• E-mail
• Print
• RSS

Ask the expert: If a third party, such as an insurance company, requests that we release patient information, should we deny sending patient records if the request doesn't include the following statement required by HIPAA?

HIM Connection, January 22, 2008

Want to receive articles like this one in your inbox? Subscribe to HIM Connection!

"I understand that I may refuse to sign this authorization, and that my refusal to sign will not affect my ability to obtain treatment or payment, enrollment, or my eligibility for benefits."

A: Authorization is not necessary if you are releasing information to an insurance company that is paying for the individual's healthcare. The privacy rule permits disclosure of protected health information without authorization for treatment, payment, and healthcare operations. If you are disclosing information for other purposes, a valid authorization is necessary, unless the disclosure is required by law. For example, if a life insurance company requests information, authorization is necessary because the life insurance company does not pay for healthcare services.

To be valid under the privacy rule, an authorization must contain the minimum following core elements:

• The name of the institution/individual authorized to release the information
• The name of the institution/individual authorized to receive the information
• A description of the information to be disclosed that identifies the information in a specific and meaningful fashion, including dates of treatment
• A description of each purpose for the requested use or disclosure
• An expiration date or expiration event that relates to the patient or the purpose of the request
• The patient's signature or his or her personal representative's signature, and the date on which either of those individuals signed the authorization
• A description of the representative's authority to act on the patient's behalf (if the patient's personal representative signed the authorization)

In addition to these core elements, a valid authorization must also contain the following:

• Statement of the patient's right to revoke the authorization in writing and exceptions to the right to revoke, as well as a description of how the patient may revoke the authorization
• Statement that treatment, payment, or enrollment or eligibility for benefits may not be conditional based on whether the individual signs the authorization
• Statement that the information disclosed may be subject to redisclosure by the recipient, and that in this scenario, the information may no longer protected by state or federal law or regulations

Editor's note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question.

This Q&A was adapted from the January 2008 issue of Briefings on HIPAA. For more information, visit www.hcpro.com/content/202350.cfm.

Want to receive articles like this one in your inbox? Subscribe to HIM Connection!

• Comment
• E-mail to a Colleague
• Print
• RSS
• Archive

Comments