Covered entities must obtain authorization prior to releasing a patient’s protected health information (PHI). This applies to any disclosure other than those the HIPAA Privacy Rule lists as not requiring authorization, such as disclosures for treatment, payment and health care operations.
HIPAA does not provide a specific authorization form, but the law does require the authorization to contain certain components. These include the patient signature, an expiration date or event, specifics on what information is being released and for what purpose, and the names of the individuals who will disclose and receive PHI. Covered entities can release PHI to only the listed recipients. Disclosing information to undesignated parties would constitute a violation.
How HIPAA Help Center can assist in preventing the undesignated release of PHI
When ensuring the validity of authorization forms, it is important to have a template that requests all the necessary information and to verify that the entire document has been filled out. Release of information to an undesignated party can occur when covered entities disclose information to an individual who is not listed on the authorization or if no recipient is listed at all.
The Policies and Procedures module provides a place for a practice’s procedures to live, including those regarding the proper process of obtaining authorization. As such, workforce members can also access directions about who is considered a designated party.
HIPAA Help Center training features also walk covered entities through compliance with the minimum necessary standard, which ultimately protects practices from releasing PHI to undesignated parties. Additionally, users can store the authorization form itself within the application, allowing health care providers to more readily verify that the document complies with the HIPAA Privacy Rule.
Frequently asked questions about releasing information to an undesignated party:
How specific does the designated party identification need to be on the authorization form?
Covered entities may list the party on the authorization by class without specifically naming the individuals, according to the U.S. Department of Health and Human Services. For example, covered entities may sufficiently identify the designated party with the phrase “Employees of the Data Center of XYZ research group.”
What happens if covered entities release PHI to an undesignated party?
Release of PHI to an undesignated party, even accidentally, would result in a violation of the HIPAA Privacy Rule. The offenders would be subject to civil and possibly criminal penalties depending on the circumstances.