Is Your HIPAA Authorization Valid?

The HIPAA privacy rules prohibit the use or disclosure of protected health information unless (1) a specific exception applies; or (2) you obtain a valid written authorization from the patient. (45 C.F.R. § 164.508). To be valid, the authorization must contain certain “core elements” set forth in HIPAA; if it does not, the authorization is invalid and you will violate HIPAA by making the disclosure even though the patient signed the form—because there is no “good faith” compliance. (45 C.F.R. § 164.508(b)).

Most of the authorizations you see do not contain the required elements and are, therefore, invalid. The following is a checklist that covered entities can use to confirm the validity of their own authorization or an authorization received from a third party; to be valid, the authorization must satisfy the following:

1. The authorization may not be combined with any other document such as a consent for treatment.

2. The authorization must contain the required “core elements”—

  • A specific description of the information to be used or disclosed.
  • The name or identification of the person(s) or class of person(s) authorized to make the disclosure.
  • The name or identification of the person(s) or class of person(s) to whom the provider may make the requested disclosure.
  • A description of each purpose for the requested disclosure. If the patient requests the disclosure, a statement that the disclosure is “at the request of the patient” is sufficient.
  • An expiration date or event that relates to the patient or the purpose of the disclosure (e.g., “until completion of the litigation”).
  • The date and signature of the patient or the patient’s personal representative.
  • If the authorization is signed by the personal representative, a description of the personal representative’s authority.

3. The authorization must contain the required statements concerning patient rights—

  • The patient has the right to revoke the authorization at any time (with certain exceptions) by submitting a written statement to the covered entity.
  • The health care provider generally may not condition treatment on the provision of the authorization.
  • The information disclosed per the authorization may be subject to redisclosure and no longer protected.

All of the foregoing must be completely filled out, i.e., there should be no blanks concerning the required terms.

4. Additional rules apply to certain types of records, namely psychotherapy notes and information concerning drug and alcohol treatment.

5. If you are requesting the authorization from the patient, you must give the patient a copy of the authorization. You must also retain a copy of the authorization.

(45 C.F.R. § 164.508). HIPAA prevents you from disclosing more information than is allowed by the authorization, so you should ensure that the authorization is broad enough to cover the requested disclosure, including any disclosure of oral information in addition to records.

If you have questions about these or other legal issues, please contact a member of our health law group at 208.344.6000.
