Editor’s note: The following article supplants information contained in the October 2002 “Required Content for Authorizations to Disclose” Practice Brief.
The HIPAA privacy rule became effective April 14, 2003, and established standards for information disclosure including what constitutes a valid authorization. HIPAA applies to covered entities, defined by the rule to include health plans, healthcare clearinghouses, and healthcare providers that transmit specific information electronically. The rule was amended by the final HITECH Omnibus Rule on January 25, 2013, with an effective date of March 26, 2013, and a compliance date of September 23, 2013.
The HITECH Omnibus Rule extends disclosure requirements and associated liabilities to business associates. Business associates are required to comply with the same disclosure requirements as a covered entity and those expectations typically will be addressed in the business associate agreement between the covered entity and the business associate. Refer to the Business Associate Practice Brief for further guidance.
This Practice Brief will explore the requirements for the appropriate disclosure of protected health information (PHI), including authorization content. It will also provide an overview of other federal and state laws and regulations and their impact on specific types of PHI disclosures (e.g., substance abuse records, psychotherapy notes).
Section 164.508 of the final privacy rule states that covered entities may not use or disclose protected health information (PHI) without a valid authorization, except as otherwise permitted or required in the privacy rule.
General Authorization content: The rule states that a valid authorization must be in plain language and contain at least the following core elements:
- A specific and meaningful description of the information to be used or disclosed
- The name or other specific identification of the person(s) or class of persons authorized to use or disclose the information
- The name or other specific identification of the person(s) or class of persons to whom the covered entity may make the use or disclosure
- A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is sufficient when an individual initiates the authorization and does not provide a statement of the purpose
- An expiration date or event that relates to the individual or the purpose of the use or disclosure.
- For research purposes only – The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure for research, including for the creation and maintenance of a research database or repository
- Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of the representative’s authority to act for the individual must be provided
In addition to the core elements, the rule states that a valid authorization must include:
- A statement of the individual’s right to revoke the authorization, in writing, and either:
  - A reference to the revocation right and procedures described in the covered entity’s notice of privacy practices, or
  - A statement about the exceptions to the right to revoke, and a description of how the individual may revoke the authorization
  Exceptions to the right to revoke include situations in which the covered entity has already taken action in reliance on the authorization, or in which the authorization was obtained as a condition of obtaining insurance coverage and other law gives the insurer the right to contest a claim under the policy or the policy itself.
- A statement about the ability or inability of the covered entity to condition treatment, payment, enrollment, or eligibility for benefits on the authorization:
  - The covered entity must state that it may not condition treatment, payment, enrollment, or eligibility for benefits on whether the individual signs the authorization, or
  - Where the covered entity is permitted to condition research-related treatment, health plan enrollment or eligibility for benefits, or healthcare provided solely for the purpose of creating PHI for disclosure to a third party, on obtaining an authorization, it must describe the consequences to the individual of refusing to sign
- A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and may no longer be protected by the rule
When a Covered Entity Requests Patient Authorization: The covered entity must provide the individual with a copy of the signed authorization when the covered entity seeks the authorization.
When a Non-Covered Entity Requests Patient Authorization: If a non-covered entity (e.g., a pharmaceutical company or an attorney’s office) solicits a patient’s authorization to release PHI to the non-covered entity, the authorization must contain all elements of a General Authorization as required. See the research authorization guidance below.
An authorization may be combined with another document to create a Compound Authorization only as described below:
- Research: An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same or another research study, including a consent to participate in the research or another authorization to disclose protected health information from the research.
In addition, the HITECH Omnibus Rule now permits the combining of conditioned and unconditioned authorizations. The individual must be able to opt in to the unconditioned authorization. This simplifies authorization paperwork for the research community. For example, a researcher will be able to rely on a single authorization for a clinical trial that requires execution of the authorization to participate in the trial and that also includes an opt-in (such as a check box or a second signature line) authorizing the covered entity to use and disclose the individual’s PHI for a tissue bank, as long as the authorization makes clear that the individual may choose not to opt in to the tissue bank and that the choice will not affect treatment, payment, or benefits. This provision has one exception: it does not apply when the research involves the use or disclosure of psychotherapy notes. An authorization for the use or disclosure of psychotherapy notes, for research or otherwise, may be combined only with another authorization for the use or disclosure of psychotherapy notes.
- Psychotherapy notes: An authorization for the use or disclosure of psychotherapy notes may be combined with another authorization for the use or disclosure of psychotherapy notes. For example, an individual can complete an authorization that requests his psychotherapy notes be sent to his attorney and a second mental health professional. An authorization for psychotherapy notes must specifically identify psychotherapy notes when a general authorization or research authorization is executed. This can be indicated by the mark of a check box on the current form, or a separate form can be used. It is up to the covered entity whether the use of a separate form is preferred.
- General Authorizations: In accordance with §164.508 of the privacy rule, an authorization for the disclosure of health information may be combined with another authorization. For example, a patient may request lab results be disclosed to two different family members (living in separate residences) on the same form. However, an authorization that conditions treatment, payment, enrollment, or eligibility for benefits on completion may not be combined with a general authorization because a general authorization is not conditioned. For example, an insurance company may not combine an authorization they require as a condition of enrolling in their plan with a general authorization to obtain copies of patient information following the approved enrollment.
The HITECH Omnibus Rule requires a valid authorization be obtained from an individual before the use or disclosure of PHI for marketing purposes involving financial remuneration. The authorization must also include a statement about any direct or indirect remuneration the covered entity has received or will receive from a third party. An authorization for marketing purposes can be included on the organization’s compliant HIPAA authorization form or a separate one may be created.
The following are exceptions to the marketing rule and do not require an authorization:
- Face-to-face communications from the covered entity to the individual
- Gifts of nominal value provided by the covered entity
Refer to the Release of Information for Marketing or Fundraising Purposes practice brief for further requirements.
Sale of Protected Health Information
The HITECH Omnibus Rule does not permit a covered entity to directly or indirectly receive remuneration in exchange for PHI of an individual unless covered by a valid authorization. An authorization for this purpose must include a statement that the disclosure will result in remuneration to the covered entity.
Note: The meaning of remuneration for the sale of PHI differs from its meaning for marketing purposes. Remuneration here is defined to include both financial and nonfinancial benefits, also known as in-kind benefits (e.g., laptops or iPads for the residency program).
The Confidentiality of Alcohol and Drug Abuse Patient Records Rule applies to federally assisted alcohol and drug abuse programs as defined by 42 CFR Part 2, section 2.12 [3]. The rule establishes the following content requirements for authorizations to disclose individually identifiable patient health information generated by alcohol or drug abuse programs:
- The specific name or general designation of the program or person permitted to make the disclosure
- The name or title of the individual or the name of the organization to which disclosure is to be made
- Patient name
- Purpose of disclosure
- How much and what kind of information is to be disclosed
- The signature of the patient or legal representative
- The date on which the authorization is signed
- A statement that the authorization is subject to revocation at any time except to the extent that the program or person who is to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of services in reliance on a valid authorization or consent to disclose information to a third-party payer
- The date, event, or condition upon which the authorization will expire if not revoked. This date, event, or condition must ensure that the authorization will last no longer than reasonably necessary to serve the purpose for which it is given
- A statement informing the requestor that any disclosure carries with it the potential for redisclosure by the recipient and is no longer protected by the releasing entity
The HITECH Omnibus Rule made it easier to disclose immunization records to schools in states where proof of immunization is required by law prior to admission. A written authorization is no longer required, but an agreement must still be obtained. The agreement may be oral and must come from a parent, guardian, or other person acting in loco parentis, or directly from the individual if the individual is an adult or emancipated minor.
The agreement must be documented, but no signature by the parent is required. The final rule leaves it up to the covered entity to decide what information about the agreement needs to be captured for its purposes. Written or e-mail requests suffice as documentation of the agreement. Agreements obtained under this provision remain effective until revoked by the parent, guardian, or other person acting in loco parentis, or by the individual (adult or emancipated minor). The agreement is not a HIPAA-compliant authorization; the disclosure therefore must be captured in the accounting of disclosures [4].
In an environment of continuous technological advancement, the term “HIPAA compliant voice authorization” is appearing more frequently. However, HIPAA does not address voice authorizations; they are governed by state law. Unless state law mandates otherwise, whether to accept and process voice authorizations is up to the individual organization. Regardless of the decision, it should be addressed in the organization’s policies and procedures.
The Uniform Electronic Transaction Act (UETA) equates electronic signatures to manual signatures. It requires that the signer execute or adopt a sound, symbol, or process with the intent to sign the record. Additionally, UETA requires that the electronic signature be linked or logically associated with the electronic record being signed.
UETA makes clear that any electronic form would suffice, including voice recordings, Web browser clicks, and other symbols or keystrokes that indicate intent. Under UETA, any type of digital information could be considered either a signature or a record, with the totality of the circumstantial evidence, both digital and real world, being relevant and necessary [5].
Individual states may have laws or regulations defining authorization content or limiting the time period for which an authorization may be valid. For example, some state laws require that an authorization to disclose HIV records be separate and apart from any other authorization an individual may sign for release of protected health information. When such laws or regulations exist, consult the preemption provisions of the HIPAA rules (45 CFR Part 160, Subpart B) to determine whether the state law or the federal rule applies.
The privacy rule declares any authorization invalid with the following defects:
- The expiration date or event has passed or already occurred
- The authorization is missing one or more items of content described above
- The authorization is known to have been revoked
- The authorization violates a Privacy Rule standard on conditioning or compound authorizations
- Material information in the authorization is known to be false
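As an added example (not part of this Practice Brief or of AHIMA’s sample form), the following Python checklist applies the core elements and required statements listed earlier, together with the invalidating defects listed above, to a single authorization record. The Authorization fields are an assumed data model for a release-of-information workflow, not any real system’s schema, and the two sample records (a completed form and a handwritten patient request that omits the expiration and the required statements) are constructed for the illustration.

```python
"""Checklist validator for a HIPAA authorization (45 CFR 164.508 as described above).
Added example; the record fields are an assumed data model, not any vendor's schema."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Expiration wording that the rule accepts only for research authorizations.
RESEARCH_ONLY_EXPIRATION = {"none", "end of the research study"}


@dataclass
class Authorization:
    # Core elements
    description: str = ""          # specific, meaningful description of the PHI
    discloser: str = ""            # person(s) or class authorized to use or disclose
    recipient: str = ""            # person(s) or class who may receive the PHI
    purpose: str = ""              # "At the request of the individual" is sufficient
    expiration_date: date | None = None
    expiration_event: str | None = None
    signature: str = ""
    signed_on: date | None = None
    signed_by_representative: bool = False
    representative_authority: str = ""   # required when a personal representative signs
    # Required statements
    revocation_statement: bool = False
    conditioning_statement: bool = False
    redisclosure_statement: bool = False
    # Context used by the defect rules
    for_research: bool = False
    conditioned: bool = False             # CE conditions treatment/enrollment on signing
    combined_with_general: bool = False   # bundled with an unconditioned general authorization
    psychotherapy_notes: bool = False
    combined_with_other_phi: bool = False  # bundled with a non-psychotherapy-notes authorization
    revoked: bool = False
    material_info_known_false: bool = False


def defects(auth: Authorization, today: date) -> list[str]:
    """Return the reasons the authorization is invalid; an empty list means it is valid."""
    found: list[str] = []

    required = {"description": auth.description, "discloser": auth.discloser,
                "recipient": auth.recipient, "purpose": auth.purpose,
                "signature": auth.signature, "signed_on": auth.signed_on}
    found += [f"missing core element: {name}" for name, value in required.items() if not value]

    if auth.signed_by_representative and not auth.representative_authority:
        found.append("missing description of personal representative's authority")

    # An expiration date or event is required; open-ended wording is research-only.
    if auth.expiration_date is not None:
        if auth.expiration_date < today:
            found.append("expiration date has passed")
    elif auth.expiration_event:
        if auth.expiration_event.strip().lower() in RESEARCH_ONLY_EXPIRATION and not auth.for_research:
            found.append("open-ended expiration is only permitted for research authorizations")
    else:
        found.append("missing expiration date or event")

    for present, name in ((auth.revocation_statement, "right to revoke"),
                          (auth.conditioning_statement, "conditioning of treatment, payment, enrollment or eligibility"),
                          (auth.redisclosure_statement, "potential for redisclosure")):
        if not present:
            found.append(f"missing required statement: {name}")

    # Conditioning and compound-authorization rules
    if auth.conditioned and auth.combined_with_general:
        found.append("conditioned authorization may not be combined with an unconditioned one")
    if auth.psychotherapy_notes and auth.combined_with_other_phi:
        found.append("psychotherapy notes authorization may only be combined with another psychotherapy notes authorization")

    if auth.revoked:
        found.append("authorization is known to have been revoked")
    if auth.material_info_known_false:
        found.append("material information is known to be false")
    return found


def compliant_form() -> Authorization:
    """Constructed sample: an authorization completed on the covered entity's form."""
    return Authorization(
        description="Discharge summary and lab results for the 2013-09-10 admission",
        discloser="General Hospital HIM Department",
        recipient="Dr. A. Example, 123 Sample St.",
        purpose="At the request of the individual",
        expiration_date=date(2014, 6, 30),
        signature="J. Doe", signed_on=date(2013, 10, 1),
        revocation_statement=True, conditioning_statement=True, redisclosure_statement=True)


def handwritten_request() -> Authorization:
    """Constructed sample: a patient's handwritten note lacking expiration and the required statements."""
    return Authorization(
        description="All my records", discloser="General Hospital",
        recipient="My attorney", purpose="At the request of the individual",
        signature="J. Doe", signed_on=date(2013, 10, 1))


if __name__ == "__main__":
    for label, record in (("form", compliant_form()), ("handwritten", handwritten_request())):
        problems = defects(record, date(2013, 11, 1))
        print(f"{label}: {'valid' if not problems else problems}")
```

The checks are ordered the way a release-of-information clerk would read the form: presence of each core element, then the expiration, then the three required statements, then the conditioning and compound rules, and finally the facts known to the covered entity (revocation, false information) that make an otherwise complete form invalid.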
Perhaps one of the unintended consequences of the Privacy Rule is that handwritten, patient-generated authorizations may often be invalid under the rule, as most do not contain an expiration date or a statement about the individual’s right to revoke the authorization. To minimize the number of invalid authorizations received, the covered entity may wish to include a blank copy along with other materials provided to patients at the time of admission or may want to post its authorization form on its website and encourage individuals to review or complete prior to arrival.
Covered entities also may want to provide instructions for obtaining the authorization form on appropriate automated telephone messages. In addition, covered entities may find it beneficial to distribute new authorization forms to organizations that routinely request patient health information, such as local law firms, insurance companies, and law enforcement agencies.
Privacy and security experts recommend HIPAA-covered entities adhere to the following practices:
- Study both federal and state requirements for authorizations
- Draft an authorization form that complies with federal and state laws and regulations (see “Sample Authorization to Use or Disclose Health Information,” in appendix A)
- Ask the risk manager and legal counsel to review your draft authorization form
- Update or generate new policies and procedures relative to the new authorization
- Order appropriate quantities of the approved authorization form
- Educate and train staff
- Post the approved authorization form on the organization’s website
- Distribute new authorization forms to frequent requestors
An appendix to this Practice Brief, “Appendix A: Sample Authorization Form” is available online in the AHIMA HIM Body of Knowledge.
Prepared by (2013)
Rose T. Dunn, MBA, RHIA, CPA, CHPS, FACHE
Angela Dinh Rose, MHA, RHIA, CHPS, FAHIMA
LaVonne Wieland, RHIA, CHP
Marisa Coloso, RHIA, CCS
Jane DeSpiegelaere, MBA, RHIA, CCS, FAHIMA
Kim Turtle Dudgeon, RHIT, CHTS-IS/TS, CMT
Elisa R. Gorton, RHIA, CHPS, MAHSM
Lesley Kadlec, MA, RHIA
Diana Reed, RHIT, CCS-P
Tina Sander, RHIT
Peg Schmidt, RHIA, CHPS
Diana Warner, MS, RHIA, CHPS, FAHIMA
Gail Woytek, RHIA
Prepared by (2002)
Gwen Hughes, RHIA
Prepared by (Original)
Gwen Hughes, RHIA
Cheryl Smith, BS, RHIT, CPHQ
Holly Ballam, RHIA
Mary D. Brandt, MBA, RHIA, CHE, CHP
Jill Callahan Dennis, JD, RHIA
Michelle Dougherty, RHIA
Beth Hjort, RHIA, CHP
Harry Rhodes, MBA, RHIA
Dorothy Grandolfi Wagg, JD, RHIA, CHP
1. “Standards for Privacy of Individually Identifiable Health Information: Final Rule.” 45 CFR Parts 160 and 164. Federal Register 67, no. 157 (August 14, 2002).
2. “Standards for Privacy of Individually Identifiable Health Information: Final Rule.” 45 CFR Parts 160 and 164. Federal Register 67, no. 157 (August 14, 2002).
3. “Confidentiality of Alcohol and Drug Abuse Patient Records.” 42 e-CFR Part 2. http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&rgn=div5&view=text&node=42:188.8.131.52.2&idno=42#42:184.108.40.206.220.127.116.11
4. AHIMA. “Analysis of Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rule.” January 25, 2013.
5. AHIMA. “Electronic Signature, Attestation, and Authorship. Appendix B: Laws, Regulations, and Electronic Signature Acts.” Journal of AHIMA 80, no. 11 (November-December 2009).
Brandt, Mary D. Release and Disclosure: Guidelines Regarding Maintenance and Disclosure of Health Information. Chicago, IL: AHIMA, 1997.
Department of Health and Human Services’ Public Health Service. “Confidentiality of Alcohol and Drug Abuse Patient Records.” Code of Federal Regulations. 42 CFR, Chapter I, Part 2. 2000.
“Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.” 45 CFR Parts 160 and 164. Federal Register 78, no.17 (January 25, 2013)
“Standards for Privacy of Individually Identifiable Health Information: Final Rule.” 45 CFR Parts 160 and 164. Federal Register 67, no. 157 (August 14, 2002).
Schmidt, Peg, and Kathy Downing. “Release of Information for Marketing or Fund-raising Purposes (Updated).” AHIMA Practice Brief, updated August 2013.
AHIMA. “Guidelines for a Compliant Business Associate Agreement.” Journal of AHIMA 84, no.11 (November–December 2013): expanded web version.
AHIMA Practice Brief. "Authorization Requirements for the Disclosure of Protected Health Information - Retired"
(Updated November 2013)