Definition

HIPAA Waiver of Authorisation

  • Updated on

What is the HIPAA Waiver of Authorisation?

It is a type of legal instrument that permits the use or sharing an individual's personal health information with third parties. The waiver is an element of the HIPAA (Health Insurance Portability and Accountability) Act of 1996, which specifies the number of patient-privacy safeguards. Furthermore, it permits healthcare professionals to share information about a patient's health with any other parties.

Who can be included in this third-party list to receive personal information about the patient's health? Family members, researchers, other doctors, or attorneys could be the third party. It had become required because, in the digital era, healthcare secrecy has become more crucial; it is significantly easier for doctors to communicate information about a patient's health over the internet than it was when documents needed to be faxed.

Furthermore, under HIPAA, PHI, or protected health information, is details regarding a patient's health. PHI is information on a specific individual possessed by a covered entity, like a healthcare clearinghouse, a healthcare provider, or a health insurer. HIPAA specifies 18 identifiers that, when linked to medical data, produce PHI. HIPAA regulations permit researchers to obtain authorisation for accessing and using PHI when doing research.

Since April 14, 2003, the HIPAA Privacy Rule has been in effect. It specifies criteria for the allowed disclosures and uses of a person's medical data, such as who can see the data and what situations PHI can be disclosed.

HIPAA authorisation is a health plan member or patient's consent that authorises a business associate or a covered entity to disclose or use PHI to the entity/individual for a purpose that the HIPAA Privacy Rule would prohibit. Such use or disclosure of PHI would be illegal without HIPAA authorisation, resulting in severe financial fines and possibly even criminal charges.

Here are the examples of studies involving the use of PHI include:

  • Studies that include evaluating current medical records, such as retrospective chart reviews or other studies that require data abstraction from the subject's health record for research.
  • Studies in which new medical data is established due to a healthcare service provided as part of the research. Most studies that diagnose a health issue or include new medications or technologies, for instance, generate PHI that will be recorded into a patient's medical record.

In addition, three criteria for the use of PHI must be met for a HIPAA waiver to be approved for research purposes:

  • The disclosure of health information must provide a low danger to the disclosing party's privacy.
  • Researchers must ensure that study work should not be conducted without the essential data.
  • Without the waiver, the research could not be carried out.
Highlights
  • HIPAA Waiver of Authorisation is a legal instrument that permits the use or sharing of an individual's personal health information with third parties.
  • PHI is information on a specific individual possessed by a covered entity, like a healthcare clearing house, a healthcare provider, or a health insurer.
  • HIPAA permits healthcare professionals to share information about a patient's health with any other parties.

Frequently Asked Questions (FAQs)

When is it essential to obtain HIPAA authorisation?

Source: © Designer491 | Megapixl.com

HIPAA regulations specify the disclosures and uses of PHI, and they need written authorisation from a patient or a plan member before their PHI could be shared or even used.

Forms of HIPAA authorisation is needed prior to:

  • The covered entity would be allowed to disclose or utilise PHI in ways that the HIPAA Privacy Rule does not allow.
  • For marketing reasons, the covered entity may disclose or utilise PHI. If a third party provides indirect or direct remuneration to the covered entity as part of the marketing message, the authorisation must declare this in this case.

Prior marketing authorisation, on the other hand, is not needed when:

  • The individual and the covered entity communicate face to face.
  • When the communication necessitates a small promotional gift.

Source: © Sherryyates | Megapixl.com

What data should a HIPAA authorisation include to be valid?

A legitimate HIPAA authorisation form must have some key elements, according to the rules. The following is a list of these key elements:

  • A description of the information that will be disclosed or utilised.
  • The name or other identifying data of the person (s) or group of people permitted to make the proposed disclosure or use.
  • The covered entity may make the proposed disclosure or use of any third parties, including their names or other identifiable data.
  • A thorough description of every request for disclosure or use.
  • An expiration event or date that corresponds to the individual or the disclosure or use's purpose.
  • An individual's signature, as well as the date.

What statements must be included on the HIPAA authorisation form?

In addition to the key elements, the HIPAA authorisation should contain sufficient statements to put an individual on notice of all that follows:

  • Individuals have the right to revoke their authorisation in writing.
  • There are several limitations to the right to revoke: a person can cancel an authorisation in writing unless the covered entity has acted in reliance on it.
  • Except in the following circumstances, the covered entity may not condition enrolment, payment, treatment or eligibility for benefits on whether the person signs the authorisation:
  1. Any research-related treatment may require authorisation from a covered health care professional.
  2. Enrolment in the health plan or eligibility for benefits may require the provision of authorisation.
  • The information given in the authorisation requires HIPAA redisclosure by the recipient and, as a result, is no longer covered under the Privacy Rule.

Furthermore, HIPAA regulations mandate that HIPAA authorisations be written in easy language. Therefore, when a covered entity requests a person for a HIPAA authorisation for a PHI disclosure or use, the covered entity should give the individual a copy of the signed authorisation.