The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits, but does not require, a physician to obtain patient consent for uses and disclosures of protected health information for treatment, payment, or health care operations. If you do decide to obtain consent, you have complete discretion to design a process that best suits your needs.
By contrast, the Privacy Rule requires an "authorization" for uses and disclosures of protected health information not otherwise allowed by the rule. An authorization is a detailed document that gives your practice permission to use protected health information for specified purposes (generally purposes other than treatment, payment, or health care operations) or to disclose protected health information to a third party specified by the patient. With limited exceptions, you may not condition treatment of patients on their providing authorization.
An authorization must specify:
- A description of the health information to be used and disclosed,
- The person authorized to make the disclosure,
- The person to whom the disclosure may be made,
- An expiration date, and
- The purpose for which the information may be used or disclosed (in some cases).
For more information about HIPAA, visit the TMA HIPAA Resource Center.
Content reviewed: 3/2/2007