Distinguishing Consent to Treat from Notice of HIPAA Privacy Policy

The November 2003 and January 2004 issues of EMS Magazine contained related articles by Denise Graham, titled Strategic Documentation: A Key for Survival in the HIPAA Era and When They Just Say No: Documenting Patient Refusals in the Era of HIPAA, respectively. The basic concept of these articles-that good documentation helps show that what you did was appropriate, correct and required-is a sound principle and always good advice. This may especially be true in cases of "informed consent" for treatment, when such is required. However, for purposes of HIPAA, it may not be necessary. The articles by Ms. Graham were based on the Department of Health and Human Services' (HHS) publications of the final HIPAA Privacy Rule, but the subsequent HHS modifications, technical corrections and additional clarifications of the Final Rule made significant additional revisions, including removal of the actual consent requirement for the disclosure of health information. Therefore, we offer below an updated view of what HIPAA does and does not require.

What Does the Rule Require?

Originally, consent was the key requirement of the Privacy Rule. Covered healthcare providers were required to get a patient's written consent before using or disclosing protected health information (PHI) for purposes of treatment, payment or healthcare operations (TPO). Basically, for most uses and disclosures, you were required to have written consent. Remember, this applied to oral communications as well. However, under the revisions, consent is optional. Therefore, there is currently no mandate to get a patient's consent prior to disclosing his or her health information for TPO purposes.

The Notice requirement has now been revised as well. Notice now has to be accompanied by a signed acknowledgment that the patient has received the Privacy Policy Notice. There has been no major change in the amount of paperwork you are required to do, but instead of being required to get a patient's signed consent to disclose his PHI for TPO purposes, you now have to get the patient's signed acknowledgment that he or she understands that you will disclose his/her PHI for purposes of TPO, whether the patient consents to it or not.

There is an emergency exception to this requirement. You may disclose PHI for TPO purposes without written consent or a signed acknowledgment of the Notice in the case of an emergency, as defined by you using your own "professional judgment," when you are required by law to treat the individual or when there are substantial barriers to communication. In the Department of Health and Human Services' HIPAA Standards Q&A issued for the original rule, they put it this way:

"Healthcare providers must exercise their professional judgment to determine whether obtaining a written consent (or now a signed notice) would interfere with the timely delivery of necessary healthcare. If, based on professional judgment, a provider reasonably believes at the time the patient presents for treatment that a delay involved in obtaining the patient's written consent of use or disclosure of information would compromise the patient's care, the provider may use or disclose PHI that was obtained during the emergency treatment, without prior consent, to carry out TPO. The provider must attempt to obtain written consent as soon as reasonably practicable after the provision of treatment. If the provider is able to obtain the patient's consent regarding use or disclosure of information before providing care, without compromising the patient's care, we require the provider to do so."

While this Q&A was written prior to the removal of the consent requirement, the revisions make it clear that you should not seek to get the Notice of Privacy Policy acknowledgment signed if a patient is in a state of excitement. The idea is to give them notice of their rights and what their health information is to be used for, and if they are too excited or upset, they may not be able to understand these things and therefore actually receive this notice in a meaningful manner. For that reason, the tips in Ms. Graham's articles on documentation are useful to follow.

Under the original rule, you could deny a patient coverage or treatment if the patient refused to give consent. The removal of required consent has assumedly removed the denial-of-treatment argument. If a patient refuses to sign the acknowledgment of receipt of your Privacy Policy Notice, then you should get a witness to sign that the patient refused, and continue with your treatment. If the patient is given the Notice but is unable to sign, you should document that as well. Remember, you no longer have to get a patient's approval; you just have to let them know that their health information will be disclosed for certain purposes and that they have specific rights regarding their privacy. If you advise them accordingly but they refuse to sign the acknowledgment, they have still received the Notice. And again, for these reasons, the documentation of these events as suggested by Ms. Graham is beneficial.

While the Centers for Medicare and Medicaid Services (CMS) has never issued any official forms for this Notice that you must give to the patient, last fall it did issue a Program Memorandum (AB-03-147) that set out the "core elements" and "required statements" for a valid HIPAA authorization form. Keep in mind, the Notice is all that's required for treatment, payment and healthcare operations disclosures. Authorization is required for disclosing health information for purposes outside of TPO-for example, disclosures to a patient's personal injury attorney. While the acknowledgement of receipt of the Privacy Policy Notice is a fairly simple form, the authorization is a bit more complicated, as is evident from the reprinted portion of the Program Memo set out below:

"The core elements of a valid authorization must contain at least the following elements:

1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;

2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;

3. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;

4. A description of each purpose of the requested use or disclosure. The statement, ‘at the request of the individual,' is a sufficient description of the purpose when the beneficiary initiates the authorization and does not, or elects not to, provide a statement of the purpose;

5. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure; and

6. The signature of the individual and date. If a personal representative of the individual signs the authorization, a description of such representative's authority to act for the individual must also be provided. Although the HIPAA Privacy Rule only requires a description of the representative's authority to act for the individual, the CMS is requiring that documentation showing their authority be attached to the authorization (e.g., Power of Attorney).

In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:

1. The individual's right to revoke the authorization in writing, how the individual may revoke the authorization, and the exceptions to the right to revoke. To assist you in this, you may choose to use the following:

‘You have the right to take back (‘revoke') your authorization at any time, in writing, except to the extent that Medicare has already acted based on your permission. To revoke your authorization, send a written request to: [Each Medicare contractor or CMS: Please insert name, address and telephone number of your organization here],'

2. The inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization. You may choose to use the following:

‘I understand refusal to authorize disclosure of my personal medical information will have no effect on my enrollment, eligibility for benefits, or the amount Medicare pays for the health services I receive';

3. The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer protected. You may choose to use the following:

‘Your personal medical information that you authorize Medicare to disclose may be subject to re-disclosure and no longer protected by law';

4. The authorization must be written in plain language.

5. A signed copy of the authorization must be provided to the individual."

Follow these guidelines for disclosures outside of TPO. And make sure your patients each receive your Notice of Privacy Policy and sign an acknowledgment that they did. If you take these simple steps, you should stay in compliance with the signature-for-disclosure section of the HIPAA Privacy Rule.

For more information on HIPAA and for help with your compliance program, go to www.emshipaa.com.

Nothing in this article is intended to be construed as legal advice. For specific, up-to-date legal advice about the laws mentioned in this article or about your state's laws, consult an attorney.