Don't have a TCI SuperCoder account yet? Become a Member >>

Health Information Compliance Alert


Don’t Forget About Prior Authorization

OCR issues COVID-19-inspired reminder.

Due to increased reporting on the coronavirus pandemic, the feds worried that some covered entities (CEs) were letting HIPAA privacy fall to the wayside. These concerns prompted a recent update on compliance and authorization. Read on for the details.

Background: On May 5, the HHS Office for Civil Rights (OCR) doubled down with a HIPAA Privacy Rule update to remind CEs that their first priority is to safeguard patients’ protected health information (PHI). In a nutshell, CEs must ensure prior authorization is in place before allowing the media into facilities to film patients during a pandemic.

“Even during the current COVID-19 public health emergency [PHE], covered healthcare providers are still required to obtain a valid HIPAA authorization from each patient whose PHI will be accessible to the media before the media is given access to that PHI,” warns OCR in a release. “The guidance clarifies that masking or obscuring patients’ faces or identifying information before broadcasting a recording of a patient is not sufficient, as a valid HIPAA authorization is still required before giving the media such access.”

Understand the Differences Between “Consent” and “Authorization”

Simply put, patients agree to allow providers to treat them, and that registers usually as verbal consent. Moreover, CEs “voluntarily” procure this patient consent, so they can use and disclose PHI for “treatment, payment, and healthcare operations,” OCR guidance maintains.

On the other hand, authorization is something completely different and refers to a written record obtained by the CE from the patient, allowing PHI to be used for different purposes. This is usually necessary because PHI is being utilized or disclosed for something that isn’t typically sanctioned under the Privacy Rule. In this case, “voluntary consent is not sufficient to permit a use or disclosure” of PHI, so a valid authorization is required, OCR clarifies.

Here’s the Reason the Feds Offered Extra Guidance

As part of the PHE, OCR has announced several notifications of HIPAA enforcement discretion to ease restrictions due to COVID-19 (see Health Information Compliance Alert, Vol. 20, No. 5). However, just because the feds offer CEs and their business associates some regulatory relief with these good faith provisions for HIPAA noncompliance doesn’t mean that the rules don’t apply to the majority of healthcare scenarios.

With an increased media presence in many facilities, the chance for patients’ PHI to be exposed or hijacked is high. That’s why OCR felt it necessary to revisit HIPAA’s prior authorization requirements as a protection for both patients and providers.

“HHS’ guidance provides several examples of PHI in treatment areas, including how the mere presence of a patient in the area of a healthcare facility dedicated to treating a specific disease, such as COVID-19, reveals the patient’s diagnosis,” explain New York-based attorneys Victoria Anderson and Francisco Cebada with Kelley Drye & Warren LLP in online legal analysis. “As such, members of the media entering a healthcare facility’s treatment areas immediately have access to PHI they can see, hear, and record.”

Reminder: According to the HIPAA Privacy Rule, it’s never acceptable “to give the media, including film crews, access to any areas of their facilities where patients’ PHI will be accessible in any form (e.g., written, electronic, oral, or other visual or audio form), without first obtaining a written HIPAA authorization from each patient whose PHI would be accessible to the media,” notes the new OCR guidance. Plus, a HIPAA authorization should never be a condition of whether or not a patient receives treatment, the agency stresses.

Additionally, OCR reminds facilities that mask wearing does not equate HIPAA compliance and is not something the agency considers a safeguard. However, the update does offer some examples of what OCR considers security measures to go hand-in-hand with signed authorization forms. Those include:

  • Privacy screens that obscure easy-to-see PHI on computers, monitors, medical equipment, and other technical or medical devices.
  • “Opaque barriers” between areas — especially around patients without signed authorization documents.

“The last thing hospital patients need to worry about during the COVID-19 crisis is a film crew walking around their bed shooting ‘B-roll,’” said OCR Director Roger Severino, in a release.

“Hospitals and healthcare providers must get authorization from patients before giving the media access to their medical information; obscuring faces after the fact just doesn’t cut it,” Severino cautioned.

Tip: Though your organization may be in crisis mode right now, you may want to review the HIPAA Rules with your staff. It’s a good idea to check the OCR website daily for COVID-19 changes while reviewing the basics of data sharing, compliance, PHEs, and HIPAA to ensure you are in line with the regulations.

Include ‘Core Elements’ in Your Authorization Form

Though the feds offer covered entities (CEs) some leeway on their implementation of HIPAA management — including the design of authorization forms — there are some necessary parts you must add to ensure your documents are legally valid.

Context: Under the HIPAA Privacy Rule, CEs are allowed to use protected health information (PHI) for treatment purposes without patients’ authorization. However, if CEs want to use or disclose patients’ data for things as varied as marketing, social media, news reports, and more to third parties, they must have a signed authorization form on file.

There are “core elements” that your authorization form must include to make it valid under the law, indicates an HHS Office for Civil Rights (OCR) decision tool. The HIPAA Privacy Rule mandates the following requirements:

  • A specific description of the PHI to be used or disclosed.
  • The names of the person or organization authorized to make the disclosure of the PHI.
  • The names of the third parties receiving the information.
  • A description of each purpose or reason for the use or disclosure of the data.
  • An expiration date or event end date related to the data sharing.
  • The individual’s signature, whose PHI is being used or disclosed, or their representatives’ signatures with the signing date.

Resource: See more advice on authorizations at

Why? OCR has penalized covered providers in the past who failed to secure their patients’ PHI with written authorizations before the video cameras started rolling — and the fines have been steep (see Health Information Compliance Alert, Vol. 16, No. 5).

“Healthcare providers that permit filming without taking appropriate privacy measures may be televising costly HIPAA compliance failures to a watchful HHS,” warn Anderson and Cebada.

Resources: Find OCR’s updated guidance at