Outlineof this section:
1.Language from Federal Rule
3.Reminder about "minimum necessary" disclosure.
Preparedby M.P. Dunlap & B. McDowell for HIPAA Training
AUTHORIZATION-a customized document that gives covered entities permission to use specifiedProtected Health Information (PHI) for specified purposes, which are generallyother than Treatment, Payment, and health care operations (TPO), or to disclosePHI to a third party specified by the individual. Authorizations should not be construed to waive, directly orindirectly, any privilege granted under federal, state, or local laws orprocedures.
Coreelements and requirements.—(1)
Coreelements. A validauthorization under this section must contain at least the following elements:
i) Adescription of the information used or disclosed that identifies the informationin a specific and meaningful fashion.
ii)The name or other specific identification of the person(s), or class of persons,authorized to make the requested use or disclosure.
(iii)The name or other specific identification of the person(s), or class of persons,to whom the covered entity may make the requested use or disclosure.
(iv)A description of each purpose of the requested use or disclosure. The statement‘‘at the request of the individual’’ is a sufficient description thepurpose when an individual initiates the authorization and does not, or electsnot to, provide a statement of the purpose.
(v)An expiration date or an expiration event that relates to the individual or thepurpose of the use or disclosure. The statement ‘‘end of the researchstudy,’’ ‘‘none,’’ or similar language is sufficient if theauthorization is for a use or disclosure of protected health information forresearch, including for the creation and maintenance of a research database orresearch repository.
(vi)Signature of the individual and date. If the authorization is signed by personalrepresentative of the individual, a description of such representative’sauthority to act for the individual must also be provided.
(2)Required statements.In addition to the coreelements, the authorization must contain statements adequate to place theindividual on notice of all of the following:
(i)The individual’s right to revoke the authorization in writing, and either:
(A)The exceptions to the right to revoke and a description of how the individualmay revoke the authorization; or
(B)To the extent that the information in paragraph (c)(2)(i)(A) of this section isincluded in the notice required by ß 164.520, a reference to the coveredentity’s notice.
(ii)The ability or inability to condition treatment, payment, enrollment oreligibility for benefits on the authorization, by stating either:
(A)The covered entity may not condition treatment, payment, enrollment oreligibility for benefits on whether the individual signs the authorization whenthe prohibition on conditioning of authorizations in paragraph (b)(4) of thissection applies; or
(B)The consequences to the individual of a refusal to sign the authorization when,in accordance with paragraph (b)(4) of this section, the covered entity cancondition treatment, enrollment in the health plan, or eligibility for benefitson failure to obtain such authorization.
(iii)The potential for information disclosed pursuant to the authorization to besubject to redisclosure by the recipient and no longer be protected by thissubpart.
(3) Plainlanguage requirement. The authorization must be written in plain language.
(4)Copy to the individual. If a covered entity seeks an authorization froman individual for a use or disclosure of protected health information, thecovered entity must provide the individual with a copy of the signedauthorization. Per FederalRegister/ Vol 67, No. 157, / Wednesday, August 14, 2002/ Rules and Regulations
Psychotherapynotes: (p 53268)
psychotherapynotes. Notwithstanding anyprovision of this subpart, other than the transition provisions in ß 164.532, acovered entity must obtain an authorization for any use or disclosure ofpsychotherapy notes, except:
(i)To carry out the following treatment, payment, or health care operations:
(A) Use by the originator of the psychotherapy notes for treatment;
(B) Use or disclosure by the covered entity for its own training programs inwhich students, trainees, or practitioners in mental health learn undersupervision to practice or improve their skills in group, joint, family, orindividual counseling; or
Useor disclosure by the covered entity to defend itself in a legal action or otherproceeding brought by the individual; and (ii) A use or disclosure that isrequired by ß 164.502(a)(2)(ii) or permitted by ß 164.512(a); ß 164.512(d)with respect to the oversight of the originator of the psychotherapy notes; ß164.512(g)(1); or ß 164.512(j)(1)(i).
to use and disclose the specific protected health information describedbelow
asis necessary to: __ release information to, and/or ___ receive information from:
address city/ state (phone)
The information to be used or disclosed includes:
Social, medical or psychological reports.
| || |
Medications used in treatment.
| || |
Treatment goals and results.
| || |
Information about drug and/or alcohol abuse or treatment
| || |
Court or probation records
| || |
| || |
This information disclosure is necessary for the following purpose(s): …………………………………..
Diagnosis and evaluation.
| || |
| || |
To facilitate treatment.
| || |
| || |
Ifwe are requesting this Authorization from you for our own use and disclosure orto allow another health care professional or health care entity to discloseinformation to us: (1) We cannot deny our services or treatment to you if yourefuse to make this signed authorization; (2) You have the right to inspect acopy of the protected health information to be used or disclosed; (3) You mayrefuse to sign this Authorization; and (4) We must provide you with a copy ofthe signed authorization. You have the right to revoke this Authorization at anytime, provided that you do so in writing and except to the extent that we havealready used or disclosed the information in reliance on this Authorization. Unlessrevoked earlier or otherwise indicated, this Authorization will expire 180 daysfrom the date of signing or shall remain in effect for the period reasonablyneeded to complete the request.
Bysigning this Authorization, you may be directing us to disclose your healthinformation to a person or organization that does not have the same obligationsto protect privacy required of health care practitioners, health plans and otherhealth care entities observe under state and federal law. The disclosure of theinformation specified above may carry with it the potential for unauthorizeddisclosure of your protected health information and loss of protection understate and federal law.
Youmay request that we require the recipient of your protected health informationto sign a Confidentiality Agreement in which the recipient agrees tolimit its use and disclosure of your information as specified by the ConfidentialityAgreement. If the intended recipient refuses to sign the confidentialityagreement you request, we will not release the information.
_______(Your Initials) I requestthat the recipient of the information identified above for disclosure sign aConfidentiality Agreement.
_______ (Your Initials) Iunderstand that my alcohol and/or drug treatment records are protected underfederal and state regulations (42 CFR Part 2 and ORS 430.399(5), 179.505)governing Confidentiality of Alcohol and Drug Abuse Patient Records, and cannotbe disclosed without my written authorization unless otherwise provided for inthe regulations. I also understand that I may revoke this authorization inwriting at any time except to the extent that action has been taken in relianceon it, and that in any
eventthis authorization expires automatically as follows: ________________________________________________________________________________
(Specifythe date, event, or condition upon which the Authorization expires)
I have reviewed this Authorization and Iunderstand it. I understand that the information used or disclosed under thisAuthorization may be subject to re-disclosure by the recipient and may no longerbe protected under federal privacy law.
_____________________________ ______________________________________ _________
Client/patient (or)legal representative & legal representative’s authority Date
_________________________________ Reminder Note! _________________________
Below, you will find direct quotes from the Privacy Rule concerning the“minimum necessary” amount of information to release. Here are the highlights: 1)When you release protected information, make reasonable efforts to limitit to the minimum; 2) You must have “policies and procedures”concerning the “minimum necessary” standard; 3) Thecovered entity who holds the information always retains discretion to makeits own minimum necessary determination.
See ß 164.502(b). Protected healthinformation includes individually identifiable health information (with limitedexceptions) in any form, including information transmitted orally, or in writtenor electronic form….
Further, the Privacy Rule does not permita health plan to condition enrollment, eligibility for benefits, or payment of aclaim on obtaining the individual’s authorization to use or disclosepsychotherapy notes. Nor may a health care provider condition treatment on anauthorization for the use or disclosure of psychotherapy notes. Thus, theDepartment believes that these additional protections appropriately andeffectively protect an individual’s privacy with respect to psychotherapynotes.