HIPAA Policy Section 4.11: Obtaining and Relying Upon an Authorization

Document Description

System shall obtain an Individual’s written Authorization before requesting, Using or Disclosing the Individual’s PHI when such request, Use or Disclosure is not permitted by the HIPAA Privacy Standards without an Authorization.

4.11(1) Obtaining an Individual’s Written Authorization

Except as otherwise provided in this Manual, System shall obtain an Individual’s signed, written Authorization before requesting, Using, or Disclosing the Individual’s PHI in situations when the intended request, Use or Disclosure is not otherwise permitted by the HIPAA Privacy Standards. System’s Authorization for the Use and Disclosure of Protected Health Information form, a copy of which is attached as a Form in the Appendix to this Manual and which contains the elements required by the HIPAA Privacy Standards, or another specific form for specific circumstances shall be used whenever possible to ensure that the Authorization is valid An Individual may, but is not required to initiate an Authorization to obtain the Individuals PHI or to direct the release of PHI to a third party, in which case the Individual shall not be required to reveal the purpose of the requested Use or Disclosure.

4.11(2) Personal Representative

In accordance with Section 4.12 of this Manual, an Individual’s Personal Representative has the authority to give and revoke Authorizations on behalf of the Individual.

4.11(3) Provision of Copies to the Individual

System shall provide each Individual with a copy of any signed Authorization received on behalf of the Individual by System provided that the specific Authorization is adequately identified in the request. System will not comply with global requests for all Authorizations received concerning a particular Individual, except as part of a Individual’s request for access to PHI or provision of access to a third party on behalf of the Individual’s PHI made in accordance with Section 7.2 of this Manual.

4.11(4) Reliance on an Authorization

Prior to Using, or Disclosing PHI in reliance on an Authorization, the Privacy Officer or a Privacy Officer’s designee shall review the Authorization to ensure that:

  1. the Authorization contains all applicable elements described in this Section;
  2. any expiration date has not passed, and any expiration event is not known by System to have occurred;
  3. the Authorization has been filled out completely;
  4. the Authorization has not been revoked in accordance with this Section;
  5. to the extent known by System, the Authorization was not obtained due to a condition that violates this Section;
  6. the Authorization is not combined with another document in violation of this Section; and
  7. no material information in the Authorization is known by System to be false.

Upon receipt of a valid Authorization, the Authorization shall be filed with the Individual’s Designated Record Set, in accordance with Section 9.2 of this Manual.

4.11(5) Contents of an Authorization

An Authorization, to be valid, must contain all of the following elements written in plain and understandable language:

  1. a description of the information to be Used or Disclosed that identifies the information in a specific and meaningful fashion;
  2. a statement System or a System employee of one of these entities is authorized to make the requested Use or Disclosure;
  3. the name or other specific identification of the persons, or class of persons, to whom the requested Use or Disclosure may be made;
  4. a description of each purpose of the requested Use or Disclosure, except that, if an Individual initiates the Authorization and does not provide a statement of the purpose, the statement “at the request of the Individual” is sufficient;
  5. an expiration date or an expiration event that relates to the Individual or the purpose of the Use or Disclosure;
  6. a statement that places the Individual on notice of the Individual’s right to revoke the Authorization in writing, and either (i) the exceptions to the right to revoke and a description of how the Individual may revoke the Authorization or (ii) to the extent such information is included in the Plan’s notice of privacy practices, a reference to the notice;
  7. a statement that places the Individual on notice of the ability or inability of the person requesting the Authorization to condition Treatment, Payment,  enrollment, or eligibility for benefits on the Authorization, by stating either (i) if Treatment, enrollment, or eligibility for benefits is conditioned on whether the Individual signs the Authorization, the consequences to the Individual of a refusal to sign the Authorization, or (ii) that Treatment, Payment, enrollment, or eligibility for benefits is not conditioned on whether the Individual signs the Authorization;
  8. if the Authorization is for Marketing that involves direct or indirect remuneration from a third party, a statement that such remuneration is involved;
  9. a statement that places the Individual on notice of the potential for information Disclosed pursuant to the Authorization to be subject to re-disclosure by the recipient and to no longer be protected by the HIPAA Privacy Standards; and
  10. a description of and the signature of the Individual with the date signed and, if the Authorization is signed by a personal representative of the Individual, a description of such representative’s authority to act for the Individual.

4.11(6) Revocation of an Authorization

An Individual shall have the right to revoke his or her Authorization at any time, provided that the Individual’s revocation is in writing. The revocation is effective upon its receipt by the Privacy Officer. A System form Revocation of Authorization, a copy of which is contained in the Appendix to this Manual, may be used by the Individual. When the Privacy Officer receives an Individual’s written revocation the Privacy Officer shall notify applicable parties of the revocation of Authorization and document the revocation or information concerning the revocation received by the person obtaining the authorization. System shall stop Using and Disclosing the Individual’s PHI in reliance on the Authorization, except to the extent System has already taken action in reliance on the Authorization. If System has not yet Used or Disclosed the PHI, System shall refrain from doing so, pursuant to the revocation. If EGI has already Disclosed the information, System need not retrieve the information. Notwithstanding the above, if an Authorization is obtained as a condition of obtaining insurance coverage under a policy or certificate, a revocation of the Authorization shall not be effective to the extent any law provides an insurer with the right to contest either a claim under the policy or certificate or the policy or certificate itself and the revocation would cause Uses or Disclosures for such purpose to be prohibited.

4.11(7) Conditioning Activities on the Provision of an Authorization

The provision of Treatment, Payment, health plan enrollment, or eligibility for health plan benefits may not be conditioned on an Individual’s provision of an Authorization, except as follows:

  1. a Covered Entity, including System may condition the provision of health care on an Individual’s provision of an Authorization if (i) such health care is solely for the purpose of creating PHI for Disclosure to a third party and (ii) such Authorization is for the Disclosure of such PHI to such third party; or
  2. enrollment in a health plan may be conditioned upon an Individual’s provision of Authorization if the Authorization (i) is requested prior to the Individual’s enrollment in the health plan; (ii) is sought for an eligibility or enrollment determinations relating to the Individual or for its underwriting or risk rating determinations; and (iii) does not authorize a Use or Disclosure of Psychotherapy Notes.

4.11(8) Combining Authorizations.

An Authorization may not be combined with any other document, except as follows:

  1. an Authorization for the Use or Disclosure of PHI for a specific research study may be combined with any other type of written permission for the same research study; and
  2. an Authorization may be combined with another Authorization if they are visually and organizationally separate and are separately signed and dated, unless (i) one Authorization is for a Use or Disclosure of Psychotherapy Notes, and the other is not, or (ii) the provision of Treatment, Payment, plan enrollment, or eligibility for plan benefits was conditioned on the provision of one of the Authorizations.

4.11(9) Retention of Authorizations

System shall maintain any written Authorization, or the electronic record of any Authorization, that it receives in accordance with Section 9.2 of this Manual.


45 C.F.R. §§ 164.508, 164.532


Release Date

Responsible Office(s)

Employee Benefits

Document Type