Required Elements Of A Patient Authorization
HIPAA requires that certain elements be present on the authorization that the patient is to sign. Whenever you receive an authorization (or “release”) asking you to disclose PHI and HIPAA requires an authorization for the disclosure, use this checklist to verify that the authorization meets the HIPAA requirements. If any ONE of the following elements is missing, you should NOT release the patient’s PHI until you have a valid authorization signed by the patient. If ALL the elements are present, the authorization is valid.
• A description of the PHI to be used or disclosed that identifies it in a specific and meaningful fashion. They may request the entire medical record, all records between specific dates, or other specific items.
• The name or other specific identification of the person(s), or class of persons, who can make the requested use or disclosure. For example, the signed request should list either your organization or someone in your organization by name.
• The person(s), or class of persons, to whom you may make the requested disclosure. The specific entity(ies) to receive the information should be identified. A cover sheet stating who should receive the information is NOT sufficient.
• A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when a patient initiates the authorization and does not, or elects not to, provide a statement of the purpose. The above statement or some other description must be present.
• An expiration date or an expiration event that is related to the individual or the purpose of the use and disclosure. The statement “end of research study”, “none”, or similar language is sufficient if the authorization is for a use or disclosure of PHI for research. Again, the statement must be present.
• Signature of the patient and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.
• The individual’ s right to revoke the authorization in writing, any exceptions to that right, and a description of how the individual may revoke the authorization.
• The ability or inability to condition treatment on the authorization by stating either: (A) The covered entity may not condition treatment on whether the individual signs the authorization or (B) The consequences to the individual for refusal to sign the authorization. (Remember that there are very limited circumstances in which action can be a condition on a patient signing an authorization.)
• A statement that informs of the potential for information to be re-disclosed by the person or organization to which it is sent. The privacy of this information may not be protected under the Federal Privacy Rule depending on whom the information is disclosed to.
• If the requested use or disclosure is for marketing purposes. If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state such remuneration.
--For more healthcare compliance information and discussion please join the LinkedIn group forum: The Healthcare Compliance Solutions Administrative Alert