HIPAA Consent Requirements: Business Associate Agreement (BAA) vs. Individuals’ Authorization

The Health Insurance Portability and Accountability Act (HIPAA) establishes vital regulations to ensure the privacy and security of Protected Health Information (PHI). As a covered entity, understanding and complying with HIPAA's consent provisions are crucial to maintaining trust with your patients and clients. 

In this article, we are breaking down the essentials of HIPAA's rules on consent, designed to be easily understandable for healthcare providers and administrators.

What is HIPAA?

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a U.S. federal law that was initially passed to protect health insurance coverage for workers changing or losing jobs and has since evolved to safeguard the privacy and security of individual health information (PHI). It establishes national standards for handling PHI by entities like healthcare providers and insurers through three Rules: 

• The HIPAA Privacy Rule protects all forms of PHI, ensuring confidentiality and giving individuals rights over their health information. 
• The HIPAA Breach Notification Rule mandates prompt reporting of any PHI breaches.
• The HIPAA Security Rule focuses on protecting electronic PHI with specific security measures. 

Together, these rules ensure that personal health information is managed responsibly and securely, balancing the need for information flow with privacy and security protections.

How does HIPAA define Protected Health Information (PHI) and who are the covered entities? 

Protected Health Information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to an individual. This includes conversations between doctors and nurses about treatment, billing information, and essentially any information that passes through a healthcare facility that can be tied back to a patient.

Under HIPAA, a "covered entity" refers to organizations that deal with protected health information. This includes health plans like insurance companies and government programs such as Medicare, healthcare providers who conduct certain transactions electronically, such as doctors and hospitals, and healthcare clearinghouses that process health information into a standard format. These entities must follow the HIPAA rules to protect health information.

As a covered entity, you handle PHI regularly and are therefore required to adhere to HIPAA regulations that govern its use and disclosure.

What is the definition of “consent” under HIPAA?

While HIPAA does not explicitly mention "consent" in the text of the law, it instead defines the term "authorization" to refer to the documented permission required from an individual before a covered entity can use or disclose the individual's protected health information (PHI) for purposes outside of treatment, payment, or health care operations.

The distinction is important because while general consent for treatment, payment, and health care operations can be implied (such as when a patient visits a doctor and provides information during their visit), HIPAA requires a specific and detailed "authorization" for other uses and disclosures of PHI. This authorization must be written clearly to specify what information is being disclosed, to whom, and for what purpose, among other requirements.

While you might hear "consent" used generally in healthcare contexts, HIPAA specifically mandates "authorization" for certain PHI disclosures outside standard healthcare operations.

Under HIPAA, an "authorization" is a detailed document that gives covered entities permission to use protected health information (PHI) for specific purposes or to disclose PHI to a third party specified by the individual. The authorization is distinct from the general consent that may be required for uses and disclosures for treatment, payment, or health care operations. 

What has to be included in a HIPAA-compliant authorization?

In order to ensure that individuals are fully informed and have agreed explicitly to the use and disclosure of their PHI for non-standard purposes, an authorization provides a clear, documented pathway for covered entities to follow HIPAA rules. A HIPAA-compliant authorization has to include the following: 

• Specific Information: It must clearly describe the specific information to be used or disclosed and the names of the person or entity disclosing and receiving the PHI.
• Purpose: It must state the purpose of the disclosure.
• Expiration date: It must note an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
• Right to Revoke: It must inform the individual of the right to revoke the authorization in writing, exceptions to the right to revoke, and a description of how the individual may revoke it.
• No Conditioning: It must state that signing the authorization is not a condition for receiving treatment, payment, enrollment, or eligibility for benefits (with certain exceptions).
• Potential for Redisclosure: It must include a warning that information disclosed per the authorization may be redisclosed by the recipient and might not be protected by HIPAA rules.

What are the Requirements for Consent under HIPAA?

Under § 164.508, HIPAA delineates specific instances where explicit patient authorization (consent) is required before their PHI can be used or disclosed:

• Psychotherapy Notes: These are given heightened protections. Except for certain treatment, payment, or health care operations, any other use or disclosure requires explicit patient authorization.
• Marketing: Any use or disclosure of PHI for marketing purposes requires explicit consent, and if the marketing involves financial remuneration to the covered entity from a third party, this must be disclosed in the authorization.
• Sale of PHI: Any disclosure of PHI that constitutes a sale must also have prior patient authorization.

What is a Notice of Privacy Practices?

In § 164.520, HIPAA mandates that covered entities provide patients with a Notice of Privacy Practices (NPP). This document should clearly articulate:

• How PHI may be used and disclosed by your entity.
• The patient’s rights concerning their PHI.
• Your duties and commitment to protecting this information.

This notice must be given to the patient on their first visit or interaction and must be available upon request at any time.

The difference between an NPP and an individual’s authorization is that the NPP sets the foundation for how PHI is handled and informs patients about their rights and the general practices of the covered entity, whereas an authorization is a permission slip for specific actions outside those general practices.

Business Associate Agreement (BAA) vs. Individuals’ Authorization

Under HIPAA, both an individual's authorization and a Business Associate Agreement (BAA) deal with the handling of Protected Health Information (PHI) but serve different purposes. While they function differently, both are crucial for HIPAA compliance, helping ensure that every entity and individual handling PHI respects and upholds the privacy and security protections mandated by law.

An individual's authorization is needed when a covered entity wants to use or disclose PHI for non-routine purposes beyond treatment, payment, or healthcare operations. This authorization must clearly state what information can be shared, with whom, and why, and it must be voluntarily given by the individual, who can revoke it at any time. 

On the other hand, a BAA is a contract between a covered entity and a third party, known as a business associate, who handles PHI on behalf of the covered entity. This agreement ensures that the business associate complies with HIPAA rules and protects the PHI, detailing allowed uses and disclosures, required safeguards, and obligations to report data breaches. 

Both mechanisms are essential for ensuring that PHI is used and disclosed responsibly, safeguarding patient privacy and maintaining data security as required by HIPAA. The relationship between the two can be summed up as follows:

• While an individual's authorization provides permission to use or disclose PHI for specific purposes beyond routine healthcare operations, a BAA establishes the terms under which business associates must handle PHI in compliance with HIPAA when performing services for a covered entity.

• If a covered entity uses a business associate to carry out activities that involve the use or disclosure of PHI where such disclosure requires an individual’s authorization, the covered entity must obtain that authorization before the business associate can proceed with the activities.
• Both authorizations and BAAs are part of HIPAA’s broader goal to protect patient privacy and ensure the security of health data through careful controls on how PHI is used and disclosed.

HIPAA, Web Cookies, and Online Tracking Technologies

On March 18, 2024, the enforcing authority for the HIPAA, the OCR, updated its guidance on the use of online tracking technologies by HIPAA covered entities in an effort to help both the entities and the public gain clarity on the matter and also navigate the advancements of digital technologies. 

Because online tracking technologies, which include cookies, web beacons, and mobile app trackers, are used to collect and analyze how users interact with online services, HIPAA-covered entities need to keep in mind a series of things about using these technologies responsibly and legally.

What are Online Tracking Technologies?

Online tracking technologies are tools used on websites and in apps to collect a wide array of information about visitors and users. This might include general information like age, location, and browsing habits. More detailed data might also be gathered, such as IP addresses and specific locations, which could potentially be linked to individual health records.

HIPAA Compliance and Online Tracking

Using tracking technologies in healthcare requires strict adherence to HIPAA's privacy and security regulations. Here’s what covered entities need to consider:

1. Protected Health Information (PHI): Data gathered through tracking technologies might include details like IP addresses or device IDs that can identify individuals, thereby qualifying as PHI under HIPAA. It's crucial for covered entities to protect this information as diligently as they would any other medical data.
2. Authorization for Using PHI: If the tracking technology will collect PHI, the covered entity must first obtain explicit authorization from the individual. This authorization must comply with specific HIPAA requirements to ensure individuals are fully informed about what data is collected and how it will be used.
3. Dealing with Third-Party Vendors: Often, tracking technologies are managed by third-party vendors. Under HIPAA, these vendors are considered business associates and must sign a Business Associate Agreement (BAA). This agreement obliges them to protect PHI to the same extent as the covered entity.
4. Collecting Minimum Necessary Information: When employing tracking technologies, only the minimum amount of information needed should be gathered. This aligns with HIPAA's principle of minimum necessary use, which aims to limit access to PHI to the least amount required for a particular purpose.
5. Implementing Security Measures: Adequate security measures must be in place to safeguard any data collected through tracking technologies. This includes both technical safeguards like encryption and administrative actions such as providing privacy training to employees.

Challenges in Using Tracking Technologies

Online tracking technologies may be useful but they also pose new privacy challenges. In the healthcare realm governed by HIPAA, covered entities have an obligation to be vigilant to prevent any unauthorized access to or disclosure of PHI through these technologies, which could not only violate patient privacy but also lead to substantial penalties under HIPAA.

Additional Considerations for HIPAA Compliance and Consent

Understanding and complying with HIPAA involves more than just obtaining proper consent or authorization for the use and disclosure of Protected Health Information (PHI). Covered entities must also adhere to other crucial HIPAA rules to ensure they protect patient data adequately. Here are some additional considerations to keep in mind:

• Minimum Necessary Rule: When using or disclosing PHI, or when requesting PHI from another covered entity, you must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose.
• Breach Notification Rule: In case of a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, to the media.
• Training and Policies: It is imperative that all staff members are trained on HIPAA rules and your entity’s specific policies and procedures regarding PHI. Regular training ensures that your staff can confidently handle information in compliance with HIPAA.

As a HIPAA covered entity, your responsibilities in handling individuals’ protected health information (PHI) extend beyond just medical or billing tasks. Understanding and implementing the consent and authorization requirements is crucial for compliance and for maintaining the confidentiality and trust of your patients. Last but not least, you should  consider regularly reviewing your policies and practices to ensure they align with HIPAA regulations and reflect best practices in patient privacy and data security.

How can Clym help?