HIPAA Update - Check List for HIPAA Authorizations

Attached is a 12-item checklist for HIPAA Authorization to Release/Request for an Individual's Health Information. Any Authorization form that you receive requesting health information must contain all 12 items.

I have also attached the University's HIPAA compliant Authorization (http://www.ouhsc.edu/hipaa/forms-clinics.asp) to correspond with the numbers described on the checklist, and a copy of the HIPAA Privacy Policy #23-Authorization. If the Authorizations you receive do not contain all 12 items, then the Authorization is not compliant for release of Protected Health Information. If it is not compliant, forward the requestor OU's HIPAA-compliant Authorization and ask that they complete and return it so that we may consider their request.

If the compliant Authorization is accompanied by a cover letter that is more specific than the Authorization, you may be able to rely on the more specific request.  Send the Authorization and letter or documentation to the Office of Legal Counsel for assistance.


1. A description of the protected health information to be used or disclosed that identifies it in a specific and meaningful fashion. The form may request the entire health record, all records between specific dates, or other specific items. It can be as simple as '... the complete medical record of ... ' but it must be "stated". Note: A single Authorization form may not be used to authorize the release of Psychotherapy Notes and other medical records. A separate form is required for Psychotherapy Notes.

2. The name or other specific identification of the person(s), or class of persons, who can make the requested use or disclosure. For instance, the signed form should list either your department or someone in your department by name.

3. The name or other specific identification of the person(s), or class of persons, to whom you may make the requested disclosure. The specific entity(ies) to receive the information must be identified on the form. A cover sheet stating who should receive the information is NOT sufficient.

4. A description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when a patient initiates the Authorization and does not, or elects not to, provide a statement of the purpose. The above statement or some other description must be included.

5. An expiration date or an expiration event that relates to the individual or the purpose stated of the use or disclosure. The statement "end of research study," "none," or similar language is sufficient if the Authorization is for a use or disclosure of protected health information for research including for the creation and maintenance of a research database or research repository. A statement or date must be included.

6. Signature of the patient and date. If the Authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided. 6.1 Relationship to patient

7. The individual's right to revoke the Authorization in writing, and any exceptions to that right, and a description of how the individual may revoke the Authorization.

8. The ability or inability to condition treatment or payment, for care, by stating either:

  • The covered entity may not condition treatment or payment, on whether the individual signs the Authorization; or
  • The consequences to the individual of a refusal to sign the Authorization. (Remember that there are very limited circumstances in which action can be conditioned on a patient's signing an Authorization.)

9. The potential for information disclosed pursuant to the Authorization to be subject to re-disclosure by the recipient and no longer be protected by federal law. This 'notice' must be included.

The information authorized for release may include protected health information related to mental health. Release of mental health records or psychotherapy notes may require consent of the treating provider or a court order.


12. The following language must also be included when Drug/Alcohol Abuse Treatment records are involved: Drug/Alcohol Abuse Treatment Records: The information authorized for release may include drug/alcohol abuse treatment records. This category of medical information/records is protected by Federal confidentiality rules (42 CFR Part 2). The Federal rules prohibit anyone receiving this information or record from making further release unless further release is expressly permitted by the written Authorization of the person to whom it pertains or is otherwise permitted by 42 CFR Part 2. A general Authorization for the release of medical or other information is not sufficient for this purpose. The Federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient. As a result, by signing below, I specifically authorize any such records included in my health information to be released.




Authorization form




 HIPAA Privacy Policies

Subject:  Authorization

Policy #:  Privacy-23 (Uses & Disclosures)

Approved: October 8, 2002

Effective Date: April 1, 2003

Revised: 04/26/10; 09/14/12; 09/16/13

To establish Authorization requirements for Uses and Disclosures of Protected Health Information other than for Treatment, Payment, and Health Care Operations.         
Health Care Components cannot Use or Disclose Protected Health Information for purposes other than Treatment, Payment, and Health Care Operations without a valid written Authorization from the patient, except as otherwise permitted by these Policies.  The Use or Disclosure made must be consistent with the Authorization.
Information released pursuant to Authorization may include alcohol and/or drug abuse records protected under federal and/or state law. Re-disclosure of such alcohol and/or drug abuse records by the recipient is prohibited without specific Authorization, as stated on the Authorization form.

Except as otherwise permitted by the Privacy Regulations, an Authorization is required in order for a Health Care Component to disclose PHI for purposes other than Treatment, Payment, or Health Care Operations and for Use by or Disclosures to departments of the University that are not designated Health Care Components.

Psychotherapy Notes
University Personnel must obtain an Authorization for any Use or Disclosure of Psychotherapy Notes, except in limited circumstances.  See, Privacy-24, Mental Health Records.

Health Care Components must obtain an Authorization to Use and Disclose PHI for certain fundraising activities.  See Privacy-29, Fundraising.

Health Care Components must obtain an Authorization for any Use or Disclosure of Protected Health Information for marketing, except in certain circumstances.  See, Privacy-28, Marketing.  

 *Capitalized terms are defined in Privacy-01, Definitions


Conditioning of Authorizations
Generally, Health Care Components may not condition the provision of Treatment to a patient on the receipt of an Authorization, except in the context of Research involving Treatment.  See, Privacy-30, Research.  Health Care Components may not condition the provision of Treatment or Payment for Treatment on the receipt of an Authorization, unless the purpose of the Authorization is to determine payment of a claim.

One exception to the prohibition on conditioning Treatment on the receipt of Authorization relates to Health Care services provided at the request of a third party.  For example, Health Care Components can require an Authorization as a condition to providing a drug screening test or physical requested by an employer.

Revocation of Authorizations
Health Care Components must permit patients to revoke their Authorizations, except to the extent the Health Care Component has already taken action in reliance on the Authorization.  To revoke an Authorization, a patient must provide written notice to the Health Care Component that received the original Authorization or to the University Privacy Official. 

A. Any individual desiring access to or a copy of his PHI must submit a valid Authorization to the Health Care Component or University Privacy Official. The Authorization must contain all of the elements required by the Privacy Regulations and State law (See Request for Individual’s Health Information/Authorization form on the HIPAA website.)

B. Prior to Using or Disclosing Protected Health Information pursuant to an Authorization, University Personnel must review the Authorization to determine if it is valid. Health Care Components may contact the Office of Legal Counsel or the University Privacy Official for help in determining whether an Authorization is valid. An Authorization is not valid if it contains any of the following defects:

   1. the expiration date has passed or the expiration event is known to have occurred;
   2. the Authorization has not been filled out completely;
   3. University Personnel have knowledge that the Authorization has been revoked;
   4. University Personnel have knowledge that some material information in the Authorization is false;
   5. the Authorization was obtained by improperly conditioning Treatment upon its receipt;
   6. the Authorization is missing one of the elements required by the Privacy Regulations or State law; or
   7. if the Authorization is for Psychotherapy Notes, it is combined with another type of Authorization or document.

C. If a Health Care Component seeks an Authorization from a patient for a Use or Disclosure of Protected Health Information, the Health Care Component must provide the patient with a copy of the signed Authorization.

D. Health Care Components must keep copies of Authorizations in the patient file for at least six (6) years.

  1.  HIPAA Privacy Regulations, 45 C.F.R. 164.508

The University of Oklahoma Health Sciences Center

Office of Compliance
P. O. Box 26901
Oklahoma City, OK 73129
Phone: (405) 271-2511, (866) 836-3150
Fax: (405) 271-1076

Copyright © 2014 The Board of Regents of the University of Oklahoma, All Rights Reserved.