What is Authorization of Release of PHI?

Authorization of Release of PHI

Under the HIPAA Privacy Rule, healthcare providers, health plans, business associates, and others involved in administration of healthcare, may not share a patient’s protected health information (PHI) without that patient’s written authorization. The topic of what constitutes proper authorization of release of PHI is discussed below.

What is the Difference Between Authorization of Release of PHI and Consent?

The terms “authorization of release of PHI” and “consent to release or share PHI” are commonly confused. 

The HIPAA Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and healthcare operations. Covered entities that do so have complete discretion to design a process that best suits their needs. “Consent” simply means permission. Sometimes consent for something is required – i.e., a permission slip giving consent for a field trip – and other times it is not (i.e., a parent is required to have their child educated, whether the parent consents to this or does not).

Why Compliancy Group

HIPAA Compliance is an important part of your business, so why not use someone you can trust? Compliancy Group is the only compliance firm to be listed on both Inc. 2020 Best Places to Work and 2020 Inc. 5000 list of the fastest-growing private companies in America. By working with us, you are welcomed into the safety of our family.

Put your trust in us

By contrast, an authorization of release of PHI (as opposed to consent) is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. The patient must provide the authorization of release of PHI to the covered entity. If the patient does not provide a written authorization of release of PHI, the doctor may not release the PHI – even if the patient gives “verbal permission.”

An authorization of release of PHI gives a physician the legal authority to release the PHI. Generally, an authorization provides the authority for a doctor’s release of PHI for specified purposes, which are generally other than treatment, payment, or healthcare operations, or, to disclose protected health information to a third party specified by the individual.

What Must an Authorization of Release of PHI Contain?

An authorization of release of PHI must specify a number of elements, including:

A description of the protected health information to be used and disclosed;

The person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure; and

An expiration date.

In some instances, the authorization must indicate the reason for which the information may be used or disclosed. 

 The HIPAA Privacy Rule requires an authorization in certain circumstances. A covered is required to obtain a written authorization before it may use or disclose PHI under the following circumstances:

When the information sought is psychotherapy notes; and

When use or disclosure of PHI is for marketing or sale purposes.

A covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form of:

A face-to-face communication made by a covered entity to an individual; or

A promotional gift of nominal value provided by the covered entity.

If the marketing involves financial remuneration, to the covered entity from a third party, the authorization must state that such remuneration is involved.

A covered entity must obtain an authorization for any disclosure of protected health information which is a sale of protected health information. Such authorization must state that the disclosure will result in remuneration to the covered entity.

When is an Authorization of Release of PHI Invalid?

An authorization is not valid, if the document submitted has any of the following defects:

The expiration date on the authorization has passed or the expiration event is known by the covered entity to have occurred;

The signature of an individual is missing;

The date the authorization was signed is missing; 

Any material information in the authorization is known by the covered entity to be false; or 

The authorization is missing one or more of the following core elements:

A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;

The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure; 

The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;

A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;

An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. (The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research).

Schedule a Call

Compliancy Group’s compliance guides walk clients through every step of compliance. We provide live support through virtual meetings, and verification and validation of your efforts. Upon completion of our implementation process, your Compliance Coach™ will review your compliance program to verify and validate that you have everything you need, issuing you our Seal of Compliance™. Working with Compliancy Group gives you confidence and peace of mind in your compliance!

Talk to us today