Does your office disclose patient information properly? The following list can be used to determine if a records request meets HIPAA’s requirements for a valid authorization.
Does the authorization contain:
- Patient’s name
- Type of information to be disclosed
- Name of the provider from whom the information is being requested
- Name of the recipient of the information
- Purpose for the disclosure
- Signature of patient (or legal representative and their relationship)
- Date of signature
- Effective date and expiration date or event
- Statement informing the patient of their right to revoke the authorization
- Statement that the patient may inspect or copy the information disclosed
- Statement regarding any assessment of fees for providing the copy
This list may not be all-inclusive. There may be additional elements required by state law.
HIPAA requires that the authorization contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. Examples provided by the Department of Health and Human Services include “one year from the date the Authorization is signed”; “upon the minor’s age of majority”.
An Authorization remains in effect until its expiration date, expiration event or until the individual revokes it in writing.
Be aware of both incoming records requests and the forms that your office uses to request records!