Valid HIPAA Authorizations: A Checklist

The HIPAA privacy rules generally prohibit healthcare providers and their business associates from using or disclosing protected health information (“PHI”) unless (1) they have a valid written HIPAA authorization signed by the patient or the patient’s personal representative, or (2) a specific regulatory exception applies.¹ Many if not most authorizations received by providers are invalid. To be valid, a HIPAA authorization must satisfy the following²:

1. No Compound Authorizations. The authorization may not be combined with any other document such as a consent for treatment.³ An authorization to use or disclose psychotherapy notes may not be combined with an authorization to disclose other forms of PHI.⁴
2. Core Elements. The authorization must contain the required “core elements”⁵ -
   • A description of the PHI to be used or disclosed that identifies the PHI in a specific and meaningful fashion.
   • The name or specific identification of the person(s) or class of person(s) authorized to make the use or disclosure.
   • The name or identification of the person(s) or class of person(s) to whom the provider may make the requested use or disclosure.
   • A description of each purpose for the requested use or disclosure. If the patient initiates the authorization, a statement that the disclosure is “at the request of the individual” is sufficient.
   • An expiration date or event that relates to the patient or the purpose of the use or disclosure (e.g., “until completion of the litigation.”).
   • The date and signature of the patient or the patient’s personal representative.
   • If the authorization is signed by the personal representative, a description of the personal representative’s authority to act for the patient.
3. Required Statements. The authorization must also contain certain required statements regarding patient
   rights⁶ -
   • The patient or personal representative has the right to revoke the authorization at anytime by submitting a written revocation except to the extent the provider has taken action in reliance on the authorization.
   • The provider generally may not condition its healthcare on the provision of the authorization except (i) for research-related treatment, or (ii) if the purpose of the healthcare is to create information for disclosure (e.g., an employment physical or independent medical exam), in which case the provider may refuse to provide the healthcare if the patient refuses to execute an authorization.
   • The information disclosed per the authorization may be subject to redisclosure by the recipient and no longer protected by HIPAA.
4. Marketing or Sale of PHI. If the authorization is to permit the use or disclosure of PHI for purposes of marketing (as defined by HIPAA) or the sale of PHI, and the provider will receive remuneration for the PHI, the authorization must notify the patient that the provider will receive the remuneration.⁷
5. Completed in Full. The authorization and its required elements must be completely filled out, i.e., there should be no blanks concerning the required terms.⁸
6. Written in Plain Language. The authorization must be written in plain language.⁹ For patients with limited English proficiency, the provider may need to translate the authorization for the patient.
7. Give the Patient a Copy. If the provider is requesting the authorization from the patient, the provider must give the patient or personal representative a signed copy of the authorization.¹⁰ The provider is not required to give a copy if the patient initiated the authorization.
8. Retain the Authorization. The provider must retain a copy of the authorization for six years.¹¹

If an authorization is required, HIPAA prevents providers and business associates from using or disclosing more PHI than is allowed or in a manner that is different than as stated in the authorization, so providers should ensure that the authorization is broad enough to cover the requested use or disclosure, including any disclosure of oral information in addition to records.

¹45 CFR 164.502.
²45 CFR 164.508(b).
³A limited exception allows an authorization for the disclosure of research information to be combined with a consent to participate in the research 45 CFR 164.508(b)(3)(i).
⁴45 CFR 164.508(b)(3)(ii).
⁵45 CFR 164.508(c)(1).
⁶45 CFR 164.508(c)(2).
⁷45 CFR 164.508(a)(3)-(4).
⁸45 CFR 164.508(b)(2).
⁹45 CFR 164.508(c)(3).
¹⁰45 CFR 164.508(c)(4).
¹¹45 CFR 164.508(b)(6).

For questions regarding this update, please contact
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: (208) 383-3913

This news update is designed to provide general information on pertinent legal topics.  The statements made are provided for educational purposes only.  They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author.  This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP.  If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.