The Health Insurance Portability and Accountability Act of 1996, or HIPAA, requires doctors and health plans to obtain written authorization from patients to share information in their medical records for purposes unrelated to treatment, payment or routine health care operations. The authorization form can originate from the hospital or health plan or it can come from the organization seeking the data, such as a researcher, an employer, a marketing firm or an insurance company. A valid form must include several core elements.
Description of Information
For all disclosures of protected health information, which may include a patient’s name and health status, HIPAA requires hospitals and health plans to disclose only the minimum amount of information necessary for its intended purpose. Rather than a general request to disclose a patient’s entire medical record, a valid HIPAA authorization form must include a detailed description of specific information in the patient's medical record the hospital or health plan may disclose.
Name of Individual
The authorization form needs to state the name of the individual or that of a personal representative authorized to make the requested disclosure.
Name of Recipient
The authorization must state the name or identity of the recipient of the information or the name of the person who can use the information. Hospitals and health plans may disclose information to the named recipients upon receiving a fax or a photocopy of a valid authorization.
Purpose of Disclosure
The form must include a description of each purpose for the information requested. For example, researchers must include a study-specific statement of purpose. They can’t submit a statement that involves future unspecified research. When patients request disclosure of information in their medical file without giving a reason, the authorization form can state “at the request of the individual,” according to the U.S. Department of Health & Human Services, or HHS, guidelines on patient-initiated authorizations.
Expiration Date
A valid HIPAA authorization to release medical information must include an expiration date or an expiration event. Researchers can write the terms "end of the research study" or "none" as an expiration event on an authorization form requesting the patient information for a health study or to create and maintain a research database, HHS advises.
Signature and Date
Additionally, the individual’s signature, or that of a person authorized to make health care decisions on his behalf, along with the date, must appear on a valid authorization form. The regulation doesn’t require a witness to the authorization or a notarized form, according to HHS.
Right to Revoke
Individuals have the right to revoke an authorization at any time. The authorization form must state this right and specify the process for revocation, which takes effect when the hospital or health plan receives a written request from the individual.
Writer Bio
Cassie M. Chew is a multimedia journalist who covers politics, health care, education policy and technology news for print and online newspapers, magazines and trade press journals. When she's not pursuing a story, Chew enjoys independent film, biographies and books about nutrition and health. She holds a Master of Science in journalism from Northwestern University.