HIPAA FAQs - Authorization

Home

HIPAA FAQs

Index

Privacy Notice

Authorization

Amendment

Uses & Disclosures

Restriction of Use

Patient Access

Complaints

Privacy Officer

Minimum Necessary

Business Associate

Training

Operations

What is the requirement for an authorization?
Unless release of protected health information (PHI) is allowed by other provisions of the law, or for treatment, payment, and health care operations (TPO), a valid authorization is required. There are also additional requirements for authorization for release of psychotherapy notes and most marketing uses.

Are there specific elements that must be in an authorization to make it valid?
Yes, it must contain:

A clear description of the information to be used or disclosed.
Name or other specific identification of the person(s), or class of persons, authorized to request use or disclosure of protected health information (PHI).
Name or other specific identification of the individual of the practice that may grant the requested use or disclosure.
An expiration date or event relating to the individual or purpose of the use or disclosure.
Statement of the individual’s right to revoke the authorization.
Description of how to revoke authorization.
Statement that the information disclosed may be subject to redisclosure and is no longer covered by HIPAA.
Date and signature of the individual authorizing release.
If signed by other than the individual whose records are being released, a description of the representative’s authority to act for said individual.

Is there a requirement about language?
Must be in plain (easily understood) language.

Can an authorization be verbal?
To be valid, authorizations must be in writing. A fax of a signed, properly executed authorization is valid.

Can we accept a copy of an authorization instead of the original?
Copies are acceptable if they contain the required elements.
Is there a requirement to verify the identity of the individual signing the authorization?
Only if the individual signing is not the patient whose records are to be released. It is a good practice, however, to verify the authenticity of the signature. If a person presents whose identity is not known on visual sight, you should properly identify that person.

Are there any special requirements to revoke an authorization?
An individual may revoke an authorization at any time, provided the revocation is in writing, except where action has already been taken.

Are there special requirements for authorization for research purposes?
In addition to the core elements, the authorization must contain:

A description of the extent to which protected health information (PHI) will be used or disclosed to carry out treatment, payment, and health care operations (TPO).
A description of any PHI that will not be used or disclosed for purposes permitted.

Is there any easier way to obtain authorization for research purposes?
An authorization can be a part of another document, such as a consent to participate in research, a consent to use or disclose protected health information (PHI) to carry out treatment, payment, and health care operations (TPO), or a Notice of Privacy Practices (NPP).

Are there any exceptions to the requirement for an authorization for disclosure for marketing purposes?
ALL marketing communications require a written authorization from the patient except when a face-to-face communication is made by your practice to an individual or when the communication is a promotional gift of nominal value provided by your practice.