Understanding HIPAA Authorization Forms

Understanding when an authorization form is required to release protected health information (PHI) has been a challenge for the healthcare community since HIPAA required compliance with the Privacy Rule in April of 2003. Generally, a HIPAA-compliant authorization form is not necessary for most uses and disclosures that take place in the average medical practice. However, due to a lack of understanding and a level of fear generated by penalties for HIPAA violations, many practices and other healthcare organizations continue to require patients to complete authorization forms for disclosures that are permitted by the Privacy Rule without a patient’s authorization.

In an effort to clear up some of this confusion, the following information describes the circumstances when an authorization is not required, when an authorization is required, and what information must be included for an authorization to be considered HIPAA-compliant.

For starters, a covered entity may not use or disclose PHI except as the Privacy Rule permits or requires; or as authorized by the patient or the patient’s personal representative.

Required Disclosures

There are only two situations under the Privacy Rule that require disclosure of an individual’s PHI. Covered entities are required to disclose PHI to the patient or the patient’s personal representative (under HIPAA, a personal representative has the same rights as the patient) and to Health and Human Services for a compliance investigation or review of an enforcement action. Required disclosures do not require authorization by the patient.

Permitted Uses and Disclosures

There are several types of permitted uses and disclosures of PHI under the Privacy Rule, but for purposes of this article, the focus is on treatment, payment, and health care operations (TPO), ­specifically treatment disclosures. An authorization form is not required when sharing PHI with other healthcare providers for treatment purposes, even in situations when the healthcare provider did not refer the patient to the practice requesting the information. The Department of Health and Human Services (HHS) has addressed this type of disclosure in one of their frequently asked questions:

Does a physician need a patient's written authorization to send a copy of the patient's medical record to a specialist or other health care provider who will treat the patient?

Answer: No. The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual. See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501. 

Patient Authorized Uses and Disclosures

Generally, a covered entity may not use or disclose an individual’s PHI without an authorization unless the use or disclosure is otherwise permitted or required under HIPAA, as described above. There are also circumstances when an authorization is specifically required. The use or disclosure of psychotherapy notes, using PHI for marketing purposes and the sale of PHI all require a patient’s authorization. When an authorization is required, certain language must be included in order for it to be considered valid under the Privacy Rule.

For an authorization to be considered valid, the following core elements must be included:

• A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
• The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure
• The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure
• A description of each purpose of the requested use or disclosure
• An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure
• Signature of the individual and date (If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.)

In addition to the core elements, the following required statements must be included:

• The individual’s right to revoke the authorization in writing and instructions for how to do so (Instructions may be included on the authorization form or in the covered entity’s Notice of Privacy Practices.)
• The inability of the covered entity to condition treatment on the authorization
• The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected

The following circumstances require additional actions beyond the core elements and required statements above. If the covered entity is going to receive payment specifically for the use or disclosure of patient information, then a statement to that effect must be included on the authorization form. If the authorization is for the covered entity’s own use (i.e., marketing), a copy of the signed authorization must be given to each patient and a copy must be kept by the covered entity.

Using PHI for Marketing Purposes

Some healthcare organizations are using patient information for promotional purposes. The use of patient photos, testimonials, or other patient information to promote or market a practice, whether online or in print, requires a signed HIPAA-compliant authorization form from the patient since this type of use or disclosure does not fit the criteria of a permitted or required use or disclosure. Keep in mind that there may be other state/federal laws that relate to using an individual’s photo or likeness for promotional purposes. It is recommended that covered entities seek advice from legal counsel familiar with using patient information for marketing/advertising purposes to ensure that all laws are being followed appropriately.

Treatment Disclosures/Disclosures to the Patient

The typical uses and disclosures of PHI for most healthcare providers relate to the patient’s treatment and payments from health plans. In these cases, it is not necessary to have the patient sign an authorization form. However, a practice may choose to have a policy on disclosures that is more stringent than the Privacy Rule, such as requiring a patient to sign a medical records release prior to sending records to another healthcare provider. Having this type of policy is not violating HIPAA, but practices should make sure that this type of policy does not cause an unreasonable burden on the patient or slow down the patient’s care, especially since this is not a HIPAA requirement.

When a patient requests a copy of their medical records, some practices require the patient to complete an authorization form or a medical records release. Again, this is not required by HIPAA but a practice may do this as long as it does not cause an unreasonable burden on the patient. For example, if a patient calls and asks for their records to be mailed to their home address, the practice should not require the patient to physically come to the office to fill out an authorization form.

The practice is required to verify the patient’s identity prior to releasing PHI. This may be accomplished in writing or verbally. If done verbally, the patient could be asked to verify two or three pieces of information such as their date of birth, last four digits of their social security number or home mailing address. This verification process should be outlined in the practice’s policy and procedures for uses and disclosures of PHI. Verbal verification should also be documented in the patient’s electronic health record for tracking purposes.

HIPAA’s intent is to make it easier for the patient to have access to their PHI, while at the same time protecting the patient’s privacy. More information regarding providing individuals with access to their PHI can be found in the SVMIC Education Center. 

For more information or questions about the use of authorization forms, contact Rana McSpadden at RanaM@svmic.com.