The U.S. Department of Health and Human Services, Office for Civil Rights (DHHS/OCR), recently posted to its website nine new questions and answers on the use of authorizations under the HIPAA Privacy Rule. Highlights of each question and answer are given below. The full text of the questions and answers can be viewed at:
http://questions.cms.hhs.gov/cgi-bin/cmshhs.cfg/php/enduser/std_alp.php
- A covered entity may use or disclose an entire medical record based on a signed authorization, if the authorization describes the information to be used or disclosed by the covered entity in a “specific and meaningful fashion”, such as “entire medical record” or “complete patient file”, but not “all protected health information.” However, although this is not expressly prohibited by 42 C.F.R. Part 2, we do not believe that having a check box for “entire medical record” is consistent with the intent of 42 C.F.R. Part 2 to limit disclosures as much as possible. Section 2.31 requires that the authorization describe how much and what kind of information is to be disclosed.
- An authorization form may be prepared by a third party, as long as it meets the Privacy Rule’s requirements (so it would be valid to use an authorization created by another covered entity or by a third party such as an insurance company or researcher).
- A valid authorization may list classes or categories of persons who may use or disclose protected health information, without naming particular persons or entities (e.g., any health plan, physician, or health care professional involved in my treatment). However, this is not permitted by 42 C.F.R. Part 2, which requires that the authorization contain the name or title of the individual, or the name of the organization, to which disclosure is to be made. [42 C.F.R. §2.31]
- An individual may revoke an authorization at any time. Although the Office for Civil Rights states that the revocation must be in writing, we would recommend that staff honor verbal revocations. The patient should be encouraged to confirm the revocation in writing. The revocation (whether verbal or in writing) is not effective until the covered entity receives it, and it is not effective with respect to actions the covered entity took in reliance on the authorization. The authorization must also clearly state the right to revoke, as well as the process to revoke (if not included in the Notice of Privacy Practices).
- A copy, fax, or electronically transmitted version of a signed authorization is valid under the Privacy Rule.
- An authorization must include either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
- An authorization may apply to protected health information created after the authorization was signed, if the authorization encompasses the category of information that was later created, and the authorization is valid.
- The Privacy Rule does not require that an authorization be notarized or include a witness signature.
- A cover letter or other transmittal can be used to narrow or provide specifics about an accompanying authorization, but it cannot expand the scope of information or extend the expiration date of the authorization. For example, if an individual has authorized the disclosure of “all medical records” to an insurance company, the insurance company could by cover letter narrow the request to the medical records from the last 12 months. An insurance company could NOT by cover letter expand the scope of information set forth in the authorization.