February 25, 2014
What information must be included in an authorization for the use and disclosure of protected health information?
According to the U.S. Department of Health and Human Services, an “authorization must be in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data.”1
All authorizations must meet the following criteria to be considered valid:
√ Written in plain language.
√ Describe the information to be used or disclosed.
√ Identify the person(s) authorized to use or disclose the requested information.
√ Identify the person(s) to whom a covered entity may disclose the requested information.
√ Identify the purpose of the use or disclosure.
√ Provide a specific date upon which the authorization expires.
√ Include a signature of the individual or personal representative, including the personal representative’s authority to act for the individual, if applicable, and date signed.
√ Provide a statement regarding the individual’s right to revoke the authorization in writing, including either exceptions to this right in accordance with paragraph 164.508(b)(5) and how an individual may revoke the authorization, or a reference to the covered entity’s notice of privacy practices.
√ Provide a statement that the covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on an individual granting an authorization, or the consequences to the individual when the authorization is not signed if the covered entity is permitted to condition treatment, enrollment, or eligibility of benefits under paragraph 164.508(b)(4).
√ Provide a statement regarding the potential for information disclosed in accordance with the authorization to be subject to re-disclosure by the recipient and no longer protected by the Privacy Rule.
√ If the authorization is for marketing purposes and the marketing involves payment to the covered entity by a third party, a statement revealing this information must also be included in the authorization.
√ If the authorization is for the sale of protected health information, a statement is required identifying that the authorized disclosure will result in payment to the covered entity.
Good to Know
“Consent” vs “Authorization.” Covered entities are permitted, but not required, to voluntarily obtain consent from an individual to use or disclose their protected health information for the purpose of treatment, payment, or health care operations. On the other hand, a use or disclosure for a purpose other than treatment, payment, or health care operations requires a written authorization from the individual. In this case, voluntary consent from an individual is not sufficient to permit the use or disclosure of protected health information unless that consent also meets the requirements of an authorization.2
Witness and notarization not required. Authorizations do not require a witness signature or notarization.3
Categories or classes of persons or entities may be used when identifying who may use or disclose information. The Privacy Rule does not require that an authorization name a specific person or entity that may use or disclose protected health information. It is sufficient for a single authorization to name a category or class of persons or entities, such as “all medical sources” or “any health care provider who has provided treatment or services to me.” Categories or classes of persons or entities are also sufficient when naming to whom a covered entity may make a disclosure.4
An expiration date or event is required. An authorization is required to identify either a specific date when the authorization will expire, or an event, such as “one year from the date the authorization is signed,” after which the authorization will no longer be valid. The authorization will remain valid until it has expired or is revoked by the individual prior to the expiration date/event. Keep in mind, State law may limit the length of time an authorization is effective.5
Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:
§ 164.508 – Uses and disclosures for which an authorization is required
U.S. Department of Health and Human Services Resources:
1. “Summary of the HIPAA Privacy Rule,” hhs.gov, accessed February 14, 2014, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/.
2. “What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/264.html.
3. “Does the Privacy Rule require that an Authorization be notarized or include a witness signature?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/478.html.
4. “May a valid Authorization list categories of persons who may use or disclose protected health information, without naming specific individuals or entities?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/473.html.
5. “Must an Authorization include an expiration date?” hhs.gov, last modified August 8, 2005, http://www.hhs.gov/ocr/privacy/hipaa/faq/authorizations/476.html.