The HIPAA privacy rules generally prohibit healthcare providers and their business associates from using or disclosing protected health information (“PHI”) unless (1) they have a valid written HIPAA authorization signed by the patient or the patient’s personal representative, or (2) a specific regulatory exception applies.[1] Many, if not most, authorizations received by providers are invalid. To be valid, a HIPAA authorization must satisfy the following:[2]

- No Compound Authorizations. The authorization may not be combined with any other document, such as a consent for treatment.[3] An authorization to use or disclose psychotherapy notes may not be combined with an authorization to disclose other forms of PHI.[4]
- Core Elements. The authorization must contain the required “core elements”:[5]
  - A description of the PHI to be used or disclosed that identifies the PHI in a specific and meaningful fashion.
  - The name or specific identification of the person(s) or class of person(s) authorized to make the use or disclosure.
  - The name or identification of the person(s) or class of person(s) to whom the provider may make the requested use or disclosure.
  - A description of each purpose for the requested use or disclosure. If the patient initiates the authorization, a statement that the disclosure is “at the request of the individual” is sufficient.
  - An expiration date or event that relates to the patient or the purpose of the use or disclosure (e.g., “until completion of the litigation”).
  - The date and signature of the patient or the patient’s personal representative.
  - If the authorization is signed by the personal representative, a description of the personal representative’s authority to act for the patient.
- Required Statements. The authorization must also contain certain required statements regarding patient
  - The patient or personal representative has the right to revoke the authorization at any time by submitting a written revocation, except to the extent the provider has taken action in reliance on the authorization.
  - The provider generally may not condition its healthcare on the provision of the authorization, except (i) for research-related treatment, or (ii) if the purpose of the healthcare is to create information for disclosure (e.g., an employment physical or independent medical exam), in which case the provider may refuse to provide the healthcare if the patient refuses to execute an authorization.
  - The information disclosed per the authorization may be subject to redisclosure by the recipient and no longer protected by HIPAA.
- Marketing or Sale of PHI. If the authorization is to permit the use or disclosure of PHI for purposes of marketing (as defined by HIPAA) or the sale of PHI, and the provider will receive remuneration for the PHI, the authorization must notify the patient that the provider will receive the remuneration.[7]
- Completed in Full. The authorization and its required elements must be completely filled out, i.e., there should be no blanks concerning the required terms.[8]
- Written in Plain Language. The authorization must be written in plain language.[9] For patients with limited English proficiency, the provider may need to translate the authorization for the patient.
- Give the Patient a Copy. If the provider is requesting the authorization from the patient, the provider must give the patient or personal representative a signed copy of the authorization.[10] The provider is not required to give a copy if the patient initiated the authorization.
- Retain the Authorization. The provider must retain a copy of the authorization for six years.[11]

If an authorization is required, HIPAA prevents providers and business associates from using or disclosing more PHI than is allowed, or in a manner different from that stated in the authorization, so providers should ensure that the authorization is broad enough to cover the requested use or disclosure, including any disclosure of oral information in addition to records.