HIPAA Authorizations

HIPAA authorizations must include certain information to be valid. What constitutes a valid HIPAA authorization, and what makes an authorization defective, is discussed below, as is the topic of compound authorizations. A compound authorization consists of an authorization for use or disclosure of protected health information, combined with another document.

What Must be Included in Valid HIPAA Authorizations?

A valid HIPAA authorization must contain at least the following elements, referred to as “core elements”:

  • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. 
  • The name or other specific identification of the persons, or class of persons, authorized to make the requested use or disclosure.
  • The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
  • A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose. 
  • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
  • Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.

What is a Defective Authorization?

An authorization is not valid (i.e., is defective) if the document submitted has any of the following defects:

  • The expiration date has passed or the expiration event is known by the covered entity to have occurred.
  • The authorization has not been filled out completely, with respect to a core element.
  • The authorization is known by the covered entity to have been revoked.
  • Any material information in the authorization is known by the covered entity to be false.

What is a Compound Authorization?

The HIPAA Privacy Rule generally prohibits “compound authorizations.” Compound authorizations are authorizations that are combined with some other form of legal permission.

An exception to the rule against compound authorizations exists.  An authorization for the use or disclosure of protected health information for a research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an authorization for the use or disclosure of protected health information for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research.