Substance Abuse The Confidentiality of Alcohol and Drug Abuse Patient Records Rule applies to federally assisted alcohol and drug abuse programs as defined by 42 CFR, part 2, section 2.12. 3 The rule establishes the following content requirements for authorizations to disclose individually identifiable patient health information generated by alcohol or drug abuse programs: l The specific name or general designation of the program or person permitted to make the disclosure l The name or title of the individual or the name of the organization to which disclosure is to be made l Patient name l Purpose of disclosure l How much and what kind of information is to be disclosed l The signature of the patient or legal representative l The date on which the authorization is signed l A statement that the authorization is subject to revocation at any time except to the extent that the program or person who is to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of services in reliance on a valid authorization or consent to disclose information to a third-party payer l The date, event, or condition upon which the authorization will expire if not revoked. This date, event, or condition must ensure that the authorization will last no longer than reasonably necessary to serve the purpose for which it is given l A statement informing the requestor that any disclosure carries with it the potential for redisclosure by the recipient and is no longer protected by the releasing entity Immunizations The HITECH Omnibus Rule made access to immunization records easier for disclosure to schools in states where proof of immunization is required by law prior to admission. Written authorizations are no longer required, but an agreement must still be obtained. The agreement may be oral and must come from a parent/guardian, or other person acting in loco parentis , or directly from the individual (i.e., adult or emancipated minor). The agreement must be documented, but no signature by the parent is required. The final rule leaves it up to the covered entity about what information needs to be captured regarding the agreement to determine what is needed for their purposes. Written or e-mail requests suffice as documentation of the agreement. Agreements obtained under this provision are considered effective until revoked by the parent, guardian, or other person acting in loco parentis , or by the individual himself (i.e., adult or emancipated minor). The agreement is not a HIPAA-compliant authorization and therefore, must be captured on the accounting of disclosures 4 . Voice Authorizations In an environment of continuous technological advancement, the term “HIPAA compliant voice authorization” is occurring more frequently. However, HIPAA does not address voice authorizations. Voice authorizations are based on state law. Unless state law mandates otherwise, acceptance of voice authorizations is up to the individual organization whether or not to accept and process. Regardless of the decision, it should be addressed in the organization’s policy and procedure.
The Uniform Electronic Transaction Act (UETA) equates electronic signatures to manual signatures. It requires that
Copyright © 2013 by The American Health Information Management Association. All Rights Reserved.
Powered by FlippingBook