Consent and authorization

If that's perfectly clear, we'll move on. HIPAA provides two separate authorization mechanisms for permitted uses of health information: consent and authorization. Under the rules, treatment, billing and operations require consent, under which the provider, plan or clearinghouse must obtain signed and written forms that:

  • Tell patients their protected health information can be used or disclosed for treatment, payment or healthcare operations.

  • Refer patients to the notice that fully describes all of the organization's policies and procedures regarding how it will use the information.

  • Tell patients how they will be notified if the policies and procedures change.

  • Tell patients they have the right to limit the information that is disclosed, and revoke their consent at any time.

Unlike consent, the stricter standard of patient authorization is generally required for any information use or disclosure that isn't explicitly "required" or "permitted" by the rules. The sale of PHI, its disclosure to employers, or the provision of PHI to a non-healthcare portion of a company owned by a covered entity are three examples where the authorization standard will apply, Rosati said.

Another difference: While treatment can generally be withheld for failure to provide consent, failure to provide authorization for other uses cannot generally be used as a basis for withholding treatment.

If the final rules are consistent with the proposed regulations, authorization will need to include all of the elements of patient consent, as well as a description of who will receive the information, and a description of how the information will be used.

"Everyone is going to need new forms," she said.

There are also a couple of favorable changes in the final regulations. One is the elimination of the "minimum necessary" standard in the treatment of patients. In the proposed rules, the provider was limited to disclosing only the minimum information needed to provide treatment -- a standard that was considered extremely unwieldy in that it's impossible to know in advance how much patient information will be needed to provide treatment.

The final rules leave the nature of patient information used or disclosed for treatment to the discretion of the provider, while information used in billing and operations is still subject to the "minimum necessary" standard.

To put the two changes together, a stricter standard will apply at the beginning of treatment, since consent will be required to access even routine information, Rosati said. However, once that consent is obtained, the healthcare team can use as much information as it deems necessary to provide proper care.

Another favorable change was in the business associate agreements, which no longer need to include a third-party beneficiary clause, she said.

"For example, if the doctor was sending information to a lab in order to do labwork, the lab would be considered a business associate of the doctor's, and the proposed rules also required the contract to have a third-party beneficiary clause -- which would make the patient whose information was being transmitted (a beneficiary) able to sue under the contract if something went wrong with the disclosure of information," she said.

Thankfully the requirement has been eliminated, but patients can still sue for violation of their privacy rights under common law, she said.

Overall, the rules will have a huge impact on the operations of the providers, who are going to need extensive new policies, procedures, and staff to comply. An entire new "privacy bureaucracy" will need to be created, with as yet unpredictable effects on costs and workflow, Rosati said. The government now estimates net savings with HIPAA of $12.3 billion over the next 10 years, a figure both attorneys consider overoptimistic.

For disclosures made in error, non-criminal penalties are $100 per year, per standard, up to $25,000 per year, per standard, according to DHHS. Criminal violations committed knowingly can result in penalties of $50,000 plus a year in prison. Violations for obtaining or disclosing PHI under false pretenses can raise the bill to $100,000 per year and up to five years in prison. Finally, obtaining PHI with the intent to sell, transfer or use it for commercial gain, personal gain or malicious harm can yield fines of up to $250,000 and 10 years in prison.

The costs of administrative compliance as well as potential penalties make the privacy standards far too detailed and burdensome, according to Rosati. The rules will impose astronomical costs on the healthcare industry, possibly outstripping the cost savings expected to result from the standard format for electronic financial transactions, she said.

According to Goldberg, "getting consent might seem like a good idea to some, but they are not the ones who will have to set up the procedures, create the forms, maintain the files, and otherwise deal with the administrative process that will significantly add to the already great burden hospitals and others face, as medical records and related files grow in size exponentially."

"Maintaining an access log that is accurate and does not interfere with the timely availability of necessary information will also not be easy to do," he added. "And putting the burden on providers and others to include business associates within the circle of protective parties adds administrative and operational requirements to operational activities already causing stresses and resulting in economic losses."

By Eric Barnes
Auntminnie.com staff writer
December 22, 2000

Additional HIPAA resources can be found at:

www.wedi.org

www.aha.org

www.hipaadvisory.com

www.hipaacomply.com

Copyright © 2000 AuntMinnie.com