Valid HIPAA Authorizations: A Checklist
by Kim C. Stanger, Holland & Hart LLP
The HIPAA privacy rules generally prohibit healthcare providers and their business associates from using or disclosing protected health information (“PHI”) unless (1) they have a valid written HIPAA authorization signed by the patient or the patient’s personal representative, or (2) a specific regulatory exception applies.[1] Many if not most authorizations received by providers are invalid. To be valid, a HIPAA authorization must satisfy the following:[2]
- No Compound Authorizations. The authorization may not be combined with any other document, such as a consent for treatment.[3] An authorization to use or disclose psychotherapy notes may not be combined with an authorization to disclose other forms of PHI.[4]
- Core Elements. The authorization must contain the required “core elements”:[5]
- A description of the PHI to be used or disclosed that identifies the PHI in a specific and meaningful fashion.
- The name or specific identification of the person(s) or class of person(s) authorized to make the use or disclosure.
- The name or identification of the person(s) or class of person(s) to whom the provider may make the requested use or disclosure.
- A description of each purpose for the requested use or disclosure. If the patient initiates the authorization, a statement that the disclosure is “at the request of the individual” is sufficient.
- An expiration date or event that relates to the patient or the purpose of the use or disclosure (e.g., “until completion of the litigation.”).
- The date and signature of the patient or the patient’s personal representative.
- If the authorization is signed by the personal representative, a description of the personal representative’s authority to act for the patient.
- Required Statements. The authorization must also contain certain required statements regarding patient rights:[6]
- The patient or personal representative has the right to revoke the authorization at any time by submitting a written revocation, except to the extent the provider has already taken action in reliance on the authorization.
- The provider generally may not condition its healthcare on the provision of the authorization except (i) for research-related treatment, or (ii) if the purpose of the healthcare is to create information for disclosure (e.g., an employment physical or independent medical exam), in which case the provider may refuse to provide the healthcare if the patient refuses to execute an authorization.
- The information disclosed per the authorization may be subject to redisclosure by the recipient and no longer protected by HIPAA.
- Marketing or Sale of PHI. If the authorization is to permit the use or disclosure of PHI for purposes of marketing (as defined by HIPAA) or the sale of PHI, and the provider will receive remuneration for the PHI, the authorization must notify the patient that the provider will receive the remuneration.[7]
- Completed in Full. The authorization and its required elements must be completely filled out, i.e., there should be no blanks concerning the required terms.[8]
- Written in Plain Language. The authorization must be written in plain language.[9] For patients with limited English proficiency, the provider may need to translate the authorization for the patient.
- Give the Patient a Copy. If the provider is requesting the authorization from the patient, the provider must give the patient or personal representative a signed copy of the authorization.[10] The provider is not required to give a copy if the patient initiated the authorization.
- Retain the Authorization. The provider must retain a copy of the authorization for six years.[11]
Where an authorization is required, HIPAA prohibits providers and business associates from using or disclosing more PHI than the authorization allows, or from using or disclosing it in a manner different from what the authorization states. Providers should therefore confirm that the authorization is broad enough to cover the requested use or disclosure, including any disclosure of oral information in addition to records.
For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: 208-383-3913
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
[1] 45 CFR 164.502.
[2] 45 CFR 164.508(b).
[3] A limited exception allows an authorization for the disclosure of research information to be combined with a consent to participate in the research. 45 CFR 164.508(b)(3)(i).
[4] 45 CFR 164.508(b)(3)(ii).
[5] 45 CFR 164.508(c)(1).
[6] 45 CFR 164.508(c)(2).
[7] 45 CFR 164.508(a)(3)-(4).
[8] 45 CFR 164.508(b)(2).
[9] 45 CFR 164.508(c)(3).
[10] 45 CFR 164.508(c)(4).
[11] 45 CFR 164.508(b)(6).