HIPAA patient authorizations are an important part of running your behavioral health practice. HIPAA regulation sets specific standards for the use and disclosure of patients’ sensitive health care information, all of which stem from receiving the proper authorizations directly from your patients before the start of care.
Under HIPAA regulation, health care professionals have limitations and restrictions on what, how, when, and with whom patient’s protected health information (PHI) may be shared. PHI is defined as any demographic information that can be used to identify a patient. Common examples of PHI include names, addresses, dates of birth, phone numbers, Social Security numbers, insurance ID numbers, medical records, and full facial photos, to name a few.
Over the course of treatment, behavioral health professionals like yourself will often need to share patient PHI, either with other providers, vendors, health plans, or partners. These are considered “uses and disclosures” under HIPAA regulation.
The HIPAA rules outline many standards that dictate the exact processes that must be followed when handling uses and disclosures. However, the rule of thumb to remember is that you cannot freely use and disclose a patient’s PHI without first obtaining express HIPAA patient authorization.
HIPAA patient authorizations should be part of onboarding any new patients or clients, and should be gathered using an appropriate HIPAA patient authorization form.
HIPAA Authorizations for Media, Marketing, and Fundraising
Some of the most important elements of HIPAA patient authorization pertain specifically to instances involving media access, marketing, and fundraising. In these instances, granting access to patient PHI to news media, marketing firms, or PR agencies is strictly forbidden unless you have gathered express authorization for these specific instances. Behavioral health providers cannot simply use the same HIPAA patient authorization form for treatment and payment as they can for media, marketing, and fundraising.
A recent HIPAA fine for nearly $1 million was issued by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for a PHI breach involving filming patients without their express HIPAA authorization. Patients were filmed by a local, Boston-area news crew and claimed that they did not give authorization for this use of PHI.
Keep this Boston HIPAA fine example in mind to avoid rising HIPAA fines and potential HIPAA violations that can occur because of improper patient authorizations!
If you need assistance with HIPAA compliance, consider working with our TBHI affiliate, the HIPAA Compliancy Group. (When you purchase services from them, TBHI will be paid a small commission.) They can help you support your HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. The Guard is built to address the HIPAA regulations, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, you can focus on running your practice while keeping your patients’ data protected and secure.Compliancy Group’s team of expert Compliance Coaches® can also field questions and guide you through the implementation process, taking the stress out of managing compliance. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.