Authorization Requirements for Use and Disclosure of PHI
About This Policy
- Effective Date:
- Date of Last Review/Update:
- Responsible University Office:
- HIPAA Privacy and Security Compliance Office
- Responsible University Administrator:
- Vice President for University Clinical Affairs
This policy applies to all personnel, regardless of affiliation, who have access to Protected Health Information (“PHI”) under the auspices of Indiana University (IU), including IU HIPAA Affected Areas.
IU HIPAA Affected Areas shall obtain a valid, signed Authorization from an individual prior to using or disclosing the individual’s protected health information (PHI), unless the use or disclosure is otherwise permitted or required by federal and/or state law.
Except as otherwise permitted or required by HIPAA, IU HIPAA Affected Areas may not use or disclose PHI without a valid Authorization.
When IU HIPAA Affected Areas obtain or receive a valid Authorization for its use or disclosure of PHI, such use or disclosure shall be consistent with such authorization.
Use and disclosure of Psychotherapy Notes is subject to a heightened level of privacy/security under HIPAA/HITECH. Hence, Psychotherapy Notes may not be disclosed without first obtaining the patient’s authorization except under specific circumstances.
Notwithstanding any other provision of HIPAA, IU HIPAA Affected Areas shall obtain an Authorization for any use or disclosure of PHI for all communications, whether for “treatment” or “health care operations” purposes, where the IU HIPAA Affected Area receives payment (direct or indirect) for making the communication from a third party whose product or service is being marketed. Unless the communication is:
- A refill reminder or other communications that are about a drug or biologic that is currently being prescribed for the individual;
- A face-to-face communication made by the IU Affected Area to the individual; or
- A promotional gift of nominal value provided by the IU HIPAA Affected Area.
If the IU HIPAA Affected Area will be paid by a third party for the marketing activity the Authorization must include a statement the marketing involves payment by a third party
The following communications are exempt from the marketing requirements:
- Communications promoting health in general, which do not promote a product or service from a particular provider
- Communications about government and government-sponsored programs, such as Medicare, Medicaid, or the State Children’s Health Insurance Program.
The HIPAA Privacy Rule states: A covered entity is permitted to use and disclose PHI for research with an individual authorization or without individual authorization under limited circumstances set forth in the Privacy Rule (e.g. waiver of authorization to release PHI for research purposes).
IU HIPAA Affected Areas shall obtain an Authorization for use or disclosure of PHI for research purposes in accordance with the HIPAA Privacy Rule, § 45 CFR 164.508, IU’s Human Subject Research SOP, § 3.2.8: Use and Disclosure of a Health Care Provider’s Patient Information for Research Purposes and this Policy; or
IU HIPAA Affected Areas shall obtain an IRB-approved waiver of Authorization for use or disclosure of PHI for research purposes in accordance with the HIPAA Privacy Rule, § 45 CFR 164.512 and IU’s Human Subject Research SOP, § 18.104.22.168: Waiver of Authorization; or
IU HIPAA Affected Areas are not required to obtain an Authorization or a waiver of Authorization when there is a documented exception that applies in accordance with the HIPAA Privacy Rule, § 45 CFR 164.506.
Authorizations by Minors
In situations where the parent or guardian of a minor has the authority to act on behalf of the minor as the minor’s legally authorized representative, and an Authorization to use or disclose the minor’s PHI is required, the Authorization may be signed by the minor’s legally authorized representative.
If the minor has the authority to act on his or her own behalf in receiving health care services, then the minor must sign his or her own Authorization. In this situation, the minor must authorize any disclosures to parents or guardians. IU HIPAA Affected Areas shall refer to relevant state law for information about the legal rights of minors to act on his or her own behalf.
Required Contents of Authorization
Authorizations shall be written in plain language and shall include, at a minimum, the following required elements:
- A specific description of the PHI to be used or disclosed – must identify the information in a specific fashion (e.g. not just entire chart or all medical records);
- The name of the organization or other specific identification of the person(s) or class of persons (e.g., billing office, human resources department, medical director, etc.) being authorized to make the requested use or disclosure;
- The name of the organization or other specific identification of the person(s) or class of persons being authorized to receive the requested disclosure;
- A description of the purpose for each use or disclosure being requested. “At the request of the individual” is sufficient description when the individual initiates the request;
- A specific expiration date or expiration event relating to the purpose; and
- Individual signature and date. If signature is by the personal representative, a description of the representative’s authority (e.g., custodial parent, executor, conservator).
A valid Authorization shall also include the following required statements to notify an individual of
- The right to revoke the Authorization at any time in writing; that the revocation is effective upon receipt, but a use or disclosure that has already occurred cannot be withdrawn;
- How to revoke an Authorization;
- Whether or not the individual’s treatment or payment is conditioned on the Authorization (see Prohibition on Conditioning of Authorization below); and
- The potential for re-disclosure of PHI by a recipient who is not required by HIPAA to protect PHI.
- Individual’s signature and date
Authorizations are not valid, if:
- The expiration date has passed or the expiration event is known by the covered entity to have occurred;
- The Authorization has not been filled out completely, if applicable;
- The Authorization is known to have been revoked;
- The Authorization violates any state or federal law, if applicable;
- Any material information in the Authorization is known by the covered entity to be false.
An Authorization for use or disclosure of PHI may not be combined with any other document to create a compound Authorization, except as follows:
- Authorization to use or disclose PHI for a research study may be combined with other types of written permission for the same research study provided the conditions for a valid Authorization are satisfied.
- Authorization to use or disclose psychotherapy notes may only be combined with another authorization for the same psychotherapy notes.
Authorizations may be combined with other authorizations, except in the instance where a covered entity has conditioned the provision of treatment, payment, health plan enrollment or health benefits eligibility upon one of the Authorizations.
Prohibition on Conditioning of Authorization
IU HIPAA Affected Areas shall not condition an individual’s treatment or payment on whether the Individual signs a requested Authorization, except for:
- Research related treatment may be conditioned on an Authorization to use or disclose PHI for the research project; and
- Healthcare provided solely for the purpose of creating PHI for disclosure to a third party may be conditioned on an Authorization to disclose to the third party (e.g., pre-employment examinations, research treatments, school physicals).
Copy to Individual
IU HIPAA Affected Areas shall provide a copy of the signed Authorization to the individual.
Revocation of Authorization
IU HIPAA Affected Areas shall permit an individual to revoke an Authorization at any time, provided that the revocation is in writing, except to the extent that the IU Affected Area has taken action in reliance of the Authorization.
Authorization Not Required
As provided in the IU HIPAA Policy on Uses and Disclosures
- to carry out treatment, payment or health care operations;
- for its own training programs;
- to defend a legal action or other proceeding brought by the individual;
- as required by the Secretary of HHS;
- for health oversight activities;
- as required by law;
- as required to public health authorities; or
- to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
Changes to the Authorization
This authorization to release health information for research purposes is in compliance with the requirements in the HIPAA Privacy Rule as well as Indiana State Law.
- This authorization may not be modified except as described in Appendix 2. Any other modifications of this document must be approved by the Human Subjects Office.
- Sponsors are not permitted to change this authorization.
Reason for Policy
To establish when a valid Authorization using, requesting or disclosing PHI is required, what a valid Authorization must contain and when uses and disclosures may be made without an Authorization.