Authorized health information refers to protected health information (PHI) that a patient has given approval for a covered entity to release to a designated party. Patients grant this authorization through a signed document that states who will disclose the PHI, the names of the individuals who will receive it, an expiration date or event, the right to revoke, and details on what PHI will be disclosed and for what reason. Covered entities can release only the information specified in the authorization. All other PHI is unauthorized, and disclosing it would constitute a HIPAA Privacy Rule violation.
How HIPAA Help Center can assist in avoiding unauthorized release of PHI
The Training module prepares all workforce members for HIPAA compliance. Through this feature, covered entities can remain fully aware of what counts as unauthorized information. The glossary of links provided in the Resource section of HIPAA Help Center additionally allows practices to manage any difficult questions regarding this particular type of violation.
HIPAA also requires covered entities to have policies and procedures in place to safeguard PHI and prevent these violations from happening in the first place. The Policies and Procedures module allows users to create and implement policies that fit their practices’ specific needs.
Frequently asked questions about the release of unauthorized health information:
Can a patient’s entire medical record be used or disclosed with a single authorization?
Yes. According to the U.S. Department of Health and Human Services, covered entities can use and disclose a patient’s entire medical record so long as that authorization describes what PHI will be used. However, the HHS noted that while the term “entire medical record” sufficiently identifies to-be-disclosed information, the description “all protected health information” may not.
Can PHI be disclosed if it was created after the authorization was signed?
Yes. Information, regardless of when it was created, can be released so long as the PHI falls into the specified category and patients have not revoked their authorizations. For example, if patients authorized the sharing of their contact information with an insurance company, then any updated information, such as a new phone number, may be disclosed as well.
Who can receive unauthorized health information?
Covered entities can still disclose PHI that is not specified in an authorization to health care providers, such as nurses and laboratory technicians, for treatment, payment and health care operations. In these situations, it is not considered unauthorized information, as its release for these purposes does not necessitate patient consent.