authorization (HIPAA)

Covered entities are permitted a broad range of uses and disclosures of protected health information (PHI) for treatment, payment and other health care operations (TPO), without any permission from the patient. (Covered entities may optionally obtain a consent for such uses.)

For some "extra" activities, the HIPAA Privacy Rule requires that a patient provide an authorization. There are at least five notable areas where authorizations are likely to come into use.

The first is for psychotherapy notes. Use or disclosure of such notes requires an authorization, except for:

  • treatment uses by the originator of the notes (i.e., the therapist);
  • supervised training of other mental health practitioners within the covered entity; or
  • defense against a legal action brought by the subject of the notes.

(Other than psychotherapy notes, the privacy regulations do not identify additional categories of PHI deserving of "extra protection." It is possible that genetic information might come to be included in the near future, but this is purely speculative.)

The second important area where authorizations are required is research, except where waived by an IRB or Privacy Board determination. (The privacy regulations do not include research within the broad definition of healthcare operations.)

The third major area for authorizations is marketing activity that fails to meet certain criteria for exception.

The fourth is in the area of fundraising, for uses of PHI beyond basic demographic information and dates of past services.

The fifth is general requests for, and release of, protected health information, such as information required as part of an insurance coverage application.

A covered entity may not condition treatment, payment, enrollment in a health plan, or eligibility for benefits on an individual's signing an authorization, except that:

  • research-related treatment may be conditioned on an authorization for research uses and disclosures;
  • a health plan may condition enrollment or eligibility for benefits on a pre-enrollment authorization for its risk-rating or underwriting determinations (but not for psychotherapy notes);
  • payment of a claim under plan coverage may be conditioned on an authorization where the disclosure is necessary to determine the level or validity of the payment (again, not for psychotherapy notes); and
  • health care provided solely for the purpose of creating protected health information for disclosure to a third party (e.g., a life insurance physical examination) may be conditioned on an authorization for disclosure to that third party.

An authorization must be in writing -- "in plain language so that individuals can understand the information contained in the form, and thus be able to make an informed decision." To be valid it must include all of the following core elements:

  • a description of the information to be used or disclosed;
  • an identification of the persons or class of persons authorized to make the use or disclosure of the protected health information;
  • an identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure;
  • a description of each purpose of the use or disclosure;
  • an expiration date or event (except for research, where a statement that there is no expiration date may be inserted instead); and
  • the individual's signature and date (if a personal representative signs, a description of that representative's authority to act for the individual).

Valid authorizations must also contain the following statements, in addition to the above elements:

  • that the individual may revoke the authorization in writing, together with either the exceptions to that right and instructions on how to exercise it or, to the extent this information is included in the covered entity's Notice of Privacy Practices, a reference to the notice;
  • that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Rule or, if conditioning is permitted, a statement about the consequences of refusing to sign the authorization; and
  • that, generally, the health information may no longer be protected by the Privacy Rule once it is disclosed by the covered entity (or a more specific statement of redisclosure risks where appropriate).

When a covered entity seeks an authorization from an individual, it must provide the individual with a copy of the signed authorization.

Multiple authorizations may be combined into a single document. (However, authorizations for use or disclosure of psychotherapy notes may only be combined with other psychotherapy note authorizations.)

In general, authorizations may not be combined with other types of documents, such as the Notice of Privacy Practices or an optional consent. (Informed consents for participation in research and authorizations for use of PHI for research can be combined.)

In the event that multiple authorizations conflict, the institution is bound by the more restrictive arrangement unless and until the conflict is resolved.

Note that the minimum necessary standard does not apply to authorizations of any kind. The rationale is that a person who has signed an authorization has waived a right to limits other than those specified in that authorization. (That said, we believe it is always a good idea to adhere to the minimum necessary standard, even where HIPAA appears not to require it.)

An individual may revoke an authorization at any time, provided that the revocation is in writing, except to the extent that the covered entity has taken actions relying on it. (See especially the discussion of such revocations in the context of research.)

As with other HIPAA documentation retention requirements, covered entities must keep a signed authorization for six years from the date of its creation or the date when it last was in effect, whichever is later.


   © 2002-2006 Contributing authors and University of Miami School of Medicine