Elements of a HIPAA authorization

by Barbara Haubrich-Hass, ACP/CAS, July 2014

Most civil legal professionals understand the importance of complying with the Health Insurance Portability and Accountability Act (“HIPAA”). HIPAA established the Federal standards for the security of electronically protected health information (“e-PHI”). The purpose of HIPAA is to ensure that every covered entity has protected the confidentiality, integrity, and availability of e-PHI. Legal professionals are considered a covered entity under HIPAA and are required to safeguard a client’s protected health information.

At the same time, HIPPA provides the standard by which a covered entity is permitted to disclose health information for patient care or other purposes, such as in the legal arena. This article will focus on the elements of a HIPAA compliant authorization for use by a legal professional to obtain a client’s protected health records.

A. HIPPA Authorization:

A covered entity may not disclose protected health information without a valid authorization. Some medical providers are so concerned about complying with HIPAA prior to producing a patient’s medical records that they create their own authorization that must be used for every request, such as a Kaiser Permanente medical authorization.

An authorization is a client’s signed permission to allow a legal professional to obtain the client’s PHI from a covered entity. The authorization must be written in plain language, not legalese. 45 C.F.R. § 164.508 contains the core elements and required statements that must be included in a HIPAA compliance authorization. The authorization will not be valid unless all of the required elements and language is contained in the authorization.

B. Authorization Core Elements:

An authorization requesting PHI must include the following core elements:

A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;
A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;
An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository; and,
Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided. [See 45 C.F.R. §164.508(c)(1)]

C. Authorization Required Statements:

In addition to the core elements, an authorization must contain statements adequate to place the individual on notice of all of the following:

The individual’s right to revoke the authorization in writing, and either (1) the exceptions to the right to revoke and a description of how the individual may revoke the authorization, or (2) reference to the corresponding section(s) of the covered entity’s Notice of Practice Practices;
Notice of the covered entity’s ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, including research-related treatment, and, if applicable, consequences of refusing to sign the authorization; and,
The potential for PHI to be re-disclosed by the recipient and no longer be protected by HIPAA. [See 45 C.F.R. § 164.508(c)(2)]

D. Mental Records:

Psychotherapy records have a higher protection under HIPAA. HIPAA distinguishes between mental health information in a mental health professional’s private notes and that contained in the medical records. HIPAA does not provide a right of access to psychotherapy notes. Psychotherapy notes mean notes recorded, by any medium, by a health care provider who is a mental health professional the contents of conversation during a private counseling session. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment, results of clinical tests, and any summary of the following: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. [See 45 C.R.F. § 164.501]

E. Creating a HIPAA Authorization:

If you are a legal professional creating a HIPAA Authorization to obtain a client’s health records, ask yourself these questions:

• Is the authorization written in plain language?
• Does the authorization identify the name of the client who you are requesting the records of?
• Does the authorization identify the type of information to be disclosed?
• Does the authorization identify the names or classes of persons or types of healthcare providers authorized to produce the health records and to whom?
• Does the authorization identify the purpose of the disclosure?
• Does the authorization contain the signature of the client or the client’s authorized legal representative?
• If the authorization is signed by a legal representative, does the authorization identify the relationship of that person to the client?
• Does the authorization include the date the authorization as signed by the client?
• Does the authorization identify the time period for which the authorization is effective and expiration date?
• Does the authorization contain a statement informing the client his or her right to revoke the authorization in writing and a description of how to do so?
• Does the authorization contain a statement informing the client about the potential for information to be re-disclosed and no longer protected by the federal privacy rule?
• Does the authorization contain a statement that the client is entitled to a copy of the authorization?
• Does the authorization contain a statement that the client may inspect or copy the medical information produced to the attorney?