Getting patient authorization can feel like a hurdle in your daily workflow. However, it’s key to maintaining patients’ right to their private medical information. With a patient’s authorization, you have permission to use and disclose their medical record according to the agreement. Without it, using and disclosing a patient’s medical record would violate HIPAA and could result in hefty fines or prosecution. So, you must know how to get an authorization correctly.
Maybe you, like many others, feel uncertain about the specifics. If so, you’re in the right place. This post will answer a few crucial questions about HIPAA authorizations:
- When is authorization not required?
- What is an authorization form, and when do I need it?
- What goes in an authorization form?
- How long is it valid, and when does it become defective?
- Do I need the original copy, and do I need to get it notarized?
Q: When is HIPAA authorization NOT required?
A: In some cases, you don’t need patient authorization to use and disclose their protected health information (PHI). For instance, you can use and disclose PHI for treatment, payment, and healthcare operations (TPO). Other special circumstances include:
- disclosing to the patient themselves,
- disclosing to the secretary of the HHS Office for Civil Rights,
- incidental disclosures,
- National Priority Purpose disclosures,
- using PHI for a limited data set, and
- disclosures for fundraising.
In all other cases, you can’t use a patient’s PHI unless you first get a signed authorization form.
Q: What is an authorization form, and when should I use one?
A: A HIPAA authorization form represents an agreement between a patient and a HIPAA-covered organization. A signed form gives your organization permission to use the patient’s PHI or disclose it to another person or entity. You need a signed form to:
- use or disclose PHI for marketing, except if it takes place one-on-one between your organization and the person or if it’s a small promotional gift,
- use or disclose PHI for research, unless they have waived authorization for this purpose,
- use or disclose psychotherapy notes, except for TPO purposes,
- use or disclose substance use disorder and treatment records,
- use or disclose PHI for any reason not allowed by HIPAA, or
- sell PHI.
Q: What goes in an authorization form?
A: You must write the form in plain language and include the following parts:
- A description of the information that you will use or disclose and the purpose of the use or disclosure. “At the request of the individual” is a sufficient statement of purpose.
- The name(s) or other identification of the person (or class of persons) authorized to request the use or disclosure of PHI.
- The name(s) or other identification of the person (or class of persons) authorized to receive the PHI.
- The authorization timeframe, including its expiration date. If the use or disclosure is for research, you may put “at the end of the study.” However, if you’re creating a research database/repository, the expiration date would be “none.”
- The patient’s signature and the date. If a representative is signing for the patient, they must describe their authority to do so.
You must also include some important notifications to the patient, such as:
- A description of the patient’s right to revoke the authorization in writing, how they can exercise that right, and exceptions to that right. However, if this notification is in your Notice of Privacy Practices, you don’t need to include how they can exercise their right to revoke or its exceptions on the authorization form.
- Whether or not your organization can make treatment, enrollment, or eligibility for benefits contingent upon the signed form and, if so, the consequences if the patient refuses to sign.
Q: How long does an authorization remain valid?
A: It remains valid until the expiration date/event, unless the patient revokes it beforehand in writing. A revocation doesn’t affect actions your organization took while the authorization was still valid.
Q: What can make the authorization defective?
A: It becomes defective when:
- the expiration date/event has passed,
- the form hasn’t been completely filled out and is missing core elements or required statements,
- it’s a compound authorization or inappropriately makes treatment, payment, enrollment in a health plan, or eligibility for benefits conditional upon the signed form,
- your organization knows that the patient has revoked it, or
- your organization knows that some information in the form is false.
Q: Do I need the original copy to act upon it?
A: No. You can use a copy, fax, or other electronically signed form in place of the original copy. As long as they’re signed, these copies are valid and allow you to use or disclose PHI. Note: you must provide a copy of the form to the patient.
Q: Do I need to notarize the signed form?
A: No. The HIPAA Privacy Rule does not require you to notarize authorization forms or have a witness.
Though taking the time to fill out an authorization form and get a patient’s signature is an extra step, it’s an important one that you can’t afford to overlook. Furthermore, patients’ right to privacy should be at the forefront of everything your organization does.