The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is a set of standards designed to protect the medical records and personal information of patients. All covered entities are required by law to follow these standards. But there's a great deal of confusion surrounding the Privacy Rule and how it pertains to privacy authorizations. In an effort to clear up this confusion, we're going to take a closer look at some of the most frequently asked questions about HIPAA privacy authorization.

Do Privacy Authorization Forms Need a Witness?

It's a common assumption that Privacy Authorization forms need a witness to be legally binding. According to the U.S. Department of Health and Human Services (HHS), however, Authorization forms need neither a witness nor notarization. As long as the wording is correct and abides by the HIPAA Privacy Rule, the form is valid.

Can a Patient Revoke His or Her Authorization?

Here's a scenario to consider: a patient grants his or her friend authorization to access their medical records. Later, however, the patient changes their mind. This begs the question: can a patient revoke his or her authorization? The HIPAA Privacy Rule states that yes, a patient can revoke authorization at any time they please. However, it must be done in writing and will not take effect until the covered entity receives the written revocation.

Do I Need To Include an Expiration Date In a Privacy Authorization Form?

Yes, Privacy Authorization forms must include either a date or an “expiration event” after which the authorization is no longer valid. This doesn't necessarily mean that Privacy Authorization forms can only have a date. Expiration events may consist of “upon termination of health plan,” or “when the patient reaches the age of majority,” etc.

Can The Covered Entity Use PHI Based on Authorization?

Assuming the Privacy Authorization form describes the information used by the covered entity in a specific and meaningful fashion, then yes, the covered entity may use the patient's PHI. With that said, authorization is only valid if the form authorizes the covered entity to either use or disclose it. The wording of the form plays a key role in determining whether or not the covered entity is authorized to use it.


Image credit: Hilary Dotson via Flickr Creative Commons.
