The HIPAA Authorization Requirements
By Brian Gilmore | Published October 2, 2024
Question: When is a HIPAA authorization needed from an employee or dependent, and what is the required content of the authorization?
Short Answer: Individuals generally must authorize any use or disclosure of their PHI that is not for treatment, payment, or health care operations. HIPAA authorizations must contain specific “core elements” and required statements to be valid.
General Rule: HIPAA Covered Entities and PHI
The HIPAA privacy and security rules apply to the following three types of “covered entities”:
Health Plans
Employer-sponsored group health plans
Health insurance carriers (including HMOs)
Government health programs (Medicare, Medicaid, IHS, TRICARE, etc.)
Health Care Clearinghouses
Health Care Providers (transmitting health information electronically)
Doctors, nurses, hospitals, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, etc.
Employer-sponsored group health plans (e.g., medical, dental, vision, health FSA, HRA, EAP, wellness) are a health plan covered entity subject to the HIPAA privacy and security rules. Protected Health Information (PHI) is individually identifiable health information maintained or transmitted by a covered entity (including an employer-sponsored group health plan) or a business associate (a vendor that has access to PHI).
For more details: Newfront HIPAA Training for Employers Guide
Note: HIPAA excludes enrollment/disenrollment information from the definition of PHI subject to HIPAA protection, significantly limiting the scenarios where employers interact with PHI. Enrollment/disenrollment information held by the covered entity in its role as employer is instead treated as an employment record, provided it does not include any substantial clinical information.
For more details: Types of PHI and De-Identified PHI.
General Rule: Three Permitted Uses of PHI Without Individual HIPAA Authorization
HIPAA permits covered entities to use or disclose PHI for three primary reasons without the individual’s authorization:
Treatment
The provision, coordination, or management of health care services by health care providers
Does not apply to health plan covered entities (e.g., employer-sponsored group health plans)
Note: The minimum necessary rule does not apply to treatment
Payment
Activities to obtain premiums, to determine or fulfill responsibility for coverage and the provision of benefits under the health plan, or to obtain or provide reimbursement for health care
Includes eligibility determinations, subrogation, risk adjusting, billing, claims management, collection, stop-loss, medical necessity and utilization review
Health Care Operations
Quality assessment and improvement, patient safety activities, case management, care coordination, information about treatment alternatives
Underwriting, enrollment, premium rating, and other contractual processes
Customer service, plan sponsor data analysis, wellness program operations
The general rule is that any use or disclosure of PHI by a covered entity or business associate for another purpose requires the individual’s valid HIPAA authorization.
HIPAA Authorization Requirements
Employees or dependents generally need to authorize any use or disclosure of PHI that is not for treatment, payment, or health care operations. For these non-routine uses and disclosures of PHI, HIPAA requires that the authorization meet multiple requirements to be valid; an authorization missing any of them is defective, and a use or disclosure made in reliance on it is not permitted.
Six Core Elements of a Valid HIPAA Authorization
A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
The name or other specific identification of the person(s) or categories of persons authorized to make the requested use or disclosure (e.g., the employer-sponsored group health plan, physician, hospital, laboratory, medical facility);
The name or other specific identification of the person(s) to whom the covered entity may disclose the PHI;
A description of each purpose of the requested use or disclosure of the PHI (“at the request of the individual” is generally sufficient);
An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure (e.g., “one year from the date the Authorization is signed,” “upon the minor reaching the age of majority,” “upon termination of enrollment in the health plan”); and
Signature of the individual and date (if signed by a personal representative, a description of the representative’s authority to act for the individual must also be provided).
Three Required Statements in a Valid HIPAA Authorization
The individual’s right to revoke the authorization in writing, together with any exceptions to that right and how to revoke (or a reference to the covered entity’s notice of privacy practices where that notice already contains this information);
The inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization (or, in the limited cases where conditioning is permitted, the consequences to the individual of refusing to sign); and
The potential for information disclosed pursuant to the authorization to be further disclosed by the recipient without HIPAA protections.
Two Additional Requirements for a Valid HIPAA Authorization
The authorization must be written in plain language; and
If the covered entity seeks the individual’s authorization, it must provide the individual with a copy of the signed authorization.
Exception: Disclosing PHI to Family Members Without an Authorization
There are certain limited, specified situations where a covered entity (e.g., the health plan) may disclose PHI to a family member or close personal friend for care or payment of care purposes. This situation most commonly arises with parents assisting an adult child with treatment/payment.
In general, this form of disclosure requires that the disclosure be of PHI that is directly relevant to the family member’s or close personal friend’s involvement with the individual’s care or payment for care. Depending on whether the individual has the capacity to make health care decisions, it may also require that the individual first has the opportunity to agree to, prohibit, or restrict the disclosure.
Individual Has the Capacity to Make Health Care Decisions
In this case, the covered entity may disclose PHI to the family member or close personal friend if it:
Obtains the individual’s agreement (written or oral);
Provides the individual with the opportunity to object to the disclosure (and the individual does not object); or
Reasonably infers from the circumstances, based on professional judgment, that the individual does not object to the disclosure.
Individual is Not Present, or the Opportunity to Agree or Object Cannot Practically be Provided Because of the Individual’s Incapacity or an Emergency Circumstance
Under these circumstances, providing the individual with the opportunity to object to the disclosure is not possible. The covered entity may disclose PHI to the family member or close personal friend if it:
In the exercise of professional judgment, determines that the disclosure is in the best interests of the individual; and
Limits disclosure to only the PHI that is directly relevant to the person’s involvement with the individual’s care or payment related to the individual’s health care or needed for notification purposes.
For more details: Disclosing PHI to Family Members Under HIPAA
Exception: Disclosing PHI for Legal or Policy Purposes without an Authorization
Covered entities may disclose PHI without the individual’s authorization in any of the following 12 legal/policy contexts set forth by HIPAA:
The use or disclosure of PHI is required by law;
For public health activities (e.g., public health authorities, FDA, schools for proof of immunization with parental agreement);
The PHI of victims of abuse, neglect, or domestic violence where the PHI is needed by a government authority authorized to receive such reports;
Certain health oversight agencies for activities authorized by law to oversee the health care system and for other similar purposes;
For judicial and administrative proceedings where required by the judicial process;
To law enforcement officials for law enforcement purposes;
To a coroner, medical examiner, or funeral director for a deceased individual where needed to perform their duties (e.g., identify the body, determine cause of death);
For organ, eye, or tissue donation from a deceased individual to facilitate donation and transplantation;
For certain research purposes;
To avert a serious threat to health or safety of a person or the public;
Specialized government functions (e.g., military, national security, presidential protective services, national criminal background check system); or
To comply with workers’ compensation laws.
Note: There are new HIPAA reproductive health rules that prohibit HIPAA covered entities and business associates from a) using or disclosing PHI to conduct any form of criminal, civil, or other legal proceeding related to an individual’s reproductive health care that is lawful under the circumstances in which it is provided, and b) identifying any person for the purpose of conducting any such investigation or imposing any such liability. This includes a required new attestation that must be signed by any party requesting PHI that is potentially related to reproductive health care to confirm the use or disclosure is not for a prohibited purpose, as well as required updates to the Notice of Privacy Practices document.
For more details: New HIPAA Reproductive Health Rules
Exception: Authorization Required for Use and Disclosure of Psychotherapy Notes
Although the general rule is that a covered entity or business associate may use or disclose PHI for one of the three permitted purposes (treatment, payment, health care operations) described above without an authorization, the HIPAA rules provide special protection for psychotherapy notes. With limited exceptions, and other than use by the originator of the psychotherapy notes for treatment, the covered entity must obtain the individual’s authorization prior to any use or disclosure of psychotherapy notes. The authorization is required even for a disclosure for treatment purposes to a health care provider other than the originator of the notes.
HIPAA defines “psychotherapy notes” as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. The rules treat psychotherapy notes differently because they contain particularly sensitive information and are not needed for any purpose other than by the mental health professional who created them.
Health Plans Generally Cannot Condition Benefits on an Authorization
To ensure that HIPAA authorizations are voluntary, health plans generally cannot condition benefits, payment, enrollment, or eligibility on the individual completing an authorization.
Note, however, that it is common for non-health plans such as life and disability programs to condition benefits on the participant’s HIPAA authorization that provides the plan with access to medical records to determine whether the individual qualifies for benefits. Furthermore, many common employer activities unrelated to the health plan can be conditioned on a HIPAA authorization. For example, employers may need access to PHI pursuant to the employee’s authorization to approve leaves, ADA reasonable accommodations, or for drug and alcohol testing purposes.
Right to Revoke HIPAA Authorization
Individuals have the right to revoke a HIPAA authorization at any time by requesting the revocation in writing. The revocation is effective except to the extent the covered entity has already taken action in reliance on the authorization (for example, a disclosure already made before the revocation was received cannot be undone).
Summary
The HIPAA rules accommodate routine uses and disclosures of PHI without the need for the individual’s authorization to ensure the health plan and health care industries can function smoothly. The situations in which the covered entity or business associate does not need the individual’s authorization include the use or disclosure of PHI for treatment, payment, or health care operations.
In most situations where the use or disclosure does not qualify as for those three purposes, the individual will need to complete a valid HIPAA authorization to permit the usage. The HIPAA authorization must include the core elements, the required statements, and be written in plain language to be valid.
Reminder: HIPAA Training Session
Join us for our annual live HIPAA training session on October 10 from 10am-11am (available on-demand afterward).
Relevant Cites:
45 CFR §164.508:
(c) Implementation specifications: Core elements and requirements.
(1) Core elements. A valid authorization under this section must contain at least the following elements:
(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
(iv) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.
(2) Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:
(i) The individual's right to revoke the authorization in writing, and either:
(A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
(B) To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by §164.520, a reference to the covered entity's notice.
(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:
(A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or
(B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.
(iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart.
(3) Plain language requirement. The authorization must be written in plain language.
(4) Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.
Disclaimer: The intent of this analysis is to provide the recipient with general information regarding the status of, and/or potential concerns related to, the recipient’s current employee benefits issues. This analysis does not necessarily fully address the recipient’s specific issue, and it should not be construed as, nor is it intended to provide, legal advice. Furthermore, this message does not establish an attorney-client relationship. Questions regarding specific issues should be addressed to the person(s) who provide legal advice to the recipient regarding employee benefits issues (e.g., the recipient’s general counsel or an attorney hired by the recipient who specializes in employee benefits law).
Brian Gilmore
Lead Benefits Counsel, VP, Newfront
Brian Gilmore is the Lead Benefits Counsel at Newfront. He assists clients on a wide variety of employee benefits compliance issues. The primary areas of his practice include ERISA, ACA, COBRA, HIPAA, Section 125 Cafeteria Plans, and 401(k) plans. Brian also presents regularly at trade events and in webinars on current hot topics in employee benefits law.