• E-mail
• Print
• RSS

Make sure authorization forms are complete

HIM Connection, November 28, 2003

Want to receive articles like this one in your inbox? Subscribe to HIM Connection!

Dear Colleagues:

Before it uses or discloses PHI, a covered entity must obtain a patient's authorization or determine that the HIPAA privacy regulations expressly allow the proposed use or disclosure without the patient's permission.

The privacy regulations require covered entities to obtain a patient's authorization for use of disclosure of his or her PHI in any situation not covered by the patient's consent or excepted by the regulations.

Each authorization must be written in plain language and contain at least the following core content:

• A specific description of the PHI to be used or disclosed (e.g., "all information from my March 2002 hospitalization" instead of "my medical records")
• A specific identification of the persons or class of persons authorized to make the use or disclosure (e.g., "my physicians" instead of "any physician")
• A specific identification of the persons or class of persons to whom the disclosure may be made (e.g. "the law firm of X, Y & Z" instead of "any attorneys")
• A description of each purpose of the requested use or disclosure ("at the request of the individual" is sufficient if the patient initiates the authorization and does not wish to state a purpose)
• An expiration date or event for the authorization (e.g., "March 20, 2002" or "my discharge from this hospitalization or "end of the research study" or "none" if the use of disclosure is for research)
• A statement the PHI disclosed may be re-disclosed and no longer protected by HIPAA
• The patient's signature
• The date signed
• If signed by the patient's representative, a description of the representative's authority to act for the patient

Each authorization must also notify the patient of the following:

• The patient's right to revoke the authorization in writing and either the exceptions to the right to revoke and a description of how to make a revocation or a reference to the entity's notice of privacy practices required by the privacy regulations
• The ability or inability of the entity under the regulations to condition treatment, payment or enrollment or eligibility for benefits on whether the patient gives the authorization (must state whether a condition is allowed and, if not, why)
• The potential for the information disclosed as permitted by the authorization to be re disclosed by the recipient and no longer protected by HIPAA

A covered entity must ensure that its authorization forms contain these required elements and that appropriate personnel are trained to use them properly.

This week's HIM Connection was adapted from the new special report, "Privacy Primer Special Report: Analysis and advice for an effective HIPAA training program." Call 800/650-6787 for more information or to order. See the Editor's Choice section for a special HIPAA training handbook just for HIM staff.

Sincerely,

Lauren McLeod
Senior Managing Editor
lmcleod@hcpro.com

Want to receive articles like this one in your inbox? Subscribe to HIM Connection!

• E-mail to a Colleague
• Print
• RSS
• Archive