Policy Summary
The HIPAA Privacy Rule requires that, in most situations, patients provide written authorization prior to uses or disclosures of their protected health information. This policy is to ensure that UW–Madison follows HIPAA regulations regarding patient authorizations for uses and disclosures of protected health information. This policy addresses clinical, non-research circumstances.
To ensure the privacy of patient health information, UW–Madison obtains patient authorization for uses and disclosures of health information that require authorization by law. In addition, when UW–Madison uses or discloses health information pursuant to a patient authorization, it does so only in a manner consistent with the authorization.
Policy Detail
- Authorization Not Required. Patient authorization is not required for:
  - The use of protected health information by individuals within the UW HCC or UW ACE for most treatment, payment, and health care operations (note, however, that the more stringent state and/or federal law requirements concerning the use and disclosure of alcohol and other substance abuse records and HIV test results continue to be in effect).
  - The disclosure of protected health information by individuals within the UW HCC or UW ACE for most treatment, payment, and many health care operations with another HIPAA-covered entity that shares a relationship with the patient (note, however, that the more stringent state and/or federal law requirements concerning the use and disclosure of alcohol and other substance abuse records and HIV test results continue to be in effect).
  - Required public health reporting.
  - Mandatory reporting under state law (e.g., suspected child abuse, elder abuse, required reports to state licensing agencies).
  - Disclosures pursuant to a court order.
For additional, less frequently occurring circumstances under which patient authorization is not needed for the use or disclosure of protected health information, see UW-104 “Uses and Disclosures of PHI Not Requiring Patient Authorization.”
- Authorization Required. Patient written authorization is required to use or disclose protected health information in circumstances including, but not limited to:
  - When the patient requests the use or disclosure, other than to themself.
  - For most marketing purposes. See UW-109 “Uses and Disclosures for Marketing” for additional information.
  - For a number of disclosures to the patient’s employer including pre-employment or continuing employment determinations, and Family and Medical Leave Act. (However, authorization is not required to release protected health information for Workers’ Compensation purposes.)
  - For use or disclosure of psychotherapy notes, except when the use or disclosure is specifically permitted by law.
  - For research purposes in most but not all cases.
  - For most fundraising purposes. See UW-110 “Uses and Disclosures for Fundraising” for additional information.
  - For any sale of protected health information. In this case, the authorization must specifically state that disclosure will result in remuneration to the UW HCC. See UW-104 “Sale of Protected Health Information Generally Prohibited” for additional details.
  - For disclosures to a patient’s attorney.
- Copy to the Patient. After an individual within the UW HCC or UW ACE obtains authorization from a patient to use or disclose protected health information, the individual will provide the patient with a copy of the signed authorization.
- Prohibited Authorizations. Individuals within the UW HCC or UW ACE are prohibited from obtaining authorization under the following circumstances:
  - In general, authorization for use or disclosure of health information may not be combined with any other document to create a compound authorization, except:
    - Authorization for use or disclosure of protected health information for research may be combined with any other type of written permission for the same or another research study (e.g., combining an authorization to participate in a research study with an authorization for the creation of a research database or repository, or with a consent to participate in the research).
    - Where research-related treatment is conditioned on provision of one of the authorizations, any compound authorization must clearly differentiate between the conditioned and unconditioned components and must provide the individual with an opportunity to opt-in to the research activities described in the unconditioned authorization.
    - Authorization for use or disclosure of psychotherapy notes may only be combined with another authorization for use or disclosure of psychotherapy notes.
    - An authorization (except for psychotherapy notes) may be combined with any other authorization except when the treatment, payment, or enrollment in a health plan or eligibility for benefits has been conditioned upon one of the authorizations.
  - An authorization may not condition treatment, payment, enrollment, or eligibility for benefits on receipt of authorization. Exceptions to this include:
    - If protected health information is created (or accessed) for treatment-related research, a research authorization may be required.
    - If protected health information is created solely for disclosure to another organization, authorization for disclosure to that organization may be required.
- Requirements of a Valid Authorization. To be valid, an authorization must be written in plain language. In obtaining authorization, use the approved UW–Madison Authorization for Disclosure of Medical Information form (available at hipaa.wisc.edu within the Forms tab). The following are required elements:
  - A meaningful description of the health information to be used or disclosed.
  - A description of each purpose of the use or disclosure in question.
  - The name or specific identification of the person(s) or class of persons authorized to make the requested use or disclosure.
  - The name or specific identification of the person(s) or class of persons to whom the use or disclosure may be made.
  - An expiration date or event (except when this is not required, such as in a research authorization).
  - A statement of the patient/client’s right to revoke the authorization in writing and the limitations on that right.
  - A description of how the patient/client may revoke the authorization.
  - A statement acknowledging that the health information disclosed pursuant to the authorization may be re-disclosed by the recipient and no longer protected by the Privacy Rule.
  - A statement regarding remuneration, either direct or indirect, if the entity is to receive such remuneration for a use or disclosure for marketing purposes.
  - A statement of UW–Madison’s ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization.
  - Signature of the patient/client or the patient/client’s legal representative and the date signed. The signature of a legal representative must be accompanied by a description of the representative's authority to act for the patient/client.
- Invalid Authorizations. An authorization is invalid if any of the following occur:
  - The expiration date or event has passed.
  - The authorization is not properly completed.
  - The authorization contains material information that the recipient of the authorization knows to be false.
  - The recipient of the authorization knows that the authorization has been revoked.
  - The authorization is of a type prohibited by law. See “Prohibited authorizations” above.
- Revocation of Authorizations. All revocations of authorizations must be in writing. A patient may revoke an authorization except to the extent that, if the authorization was obtained as a condition of obtaining insurance coverage, another law provides the insurer with the right to contest a claim under the policy or the policy itself.
A revocation revokes all uses of the authorization after receipt of the revocation, except where the recipient of the authorization has taken action in reliance upon the authorization prior to receipt of the revocation.
Consequences for Noncompliance
Failing to comply with this policy may result in discipline for the individual(s) responsible for such non-compliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.
Supporting Tools
Additional information may be found at www.compliance.wisc.edu/hipaa.