HIPAA Release Requirements
What Does a Valid HIPAA Authorization Contain?
A valid HIPAA authorization must be written in plain language and must contain at least the following core elements:
- A description of each purpose of the requested use or disclosure of PHI
- A description of the information to be used or disclosed that identifies the information in a specific fashion
- A list of those who are authorized to use and disclose PHI
- A list of those who may request disclosure of PHI (e.g. an Institutional Review Board, the Office for Human Research Protections, other regulatory offices)
- The expiration date or expiration event of the authorization. For research, the statement "end of the research study," "none," or similar language is sufficient if the authorization is for a use or disclosure for research, including for the creation and maintenance of a research database or repository.
- Signature of the individual and the date. If the authorization is signed by a personal representative of the individual, a description of the representative's authority to act for the individual must be provided.
- A statement of the individual's right to revoke the authorization in writing, with either a reference to the revocation right and procedures described in the covered entity's notice of privacy practices, or a statement of the exceptions to the right to revoke and a description of how the individual may revoke the authorization. Exceptions to the right to revoke include situations in which the covered entity has already taken action in reliance on the authorization, or the authorization was obtained as a condition of obtaining insurance coverage.
- A statement about the ability or inability of the covered entity to condition treatment, payment, enrollment, or eligibility for benefits on the authorization. The authorization must either state that the covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on whether the individual signs it, or, where conditioning is permitted (research-related treatment, enrollment or eligibility for benefits, or healthcare provided solely for the purpose of creating protected health information for a third party), describe the consequences of refusing to sign.
- A statement that information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and may no longer be protected by the Privacy Rule.
- When a covered entity requests patient authorization: the covered entity must provide the individual with a copy of the signed authorization whenever the covered entity itself seeks the authorization.
- When a non-covered entity requests patient authorization: if a non-covered entity (e.g. a pharmaceutical company or an attorney's office) solicits a patient's authorization to release PHI to itself, the authorization must still contain all elements of a general authorization as described above. See the research authorization guidance below.
HIPAA Release Requirements Overview
The HIPAA Privacy Rule reached its compliance date on April 14, 2003, and established standards for information disclosure, including what constitutes a valid authorization. HIPAA applies to covered entities, defined by the rule to include health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a standard transaction; once an entity is covered, the rule protects its PHI in any form, including paper. The rule was amended by the final HITECH Omnibus Rule, published January 25, 2013, with an effective date of March 26, 2013, and a compliance date of September 23, 2013.
The HITECH Omnibus Rule extends disclosure requirements and associated liabilities to business associates. Business associates are required to comply with the same disclosure requirements as a covered entity and those expectations typically will be addressed in the business associate agreement between the covered entity and the business associate. Refer to our Business Associate Guide for further guidance.
Legal Requirements - HIPAA
Section 164.508 of the final privacy rule states that covered entities may not use or disclose protected health information (PHI) without a valid authorization, except as otherwise permitted or required in the privacy rule.
An authorization may be combined with another document to create a Compound Authorization only as described below:
- Research: An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same or another research study, including a consent to participate in the research or another authorization to disclose protected health information from the research.
In addition, the HITECH Omnibus Rule now permits the combining of conditioned and unconditioned authorizations, provided the individual is able to opt in to the unconditioned authorization. This simplifies authorization paperwork for the research community. For example, a researcher may rely on a single authorization for a clinical trial that requires execution of the authorization to participate in the trial and that also includes an opt-in (such as a check box or a second signature line) authorizing the covered entity to use and disclose the individual's PHI for a tissue bank, as long as the authorization makes clear that the individual may choose not to opt in to the tissue bank and that the choice will not affect treatment, payment, or benefits. There is one exception: this provision does not apply when the research involves the use or disclosure of psychotherapy notes. An authorization for psychotherapy notes may be combined only with another authorization for psychotherapy notes, not with an authorization covering other PHI.
- Psychotherapy notes: An authorization for the use or disclosure of psychotherapy notes may be combined with another authorization for the use or disclosure of psychotherapy notes. For example, an individual can complete an authorization that requests his psychotherapy notes be sent to his attorney and a second mental health professional. An authorization for psychotherapy notes must specifically identify psychotherapy notes when a general authorization or research authorization is executed. This can be indicated by the mark of a check box on the current form, or a separate form can be used. It is up to the covered entity whether the use of a separate form is preferred.
- General Authorizations: In accordance with §164.508 of the Privacy Rule, an authorization for the disclosure of health information may be combined with another authorization. For example, a patient may request on the same form that lab results be disclosed to two different family members living in separate residences. However, an authorization that conditions treatment, payment, enrollment, or eligibility for benefits on its completion may not be combined with a general authorization, because a general authorization is not conditioned. For example, an insurance company may not combine an authorization it requires as a condition of enrolling in its plan with a general authorization to obtain copies of patient information following the approved enrollment.
HITECH Omnibus Rules require a valid authorization be obtained from an individual before the use or disclosure of PHI for marketing purposes involving financial remuneration. The authorization must also include a statement about any direct or indirect remuneration the covered entity has received or will receive from a third party. An authorization for marketing purposes can be included on the organization's compliant HIPAA authorization form or a separate one may be created.
The following are exceptions to the marketing rule and do not require an authorization:
- Face-to-face communications from the covered entity to the individual
- Gifts of nominal value provided by the covered entity
Sale of Protected Health Information
The HITECH Omnibus Rule does not permit a covered entity to directly or indirectly receive remuneration in exchange for PHI of an individual unless covered by a valid authorization. An authorization for this purpose must include a statement that the disclosure will result in remuneration to the covered entity.
Note: Remuneration is used differently for the sale of PHI than for marketing. Here it is defined to include both financial and nonfinancial benefits, also known as in-kind benefits (e.g., laptops or tablets for the residency program).
The Confidentiality of Alcohol and Drug Abuse Patient Records Rule applies to federally assisted alcohol and drug abuse programs as defined in 42 CFR Part 2, §2.12. The rule establishes the following content requirements for authorizations to disclose individually identifiable patient health information generated by alcohol or drug abuse programs:
- The specific name or general designation of the program or person permitted to make the disclosure
- The name or title of the individual or the name of the organization to which disclosure is to be made
- Patient name
- Purpose of disclosure
- How much and what kind of information is to be disclosed
- The signature of the patient or legal representative
- The date on which the authorization is signed
- A statement that the authorization is subject to revocation at any time except to the extent that the program or person who is to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of services in reliance on a valid authorization or consent to disclose information to a third-party payer
- The date, event, or condition upon which the authorization will expire if not revoked. This date, event, or condition must ensure that the authorization will last no longer than reasonably necessary to serve the purpose for which it is given
- A statement informing the requestor that any disclosure carries with it the potential for redisclosure by the recipient and is no longer protected by the releasing entity
The HITECH Omnibus Rule made access to immunization records easier for disclosure to schools in states where proof of immunization is required by law prior to admission. Written authorizations are no longer required, but an agreement must still be obtained. The agreement may be oral and must come from a parent/guardian, or other person acting in loco parentis, or directly from the individual (i.e., adult or emancipated minor).
The agreement must be documented, but no signature by the parent is required. The final rule leaves it to the covered entity to decide what information about the agreement must be captured for its purposes. Written or e-mail requests suffice as documentation of the agreement. Agreements obtained under this provision remain effective until revoked by the parent, guardian, or other person acting in loco parentis, or by the individual (i.e., an adult or emancipated minor). The agreement is not a HIPAA authorization, and the resulting disclosures must therefore be captured on the accounting of disclosures.
In an environment of continuous technological advancement, the term "HIPAA compliant voice authorization" is heard more frequently. However, HIPAA does not address voice authorizations; they are governed by state law. Unless state law mandates otherwise, whether to accept and process voice authorizations is up to each organization. Whatever the decision, it should be addressed in the organization's policies and procedures.
The Uniform Electronic Transaction Act (UETA) equates electronic signatures to manual signatures. It requires that the signer execute or adopt a sound, symbol, or process with the intent to sign the record. Additionally, UETA requires that the electronic signature be linked or logically associated with the electronic record being signed.
UETA makes clear that almost any electronic act can suffice, including voice recordings, Web browser clicks, and other symbols or keystrokes that indicate intent. Under UETA, any type of digital information could be considered either a signature or a record, with the totality of the circumstantial evidence, both digital and real-world, being relevant and necessary.
Individual states may have laws or regulations defining authorization content or limiting the time period for which an authorization may be valid. For example, some state laws require that authorizations to disclose HIV records be separate from any other authorizations an individual may sign for release of protected health information. When such laws or regulations exist, consult 45 CFR Part 160, Subpart B of the HIPAA regulations to determine how the preemption requirements apply.
The Privacy Rule declares an authorization invalid if it has any of the following defects:
- The expiration date or event has passed or already occurred
- The authorization is missing one or more items of content described above
- The authorization is known to have been revoked
- The authorization violates a Privacy Rule standard on conditioning or compound authorizations
- Material information in the authorization is known to be false
Perhaps one of the unintended consequences of the Privacy Rule is that handwritten, patient-generated authorizations may often be invalid under the rule, as most do not contain an expiration date or a statement about the individual's right to revoke the authorization. To minimize the number of invalid authorizations received, the covered entity may wish to include a blank copy along with other materials provided to patients at the time of admission or may want to post its authorization form on its website and encourage individuals to review or complete prior to arrival.
Covered entities also may want to provide instructions for obtaining the authorization form on appropriate automated telephone messages. In addition, covered entities may find it beneficial to distribute new authorization forms to organizations that routinely request patient health information, such as local law firms, insurance companies, and law enforcement agencies.
Privacy and security experts recommend HIPAA-covered entities adhere to the following practices:
- Study both federal and state requirements for authorizations
- Draft an authorization form that complies with federal and state laws and regulations (see "Sample Authorization to Use or Disclose Health Information," in appendix A)
- Ask the risk manager and legal counsel to review your draft authorization form
- Update or generate new policies and procedures relative to the new authorization
- Order appropriate quantities of the approved authorization form
- Educate and train staff
- Post the approved authorization form on the organization's website
- Distribute new authorization forms to frequent requestors
The Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law. Electronic signatures are now widely accepted in most industries, yet many providers in the health industry still ask whether eSignatures are HIPAA-compliant. HHS has not issued a HIPAA-specific electronic signature standard: an electronically signed authorization is valid when the signature is valid under the applicable federal and state e-signature law (ESIGN and UETA) and under any industry rule that applies to the record, such as 21 CFR Part 11 for FDA-regulated research records.
UETA and ESIGN Act
Both the United States Electronic Signatures in Global and National Commerce (ESIGN) Act, and the Uniform Electronic Transactions Act (UETA), have four major requirements for an electronic signature to be recognized as valid under U.S. law. Those requirements are:
- Intent to sign - Electronic signatures, like traditional wet ink signatures, are valid only if each party intended to sign.
- Consent to do business electronically - The parties to the transaction must consent to do business electronically. Establishing that a business consented can be done by analyzing the circumstances of the interaction, but consumers require special consideration. Electronic records may be used in transactions with consumers only when the consumer has:
  - Received the UETA Consumer Consent Disclosures
  - Affirmatively agreed to use electronic records for the transaction
  - Not withdrawn such consent
- Association of signature with the record - In order to qualify as an electronic signature under the ESIGN Act and UETA, the system used to capture the transaction must keep an associated record that reflects the process by which the signature was created, or generate a textual or graphic statement (which is added to the signed record) proving that it was executed with an electronic signature.
- Record retention - U.S. laws on eSignatures and electronic transactions require that electronic signature records be capable of retention and accurate reproduction for reference by all parties or persons entitled to retain the contract or record.
US life sciences regulations (21 CFR Part 11)
Depending on your use case or industry, federal and state regulations may impose additional requirements beyond those of the general U.S. laws regarding eSignatures and digital transactions. For example, 21 CFR Part 11 ("Part 11") spells out requirements for electronic records and electronic signatures to be accepted by the FDA. Among other things, Part 11 requires that electronic records:
- Be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern valid or altered records
- Be able to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the FDA
- Ensure records are protected
- Limit access to authorized individuals
- Use secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records
How do e-signatures fit in?
Previously, only paper signatures would have been legally acceptable. With the passage of UETA and ESIGN laws in the United States, however, electronic signatures have become legally binding throughout the nation.
E-signatures can be legally used to sign contracts, agreements, and even consent forms. Virtually anywhere a pen-and-paper signature could be used, an electronic or digital signature can be substituted. There are exceptions, but healthcare documents are not among them. Instead, the government, through the guidelines established under HIPAA, allows e-signatures to be used provided certain criteria are met.
HIPAA Requirements Regarding eSignatures
The originally proposed HIPAA security standards contained an electronic signature standard, but when the Security Rule was finalized in 2003 that standard was dropped, and HIPAA itself no longer contains any provision for, or discussion of, e-signatures.
Since then, guidance has accumulated on e-signatures in healthcare. First, for the electronic signature to be valid, the patient must consent to its use and enter into an agreement with the healthcare provider.
This process must be fully documented and should include a second factor for authenticating the signer's identity beyond the signature itself (a password or PIN combined with, for example, a photograph or a code sent to a known device). In addition, the HIPAA Journal states that "Independent e-signatures should be used which contain all of the evidence supporting the signature in the same document, rather than one document being held by the CE and the other by the vendor of the e-signature."
Electronically signed documents, and the health information they release, must be secured appropriately to prevent unauthorized access. The signature must be tamper-proof, or at the very least tamper-evident, so that any alteration or forgery can be detected. Note that encryption protects the confidentiality of the document in transit and at rest; integrity and tamper-evidence come from a cryptographic signature or keyed hash over the signed record, and both controls are needed.
This means that healthcare providers can legally use e-signatures under HIPAA, so long as the criteria above are met.
Not only should the contract, document, agreement, or authorization comply with the federal rules for e-signatures; it should also clearly state its terms, clearly demonstrate the intent of the signatory, and give the signatory the option of receiving a printed or emailed copy. Covered entities are also advised to seek legal advice about any state or local laws that may govern whether e-signatures can be used under HIPAA rules.
- User Authentication - Covered entities must implement a system to validate the identity of all transacting parties in order to avoid disputes about whether the person who entered into the agreement actually had the authority to do so. Mechanisms such as two-step verification, answering "secret knowledge" questions, implementing specialized e-signature software and phone/voice authorization can resolve this issue.
- Message Integrity - A system that prevents digital tampering with the agreement after it has been signed must be implemented to ensure the integrity of the agreement both in transit and at rest. This condition closely mirrors the safeguards of the HIPAA Security Rule and should be treated with the same level of gravity. OCR auditors may look for e-signature risk assessments and a high level of integrity in all areas when conducting the next round of HIPAA audits.
- Non-Repudiation - In order to ensure that the signatory cannot deny having signed the agreement, e-signatures used under HIPAA rules should have a timestamped audit trail indicating dates, times, location and the chain of custody. This will ensure that contracts are legally enforceable and that authorization for the disclosure of PHI cannot later be contested. Providing the signatory with a printed or emailed copy of the document is one step to avoiding repudiation.
- Ownership and Control - The final condition for e-signatures to be used under HIPAA rules relates to copies of signed documents residing on the servers of e-signature service providers. In order for a covered entity to ensure the integrity of PHI, all of the evidence supporting the e-signature should be on the same document under the ownership and control of the covered entity. All other copies - except those provided for the signatory - should be digitally shredded.
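The integrity, non-repudiation, record-association and ownership points above describe a technique rather than a form: bind the signature to a digest of the exact record that was signed, keep a timestamped audit trail that cannot be quietly edited, truncated or reordered, and keep the verification key under the covered entity's own control. The Python script below is an added example written for this page; it is not code from HHS, from any e-signature vendor, or from the HIPAA Journal, and the record fields, trail layout, key and timestamps are all hypothetical. It binds a SHA-256 digest of the canonical record into the signing entry and tags each audit entry with an HMAC over the previous tag plus the entry, so the trail is a keyed hash chain.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample authorization record. The field names are hypothetical;
# they loosely mirror the core elements listed earlier on this page.
SAMPLE_AUTHORIZATION = {
    "patient": "Jane Q. Sample",
    "authorized_to_disclose": "Example Hospital",
    "recipient": "Example Attorney, LLP",
    "purpose": "legal representation",
    "information": "discharge summaries, 2023-01-01 through 2023-03-31",
    "expires": "2024-12-31",
    "revocation_notice": True,
    "redisclosure_notice": True,
}

GENESIS_TAG = "0" * 64  # chain anchor for the first audit entry


def canonical(record: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace): equal content always
    yields identical bytes, so a reordered copy is not mistaken for an edit."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_digest(record: dict) -> str:
    """SHA-256 of the canonical record; this is what the signature is bound to."""
    return hashlib.sha256(canonical(record)).hexdigest()


class SignedAuthorization:
    """An authorization record with a hash-chained, HMAC-tagged audit trail.

    tag_i = HMAC-SHA256(key, tag_(i-1) || canonical(entry_i)).  The key is held
    only by the covered entity (the 'ownership and control' point), so an edit,
    reorder or deletion inside the chain changes tags the entity can check.
    HMAC proves integrity and origin to the key holder only; it does not give a
    third party non-repudiation, which needs an asymmetric signature as well.
    """

    def __init__(self, record: dict, key: bytes, when: Optional[str] = None):
        self._key = key
        self.record = dict(record)
        self.digest = record_digest(self.record)
        self.trail: list = []
        self._append("created", {"record_sha256": self.digest}, when)

    def _tag(self, prev_tag: str, body: dict) -> str:
        return hmac.new(self._key, prev_tag.encode() + canonical(body), hashlib.sha256).hexdigest()

    def _append(self, action: str, details: dict, when: Optional[str]) -> dict:
        prev = self.trail[-1]["tag"] if self.trail else GENESIS_TAG
        body = {
            "seq": len(self.trail),
            "ts": when or datetime.now(timezone.utc).isoformat(),
            "action": action,
            "details": details,
        }
        entry = dict(body, tag=self._tag(prev, body))
        self.trail.append(entry)
        return entry

    def sign(self, signer: str, intent: str, auth_method: str, when: Optional[str] = None) -> dict:
        """Record the signing act.  Including record_sha256 ties the signature to
        exactly this content (the 'association of signature with the record')."""
        return self._append("signed", {
            "signer": signer,
            "intent": intent,
            "auth_method": auth_method,
            "record_sha256": self.digest,
        }, when)

    def verify(self) -> tuple:
        """Return (ok, reason): record unchanged, chain intact, signature present."""
        if record_digest(self.record) != self.digest:
            return False, "record content altered after creation"
        prev = GENESIS_TAG
        for i, entry in enumerate(self.trail):
            body = {k: v for k, v in entry.items() if k != "tag"}
            if body.get("seq") != i:
                return False, f"audit entry {i} missing or reordered"
            if not hmac.compare_digest(self._tag(prev, body), entry["tag"]):
                return False, f"audit entry {i} altered"
            prev = entry["tag"]
        # Truncating the tail of a hash chain leaves a valid prefix, so check
        # separately that the signing entry for this record is still present.
        if not any(e["action"] == "signed" and e["details"].get("record_sha256") == self.digest
                   for e in self.trail):
            return False, "no signature bound to this record"
        return True, "ok"


if __name__ == "__main__":
    key = b"covered-entity-secret-key"  # hypothetical; in practice from an HSM/KMS, never in source
    auth = SignedAuthorization(SAMPLE_AUTHORIZATION, key, when="2024-01-15T10:00:00+00:00")
    auth.sign("Jane Q. Sample", "I agree to the disclosure described above",
              "one-time code to registered phone + date of birth", when="2024-01-15T10:02:30+00:00")
    print(auth.verify())                   # (True, 'ok')
    auth.record["expires"] = "2099-12-31"  # an after-the-fact edit to the signed record
    print(auth.verify())                   # (False, 'record content altered after creation')
```

Because the tag of each entry covers the previous tag, altering a middle entry invalidates everything after it, and deleting the signing entry is caught by the separate presence check. When a party outside the covered entity must be able to verify who signed, the "signed" entry should additionally carry an asymmetric signature over the same record digest, which is what a PKI-backed e-signature service provides.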
History of electronic signature law in the United States
The ESIGN Act is a federal law passed in 2000. It grants legal recognition to electronic signatures and records if all parties to a contract choose to use electronic documents and to sign them electronically.
UETA, a precursor to the ESIGN Act, was introduced in 1999 and has been adopted by 47 U.S. states, as well as the District of Columbia and the U.S. Virgin Islands. Among other things, UETA provides that when a law requires either a writing or a signature, an electronic record or an electronic signature can satisfy that requirement when the parties to the transaction have agreed to proceed electronically.
UETA and the ESIGN Act solidified the legal landscape for use of electronic records and electronic signatures in commerce by confirming that electronic records and signatures carry the same weight and have the same legal effect as traditional paper documents and wet ink signatures. *Both laws provide the following:
- No contract, signature, or record shall be denied legal effect solely because it is in electronic form
- A contract relating to a transaction cannot be denied legal effect solely because an electronic signature or record was used in its formation
*The law for electronic signatures in most countries spells out certain types of documents or document categories for which electronic signatures are not appropriate. Each customer should work with legal counsel to identify categories of exclusion in the relevant country, but common categories of exclusion are wills and trusts, powers of attorney, and declarations given under oath.