Is there such a thing as a defective authorization?
HIPAA Weekly Advisor, March 15, 2002
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: Is there such a thing as a defective authorization? Under what circumstances can an individual revoke a signed authorization and what are our obligations if there is a revocation?
A: Yes. The regulations state that an authorization will be defective and thus, invalid in any of the following circumstances:
- The expiration date has passed or the expiration event is known by the covered entity to have occurred.
- The authorization has not been filled out completely, with respect to a required element.
- The authorization is known by the covered entity to have been revoked.
- The authorization lacks a required element.
- The authorization is an impermissible compound authorization.
- Any material information in the authorization is known by the covered entity to be false.
Question: Under what circumstances can an individual revoke a signed authorization and what are our obligations if there is a revocation?
Answer:
The regulations allow an individual to revoke an authorization at any time provided that the revocation is in writing. When an individual revokes an authorization, a covered entity that knows of such revocation must stop making uses and disclosures pursuant to the authorization to the greatest extent practical. A covered entity may continue to use and disclose protected health information in accordance with the authorization only to the extent the covered entity has taken action in reliance on the authorization. For example, a covered entity is not required to retrieve information that it has already disclosed in accordance with the authorization.
A revocation is not effective as to uses and disclosures made in reliance on the authorization. In addition, individuals do not have the right to revoke an authorization that was obtained as a condition of insurance coverage during any contestability period under other law. The HHS commentary explains that, for example, if a life insurer obtains the individual's authorization for the use or disclosure of protected health information to determine eligibility or premiums under the policy, the individual does not have the right to revoke the authorization during any period of time in which the life insurer can contest a claim for benefits under the policy in accordance with state law.
Editor's note: Brought to you by attorneys Marty Baxter and Gretchen McBeath at Bricker and Eckler, LLP (http://www.bricker.com/hipaa) and The Quality Management Consulting Group, Ltd. (http://www.qmcg.com). E-mail: mbaxter@bricker.com or gmcbeath@bricker.com.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Identify potential Medicaid RAC target areas
- HIPAA Q&A: Level of encryption needed for email
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- OB services: Coding inside and outside of the package
- QA:Coding multiple initial infusions
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- What does case-mix index mean to you?
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched