Policy Materials

HIPAA Authorization


Source: http://privacyruleandresearch.nih.gov/authorization.asp

A Privacy Rule Authorization is an individual’s signed permission to allow a covered entity to use or disclose the individual’s protected health information (PHI) that is described in the Authorization for the purpose(s) and to the recipient(s) stated in the Authorization. In contrast, an informed consent document is an individual’s agreement to participate in the research study and includes a description of the study, anticipated risks and/or benefits, and how the confidentiality of records will be protected, among other things. An Authorization can be combined with an informed consent document or other permission to participate in research. If a covered entity obtains or receives a valid Authorization for its use or disclosure of PHI for research, it may use or disclose the PHI for the research, but the use or disclosure must be consistent with the Authorization.

The Authorization must be written in plain language. A copy of the signed Authorization must be provided to the individual signing it if the covered entity itself is seeking the Authorization. The Privacy Rule does not specify who must draft the Authorization, so a researcher could draft one. The Privacy Rule specifies core elements and required statements that must be included in an Authorization. An Authorization is not valid unless it contains all of the required elements and statements. An Authorization form may also, but is not required to, include additional, optional elements so long as they are not inconsistent with the required elements and statements and are not otherwise contrary to the Authorization requirements of the Privacy Rule.

An Authorization, whether prepared by a covered entity or by a person requesting PHI from a covered entity, must include the following core elements and required statements:

Authorization Core Elements (see Privacy Rule, 45 C.F.R. 164.508(c)(1))

  • Description of PHI to be used or disclosed (identifying the information in a specific and meaningful manner).
  • The name(s) or other specific identification of person(s) or class of persons authorized to make the requested use or disclosure.
  • The name(s) or other specific identification of the person(s) or class of persons who may use the PHI or to whom the covered entity may make the requested disclosure.
  • Description of each purpose of the requested use or disclosure. Researchers should note that this element must be specific to the research study, not for future unspecified research. Authorization may be used to create a repository or database.
  • Authorization expiration date or event that relates to the individual or to the purpose of the use or disclosure (the terms “end of the research study” or “none” may be used for research, including for the creation and maintenance of a research database or repository).
  • Signature of the individual and date. If the Authorization is signed by an individual’s personal representative, a description of the representative’s authority to act for the individual.

Authorization Required Statements (see Privacy Rule, 45 C.F.R. 164.508(c)(2))

  • The individual’s right to revoke his/her Authorization in writing and either (1) the exceptions to the right to revoke and a description of how the individual may revoke his/her Authorization or (2) reference to the corresponding section(s) of the covered entity’s Notice of Privacy Practices.
  • Notice of the covered entity’s ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the Authorization, including research-related treatment, and, if applicable, consequences of refusing to sign the Authorization.
  • The potential for the PHI to be re-disclosed by the recipient and no longer protected by the Privacy Rule. This statement does not require an analysis of risk for re-disclosure but may be a general statement that the Privacy Rule may no longer protect health information.*

A research subject may revoke his/her Authorization at any time. However, a covered entity may continue to use and disclose PHI that was obtained before the individual revoked his or her Authorization to the extent that the entity has taken action in reliance on the Authorization. In cases where the research is conducted by the covered entity, this would permit the covered entity to continue using or disclosing the PHI as necessary to maintain the integrity of the research, as, for example, to account for a subject’s withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events.

* If an Authorization permits disclosure of PHI to a person or organization that is not a covered entity (such as a sponsor or funding source of the research), the Privacy Rule does not continue to protect the PHI disclosed to the noncovered entity. However, other applicable federal and state laws as well as agreements between the disclosing covered entity and the PHI recipient may establish continuing protections for the disclosed information.