Banner
  • Revenue Cycle Management
  • COVID-19
  • Reimbursement
  • Diabetes Awareness Month
  • Risk Management
  • Patient Retention
  • Staffing
  • Medical Economics® 100th Anniversary
  • Coding and documentation
  • Business of Endocrinology
  • Telehealth
  • Physicians Financial News
  • Cybersecurity
  • Cardiovascular Clinical Consult
  • Locum Tenens, brought to you by LocumLife®
  • Weight Management
  • Business of Women's Health
  • Practice Efficiency
  • Finance and Wealth
  • EHRs
  • Remote Patient Monitoring
  • Sponsored Webinars
  • Medical Technology
  • Billing and collections
  • Acute Pain Management
  • Exclusive Content
  • Value-based Care
  • Business of Pediatrics
  • Concierge Medicine 2.0 by Castle Connolly Private Health Partners
  • Practice Growth
  • Concierge Medicine
  • Business of Cardiology
  • Implementing the Topcon Ocular Telehealth Platform
  • Malpractice
  • Influenza
  • Sexual Health
  • Chronic Conditions
  • Technology
  • Legal and Policy
  • Money
  • Opinion
  • Vaccines
  • Practice Management
  • Patient Relations
  • Careers

Invalid authorizations

Article

A medical records retrieval service has been sending us signed authorizations that don't contain all the HIPAA-required items, although the service insists that its forms are in compliance. Should we honor these requests for information?

Q: A medical records retrieval service has been sending us signed authorizations that don't contain all the HIPAA-required items, although the service insists that its forms are in compliance. Should we honor these requests for information?

A: No. To be valid, an authorization must contain, at minimum, the following elements: (1) a description of the information to be disclosed; (2) the name of the authorized discloser; (3) the name of the recipient; (4) the purpose of the disclosure (which, in special circumstances, may be satisfied with the phrase, "at the request of the individual"); (5) an expiration date or event (for example, "at the conclusion of the research project"); and (6) the patient's signature and date.

A valid authorization must also make clear the patient's right to revoke the authorization in writing at any time; whether, in special circumstances, any treatment, payment, enrollment, or benefit eligibility is dependent upon the authorization; and the potential for the information to be redisclosed by the recipient and, therefore, no longer protected by HIPAA.

Alert the retrieval service to whatever items you believe are missing from their authorizations, asking them to make the necessary changes.

Related Videos
Jennifer N. Lee, MD, FAAFP
© National Institute for Occupational Safety and Health
© National Institute for Occupational Safety and Health
© National Institute for Occupational Safety and Health
© National Institute for Occupational Safety and Health
© National Institute for Occupational Safety and Health