Learn about the 12 requirements for a HIPAA compliant authorization.

Anyone can go to their doctor and ask for their medical records. Additionally, there may be other people who need those records, like other doctors for continuity of care, law offices, insurance companies, family members, Veterans Affairs, and numerous others.

When sharing this Protected Health Information (PHI), health care organizations must adhere to HIPAA regulations. So, how do you balance the need to release information with the need to protect it? To start, you require patient permission to release their PHI. Just like anything else with HIPAA, if it’s not written, it didn’t happen, so you need to provide and document a patient authorization that must be filled out before you can release the information.

So, now you know you need an authorization form, but what needs to be in it? Here are the 12 requirements for a HIPAA compliant authorization:

1. Patient name
This is pretty self-explanatory. You need to know whose information you will be releasing, so you will need the patient’s name on the authorization form.

2. “Release from” section
This is where the records are being requested from. If a patient was seen by their podiatrist and the patient wants that information sent to their lawyer, it would be the name and address of the podiatrist’s office.

3. “Release to” section
This is the location where the information is being sent. In the example above, that means it would be the name and address of the law office.

4. Date of service
This is extremely important as you will need to know what information to send. A patient may be seen every week for lab tests, but may only want one specific date of service to be sent.

5. Type of information
Again, this is important to know, as the patient may only want labs sent to that law office.

6. Purpose
This would be the reason the patient wants the records sent to the law office. Obviously, this example would be for legal reasons. Other reasons might include continuity of care, insurance claims, personal (maybe they just want to see what is in their record), government, etc.

There is no “wrong” purpose, but knowing the purpose might help you determine how much to send. Remember that minimum necessary thing? Even if a patient says he wants all his records to be sent to his doctor, the doctor doesn’t want to see every little thing in that record. You could easily just send dictated reports, and the doctor and staff will thank you for not blowing up their fax machine.

7. “Right to revoke” statement
There should be a statement on the authorization showing that the patient understands he or she has the right to revoke the authorization. There is no penalty for doing so, but if the transaction has been completed, you can’t pull the records back. The patient should understand all of this.

8. “Re-disclosure” statement
There should also be a statement that specifies that once you release a patient’s records, you cannot be held liable if the person you released them to goes on to share them with someone else. Once they are out of your hands, they are no longer under your protection.

9. Expiration date
The authorization should also have an expiration date. It can be anywhere from one week to an indefinite amount of time. Once it expires, that means you cannot release information. To do so, you would need a new authorization.

10. Ability or inability to condition treatment
This statement stipulates that you, as a covered entity, cannot change the patient’s ability to get care at your organization if they decide to fill out or not fill out an authorization form. This form is for the sole purpose of getting information. It cannot affect a patient’s right to care.

11. Patient signature
This one helps you to prove that the patient is who they say they are. Often, it’s best to get a copy of a photo ID to match the two signatures.

12. Date of signature
This is important for that expiration date. If the expiration date is set at one year, the authorization would be valid until one year after the date this authorization was signed.

Note: While it is not a requirement, it would be beneficial to have a line for the date of birth. Trust me, you don’t realize how important that is until you’ve had three Joe Whites come in to get their records.

For access to our HIPAA Compliant Authorization form template and other important templates, sign up with HIPAAgps today!
