Employee Handbook

14.14 Authorization for Use or Disclosure of PHI

14.14.1 Policy Statement

All uses and disclosures of protected health information (PHI) beyond those otherwise permitted by current HIPAA law, and not otherwise prohibited under another applicable law, require a signed authorization. In addition, the Health Plan may obtain a signed authorization in situations where it is not required, but the Health Plan chooses to obtain the authorization.

14.14.2 Policy Interpretation and Implementation

Responsibility For Obtaining Authorizations

The HIPAA Privacy Officer or his/her designee will be responsible for obtaining authorizations when use or disclosure of protected health information is necessary.

 

 

Provision of Treatment, Payment, or Eligibility

The provision of treatment, payment, or eligibility for benefits may not be conditioned on the individual's provision of an authorization for the use or disclosure of PHI.

 

 

Content of Authorization

Each authorization for the use or disclosure of an individual's PHI will be written in easy to read language and will include, at a minimum, the following information:

  • A specific and meaningful description of the information to be used or disclosed;
  • The name or identification of the person or class of person(s) authorized to make the use or disclosure;
  • The name or identification of the person or class of person(s) to whom the requested use or disclosure may be made;
  • An expiration date, condition or event that relates to the individual or the purpose of the use or disclosure; the authorization shall state that it will expire after ninety (90) days unless the individual has opted for a shorter or longer time. An individual may specify a longer period of time for the duration of the authorization only if the person:
    • Is part of an approved research study and has given authorization for a longer period of time; or
    • Is expected to continue receiving services beyond ninety (90) days and has given authorization for a longer period of time, which may be up to one calendar year.
  • A statement of the individual's right to revoke the authorization in writing, and exceptions to the right to revoke, together with a description of how the individual may revoke the authorization. Upon written notice of revocation, further ruse or disclosure of PHI shall cease immediately except to the extent that the facility, program or individual has acted in reliance upon the authorization or to the extent that use or disclosure is otherwise permitted or required by law; (See policy entitled Revocation of an Authorization.)
  • A statement that the information may only be re -released with the written authorization of the individual, except as required by law;
  • The dated signature of the individual; and
  • If the authorization is signed by a personal representation of the individual, a description of the representative's authority to act on behalf of the individual.

 

 

Request Form

The Health Plan may develop a standard form for authorizing use and disclosure of PHI. If the Health Plan develops a form, the form must be used for all authorizations.

 

 

Requests to Use or Disclose PHI for Own Purposes

If the authorization is requested by the Health Plan for its own use or disclosure of the PHI it maintains, for purposes outside of treatment, payment or health care operations (TPO), health care oversight or public health activities, the following elements are required in addition to those specified in paragraph 2 above:

  • Except in circumstances where it is allowed, a statement that treatment, payment and eligibility for benefits will not be conditioned upon the individual's provision of an authorization;
  • A description of each purpose of the requested use or disclosure;
  • A statement that the individual may refuse to sign the authorization;
  • If applicable, a statement that the use or disclosure will result in direct or indirect remuneration for a third party; and
  • A copy of the signed authorization provided to the individual.

 

 

Requests for PHI from Others

If the authorization is requested for disclosures of PHI by others, the following elements are required in addition to those specified in paragraph 3 above:

  • A description of each purpose of the requested disclosure;
  • Except in circumstances where it is allowed, a statement that treatment, payment and eligibility for benefits will not be conditioned upon the individual's provision of an authorization;
  • A statement that the individual may refuse to sign the authorization; and
  • A copy of the signed authorization provided to the individual.

 

 

Use or Disclosure of PHI for Research

Use or disclosure of PHI created for research generally requires an authorization unless such use or disclosure is permitted by law. Such authorization must include the basic elements specified in paragraphs 3 and 4 above, as well as the following information:

  • A description of the extent to which PHI will be used to carry out treatment, payment or health care operations (TPO);
  • A description of any PHI that will not be used or disclosed for purposes otherwise permitted, provided that the limitation may not preclude disclosures required by law or to avert serious threat to health or safety; and
  • References to any privacy notice expected to be given to the individual, which must include statements that the terms outlined in the privacy notice are binding.
  • The authorization for the use and disclosure of PHI created for research may be combined in the same document with the consent to participate in research, or the privacy notice.

 

 

Record Retention

A copy of all HIPAA covered information and any revisions shall be maintained for a period of at least six (6) years. Such retention may be in printed or electronic format, or both.

nbsp;

 

Privacy Officer

The Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays at (651) 696-6280.

 

 

Violations

Violations of this policy will be subject to discipline.