Under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, certain disclosures of protected health information (PHI) require specific authorization from the individual whose information is at issue.
A HIPAA authorization is fundamentally a formal, detailed document through which an individual gives permission to a covered entity (such as a health care provider, health plan, or their business associate) to use or disclose PHI for purposes not otherwise permitted by the Privacy Rule.
Unlike voluntary consent forms—which covered entities may use at their discretion for treatment, payment, and health care operations—an authorization is required when the Privacy Rule does not independently allow a use or disclosure or when an individual specifically directs a disclosure to a third party, such as to an attorney.
HIPAA authorizations must contain specific elements to be valid. These elements include a description of the PHI to be disclosed, identification of the persons authorized to make the disclosure, and who may receive the information, an expiration date or event, and in many cases the purpose of the requested disclosure.
In addition, state licensure laws govern what must go into the client authorization and consent to release PHI.
Without all these elements under HIPAA and state licensure law, the authorization is not valid. The Privacy Rule also allows covered entities to accept copies, facsimiles, or electronically transmitted versions of a valid signed authorization.
An authorization remains in effect until it reaches its expiration date or event, unless it is revoked earlier in writing by the individual. HIPAA requires that such an expiration date or event be included—examples range from a specific calendar date to a defined event like “termination of plan enrollment.” State laws may further govern how long authorizations remain valid.
One common point of confusion involves subpoenas and whether they function as authorizations for PHI disclosures. HIPAA distinguishes subpoenas from court orders. A subpoena alone is merely an “invitation” to provide the PHI.
On the other hand, a court order, issued by a judge or equivalent administrative tribunal, can direct disclosure of PHI without individual authorization, but disclosure is limited to only the PHI specifically described. In addition, other privacy and confidentiality provisions may be issued by the judge or administrative tribunal.
In contrast, subpoenas alone as issued by attorneys or court clerks do not by themselves override HIPAA authorization requirements. Before disclosing PHI in response to such a subpoena, the Privacy Rule generally requires either proof that reasonable efforts were made to notify the subject of the PHI (so they can object), or that a qualified protective order has been obtained to protect the PHI. If those conditions are not met, the covered entity must treat the request as any other disclosure outside the rule’s permitted uses, which means relying on a valid HIPAA authorization or another permitted exception.
Finally, HIPAA has not altered other federal regulations (such as the rules governing research subjects and records) merely by establishing authorizations or waiver criteria under the Privacy Rule; both regulations must be followed when applicable.
Areas Covered in the Session
- What is a HIPAA Authorization?
- Required Elements of a Valid Authorization
- Validity of Copies/Electronic Versions
- Expiration and Revocation
- Subpoenas vs. Court Orders
- Requirements When Responding to Subpoenas
- Examples of State Licensure Laws Governing Authorized Release by a Client or Patient
Why should you Attend?
Find out how HIPAA authorizations work and how they work together with court orders and subpoenas.
Who will Benefit?
Healthcare practitioners who may find themselves in a position where they need to submit healthcare records to a court of law
