When is HIPAA Authorization Required?

HIPAA authorization is necessary when a covered entity or a business associate intends to use or disclose an individual’s PHI for purposes not otherwise permitted by the HIPAA Privacy Rule; in those cases, the individual’s written permission must be obtained. The authorization must be specific, in plain language, and include certain elements outlined in the HIPAA regulations. It should also clearly identify the information to be disclosed, the purpose of the disclosure, and the individuals or entities to whom the disclosure may be made.

There are several situations in which HIPAA authorization is required:

  • HIPAA authorization is necessary when there is a need to disclose PHI for marketing purposes. Marketing refers to communications about products or services that encourage individuals to purchase or use them. This includes sending promotional materials or advertisements and making marketing calls, except in limited circumstances. Exceptions to the authorization requirement exist for face-to-face communication and providing promotional gifts of nominal value.
  • Authorization is required when using or disclosing PHI for fundraising activities by a covered entity or its business associate. However, there is an exception for cases where the PHI used or disclosed is limited to demographic information, and the covered entity provides an opportunity for the individual to opt out of future fundraising communications.
  • Generally, HIPAA authorization is needed for the use or disclosure of PHI for research purposes. However, an Institutional Review Board (IRB) or Privacy Board may grant a waiver of authorization under specific criteria. The waiver must ensure that the research poses minimal risk to privacy, that the research could not be conducted without the waiver, and that an adequate plan is in place to protect the privacy of the PHI.
  • For disclosure of PHI related to psychotherapy notes, which are specifically defined by the HIPAA Privacy Rule, an individual’s authorization is required in most circumstances. Psychotherapy notes are distinct from regular treatment notes and contain the therapist’s personal observations and analysis.
  • If a covered entity intends to sell PHI, meaning the transfer of PHI for direct or indirect remuneration, HIPAA authorization from the individual is mandatory. However, certain exceptions exist, such as disclosures for public health activities, research, or the sale of PHI to a business associate for the covered entity’s own management and administration purposes.
  • Authorization is required for purposes not covered by other exceptions. For example, if a covered entity intends to disclose PHI to an employer, to the media, or for law enforcement purposes, HIPAA authorization from the individual is necessary.

Even in situations where an individual’s authorization is not required, covered entities and business associates must still adhere to the minimum necessary standard. This means they should ensure that only the minimum amount of PHI necessary to accomplish the intended purpose is used or disclosed.

HIPAA authorization is required when a covered entity or business associate intends to use or disclose an individual’s PHI for marketing, fundraising, research (in most cases), psychotherapy notes, the sale of PHI, or other purposes not explicitly permitted by the HIPAA Privacy Rule. Obtaining written authorization from the individual is crucial to ensure compliance with HIPAA laws and respect for individuals’ privacy rights.