Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, healthcare patients must give their written permission to a covered entity in order for that covered entity to disclose their Protected Health Information (PHI). This is among the many stipulations set forth in the Privacy Rule, and is designed to protect the privacy of healthcare patients. But what if a patient no longer wants his or her PHI disclosed? Are they allowed to revoke this type of authorization?
Before we answer this question, let's first talk about what's inside a typical HIPAA authorization form. While there's no specific format that covered entities must follow, the Privacy Rule requires all authorization forms to include several basic “core” elements, such as the following:
- Description of PHI, written in plain English, to be accessed, used and/or disclosed.
- Name of the person, persons or organization to whom authorization is given.
- Description of the reason for obtaining the patient's disclosure (e.g. research purposes).
- Expiration on date on which the authorization will terminate.
- Signature of the healthcare patient and date.
Assuming the covered entity is seeking authorization and not a third-party entity or business associate, a copy of the authorization form must also be provided to the healthcare patient. This form may be drafted by the covered entity or an outside organization (HIPAA does not specify who must create the authorization form).
Now back to the question at hand: can a healthcare patient revoke his or her authorization? The answer is yes. HIPAA's Privacy Rule grants healthcare patients the right to revoke authorization at any given time. However, there are a few things that you should first. Much like granting authorization, revoking authorization must be done in writing. A healthcare patient cannot verbally tell his or her doctor, for instance, that they no longer want their PHI to be accessed or disclosed. Revocations such as this must be done in writing in order for them to abide by HIPAA. Furthermore, written authorization revocations are not effective with actions taken prior to the revocation.
All HIPAA authorization forms must clearly state that the healthcare patient or individual has the right to revoke his or her authorization at any time. The method for revoking authorization must also be included in the form. Revocations are rare, but they do happen, and it's important for covered entities to go about them in the right way.