How can I prove that we need to have a signed authorization?
HIPAA Weekly Advisor, July 25, 2003
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: Our hospital provides outpatient lab services for local physicians. Typically, we send results to the ordering physician. But if the ordering physician asks us to send the results to another physician, we require the patient to sign an authorization. I have a physician who doesn't like this arrangement. How can I prove that we need to have a signed authorization?
A: HIPAA does not require or even promote the practice of obtaining patient authorization for providers to share PHI with each other regarding the treatment of an individual. HHS believes that patients have a reasonable expectation that professionals involved in their care can and will share relevant information about them as needed, so it imposes no constraints in this area. (It is possible that state law requires patient consent, however). Unfortunately, mistakenly blaming a cumbersome process on HIPAA gives HIPAA a bad name.
On the other hand, hospitals must take reasonable steps to ensure that PHI is only released when appropriate. The organization should clarify that this is its own policy and explain the reasons for it. At the same time the organization can review its policy and procedures to find a simpler, less burdensome way to achieve the same goal without requiring formal authorization.
While HIPAA myths linger, most organizations have a good grasp of the obvious requirements. And now, more subtle questions are arising as the full implications of the rule sink in. Some of these are in gray areas of the rule where organizations legitimately come to different conclusions. For these, only time and test cases will tell what HHS expects. But many other questions can be answered by applying the rule to less public or widespread practices.
Editor's note: Answered by Kate Borten, CISSP, president of The Marblehead Group, in Marblehead, MA, and excerpted from the upcoming August 2003 issue of Briefings on HIPAA. This is not legal advice. Be sure to consult with your facility's legal counsel for legal matters.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- HIPAA Q&A: Level of encryption needed for email
- Identify potential Medicaid RAC target areas
- What does case-mix index mean to you?
- QA:Coding multiple initial infusions
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- CMS has reformulated payments for some bilateral procedures
- Catch up on what's new with injections and infusions
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched