AHIMA Professional Practice Experience Workbook

Authorization Requirements for the Disclosure of Protected Health Information - Retired

Editor’s note: The following article supplants information contained in the October 2002 “Required Content for Authorizations to Disclose” Practice Brief.

The HIPAA privacy rule became effective April 14, 2003, and established standards for information disclosure including what constitutes a valid authorization. HIPAA applies to covered entities, defined by the rule to include health plans, healthcare clearinghouses, and healthcare providers that transmit specific information electronically. The rule was amended by the final HITECH Omnibus Rule on January 25, 2013, with an effective date of March 26, 2013, and a compliance date of September 23, 2013. The HITECH Omnibus Rule extends disclosure requirements and associated liabilities to business associates. Business associates are required to comply with the same disclosure requirements as a covered entity and those expectations typically will be addressed in the business associate agreement between the covered entity and the business associate. Refer to the Business Associate Practice Brief for further guidance. This Practice Brief will explore the requirements for the appropriate disclosure of protected health information (PHI) including authorization content. It will also provide an overview of other federal and state laws and regulations and the impact to specific types of PHI disclosures (i.e. substance abuse records, psychotherapy notes). Legal Requirements

HIPAA

Section 164.508 of the final privacy rule states that covered entities may not use or disclose protected health information (PHI) without a valid authorization, except as otherwise permitted or required in the privacy rule.

General Authorization content: The rule states that a valid authorization must be in plain language and contain at least the following core elements:

l A specific and meaningful description of the information to be used or disclosed l The name or other specific identification of the person(s) or class of persons authorized to use or disclose the information l The name or other specific identification of the person(s) or class of persons to whom the covered entity may make the use or disclosure l A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is sufficient when an individual initiates the authorization and does not provide a statement of the purpose l An expiration date or event that relates to the individual or the purpose of the use or disclosure. ¡ For research purposes only – The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure for research, including for the creation and

Copyright © 2013 by The American Health Information Management Association. All Rights Reserved.

Powered by