HIPAA Authorizations

Summary:

In order to have
your medical information released or to provide someone access to it, you need
to formally authorize the physician, hospital or other medical provider. This
checklist will help you properly complete such an authorization.

A medical provider
(“covered entity”) cannot disclose your Protected Health Information (PHI)
without your authorization to do so. Exceptions are provided that permit
disclosure for treatment, payment, and health care operations. You, as a
patient, have the right to authorize the release of your PHI. Someone who
qualifies as your HIPAA personal representative can also authorize the release
of your PHI. There are a number of specifics requirements to address to make
such an authorization valid. 45 CFR 164.508.

Writing: The
authorization should be in writing.
The authorization should acknowledge that you are making it voluntarily
and that your treatment, payment and health plan eligibility should not be affected
whether or not you authorize the release of information.

What: It should
describe the health information to be disclosed. This could be your entire
medical record, or only specified components.  You might specify that your medical records between certain
dates be released. If you wish alcohol and drug treatment, HIV testing, and
mental health information released (or not), expressly state so. The HIPAA
paradigm is that only as much info as necessary should be disclosed. However,
it would unreasonable to expect a medical provider to make this type of
determination, so the authorization you sign should be explicit.

Who: Which medical
provider should make the disclosure? This could be a specific physician,
hospital or a list of providers. A broader approach could be used to indicate a
category of providers. For example, “any physicians, hospitals or other medical
providers who have provided treatment, other medical services or payment for
same, from June 1, 2004 through and including the date of this Authorization”.

Term: When does the
authorization to disclose PHI expire? This could be: “upon a child attaining
age 21”, which might suffice for a minor’s care. It could be “2 years from the
signing of the authorization”, which should be more than adequate for a life
insurance application. “Upon the conclusion of my court case” may suffice for a
litigation matter, although issues of appeals, etc. might warrant consideration
in setting the parameters. “One year from death”. This might be used in a
health care proxy to assure the agent access to your records while alive, and
possibly to evaluate post-death records without the need to qualify as the
executor of your estate. If feasible for a trustee it might be “so long as
serving as trustee of the [identify trust]”.

Revocation: A
statement that you retain the right to revoke any authorization to disclose
your PHI. Any revocation, however, is not binding on a medical provider until
they receive it. This minimizes the issue of their liability for disclosing
information based on an authorization they held prior to the revocation.

Re-Disclosure: The
release may state that certain information, such as HIV testing results, cannot
be disclosed by the person receiving it. However, the release should also
acknowledge that once other information is disclosed, it may thereafter be
re-disclosed by the person receiving it without the HIPAA safeguards.

Purpose: The
purpose for the disclosure should be explained. This might be limited to the
minimum information to determine whether you have the ability to function as a
trustee or should be replaced, or only that information necessary to underwrite
you for life insurance.

Signer: If you are signing the
authorization the signature line should merely state that you are the patient.
If, however, another person is signing for your, the authorization should state
that that person qualifies as your personal representative under HIPAA 45 CFR
164.502(g)(2), that they have authority to make health care decisions for you
(which is required for them to be your HIPAA personal representative), and what
is the scope of the representative’s authority. It might also be advisable to
indicate what is the source of the person’s authority to be your personal
representative.  For an adult or
emancipated minor this could be a health care proxy, court appointment as
guardian, or a general power of attorney. Arguably it could be a trust
agreement depending on the terms of the trust. Perhaps an argument could be
made that it would include a shareholders’ agreement or other business
document. For a minor patient, it might be the person’s position as parent or
guardian. For an estate, it’s the person’s position as executor.