HIPAA Authorization to Use and Disclose Protected Health Information (PHI)
REG12.60.10 Current Version
History: Effective: September 19, 2013
Revised: January 8, 2004; October 8, 2010; September 18, 2013
Transitioned from Interim to Permanent: July 17, 2014.
Related Policies: Permitted Uses and Disclosures of PHI
Use and Disclosures of PHI for Marketing
Use and Disclosure of PHI for the Sale of Protected Health Information
Additional Resources: 45 CFR 164 Subpart E: Privacy of Individually Identifiable Health Information
"Modification to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule," 78 Federal Register 17 (25 January 2013), pp. 5566-5702.
ECU Healthcare Components
ECU HIPAA Privacy Forms
Contact Information: ECU HIPAA Privacy Office, 252-744-5200
1.1. To provide guidance to East Carolina University's Health Care Components ("ECU Health Care Components") concerning circumstances in which an authorization signed by the individual or his/her personal representative is required to use or disclose that individual's protected health information ("PHI").
2.1. Compound Authorization means an authorization for use and disclosure of PHI that is combined with any other legal permission.
2.2. Core Elements means the required elements that must be present for an authorization to use or disclose PHI to be valid. At the very least, the following elements must be contained in an authorization:
2.2.1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
2.2.2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
2.2.3. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the required use or disclosure.
2.2.4. A description of each purpose of the requested use or disclosure.
188.8.131.52. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
2.2.5. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
184.108.40.206. The statement "end of the research study," "none," or similar language is sufficient if the authorization is for a use or disclosure of PHI for research, including for the creation and maintenance of a research database or research repository.
2.2.6. Signature of the individual and date.
220.127.116.11. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.
2.3. Defective Authorization means an authorization that is not valid because of any of the following defects:
2.3.1. The expiration date has passed or the expiration event is known by an ECU Health Care Component to have occurred;
2.3.2. The authorization has not been filled out completely, with respect to containing both the Core Elements and Required Statements; written in plain language; and a copy of the signed authorization is provided to the individual if an ECU Health Care Component requests the authorization from an individual for a use or disclosure of PHI.
2.3.3. The authorization is known by an ECU Health Care Component to have been revoked;
2.3.4. The authorization violates paragraphs 3.2 and 3.3, if applicable;
2.3.5. Any material information in the authorization is known to be false by an ECU Health Care Component.
2.4. Required Statements means the statements that must be contained in an authorization to use or disclose PHI to place the individual on notice for the following:
2.4.1. The individual's right to revoke the authorization in writing, and either:
18.104.22.168. The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
22.214.171.124. To the extent that the information in paragraph 126.96.36.199 is included in the ECU Health Care Component Notice of Privacy Practice, a reference to the Notice.
2.4.2. The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:
188.8.131.52. The ECU Health Care Component may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations is required per paragraph 3.2; or
184.108.40.206. The consequences to the individual of a refusal to sign the authorization when an ECU Health Care Component can condition treatment, enrollment in a health plan, or eligibility for benefits on failure to obtain such authorization per paragraph 3.2.
2.4.3. The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by HIPAA.
220.127.116.11. For example, if an individual authorizes an ECU Health Care Component to disclose his or her PHI to a person or organization that is not covered by HIPAA (e.g., a friend or family member), then that person or organization may share the individual's PHI with anyone and it will no longer be protected by HIPAA.
2.5. Valid Authorization means a document that
2.5.1. Contains the Core Elements, Required Elements, and the following, as applicable:
18.104.22.168. If the authorization is for marketing, and involves financial remuneration, the authorization must state that such remuneration is involved.
22.214.171.124. If the authorization is for the sale of PHI, then the authorization must state that the disclosure will result in remuneration to an ECU Health Care Component.
2.5.2. A valid authorization may contain elements or information in addition to the Core Elements and Required Elements, provided that such additional elements or information are not inconsistent with such elements.
3.1.1. Examples of when a signed authorization is required includes, but is not limited to:
126.96.36.199. Psychotherapy Notes
188.8.131.52. Sale of PHI
3.2. Prohibition on Conditioning of Authorization. ECU Health Care Components may not condition the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits on the provision of an authorization to use or disclose PHI except:
3.2.1. When research related treatment is conditioned on certain uses or disclosures or when PHI is created for the sole purpose of disclosure to a third party.
3.2.2. When the purpose of creating the PHI is solely for disclosure to a third party on provision of an authorization for the disclosure of the PHI to such third party (e.g., employment physicals).
3.3. Compound Authorization. An authorization to use or disclose PHI may not be combined with any other document to create a compound authorization, except as follows:
3.3.1. Research. An authorization for the use of disclosure of PHI for a research study may be combined with any other type of written permission for the same or another research study.
184.108.40.206. Any compound authorization created under paragraph 3.3.1 must clearly differentiate between the conditioned and unconditioned components and provide the individual with an opportunity to opt in to the research activities described in the unconditioned authorization.
3.3.2. Psychotherapy Notes. An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes.
3.3.3. Non-Psychotherapy Notes. An authorization for a use or disclosure, other than for psychotherapy notes, may be combined with any other such authorization except when one of the authorizations has been conditioned, per paragraph 3.2.
3.4. Revocation of Authorization. Individuals may revoke their authorizations at any time in writing except to the extent that an ECU Health Care Component has already taken action in reliance on the authorization.
3.5. Designation of Responsibility. Each ECU Health Care Component must designate and document the titles of persons or offices responsible for receiving and processing authorizations to use and disclose PHI.
4.1. Authorization for Use or Disclosure of PHI
4.1.1. Valid Authorization. ECU Health Care Component's must obtain a Valid Authorization prior to the use or disclosure of PHI that is not otherwise permitted or required by law by using one of the following methods:
220.127.116.11. ECU Authorization for Use or Disclosure of PHI form.
18.104.22.168.1. This form should be used when an ECU Health Care Component receives a request directly from the individual.
22.214.171.124. External Authorization for Use or Disclosure of PHI form.
126.96.36.199.1. An ECU Health Care Component may use a Valid Authorization request received from an external entity (e.g., attorney's office, government agency, independent health care provider) as long as the Core Elements, paragraph 2.2, and Required Statements, paragraph 2.3, are provided.
4.1.2. Defective Authorization. ECU Health Care Components must not act on a Defective Authorization.
188.8.131.52. If an authorization is determined to be a Defective Authorization, then the person requesting the use or disclosure on behalf of the individual or the individual should be contacted and informed of the deficiencies contained in the authorization.
4.2. Requests Received by ECU Health Care Components
4.2.1. Individual Requests Received in Person.
184.108.40.206. Verify the identity of the individual; and
220.127.116.11. Provide the individual with an ECU Authorization for Use or Disclosure of PHI to complete and forward to designated office or person within the ECU Health Care Component; or
18.104.22.168. Direct the individual to the designated office or person within the ECU Health Care Component to obtain and complete the authorization.
4.2.2. Individual Requests Received by Mail
22.214.171.124. Forward all requests to the designated office or person within the ECU Health Care Component to review for validity of authorization.
4.3. Denial of Authorization for Use or Disclosure of PHI. If an ECU Health Care Component denies an individual's request for use or disclosure of PHI, the Component must provide notice to the individual in writing using the ECU Denial of Individual's Request for Access, Use or Disclosure of Protected Health Information form.
4.4. Provision of a Copy
4.4.1. If an ECU Health Care Component seeks an authorization from an individual for a use or disclosure of PHI, then a copy of the signed authorization must be provided to the individual.
4.5.1. ECU Health Care Component's must document and retain the Valid Authorization in the individual's designated record set for six years from the date of its creation or the date when it last was in effect, whichever is later.