Mental & Behavioral Health
Practice Update from the National Association of Social Workers

Consent, Authorization, and Notice under HIPAA Privacy Regulations

Key HIPAA Words and Concepts

Covered entity: A covered entity is defined as a health care provider who transmits health claims information electronically; a health plan; a health care clearinghouse.

Consent: Consents are required for uses and disclosures of client health information for the purposes of health care treatment, payment, and operations.

Authorization: An authorization is required for use and disclosure of client health information for purposes other than treatment, payment, and operations.

Notice: Written notice of covered entity's privacy practices must be posted and distributed to clients.

Minimum necessary: Disclosures of client health information should be limited to the minimum necessary to accomplish the intended purpose of the requested disclosure.

Compliance date: April 14, 2003

With the advent of the new Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations, the terms "consent" and "authorization" are taking on a new meaning and representing new practices. In the health and behavioral health care field, it is not unusual to use these terms interchangeably to refer to the written permission that clients grant providers for use and disclosure of their confidential health information. No longer are the terms synonymous. Under the HIPAA privacy regulations, a written consent is required for a covered health plan provider to use and disclose client health information for the purposes of health care treatment, payment, and operations. An authorization is required for use and disclosure of client health information for other purposes, excluding the exceptions included in the regulations or as defined by other laws. Consistent with these practices, covered entities are required under the HIPAA regulations to provide written notice of their privacy practices. Social workers who meet the definition of a covered entity need to be in compliance with the privacy regulations by April 2003, and as such have an understanding of the provisions of the regulations, including the requirements for consent, authorization, and client notice.

The HIPAA privacy regulations are permissive (§164.502). They define situations and conditions under which covered entities are permitted to use and disclose protected health information, unless mandated by other laws. Under these regulations, covered entities are required to disclose protected health information only to the individual who is the subject of the protected health information and to the U.S. Department of Health and Human Services (HHS) for purposes of enforcing the regulations. Furthermore, the regulations stipulate that a covered entity is expected to limit information disclosed to the minimum necessary (§164.502b) to accomplish the intended purpose of the requested disclosure. There are several exceptions to this requirement: disclosures to a health care provider for treatment, disclosures to the individual, disclosures to the Secretary of HHS, disclosures required by law, and disclosures as required to comply with this regulation (§164.502b2).

Social workers must consider their professional code of ethics, their best judgment, and other relevant state and federal laws in making decisions on when to use or disclose clients' protected health information. As professionals, social workers are expected to honor the primacy of client privacy and confidentiality. The NASW Code of Ethics delineates the standards and principles that guide the conduct and professional practice of social workers. Specific standards are included on consent and disclosure. Sections 1.01 (Commitment to Clients), 1.02 (Self-Determination), 1.03 (Informed Consent), and 1.07 (Privacy and Confidentiality) should be reviewed and consulted or considered when making decisions about disclosure of protected client health information. Social workers must also consider state privacy and confidentiality laws. According to the HIPAA privacy regulations, if a state law is stronger than the HIPAA requirements—that is, more protective of the client's health information—then the state law should be followed.

Consent (§164.506(c))

According to the HIPAA privacy regulations, a consent is required when client information is used or disclosed for purposes of treatment, payment, and health care quality operations, such as when submitting claims billing, or for utilization review and quality management. A valid consent must:

  • be written in plain language
  • inform the client that his or her health information may be used or disclosed for treatment, payment, and health care operations.
  • refer to the required notice of privacy practices and to the client's right to review this notice prior to signing the consent form. (See section below on Notice of Privacy Practices.)
  • indicate the individual's right to request restriction of uses and disclosure of their protected health information. The restriction is binding if the covered entity agrees; however, the covered entity does not have to agree to the restriction.
  • indicate that the client has a right to revoke the consent (in writing); however, actions taken by the covered entity prior to revocation of the consent are not subject to the revocation—that is, if the provider had provided service to the client prior to the consent being revoked, they may still bill for service that occurred during that time period.
  • include the client's signature and the date signed.
  • be retained by the provider or covered entity for six years.

Note

An exception does allow providers to disclose clients' protected health information prior to obtaining consent for "emergency treatment situations." As noted in the July 2001 HHS guidance, health care providers need to exercise their professional judgment in making this determination. The provider is expected to obtain consent as soon as is reasonable and practical after the provision of services.

According to the recent guidance document issued by HHS, a consent does not need to state the specific information being disclosed or the recipients of the disclosure.

A provider can refuse to treat a patient who is unwilling to provide consent for disclosure of protected health information for treatment, payment, and health care operations.

A provider only needs to obtain the client's written consent one time.

Authorization (§164.508)

An authorization is required in most cases for uses and disclosures of client-protected health information for purposes other than treatment, payment, and health care operations. An authorization must

  • be written in plain language
  • include a description of the protected health information that is to be disclosed
  • identify the person(s) authorized to make the requested use or disclosure
  • identify the person(s) to whom the covered entity can disclose protected health information
  • state the client's right to revoke, in writing, the authorization and any exceptions to this right
  • note that the client's health information may be redisclosed by the recipient and at that time would no longer be protected by these regulations
  • include an expiration date or event
  • include the client's signature and date
  • provide the client with a copy of the signed authorization.

Note

The authorization can be revoked (in writing) except to the extent that the covered entity has already acted in relation to the consent.

An authorization is required to disclose psychotherapy notes except if the use of notes is by the originator; if the notes are being used in training programs for students, trainees, or practitioners under supervision to improve their practice skills; or if the use or disclosure is by the practitioner to defend a legal proceeding brought by the client.

Exceptions (§164.512)

There are a number of circumstances under which the privacy regulations permit use and disclosure of protected health information without the client's consent or authorization. We refer you to the appropriate section of the regulations for a more detailed explanation of the exceptions; however, the exceptions do include

  • public health activities as required by state and federal law for such purposes as vital statistics collection and disease reporting
  • reporting of abuse, neglect, or domestic violence to the extent required by law
  • oversight of the health care system
  • law enforcement
  • judicial and administrative proceedings
  • serious, imminent threat to health or safety
  • research purposes
  • specialized government functions
  • worker's compensation—to comply with laws relating to worker's compensation or other similar programs
  • uses and disclosures about decedents (generally to enable coroners, medical examiners, and funeral directors to carry out functions of their job as applicable or authorized by law).

Notice of Privacy Practices (§164.520)

The regulations require that covered entities provide a written notice of the permitted uses and disclosures of client-protected health information, as well as the client's rights regarding their protected health information.

The notice must

  • contain the following statement, either as a header or as prominently displayed text:

"This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."

  • address uses and disclosures, including
    • a description of the permitted disclosure for treatment, payment, and health care operations including at least one example
    • a description (with sufficient detail) of other disclosures permitted without the individual's written consent or authorization
    • a statement that an individual's written authorization is required for other disclosures, and that the individual may revoke authorization.
  • address the individual's rights to
    • request restrictions on certain uses and disclosures, but note that the provider is not required to agree to the restrictions
    • gain access to protected health information except for psychotherapy notes and several other exceptions defined in §164.524.
  • include statements as follows about covered entities' responsibilities:
    • That by law they must maintain the privacy of client health information and notify clients of their legal duties and privacy practices
    • That the provider must abide by the terms of the current notice
    • That the provider has the right to make changes to current provisions of the notice but must indicate how individuals will be provided with the new notice.
  • include a statement of the clients' right to complain to the provider and secretary of HHS if they believe a violation of their privacy rights has occurred and provide a brief description of the complaint filing process, including the contact information for the person designated to receive complaints (§164.530). It must also state that there will be no retaliation against a client for filing a complaint.
  • include the effective date.

If a provider engages in the following types of activities, a separate description of these activities must be included:

  • contacts to remind clients about appointments or provide information about treatment alternatives and other health-related benefits.
  • fundraising efforts on behalf of the covered entity
  • disclosures of protected health information by the health plan, HMO, or health insurance issuer to the sponsor of the plan

Practice Recommendations

NASW recommends that you study the privacy regulations and the guidance documents being produced by HHS to further define and clarify the regulations (see reference section). To assist members in this process, NASW is reviewing the regulations and guidance and providing Practice Updates. This update focuses on the consent, authorization, and notice requirements of the regulations, referencing applicable sections of the regulations. An earlier Mental and Behavioral Health Practice Update (What Social Workers Should Know about the HIPAA Privacy Regulations, July 2001) offers a general overview of the regulations and is available on the NASW Web site (www.socialworkers.org). These practice updates should not be construed to represent all the requirements of the regulations. The regulations should be referenced for further clarification. In addition, questions of interpretation can be directed to HHS by calling 1-866-627-7748, 1-866-788-4989 (TTY) or submitting an e-mail to: ocrprivacy@os.dhhs.gov.

  • Familiarize yourself with the HIPAA privacy regulations (see References and Resources section); determine if you meet the definition of a covered entity and are subject to compliance with the regulations. Study your state privacy and confidentiality regulations.
  • Maintain a file for HIPAA reference and resource materials.
  • Review your current privacy practices and procedures and develop a timeline and strategies for compliance with HIPAA regulations by April 14, 2003.
  • Review and revise consent and authorization forms to comply with HIPAA privacy regulations and state requirements. Develop a notice form and plan for posting and distribution.
  • Have legal counsel review and approve related policies, procedures, and forms. Policies and procedures should be developed for obtaining consents, and addressing requests for restrictions, revocations of consents, and authorizations.
  • Train staff in use of new forms, policies, and procedures.
  • Develop a plan to monitor compliance.

References & Reading

References:

Bateman, N. (2001, July). What social workers should know about the HIPAA privacy regulations. Mental and Behavioral Health Practice Update [Online]. Available: www.socialworkers.org.

Health Privacy Project, Institute for Healthcare Research and Policy, Georgetown University. (2000). Overview of privacy regulations [Online]. Available: http://www.healthprivacy.org.

Hughes, G. (2001). Practice Brief: Consent for the use or disclosure of individually identifiable health information (Updated) [Online]. Available: http://www.ahima.org/journal/pb/01.05.2.htm.

Litwak, P. (2001, April). HIPAA privacy rules: What plans, providers must know. Behavioral Healthcare Tomorrow, 10 (2), 12, 13, 31-32, 34, 36.

National Association of Social Workers. (2000). NASW Code of ethics. Washington, DC: Author. [Copies may be obtained by contacting 800-638-8799 ext. 429 or downloaded from www.socialworkers.org.]

Polowy, C. I., & Gorenberg, C. (1997, May). Client confidentiality and privileged communications [Law Note]. Washington, DC: National Association of Social Workers, Office of General Counsel. [Copies may be purchased for $5.00 each from: NASW Legal Defense Fund, 750 First Street, NE, Washington, DC 20002 or contact 800-638-8799 ext. 290 for further information.]

Polowy, C. I., & Kraft, E. G. (1999, February). The social worker and protection of privacy [Law Note]. Washington, DC: National Association of Social Workers, Office of General Counsel. [Copies may be purchased for $5.00 each from: NASW Legal Defense Fund, 750 First Street, NE, Washington, DC 20002 or contact 800-638-8799 ext. 290 for further information.]

Polowy, C. I., & Morgan, S. L. (2001, November). Social workers and clinical notes [Law Note]. Washington, DC: National Association of Social Workers, Office of General Counsel. [Copies may be purchased for $5.00 each from: NASW Legal Defense Fund, 750 First Street, NE, Washington, DC 20002 or contact 800-638-8799 ext. 290 for further information.]

Redhead, C. S. (2001, April 18). Medical records privacy: Questions and answers on the HIPAA final rule (CRS Report for Congress, Order Code RS20500, Updated April 18, 2001). Washington, DC: Congressional Research Service, Library of Congress.

U.S. Department of Health and Human Services. (2001). Standards for privacy of individually identifiable health information [Online]. Available: http://www.hhs.gov/ocr/hipaa/. (This site contains the full text of the regulations as well as any published HHS guidance documents.)

Nancy Bateman, LCSW-C, CAC
Senior Staff Associate
Behavioral Healthcare
nbateman@naswdc.org

Doc #939


http://www.socialworkers.org/practice/behavioral_health/mbh0201.asp
1/4/2013
National Association of Social Workers, 750 First Street, NE • Suite 700, Washington, DC 20002-4241.
© 2013 National Association of Social Workers. All Rights Reserved.