of this section; and
(ii) Contain:
(A) A description of the extent to which such protected health information will be
used or disclosed to carry out treatment, payment, or health care operations;
(B) A description of any protected health information that will not be used or
disclosed for purposes permitted in accordance with §§ 164.510 and 164.512,
provided that the covered entity may not include a limitation affecting its right to
make a use or disclosure that is required by law or permitted by § 164.512(j)(1)(i); and
(C) If the covered entity has obtained or intends to obtain the individual's consent
under § 164.506, or has provided or intends to provide the individual with a
notice under § 164.520, the authorization must refer to that consent or notice, as
applicable, and state that the statements made pursuant to this section are
binding.
(2) Optional procedure. An authorization under this paragraph may be in the
same document as:
(i) A consent to participate in the research;
(ii) A consent to use or disclose protected health information to carry out
treatment, payment, or health care operations under § 164.506; or

(iii) A notice of privacy practices under § 164.520.
AMC Explanation of HIPAA Regulation
Although this section is lengthy, the gist of the HIPAA requirement is that a covered entity must
have written authorization from an individual before using or disclosing the patient's protected
health information and that the individual has the right to revoke that authorization.
The usual exceptions of treatment, payment, and health care operations do not require
authorization (but do require consent; see § 164.506). Neither is authorization required for uses
and disclosures under §§ 164.510 and 164.522, for public health and health oversight, certain law
enforcement requirements, to medical examiners, and required disclosure to the Secretary, and
§§ 164.514(e) and 164.514(f) for marketing and fundraising. In AMCs, typical examples of
uses that would require authorizations are research without an IRB waiver and special marketing
or press events featuring patients.
Key Issues
How will a covered entity track the status of an authorization related to any specific
patient information?
How will a covered entity determine expiration dates (or events) for an authorization?
Category I Guidelines-Actions must be taken to address these
Develop a clearly written and complete statement covering use and disclosure practices
for the covered entity, and publish it in the privacy notice.
Develop policies to document and retain any signed authorization.
Ensure that policies are in place and are followed for authorizations for use and
disclosure of protected health information for psychotherapy notes, for compound
authorizations, and for treatment related to research.
Adopt appropriate forms for use and disclosure authorizations that contain each of the
core elements cited in the regulation, as follows:
describes the information to be used or disclosed;
identifies the person authorized to make the requested use or disclosure;
identifies the person to whom the covered entity may make the requested use or
disclosure;
includes an expiration date or an event that triggers expiration;
states that the individual has a right to revoke the authorization, with exceptions
identified, and describes how revocation may be done;
includes the individual's signature and the date;
if signed by a personal representative, includes a description of the representative's
authority;
is written in plain language.
Develop policies to ensure that the individual is given a copy of each signed authorization
requested by a covered entity for its own use and disclosure or for disclosures requested
by others.

Prohibit use or disclosure of protected health information for sale, health plan enrollment
decisions, and employment determinations, and prohibit disclosure to non-related
divisions and employers unless appropriate patient authorization has been secured.
Category II Guidelines-Actions should be taken to address these
Consider having a single point for disclosure of all information from the covered entity,
even if decisions to use or disclose are made elsewhere.
Have the privacy official work with legal staff to ensure that the covered entity's
contracts and business partner agreements reflect appropriate concern for the privacy and
security of patient information.
Develop clearly understood use and disclosure guidelines for development and marketing
functions.
Consider defining a set of reasonably broad authorizations and developing the ability to
track what the user has authorized.
Roadblocks
An AMC will likely need a central record keeping system to track authorizations for use and
disclosure for the clinical enterprise, and to retain them in case they are needed in order to prove
it did not inappropriately disclose information. The IRB may need additional resources to
manage the authorizations for protected health information created for research.
Comments
An AMC should carefully consider how to incorporate HIPAA requirements into existing
research efforts and not assume that all research use and disclosure will be covered by IRB
requirements. The HIPAA requirements do add to the activities of the IRB for review of
informed consent, particularly in the core elements (c)(iii), (vi), and (viii). Current IRB
regulations allow for "verbal" informed consent in limited situations; verbal consent is not
adequate under the HIPAA privacy regulations. A standard IRB informed consent can be used
for the authorization for research provided that the additional elements required by HIPAA are
included. Consider how these requirements might affect research that is unrelated to treatment,
and how these requirements could be incorporated into clinical trials.
An AMC might need a time and date stamp on permissions and revocations to ensure that it can
document that its handling of patient information was appropriate at the time it was done.

PRIV.11
Right of an individual to request restriction of uses and disclosures
§ 164.522(a)(1)
HIPAA Requirement
Standard: right of an individual to request restriction of uses and disclosures.
(i) A covered entity must permit an individual to request that the covered entity
restrict:
(A) Uses or disclosures of protected health information about the individual to
carry out treatment, payment, or health care operations; and
(B) Disclosures permitted under § 164.510(b).
(ii) A covered entity is not required to agree to a restriction.
(iii) A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this
section may not use or disclose protected health information in violation of such
restriction, except that, if the individual who requested the restriction is in need of
emergency treatment and the restricted protected health information is needed to
provide the emergency treatment, the covered entity may use the restricted
protected health information, or may disclose such information to a health care
provider, to provide such treatment to the individual.
(iv) If restricted protected health information is disclosed to a health care
provider for emergency treatment under paragraph (a)(1)(iii) of this section, the
covered entity must request that such health care provider not further use or
disclose the information.
(v) A restriction agreed to by a covered entity under paragraph (a) of this section,
is not effective under this subpart to prevent uses or disclosures permitted or
required under §§ 164.502(a)(2)(i), 164.510(a) or 164.512.
(2) Implementation specifications: terminating a restriction. A covered entity
may terminate its agreement to a restriction, if:
(i) The individual agrees to or requests the termination in writing;
(ii) The individual orally agrees to the termination and the oral agreement is
documented; or
(iii) The covered entity informs the individual that it is terminating its agreement
to a restriction, except that such termination is only effective with respect to
protected health information created or received after it has so informed the
individual.
(3) Implementation specification: documentation. A covered entity that agrees to
a restriction must document the restriction in accordance with § 164.530(j).
AMC Explanation of HIPAA Regulation
A covered entity must have a process to accept and respond to a patient's request for restrictions
on uses and disclosures of his or her protected health information for treatment, payment, or
health care operations. A covered entity is not, however, required to accede to such requests.
Key Issues
Within the covered entity, who makes the decision about handling patient restriction
requests?

Should covered entities attempt to comply with "reasonable" patient restriction requests
or should they deny all requests?
Who will be responsible for communicating restrictions on protected health information
disclosed to providers for emergency care?
Who will be responsible for implementing procedures that comply with this standard
when the covered entity decides to terminate a restriction?
Category I Guidelines-Actions must be taken to address these
Establish a policy to allow or deny restrictions.
Establish procedures for patients to request restrictions.
Document any agreed-to restrictions.
Establish a process to ensure communication of and compliance with any agreed-to
restrictions.
Notify others to whom restricted information is released of such restrictions.
Establish a process to notify providers to whom protected health information has been
disclosed for emergency care of any restrictions on use or disclosure that apply.
Establish procedures for documenting and terminating a restriction for each of the
following circumstances:
When an individual requests a termination in writing;
When an individual orally agrees to the termination;
When the covered entity informs the individual that it is terminating its agreement to
a restriction.
Category II Guidelines-Actions should be taken to address these
Develop an integrated audit function to track protected health information covered by
restriction requests.
Develop consistent policies regarding the application of restrictions for any provider
agreeing to restrictions.
Maintain a comprehensive record of any agreed-to restrictions.
Identify any agreed-to restrictions within each affected patient's record.
Roadblocks
AMCs may not currently have the technology or the administrative processes to comply with a
wide range of restriction requests. Without fully integrated computer systems, complying with
access restriction requests will be extremely difficult. A decentralized administrative or
computer structure will make complying with access restriction requests even more difficult.
Comments
An AMC may want to consider notifying patients of the known exceptions to restrictions. A
health care provider cannot agree to restrictions on disclosures that are required by the HIPAA
regulations or other laws. (See §§ 164.502(a)(2)(i), 164.510(a) or 164.512.)
An AMC may also want to consider if denying patient restriction requests will ultimately have a
negative impact on the provider. (Is this ultimately a business decision or a health care
decision?)

PRIV.12
Effect of prior consents and authorizations
§ 164.532(a)
HIPAA Requirement
Standard: effect of prior consents and authorizations. Notwithstanding other
sections of this subpart, a covered entity may continue to use or disclose protected
health information pursuant to a consent, authorization, or other express legal
permission obtained from an individual permitting the use or disclosure of
protected health information that does not comply with §§ 164.506 or 164.508 of
this subpart consistent with paragraph (b) of this section.
(b) Implementation specification: requirements for retaining effectiveness of prior
consents and authorizations. Notwithstanding other sections of this subpart, the
following provisions apply to use or disclosure by a covered entity of protected health
information pursuant to a consent, authorization, or other express legal
permission obtained from an individual permitting the use or disclosure of
protected health information, if the consent, authorization, or other express legal
permission was obtained from an individual before the applicable compliance
date of this subpart and does not comply with §§ 164.506 or 164.508 of this
subpart.
(1) If the consent, authorization, or other express legal permission obtained from
an individual permits a use or disclosure for purposes of carrying out treatment,
payment, or health care operations, the covered entity may, with respect to
protected health information that it created or received before the applicable
compliance date of this subpart and to which the consent, authorization, or other
express legal permission obtained from an individual applies, use or disclose such
information for purposes of carrying out treatment, payment, or health care
operations, provided that:
(i) The covered entity does not make any use or disclosure that is expressly
excluded from the consent, authorization, or other express legal permission
obtained from an individual; and
(ii) The covered entity complies with all limitations placed by the consent,
authorization, or other express legal permission obtained from an individual.
(2) If the consent, authorization, or other express legal permission obtained from
an individual specifically permits a use or disclosure for a purpose other than to
carry out treatment, payment, or health care operations, the covered entity may,
with respect to protected health information that it created or received before the
applicable compliance date of this subpart and to which the consent,
authorization, or other express legal permission obtained from an individual
applies, make such use or disclosure, provided that:
(i) The covered entity does not make any use or disclosure that is expressly
excluded from the consent, authorization, or other express legal permission
obtained from an individual; and
(ii) The covered entity complies with all limitations placed by the consent,
authorization, or other express legal permission obtained from an individual.

(3) In the case of a consent, authorization, or other express legal permission
obtained from an individual that identifies a specific research project that
includes treatment of individuals:
(i) If the consent, authorization, or other express legal permission obtained from
an individual specifically permits a use or disclosure for purposes of the project,
the covered entity may, with respect to protected health information that it
created or received either before or after the applicable compliance date of this
subpart and to which the consent or authorization applies, make such use or
disclosure for purposes of that project, provided that the covered entity complies
with all limitations placed by the consent, authorization, or other express legal
permission obtained from an individual.
(ii) If the consent, authorization, or other express legal permission obtained from
an individual is a general consent to participate in the project, and a covered
entity is conducting or participating in the research, such covered entity may,
with respect to protected health information that it created or received as part of
the project before or after the applicable compliance date of this subpart, make a
use or disclosure for purposes of that project, provided that the covered entity
complies with all limitations placed by the consent, authorization, or other
express legal permission obtained from an individual.
(4) If, after the applicable compliance date of this subpart, a covered entity
agrees to a restriction requested by an individual under § 164.522(a), a
subsequent use or disclosure of protected health information that is subject to the
restriction based on a consent, authorization, or other express legal permission
obtained from an individual as given effect by paragraph (b) of this section, must
comply with such restriction.
AMC Explanation of HIPAA Regulation
Covered entities may continue to use prior consents, authorizations, and legal permissions for
use and disclosure of protected health information created prior to the HIPAA compliance date
for treatment, payment, health care operations, and other purposes. If the prior consent or
authorization is in regard to a research project, the covered entity may use or disclose protected
health information received or created either before or after the HIPAA compliance date for that
purpose.
Key Issues
How will a covered entity identify and track prior consents and authorizations for
protected health information?
How can a covered entity be sure of the date any specific protected health information
was created or received?
Category I Guidelines-Actions must be taken to address these
Decide whether or not to treat protected health information created or received before the
HIPAA compliance date with a different set of privacy consents and authorizations from
protected health information created or received after the HIPAA compliance date.

If protected health information will be handled in different ways depending on the date it
was created or received, clearly identify the protected health information that existed
before the HIPAA compliance date.
Verify that uses and disclosures of protected health information are in accordance with
the consent, authorization, or other documented wishes of the individual that were
effective at the time the protected health information was created or received.
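The PRIV.10 comment on date-stamping permissions and revocations and the PRIV.12 guideline above both come down to answering one question after the fact: was a given use or disclosure covered by a permission that was effective when it happened? The following added example (not part of the Workgroup's guidelines) sketches a central permission record that answers it in Python; the compliance date, the purpose labels and the research project name are constructed placeholders, not values from the regulation.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional

# Constructed sample compliance date; substitute the entity's applicable one.
COMPLIANCE_DATE = date(2003, 4, 14)

@dataclass(frozen=True)
class Permission:
    """A consent, authorization or other express legal permission on file."""
    patient_id: str
    purpose: str                       # "tpo", "research" or "other" (constructed labels)
    signed_on: date                    # date beside the individual's signature
    hipaa_compliant: bool              # carries the core elements listed under PRIV.10
    expires_on: Optional[date] = None  # None when expiration is tied to an event
    revoked_on: Optional[date] = None  # stamped when a revocation is received
    research_project: Optional[str] = None  # set when a specific project is identified

@dataclass(frozen=True)
class Disclosure:
    """One logged use or disclosure, stamped with the date it happened."""
    patient_id: str
    purpose: str
    disclosed_on: date
    phi_created_on: date               # creation/receipt date of the PHI used

def revoke(perm: Permission, on: date) -> Permission:
    """Stamp a revocation; the original signed record is kept unchanged."""
    return replace(perm, revoked_on=on)

def permits(perm: Permission, d: Disclosure,
            compliance_date: date = COMPLIANCE_DATE) -> bool:
    """Did `perm` cover `d` at the time `d` took place?"""
    if perm.patient_id != d.patient_id or perm.purpose != d.purpose:
        return False
    if d.disclosed_on < perm.signed_on:
        return False                   # not yet signed
    if perm.revoked_on is not None and d.disclosed_on >= perm.revoked_on:
        return False                   # revoked before the disclosure
    if perm.expires_on is not None and d.disclosed_on > perm.expires_on:
        return False                   # past the stated expiration date
    if perm.signed_on >= compliance_date:
        return perm.hipaa_compliant    # obtained after the date: must comply
    if perm.hipaa_compliant:
        return True
    # Prior permission lacking the core elements: § 164.532(b) limits its reach.
    if perm.purpose == "research" and perm.research_project:
        return True                    # (b)(3): PHI from before or after the date
    return d.phi_created_on < compliance_date  # (b)(1)/(2): pre-compliance PHI only

def unsupported(perms: List[Permission], log: List[Disclosure]) -> List[Disclosure]:
    """Replay the disclosure log; return entries no permission covered."""
    return [d for d in log if not any(permits(p, d) for p in perms)]
```

Because `revoke` returns a new record instead of overwriting the old one, the record still shows that a disclosure made before the revocation date was covered when it happened.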
Category II Guidelines-Actions should be taken to address these
Consider using HIPAA standards for all uses and disclosures of protected health
information, whether it was created before or after the HIPAA compliance date, once the
HIPAA regulations are in effect.
Roadblocks
Keeping track of differing consents and authorizations for use and/or disclosure of protected
health information will be difficult, as it will require the covered entity to treat protected health
information with different standards depending upon its date of creation or receipt.
Comments
None.