Days Hours Mins Secs

Back To Previous Page
HIPAA IMPLEMENTATION RECOMMENDATIONS & CONSIDERATIONS
HIPAA Regulation: Privacy Rule: Consent Requirement Section 164.506(a)
The following guidelines should be considered to comply with the above regulation:
  • Develop a procedure and a consent form to secure written consent for use or disclosure of protected health information to carry out treatment, payment, and health care operations when an individual first presents himself or herself.

  • If protected health information is used or disclosed for treatment, payment, or health care operations without consent in an emergency, or as required by law, or if consent could not be obtained because of barriers in communication, attempt to get consent as soon as possible. If consent cannot be obtained, document the effort to get consent and state the reason consent was not obtained.
  • Determine what action will be taken if an individual will not consent to use or disclosure of protected health information or treatment, payment, or health care operations.

  • Identify actions to be taken when an individual revokes his or her consent. (The health care provider must comply with the revocation, except to the extent that theprovider has taken action in reliance upon the original consent.)

  • Develop a procedure to document and retain an individual's signed consent.

  • Adopt a standard form for consent requests that contains all necessary elements cited in §164.506(c), as follows:

    a) is written in plain language;
    b) informs the individual that protected health information may be used and disclosed for treatment, payment, or health care operations;
    c) informs the individual that the health care provider may change its privacy practices as described in its privacy notice and tells the individual how to get a revised notice;
    d) states that the individual has a right to request restrictions upon use and disclosure of protected health information for treatment, payment and health care operations; that the provider does not have to agree to requested restrictions; and that if the provider does agree to restrictions, the restrictions are binding.




  • Prohibit the use or disclosure of protected health information for marketing, sale, fund raising, employment determinations, or disclosure to non-authorized individuals unless patient authorization is secured under Section 64.508.

  • Consider obtaining consent for use or disclosure of protected health information even when it is not required.

  • Consider using a time and date stamp on consent forms to be sure the handling of patient information was appropriate at the time it was done.

  • Consider having a single area for disclosure of all information such as a private office, even if decisions to use or disclose are made elsewhere.

  • Make sure that contracts and business associate agreements reflect appropriate concern for the privacy and security of patient information.

  • Consult with legal counsel about the documentation needed to support use or disclosure of protected health information when the health care provider was unable to obtain consent.


[ Back To Previous Page]