HIPAA Patient Authorizations


HIPAA patient authorizations are an important part of running your behavioral health practice. HIPAA regulation sets specific standards for the use and disclosure of patients’ sensitive health care information, all of which stem from receiving the proper authorizations directly from your patients before the start of care.

Under HIPAA regulation, health care professionals have limitations and restrictions on what, how, when, and with whom patient’s protected health information (PHI) may be shared. PHI is defined as any demographic information that can be used to identify a patient. Common examples of PHI include names, addresses, dates of birth, phone numbers, Social Security numbers, insurance ID numbers, medical records, and full facial photos, to name a few.

Over the course of treatment, behavioral health professionals like yourself will often need to share patient PHI, either with other providers, vendors, health plans, or partners. These are considered “uses and disclosures” under HIPAA regulation.

The HIPAA rules outline many standards that dictate the exact processes that must be followed when handling uses and disclosures. However, the rule of thumb to remember is that you cannot freely use and disclose a patient’s PHI without first obtaining express HIPAA patient authorization.

HIPAA patient authorizations should be part of onboarding any new patients or clients, and should be gathered using an appropriate HIPAA patient authorization form.

HIPAA Patient Authorizations for Media, Marketing, and Fundraising

Some of the most important elements of HIPAA patient authorization pertain specifically to instances involving media access, marketing, and fundraising. In these instances, granting access to patient PHI to news media, marketing firms, or PR agencies is strictly forbidden unless you have gathered express authorization for these specific instances. Behavioral health providers cannot simply use the same HIPAA patient authorization form for treatment and payment as they can for media, marketing, and fundraising.

A recent HIPAA fine for nearly $1 million was issued by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for a PHI breach involving filming patients without their express HIPAA authorization. Patients were filmed by a local, Boston-area news crew and claimed that they did not give authorization for this use of PHI.

Keep this Boston HIPAA fine example in mind to avoid rising HIPAA fines and potential HIPAA violations that can occur because of improper patient authorizations!

If you need assistance with HIPAA compliance, consider working with our TBHI affiliate, the HIPAA Compliancy Group. (When you purchase services from them, TBHI will be paid a small commission.) They can help you support your HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. The Guard is built to address the HIPAA regulations, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, you can focus on running your practice while keeping your patients’ data protected and secure.Compliancy Group’s team of expert Compliance Coaches® can also field questions and guide you through the implementation process, taking the stress out of managing compliance. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!

Basic Telehealth Legal Issues: Rules, Regulations & Risk Management

Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!

Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to TBHI Privacy Policy and Terms and Conditions.

Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x