Insight Is Your HIPAA Authorization Valid?

The HIPAA privacy rules prohibit the use or disclosure of protected health information unless (1) a specific exception applies; or (2) you obtain a valid written authorization from the patient. (45 C.F.R. § 164.508). To be valid, the authorization must contain certain “core elements” set forth in HIPAA; if it does not, the authorization is invalid and you will violate HIPAA by making the disclosure even though the patient signed the form—because there is no “good faith” compliance. (45 C.F.R. § 164.508(b)).

Most of the authorizations you see do not contain the required elements and are, therefore, invalid. The following is a checklist that covered entities can use to confirm the validity of their own authorization or an authorization received from a third party; to be valid, the authorization must satisfy the following:

1. The authorization may not be combined with any other document such as a consent for treatment.

2. The authorization must contain the required “core elements”—

• A specific description of the information to be used or disclosed.
• The name or identification of the person(s) or class of person(s) authorized to make the disclosure.
• The name or identification of the person(s) or class of person(s) to whom the provider may make the requested disclosure.
• A description of each purpose for the requested disclosure. If the patient requests the disclosure, a statement that the disclosure is “at the request of the patient” is sufficient.
• An expiration date or event that relates to the patient or the purpose of the disclosure (e.g., “until completion of the litigation.”).
• The date and signature of the patient or the patient’s personal representative.
• If the authorization is signed by the personal representative, a description of the personal representative’s authority

3. The authorization must contain the required statements concerning patient rights—

• The patient has the right to revoke the authorization at anytime (with certain exceptions) by submitting a written statement to the covered entity.
• The health care provider generally may not condition treatment on the provision of the authorization.
• The information disclosed per the authorization may be subject to redisclosure and no longer protected.All of the foregoing must be completely filled out, i.e., there should be no blanks concerning the required terms.

4. Additional rules apply to certain types of records, namely psychotherapy notes and information concerning drug and alcohol treatment.

5. If you are requesting the authorization from the patient, you must give the patient a copy of the authorization. You must also retain a copy of the authorization.

If you have questions about these or other legal issues, please contact a member of our Health Law group call 208.344.6000.

(45 C.F.R. § 164.508). HIPAA prevents you from disclosing more information than is allowed by the authorization, so you should ensure that the authorization is broad enough to cover the requested disclosure, including any disclosure of oral information in addition to records.

If you have questions about these or other legal issues, please contact a member of our health law group at call 208.344.6000.