back to articles

Patient Information Authorizations
HIPAA Compliance: How to Approach Protected Health Information

By Dr. Gerry Clum

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) assures that patients of providers, who conduct certain administrative and financial transactions electronically, receive specific protections with respect to their protected health information (PHI). Among the central rights acquired by these patients on April 14 of this year was a limitation on how a provider could use a patient’s PHI.

Providers have the ability to use PHI, without specific permission from a patient, for treatment, payment and operations (TPO) purposes. Examples of the ways in which PHI may be used in the TPO context include:

1. For the sharing of information within your office related to the appropriate delivery of chiropractic care, for referral to another provider, for consultation with another provider.
2. For the billing of services to a patient’s insurance carrier, for the preparation and submission of patient billings for payment by the patient, for use by a collection agency on your behalf.
3. For responding to needs of the patient regarding information about their case, for responding to the business needs of your office relative to a patient.

In addition, providers may be required to use a patient’s PHI in responding to various legal demands such as:

1. Responding to a court order or to an administrative order.
2. Responding to an appropriate request regarding national security and related intelligence activities.
3. Responding to a public health issue or concern.

Generally speaking, a provider is not permitted to use a patient’s PHI for any other purposes without the expressed written permission of a patient. This “permission” process is referred to under HIPAA as an “authorization.”

An authorization’s content and use requirements are outlined, in detail, under HIPAA (164.508). Authorizations are considerably more extensive than a simple “permission slip” signed by a patient. An incomplete or inadequate authorization process and form may invalidate the authorization and thereby expose the provider to liability.

Authorizations are required to contain a series of “core elements.” These basics include:

• A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
• The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
• The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
• A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
• An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
• Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.”

In addition to the “core elements” outlined above, a series of specific statements must be included in the authorization. Among these are:

• The individual’s right to revoke the authorization in writing, and
• The inability to condition treatment for benefits on the authorization,
• The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and to no longer be protected.
  Finally, the authorization must be presented in “plain language” and the patient who completes an authorization must be given a copy of the signed, completed authorization.

The HIPAA privacy rule clearly spells out what makes an authorization invalid. The list of invalid requests includes the following situations:

• The expiration date has passed or the expiration event is known by the covered entity to have occurred,
• The authorization has not been filled out completely,
• The authorization is known by the covered entity to have been revoked,
• Any material information in the authorization is known by the covered entity to be false.

With all that being said, there are some specific situations that are common to many chiropractic practices for which you would be wise to consider seeking an authorization. Among these would be the following:

1. Use of patient testimonials. In this situation you are asking the patient to share details of their experience under chiropractic care. Included in this discussion would likely be many elements of protected health information. The use of any one of which would necessitate an authorization.
2. Use of patients’ names on referral boards in the waiting room or on similar lists in patient newsletters. In these situations you are using a patient’s name to thank them for referring someone to your office. While you may consider this a matter of common courtesy, others may view it as using the patient’s PHI for marketing purposes—something you are not entitled to do without an authorization. In this situation if you state “Thanks to Mrs. Smith for her kindly referral to our office,” you need Mrs. Smith’s authorization. If you state “Thank you Mrs. Smith for referring Mr. Wesson,” then you need an authorization from each mentioned party.
3. Use of pictures of children being seen in your office. A person’s image, whether they are a minor or an adult, is the use of their PHI. In the case of children you need the permission of the child’s legal representative to post the child’s picture on a bulletin board in your office.
4. Use of open adjusting formats. The delivery of chiropractic care in an open adjusting format by its very nature causes a patient’s privacy to be compromised. A chiropractor using an open adjusting setting would be wise to disclose this fact in the office’s privacy notice and then seek an authorization indicating the patient’s agreement to be cared for in this setting. If a patient chooses not to be adjusted in an open adjusting environment it is the provider’s responsibility to comply with this request. The patient is not required to give up their rights to comply with your choice of practice environment.

The big question relative to the examples detailed above is “What do I do with testimonials and photos from patients that existed prior to April 14, 2003?” The simple answer—and some may conclude that this is overkill—is that chiropractors should not use the testimonials and pictures, period. I can’t give you any guidance for how to handle these situations short of “Don’t do it.” Your legal counsel may be able to give you some better insight into less severe responses, and into when and how to use authorizations as you approach testimonials and referrals.

Authorizations, properly designed and executed, are the only way a provider can access and use a patient’s protected health information beyond uses for TPO or to comply with a legal demand. Your understanding of when authorizations are needed and how to assure that an authorization is valid will protect you and assure your compliance with these aspects of the newly enacted HIPAA legislation.

About the author: Gerard W. Clum, D.C. is president of Life Chiropractic College West and has held this position for over 22 years, placing him among the most senior of chiropractic college administrators in the world. In addition to his duties with Life West, Dr. Clum serves as a member of the board of directors of the following organizations: Association of Chiropractic Colleges, Council on Chiropractic Education, and World Federation of Chiropractic. He presently serves as chairman of the International Affairs Committee of the International Chiropractors Association, a member of the Education Committee of the World Federation of Chiropractic and the 2nd vice president of the World Federation of Chiropractic. Dr. Clum has served as president of the Association of Chiropractic Colleges (1990-1995), as vice president of the International Chiropractors Association (1987-1990), and a member of the board of directors of the ICA from 1983 through 2000.

Provide your feedback on this article.

© Copyright 2003 Today's Chiropractic

return to top