ROI Tracking
HIPAA’s Privacy Rule and Release of Information AUTHORIZATIONSSection 164.508
Unless otherwise permitted, PHI may not be used or disclosed without a valid authorization.
Special rules apply to:
disclosure of psychotherapy notes
Marketing
Seven Core Elements of a Valid Authorization
A description of information to be used or disclosed
The identification of the person or class of persons authorized to make the use or disclosure of the PHI
The identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure
A description of each purpose of the use or disclosure
An expiration date or event
The individual’s signature and date
If signed by a person representative, a description of his/her authority to act for the individual
Three Required Statements of a Valid Authorization
An individual may revoke an authorization in writing. Plus:
An additional statement regarding the exceptions to an individual’s right to revoke and specific instructions on how to revoke or
A reference to the covered entity’s Notice of Privacy Practices, if this information is included
Treatment, payment, enrollment, or eligibility of benefits may not be conditioned on obtaining the individual’s authorization. (In other words, one cannot say “sign this or we won’t treat you” or “sign this or we won’t cover your care.”
OR:
Where the Privacy Rule allows for such conditioning, delineation of the specific consequences to an individual if he/she refuses to sign the authorization form
The potential for the PHI to be redisclosed by the recipient and thus, no longer protected under the Privacy Rule
An example of a redisclosure:
| You send patient information to Happy Hospital. Two years later Happy Hospital includes that information in a disclosure to an attorney. (This should not happen but it could. We should never disclose information we received from another facility. The requestor should go back to that facility for that information) |
Other Considerations for a Valid Authorization
All authorizations “must be in plain language”
Other elements or information may be included as long as they are not in conflict with requirements
Combined Authorizations
In general, an authorization for use and disclosure of PHI may not be combined with any other document to create a compound authorization except for:
Research
Psychotherapy notes
Another authorization under Section 164.508
Documentation Requirements
A copy of the signed authorization form can be given to the patient or individual
Covered entities must document and retain all signed authorizations for a period of six years from date of creation or when last in effect, whichever is later.
Revoking an Authorization
Revocation of an authorization is allowed at any time as long as:
It is requested by the individual in writing
Unless:
The covered entity has already taken action based on the originally-signed authorization or
When the authorization was obtained as a condition of obtaining insurance coverage
When is Use/Disclosure of PHI Allowed Without an Authorization
For treatment, payment or health care operations (TPO)
For public health or health oversight activities
When use is for victims of abuse, neglect or domestic violence or other persons at risk
For judicial and administrative proceedings
To employers (under certain conditions)
For use by coroners, medical examiners, and funeral directors in the case of deceased persons
For cadaveric organ, eye, or tissue donation
To avert a serious threat to public health or safety
When is Use/Disclosure of PHI Allowed Without an Authorization
For law enforcement purposes
For Workers’ Compensation and specialized government functions
As otherwise required by law
For research (waiver approval required)
Section 164.514
A covered entity must make reasonable efforts to limit access of PHI to that which is minimally necessary to meet the purpose of the use or disclosure
“Minimum” determination need not be made for reasonable requests made by public officials, other CE’s, members of workforce, business associates, or researchers
A covered entity may not use, disclose, or request an entire medical record unless need for such is specifically justified
Section 164.528
Must be able to provide individuals with a record of disclosures for a period of six (or fewer) years prior to the date of their request.
What must be included in a disclosure accounting?
Date of each disclosure
Name of the organization or person who received the PHI
Address of the organization or person who received the PHI
A brief description of the information disclosed
A brief statement of the purpose of the disclosure
Charges for an Accounting of Disclosure
Individuals have a right to receive one free accounting per 12 month period
For each additional request within a 12 month period the covered entity may charge a reasonable, cost-based fee.
If a fee is charged, the covered entity must inform the individual of the fee in advance
Retrieval and Copying of PHI
A “reasonable, cost-based fee” for requested copies may be charged
For a summary or explanation of PHI, a preparation fee may be charged
Costs associated with searching for and retrieving the requested information may not be charge to patients
Charges for ROI
You may charge for search and retrieval and preparation time
You may charge per page for the copies
Check with your state statues to find out what are considered to be reasonable charges
Many states have set guidelines on what you may charge per page
