What is Authorization of Release of PHI?

Authorization of Release of PHI

Under the HIPAA Privacy Rule, healthcare providers, health plans, business associates, and others involved in the administration of healthcare may not share a patient’s protected health information (PHI) without that patient’s written authorization. The topic of what constitutes proper authorization of release of PHI is discussed below.

What is the Difference Between Authorization of Release of PHI and Consent?

The terms “authorization of release of PHI” and “consent to release or share PHI” are commonly confused. 

The HIPAA Privacy Rule permits, but does not require, a covered entity to voluntarily obtain patient consent for uses and disclosures of protected health information for treatment, payment, and healthcare operations. Covered entities that do so have complete discretion to design a process that best suits their needs. “Consent” simply means permission. Sometimes consent for something is required (e.g., a permission slip giving consent for a field trip) and other times it is not (e.g., a parent is required to have their child educated, whether the parent consents to this or does not).

By contrast, an authorization of release of PHI (as opposed to consent) is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. The patient must provide the authorization of release of PHI to the covered entity. If the patient does not provide a written authorization of release of PHI, the doctor may not release the PHI – even if the patient gives “verbal permission.”

An authorization of release of PHI gives a physician the legal authority to release the PHI. Generally, an authorization provides the authority for a doctor’s release of PHI for specified purposes, which are generally other than treatment, payment, or healthcare operations, or to disclose protected health information to a third party specified by the individual.

What Must an Authorization of Release of PHI Contain?

An authorization of release of PHI must specify a number of elements, including:

A description of the protected health information to be used and disclosed;

The person authorized to make the use or disclosure and the person to whom the covered entity may make the disclosure; and

An expiration date.

In some instances, the authorization must indicate the reason for which the information may be used or disclosed. 

The HIPAA Privacy Rule requires an authorization in certain circumstances. A covered entity is required to obtain a written authorization before it may use or disclose PHI under the following circumstances:

When the information sought is psychotherapy notes; and

When use or disclosure of PHI is for marketing or sale purposes.

A covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form of:

A face-to-face communication made by a covered entity to an individual; or

A promotional gift of nominal value provided by the covered entity.

If the marketing involves financial remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.

A covered entity must obtain an authorization for any disclosure of protected health information which is a sale of protected health information. Such authorization must state that the disclosure will result in remuneration to the covered entity.

When is an Authorization of Release of PHI Invalid?

An authorization is not valid if the document submitted has any of the following defects:

The expiration date on the authorization has passed or the expiration event is known by the covered entity to have occurred;

The signature of an individual is missing;

The date the authorization was signed is missing; 

Any material information in the authorization is known by the covered entity to be false; or 

The authorization is missing one or more of the following core elements:

A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;

The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure; 

The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;

A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;

An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. (The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research).
