Failing to include the right to revoke clause

Health care providers cannot disclose protected health information without patient authorization. Patients grant authorization through a signed form that contains the names of those who will disclose and receive the PHI, an expiration date or event, details on what PHI the covered entity will disclose and for what reason, and the right to revoke clause. The document is not valid unless it contains each of these components, but health care professionals frequently neglect to include the right to revoke clause.

The right to revoke clause is a statement that tells patients that they may legally void their approval for a covered entity to use and disclose PHI. The patient must also have access to directions on how to revoke authorization. Using or disclosing PHI without that statement included on the authorization constitutes a HIPAA violation.


How HIPAA Help Center can assist in including the right to revoke clause

Covered entities often neglect to include the right to revoke clause in authorizations due to a lack of knowledge about HIPAA compliance. The Training module walks all workforce members through compliance details, educating everyone on all aspects of the law. Additionally, the Learning Management System’s assignment and tracking capabilities let practices know who has completed training. The application also requires awareness training every quarter to ensure that practices remain informed.

Frequently asked questions about including the right to revoke clause:

Must covered entities include directions on how to revoke with the right to revoke statement?

Covered entities must provide patients with instructions on how to revoke their authorizations, but those details do not need to be on the authorization form itself. However, a covered entity can list directions alongside the right to revoke clause if it so chooses. If the authorization document does not outline the process, covered entities must provide it elsewhere, such as on the Notice of Privacy Practices.

Can covered entities use written authorizations provided by patients?

These authorizations are typically not valid, as they usually do not contain the right to revoke clause. Even if the patient specifically writes the document, it still needs this statement. Releasing PHI otherwise would constitute a violation.

How can a patient revoke authorization?

Patients must submit revocations in writing, and they are effective upon receipt by the covered entity. Your practice must also document these revocations and have them available for audits. HIPAA Help Center's Audit Readiness module helps covered entities secure all necessary documents ahead of time.
