
HIPAA authorizations: Why signed authorizations are required
What covered entities need to know about valid authorizations, common defects and protecting patient privacy.
When is the last time you thought about a HIPAA Authorization Form? You know, the one that people in doctors' offices, dentists' offices, laboratories, hospitals and walk-in clinics, and now in telehealth and other settings, have been filling out and signing for more than 20 years, ever since the Privacy Rule was published? Many of us don't give it a second thought until information is wrongfully disclosed. The requirement itself is set out in the Privacy Rule at 45 CFR § 164.508:
- § 164.508(a)(1) – Authorization required: general rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.
- § 164.508(b)(1) – Implementation specifications: general requirements – Valid authorizations. (i) A valid authorization is a document that meets the requirements in paragraphs (a)(3)(ii), (c)(1), and (c)(2) of this section, as applicable. (ii) A valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional elements or information are not inconsistent with the elements required by this section.
Equally important is what makes an authorization defective. 45 CFR § 164.508(b)(2)(i)-(v) states: (2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects: (i) The expiration date has passed or the expiration event is known by the covered entity to have occurred; (ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c) of this section, if applicable; (iii) The authorization is known by the covered entity to have been revoked; (iv) The authorization violates paragraph (b)(3) or (4) of this section, if applicable; [and] (v) Any material information in the authorization is known by the covered entity to be false. The paragraph (c) elements referenced in (ii) are the core elements of a valid authorization: a specific description of the information to be disclosed, who may disclose it, who may receive it, the purpose, an expiration date or expiration event, and the individual's signature and date, together with the required statements (such as the right to revoke). Paragraphs (b)(3) and (b)(4) are the prohibitions on compound authorizations and on conditioning treatment, payment, enrollment or eligibility on signing. Note the word "known" in (i), (iii) and (v): the covered entity is charged with what it actually knows, so a revocation on file or a death recorded in the chart must reach the staff who release records, not sit in another system.
States have similar requirements. For example, Texas developed an
A valid HIPAA Authorization protects an individual's privacy, a cornerstone of HIPAA and the Privacy Rule, while also protecting covered entities from potential liability: the form tells them exactly to whom the information may be disclosed, beyond the disclosures HIPAA already permits without an authorization.
What are some prudent steps that covered entities should take? Below is a non-exhaustive list:
- Know the authorization's effective period, that is, its expiration date or expiration event. For example, "[t]his authorization is valid until the earlier of the occurrence of the death of the individual; the individual reaches the age of majority; or permission is withdrawn; or the following specific date (optional): Month _______ Day __________ Year _____." Some forms automatically expire after one (1) year and require a new signature, regardless of whether anything has changed.
- Know who has authority to change the authorization, which turns on the individual's decision-making capacity. If the individual has decision-making capacity, then no one, not even a legal representative, can make a change. Someone merely listed as a person who may receive the patient's protected health information has no legal right to change the authorization. A legal representative is often designated in a durable medical power of attorney, which is a separate document from a durable (financial) power of attorney. Either way, capacity, which is determined by a physician, is the cornerstone of when a power of attorney's authority becomes legal and effective in Texas and in other states.
- Confirm that any changes were legal and legitimate. With telehealth and online form completion, the best step a covered entity, especially a provider, can take is to confirm that the patient personally made any changes. If a power of attorney is being relied on, the provider should note that in the record, and the patient's lack of decision-making capacity must be documented. By confirming that the patient signed the electronic form and made any relevant changes, including the addition or removal of a person, the provider limits its liability and also protects the patient, especially elderly patients who may be subject to financial exploitation and elder abuse.
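As an added, constructed illustration (not from the article, and not any agency's, vendor's or EHR product's code) of how a release-of-information workflow could apply the defect rules of § 164.508(b)(2) and the "valid until the earlier of" expiration language quoted above, the following Python encodes each defect as a check and refuses a disclosure that is not consistent with a valid form. The field names, the sample authorization, the event labels and the dates are assumptions made for the example.

```python
"""Validity check for a HIPAA authorization before PHI is released.

Added example, not code from the article. It encodes the defect rules of
45 CFR 164.508(b)(2) and an "earlier of" expiration clause. Field names,
event labels and the sample record below are constructed assumptions.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Core elements of 164.508(c)(1); a blank one is defect (b)(2)(ii).
# Expiration is checked separately: a date OR an event satisfies it.
REQUIRED_ELEMENTS = (
    "description",     # specific, meaningful description of the PHI
    "discloser",       # person(s) or class authorized to make the disclosure
    "recipients",      # person(s) or class to whom disclosure may be made
    "purpose",         # purpose of the use or disclosure
    "signature",       # individual's (or personal representative's) signature
    "signature_date",
)


@dataclass
class Authorization:
    elements: dict                           # element name -> value
    expiration_date: Optional[date] = None   # "the following specific date"
    expiration_events: tuple = ()            # e.g. ("death", "age_of_majority", "withdrawal")
    revoked: bool = False                    # revocation received by the covered entity
    compound: bool = False                   # combined with another document contrary to (b)(3)
    conditioned: bool = False                # treatment/payment conditioned on signing, (b)(4)
    known_false_material_info: bool = False  # material information known to be false


def _blank(value) -> bool:
    """True for a missing, empty or whitespace-only element."""
    if value is None:
        return True
    if isinstance(value, str):
        return not value.strip()
    if isinstance(value, (list, tuple, set, dict)):
        return len(value) == 0
    return False


def find_defects(auth: Authorization, today: date, events_known_occurred=frozenset()) -> list:
    """Return the (b)(2) defects present; an empty list means the form is valid.

    events_known_occurred holds expiration events the covered entity KNOWS
    have occurred (e.g. a death recorded in the chart). Only known events
    count: the rule reads "known by the covered entity to have occurred".
    """
    defects = []
    # (i) expiration date passed, or expiration event known to have occurred
    if auth.expiration_date is not None and auth.expiration_date < today:
        defects.append("(i) expiration date has passed")
    occurred = [e for e in auth.expiration_events if e in events_known_occurred]
    if occurred:
        defects.append("(i) expiration event known to have occurred: " + ", ".join(occurred))
    # (ii) not filled out completely with respect to a paragraph (c) element
    if auth.expiration_date is None and not auth.expiration_events:
        defects.append("(ii) missing element: expiration date or event")
    for name in REQUIRED_ELEMENTS:
        if _blank(auth.elements.get(name)):
            defects.append(f"(ii) missing element: {name}")
    # (iii) revoked, (iv) compound / conditioned, (v) known false material information
    if auth.revoked:
        defects.append("(iii) known to have been revoked")
    if auth.compound:
        defects.append("(iv) violates (b)(3): compound authorization")
    if auth.conditioned:
        defects.append("(iv) violates (b)(4): conditioned on signing")
    if auth.known_false_material_info:
        defects.append("(v) material information known to be false")
    return defects


def may_disclose(auth: Authorization, recipient: str, today: date,
                 events_known_occurred=frozenset()) -> bool:
    """True only if the form is valid today AND names this recipient, so the
    disclosure is consistent with the authorization (164.508(a)(1))."""
    if find_defects(auth, today, events_known_occurred):
        return False
    return recipient in auth.elements.get("recipients", ())


def revoke(auth: Authorization) -> Authorization:
    """Record a revocation the covered entity has received."""
    return replace(auth, revoked=True)


def with_element(auth: Authorization, name: str, value) -> Authorization:
    """Copy of the authorization with one element changed (used for the incomplete-form case)."""
    return replace(auth, elements={**auth.elements, name: value})


# Constructed sample: an "earlier of" style form with an optional specific date.
SAMPLE = Authorization(
    elements={
        "description": "Office visit notes and lab results, 2023-2024",
        "discloser": "Example Family Clinic",
        "recipients": ["Pat Doe (adult child)"],
        "purpose": "At the request of the individual",
        "signature": "J. Doe",
        "signature_date": date(2024, 3, 1),
    },
    expiration_date=date(2025, 3, 1),
    expiration_events=("death", "age_of_majority", "withdrawal"),
)
BEFORE_EXPIRY = date(2024, 9, 1)
AFTER_EXPIRY = date(2025, 6, 1)

if __name__ == "__main__":
    print(find_defects(SAMPLE, BEFORE_EXPIRY))
    print(find_defects(SAMPLE, AFTER_EXPIRY))
    print(find_defects(SAMPLE, BEFORE_EXPIRY, frozenset({"death"})))
    print(may_disclose(SAMPLE, "Pat Doe (adult child)", BEFORE_EXPIRY))
    print(may_disclose(SAMPLE, "Someone Else", BEFORE_EXPIRY))
```

The point of the `events_known_occurred` parameter is the word "known" in the rule: the check can only be as good as the facts the release desk has in front of it, so a death, an age-of-majority date or a withdrawal recorded elsewhere in the chart must be fed into this check rather than assumed. The recipient check in `may_disclose` is the "consistent with such authorization" half of § 164.508(a)(1): a valid form still does not permit sending records to someone it does not name.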
In sum, the ever-present HIPAA Authorization Form serves a real purpose in maintaining a patient's confidentiality, and it also addresses social risks, such as exploitation, that are unfortunately common among certain vulnerable segments of the population. By taking proactive steps, appropriately verifying and documenting information in the medical record, and checking the HIPAA Authorization Form before any information is sent out, providers can mitigate their legal liability.