HIPAA Authorizations



In order to have your medical information released or to provide someone access to it, you need to formally authorize the physician, hospital or other medical provider. This checklist will help you properly complete such an authorization.


A medical provider ("covered entity") cannot disclose your Protected Health Information (PHI) without your authorization to do so. Exceptions are provided that permit disclosure for treatment, payment, and health care operations. You, as a patient, have the right to authorize the release of your PHI. Someone who qualifies as your HIPAA personal representative can also authorize the release of your PHI. There are a number of specifics requirements to address to make such an authorization valid. 45 CFR 164.508.


Writing: The authorization should be in writing. The authorization should acknowledge that you are making it voluntarily and that your treatment, payment and health plan eligibility should not be affected whether or not you authorize the release of information.


What: It should describe the health information to be disclosed. This could be your entire medical record, or only specified components.  You might specify that your medical records between certain dates be released. If you wish alcohol and drug treatment, HIV testing, and mental health information released (or not), expressly state so. The HIPAA paradigm is that only as much info as necessary should be disclosed. However, it would unreasonable to expect a medical provider to make this type of determination, so the authorization you sign should be explicit.


Who: Which medical provider should make the disclosure? This could be a specific physician, hospital or a list of providers. A broader approach could be used to indicate a category of providers. For example, "any physicians, hospitals or other medical providers who have provided treatment, other medical services or payment for same, from June 1, 2004 through and including the date of this Authorization".


Term: When does the authorization to disclose PHI expire? This could be: "upon a child attaining age 21", which might suffice for a minor's care. It could be "2 years from the signing of the authorization", which should be more than adequate for a life insurance application. "Upon the conclusion of my court case" may suffice for a litigation matter, although issues of appeals, etc. might warrant consideration in setting the parameters. "One year from death". This might be used in a health care proxy to assure the agent access to your records while alive, and possibly to evaluate post-death records without the need to qualify as the executor of your estate. If feasible for a trustee it might be "so long as serving as trustee of the [identify trust]".


Revocation: A statement that you retain the right to revoke any authorization to disclose your PHI. Any revocation, however, is not binding on a medical provider until they receive it. This minimizes the issue of their liability for disclosing information based on an authorization they held prior to the revocation.


Re-Disclosure: The release may state that certain information, such as HIV testing results, cannot be disclosed by the person receiving it. However, the release should also acknowledge that once other information is disclosed, it may thereafter be re-disclosed by the person receiving it without the HIPAA safeguards.


Purpose: The purpose for the disclosure should be explained. This might be limited to the minimum information to determine whether you have the ability to function as a trustee or should be replaced, or only that information necessary to underwrite you for life insurance.


Signer: If you are signing the authorization the signature line should merely state that you are the patient. If, however, another person is signing for your, the authorization should state that that person qualifies as your personal representative under HIPAA 45 CFR 164.502(g)(2), that they have authority to make health care decisions for you (which is required for them to be your HIPAA personal representative), and what is the scope of the representative's authority. It might also be advisable to indicate what is the source of the person's authority to be your personal representative.  For an adult or emancipated minor this could be a health care proxy, court appointment as guardian, or a general power of attorney. Arguably it could be a trust agreement depending on the terms of the trust. Perhaps an argument could be made that it would include a shareholders' agreement or other business document. For a minor patient, it might be the person's position as parent or guardian. For an estate, it's the person's position as executor.

Our Consumer Webcasts and Blogs

Subscribe to our email list to receive information on consumer webcasts and blogs, for practical legal information in simple English, delivered to your inbox. For more professional driven information, please visit Shenkman Law to subscribe.

Ad Space