FAQs: Authorization for Release of Health Care Records Pursuant to HIPAA and Other Laws

Information that Could Save Your Life

Summary

What does the HIPAA privacy rule do?

• The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.
• It sets boundaries on the use and release of health records.
• It establishes appropriate safe-guards that health care providers and others must achieve to protect the privacy of health information.
• It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
• It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
• It empowers individuals to control certain uses and disclosures of their health information.

Who needs a HIPAA authorization?

Anyone eighteen years of age or older who wants to ensure that their surrogate or health care agent is able to receive his or her Protected Health Information (“PHI”) should have one.

When is a HIPAA authorization specifically required?

The HIPAA Authorization is required if:

1. The health care provider’s internal policy does not expressly allow use or disclosure of the PHI¹. Because of the civil penalties, health care providers will tend to err on the side of withholding PHI.
2. The use or disclosure is of certain mental health records².
3. 3. The disclosure is for marketing purposes³.

What are the requirements for a valid HIPAA authorization⁴?

1. A specific and meaningful description of the PHI to be used or disclosed;
2. The name of the person, class of persons, or organization that will be making the disclosure of PHI;
3. The specific name or other identification of the person, class of persons, or organization to whom disclosure is made;
4. A description of the purpose of the use or disclosure of PHI;
5. An expiration date or an expiration event of the authorization that relates to the purpose of the use or disclosure;
6. A statement that the patient has a right to revoke the authorization;
7. The potential that the patient’s PHI may be redisclosed by the recipient and no longer be protected by the federal privacy regulations;
8. The patient’s or Patient Representative’s⁵ signature and the date of signature;
9. If the authorization is executed by a Patient Representative, a description of that person’s authority to act for the individual;
10. A statement that the health care provider cannot condition treatment on whether the patient signs the authorization.

When might the health care provider condition treatment on obtaining authorization?

Staff at a health care provider might condition treatment on obtaining authorization in the following circumstances:

1. The patient is participating in research, and the authorization is sought in connection with that research.
2. The patient has requested the health care provider staff to do an examination or provide other treatment, in order to disclose that information to a third party.

When will covered entities have to meet these HIPAA privacy standards?

All covered entities were required to be in compliance with HIPAA by April 14, 2004.

Where do I keep it?

We suggest that our office retain the original in our fire proof safe. Otherwise, you may retain it with your important documents in your own fire proof safe. You should provide copies to your health care providers for their patient records.

Must an authorization include an expiration date?

The Privacy Rule requires that an Authorization contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. For example, an Authorization may expire "one year from the date the Authorization is signed," "upon the minor’s age of majority," or "upon termination of enrollment in the health plan." An Authorization remains valid until its expiration date or event, unless effectively revoked in writing by the individual before that date or event. The fact that the expiration date on an Authorization may exceed a time period established by State law does not invalidate the Authorization under the Privacy Rule, but a more restrictive State law would control how long the Authorization is effective.

Does a physician need the patient’s written authorization to send a copy of the patient’s medical records to a specialist or other health care provider who may treat the patient?

No. The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual⁶.

How often should it be updated?

It should be reviewed periodically to ensure that the expiration date has not expired.

Conclusion

The HIPAA Privacy Rule has become a headache for health care providers and patients alike. At Goodson, Manley, Forakis and Deloughery, PLC we are trying to prevent future headaches by addressing issues such as this in advance of their being needed. We hope that by having this document in your possession ahead of time, you will feel more secure that your health care will not be thwarted by bureaucratic technicalities if and when the need arises.

For additional information, please call (602) 252-5110.

For additional Preventive Law Studies, visit our website: www.goodsonmanleyforakis.com

DISCLAIMER