Yes. The Privacy Rule requires providers to obtain authorization and not consent to use or disclose PHI maintained in psychotherapy notes for treatment by persons other than the originator of the notes, for payment, or for health care operations purposes, except as specified in the Privacy Rule (§ 164.508(a)(2)).
In addition, because the consent is only for a use or disclosure of PHI for the TPO purposes of the covered entity obtaining the consent, an authorization is also required if the disclosure is for the TPO purposes of an entity other than the provider who obtained the consent. For example, a health plan seeking payment for a particular service from a second health plan, such as in coordination of benefits or secondary payer situations, may need PHI from a physician who rendered the health care services. In this case, the provider typically has been paid, and the transaction is between the plans. Since the provider’s disclosure is for the TPO purposes of the plan, it would not be covered by the provider’s consent. Rather, an authorization, and not a consent, would be the proper document for the plan to use when requesting such a disclosure.
Also, learn more about how we may help you become compliant with HIPAA Security Standards with our HIPAA Security Assessment ToolKit™ and HIPAA compliance software tool.
Thank you for reading our HIPAA Privacy FAQ posts which are intended to help you understand and comply with the HIPAA laws.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.