Invalid authorizations

May 6, 2005

A medical records retrieval service has been sending us signed authorizations that don't contain all the HIPAA-required items, although the service insists that its forms are in compliance. Should we honor these requests for information?

Q: A medical records retrieval service has been sending us signed authorizations that don't contain all the HIPAA-required items, although the service insists that its forms are in compliance. Should we honor these requests for information?

A: No. To be valid, an authorization must contain, at minimum, the following elements: (1) a description of the information to be disclosed; (2) the name of the authorized discloser; (3) the name of the recipient; (4) the purpose of the disclosure (which, in special circumstances, may be satisfied with the phrase, "at the request of the individual"); (5) an expiration date or event (for example, "at the conclusion of the research project"); and (6) the patient's signature and date.

A valid authorization must also make clear the patient's right to revoke the authorization in writing at any time; whether, in special circumstances, any treatment, payment, enrollment, or benefit eligibility is dependent upon the authorization; and the potential for the information to be redisclosed by the recipient and, therefore, no longer protected by HIPAA.

Alert the retrieval service to whatever items you believe are missing from their authorizations, asking them to make the necessary changes.