AMARILLO, TX – The Health Insurance Portability and Accountability Act (HIPAA) restricts a covered entity’s ability to use or disclose protected health information (PHI). HIPAA requires a covered entity to obtain a valid authorization from an individual before using or disclosing PHI to market a product or service to the individual or before making a sale of the individual’s PHI.  PHI is a subset of “individually identifiable health information,” which is defined as:

• information that is a subset of health information, including demographic information collected from an individual;
• is created or received by a health care provider…; and
• related to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual…; and
• identifies the individual; or with respect to which there is a reasonable basis to believe the information could be used to identify the individual.

HIPAA broadly defines “use” of PHI to include the sharing, employment, application, utilization, examination, or analysis of such information.  The HIPAA definition of marketing excludes certain communications as follows:

Marketing does not include a communication made: . . . [f]or the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication[,] . . . to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.

HIPAA defines a “marketing communication” as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”

A sale of PHI means any disclosure of PHI by a covered entity, where the covered entity directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.  “Disclosure” means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

HIPAA requires covered entities to obtain prior valid authorization from a patient to use or disclose PHI that is not otherwise permitted under the rules.  “A valid authorization is a document that meets [specific] requirements…”

Electronic Authorization
The HIPAA Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided the electronic signature is valid under applicable law.  HIPAA requires that the authorization not be combined with any other document, be written in plain language, and include:

1) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
2) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
3) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
4) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
5) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
6) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.

In addition to the core elements listed above, the authorization must contain statements adequate to place the individual on notice of all of the following:
1) the individual’s right to revoke the authorization in writing, including exceptions and explanation of how to revoke;
2) the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization,
3) the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart.

Also, if the authorization is for marketing and “involves direct or indirect financial remuneration …to the covered entity from a third party,” or if the authorization is for the sale of PHI, then the authorization must also state that such remuneration is involved.

The signed authorization should be retained for six years from the date of its expiration.  The covered entity must also provide the individual with a copy of the signed authorization.

Electronic Signatures in Global and National Commerce Act
The Electronic Signatures in Global and National Commerce Act (the “E-Sign Act”) generally gives electronic signatures the same effect as written signatures in the context of any transaction in or affecting interstate or foreign commerce, when certain additional requirements are met. The E-sign Act allows the use of electronic records to satisfy any statute, regulation, or rule of law requiring that such information be provided in writing, if:

1) The consumer has affirmatively consented to such use and has not withdrawn such consent.
2) Prior to obtaining their consent, the entity must provide the consumer, a clear and conspicuous statement informing the consumer:

a) of any right or option to have the record provided or made available on paper or in a non electronic form, and the right to withdraw consent, including any conditions, consequences, and fees in the event of such withdrawal;

b) whether the consent applies only to the particular transaction that triggered the disclosure or to identified categories of records that may be provided during the course of the parties’ relationship;

c) of the procedures the consumer must use to withdraw consent and to update information needed to contact the consumer electronically;

d) how the consumer may nonetheless request a paper copy of a record and whether any fee will be charged for that copy; and

e) of the hardware and software requirements for access to and retention of the electronic records; and consents electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent.

In addition to the federal E-Sign Act, the Uniform Electronic Transactions Act (“UETA”), which has been adopted by 47 states, the District of Columbia, Puerto Rico, and the Virgin Islands, also validates the use of electronic records and signatures. Each statute provides that electronic contracts and signatures shall not be denied legal effect or enforceability because they are electronic.  In some cases the federal legislation uses the language of UETA without change.  

The E-Sign Act governs in the absence of a state law or where states have made modifications to UETA that are inconsistent with the E-Sign Act.  By adopting the official version of UETA, states have the authority to specify alternative procedures or requirements for the use or acceptance of electronic records and signatures if such alternatives are consistent with the E-Sign Act and do not show preference for specific technology.

Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato PC, a law firm based in Amarillo, Tex. He represents pharmacies, infusion companies, HME companies, and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or [email protected].