Required Elements Of A Patient Authorization
HIPAA
requires that certain elements be present on the authorization that the
patient is to sign. Whenever you receive an authorization (or
“release”) asking you to disclose PHI and HIPAA requires an authorization for the disclosure, use this checklist to verify that the authorization meets the HIPAA requirements. If any ONE of the following elements is missing, you should NOT release the patient’s PHI until you have a valid authorization signed by the patient. If ALL the elements are present, the authorization is valid.
•
A description of the PHI to be used or disclosed that identifies it in
a specific and meaningful fashion. They may request the entire medical
record, all records between specific dates, or other specific items.
•
The name or other specific identification of the person(s), or class
of persons, who can make the requested use or disclosure. For example,
the signed request should list either your organization or someone in
your organization by name.
• The person(s), or class of
persons, to whom you may make the requested disclosure. The specific
entity(ies) to receive the information should be identified. A cover
sheet stating who should receive the information is NOT sufficient.
•
A description of each purpose of the requested use or disclosure. The
statement “at the request of the individual” is a sufficient
description of the purpose when a patient initiates the authorization
and does not, or elects not to, provide a statement of the purpose. The
above statement or some other description must be present.
•
An expiration date or an expiration event that is related to the
individual or the purpose of the use and disclosure. The statement “end
of research study”, “none”, or similar language is sufficient if the
authorization is for a use or disclosure of PHI for research. Again,
the statement must be present.
• Signature of the patient and
date. If the authorization is signed by a personal representative of
the individual, a description of such representative’s authority to act
for the individual must also be provided.
• The individual’ s
right to revoke the authorization in writing, any exceptions to that
right, and a description of how the individual may revoke the
authorization.
• The ability or inability to condition
treatment on the authorization by stating either: (A) The covered
entity may not condition treatment on whether the individual signs the
authorization or (B) The consequences to the individual for refusal to
sign the authorization. (Remember that there are very limited
circumstances in which action can be a condition on a patient signing an
authorization.)
• A statement that informs of the potential
for information to be re-disclosed by the person or organization to
which it is sent. The privacy of this information may not be protected
under the Federal Privacy Rule depending on whom the information is
disclosed to.
• If the requested use or disclosure is for
marketing purposes. If the marketing involves direct or indirect
remuneration to the covered entity from a third party, the authorization
must state such remuneration.
--For more healthcare compliance information and discussion please join the LinkedIn group forum: The Healthcare Compliance Solutions Administrative Alert
No comments:
Post a Comment