Skip to main content

How to Fill out a HIPAA Compliant Authorization


Every covered entity must implement a special document or form, which should be completed in its entirety whenever an individual wishes to authorize a specific use and/or disclosure of its protected health information.

Section 164.508 of the Privacy Rule, Uses and disclosures for which an authorization is required, specifically describes the required contents of this document.

It is important to understand that according to Section 164.508 (b) (2) of the Privacy Regulation, this form must be filled out completely in order for the same to be valid. Hence, the complete and accurate provision of the required information on this form is important, not only to adequately document the event, but also to achieve the validity required by the Standard. This article will explain how to properly fill out the authorization form.

First, provide all necessary demographic information as requested in the form. Though requesting this information is not part of the Standard, it is logically necessary for proper documentation and tracking of the authorization form. For this article we will assume that the information requested on your form is, for the most part, in the same order as it appears in the Regulation.

Somewhere on your form, you must describe the information to be used and/or disclosed by the covered entity in a "specific and meaningful fashion", as stated in Section 164.508 (c) (1) (i). For example:

* A copy of the entire clinical record.

* The complete Claims Payment History Report.

* All laboratory results from 1/1/2004 through 31/12/2006.

Do not write something like "All PHI", or "Everything". This is not "specific and meaningful" enough.

Following this, on Section 164.508 (c) (1) (ii), the form is supposed to request "the name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure". If the form that you are using has a line that goes as the example that follows, then this element is pretty much taken care of:

"I hereby authorize Dr. Berry Well to use and/or disclose the Protected Health Information described next:"

Note that in the sentence above, you are actually complying with two elements in the Standard, element (i) and (ii). Of course, more than likely this sentence would be found only in the form provided by Dr. Berry Well's office, the example.

If the form that you are filling out does not have a sentence like the one above, then provide the name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure, in compliance with Section 164.508 (c) (1) (ii) above. Some examples:

* I authorize any clinical record technician at Doingwell General Hospital to use and/or disclose my Protected Health Information.

* I hereby authorize Dr. John Bandage, Dr. Nancy Betadine, and Dr. Stet O. Scope to use and/or disclose my Protected Health Information.

* I authorize Neverworry Health Plan to use and/or disclose my PHI.

According to Section 164.508 (c) (1) (iii), the next thing required on the form is "the name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure." Even though it is not required by the Regulation, it is good practice to provide the mailing address of the person receiving the information. For example:

* John Doe. 9898 Whatever Street, Anytown, California 00777.

* Any of the Attorneys or their properly identified assistants from Jane Doe's Legal Offices. 8787 Trustme St. Anytown, Texas 00999.

Do not write something like "Any attorney", or "My friend" alone. As expressed above, the Regulation requires: "the name or other specific identification of the person"... You may have many friends (or know a lot of people that would claim to be your friends), and "any attorney" is just that, any attorney.

Section 164.508 (c) (1) (iv) requires "a description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose." These are some examples:

* At the request of the individual.

* To conduct an investigation related to fraud and abuse.

* Information necessary for a lawsuit.

* To coordinate for health benefits.

Next, you have to provide an authorization "expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure, according to Section 164.508 (c) (1) (v) of the Privacy Rule. Examples:

* December 31, 2015.

* As soon as the minor reaches adult age.

* One year after the date on which the authorization is signed.

* Sixty days after the date on which the authorization is signed.

* As soon as the health plan's coverage expires.

Do not write something like "no expiration date", "forever", or "indefinite". These do not really constitute an expiration date or expiration event, as required by the Regulation.

Finally, the authorization form must be signed and dated by the individual. Whenever an individual is not able to sign the authorization form, an authorized representative may do so for him/her. Section 164.508 (c) (1) (vi) of the Regulation states that "if the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided." For example:

* I am the subscriber's legal guardian, and I am including a copy of a power of attorney.

* I am the patient's son, and she is not able to use her hands to sign.

* I am the patient's wife, and he is in a comma at this Hospital.

There are additional elements in Section 164.508 that should be studied and reviewed. These are listed in paragraphs:

* (d) Implementation Specifications: Authorizations requested by a covered entity for its own uses and disclosures.

* (e) Implementation Specifications: Authorizations requested by a covered entity for disclosures by others.

* (f) Implementation Specifications: Authorizations for uses and disclosures of protected health information created for research that includes treatment of the individual.

A properly filled out authorization form may considerably speed the process for obtaining PHI, and avoids possible delays. The form described in this Section does not take the place of a legal power of attorney. This form's only purpose is to authorize use and/or disclosure of protected health information.

Comments and Discussion

Questions and AnswersHave Your Say: We welcome relevant discussions, criticism and your unique insights. Comments are moderated and will not appear until approved. NOTE: We do not verify information posted in the comment section.




Newsletter

     What will I receive?
Finance icons
Information
for low income singles, families, seniors and disabled. Programs include grants, home ownership, vehicle modification loans, personal loans and scholarships.