HIPAA Authorization

What Is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that resulted in significant impacts on healthcare and health insurance. 

One of those impacts was the development of privacy protections for medical records. Under HIPAA, your personal health information is generally protected from disclosure to third parties, except as you authorize or as is required by law.

Want to learn more about HIPAA and what it means? We’re sharing everything you need to know, including:

  • What is HIPAA Authorization?
  • What to include in your HIPAA Authorization
  • Other common questions

What is HIPAA Authorization?

A HIPAA Authorization is a document that authorizes the release of medical records that are protected under HIPAA. The authorization names designated representatives who may receive protected medical records, despite the privacy protections of HIPAA.

HIPAA is an important piece of legislation. It was originally an attempt at healthcare reform. It passed with two main objectives:

  1. To ensure healthcare stability between jobs (insurance portability)
  2. To ensure both security and confidentiality in terms of patient data and healthcare records while standardizing electronic data transmission relating to patients’ personal data

Why Would I Need to Share My Information?

A HIPAA Authorization works with a Living Will to ensure the people designated to make medical decisions for you are able to communicate with your healthcare providers about your condition, treatment and prognosis. 

Without a HIPAA Authorization, your family, loved ones and your designated representatives may be left in the dark, unable to receive information about your medical condition.

Creating a HIPAA Authorization avoids this by authorizing specific people to receive healthcare information so they can stay informed about your condition and make medical decisions on your behalf.

Is My Entire Medical History Shared?

No, your entire medical history isn’t automatically shared just because you sign a HIPAA Authorization. 

First, a large portion of the form is what’s known as “protected information.” Your name, phone number, address, social security number and most of the health information in the authorization are still protected. 

Also, keep in mind that HIPAA Authorizations are subject to what’s known as the “minimum necessary” standard. Healthcare professionals will only release whatever information is necessary to allow for a specific, intended purpose.

What to include in your HIPAA Authorization

There are several things to include in your HIPAA Authorization. For example, your HIPAA Authorization form should be written in plain, clear language and have: 

  • A statement of purpose, which is essentially just a description of information that will be disclosed
  • The name or names of anyone authorized to use or request the disclosure
  • The name or names of anyone you are allowing information to be disclosed to
  • A description of the requested use
  • A time frame, including an expiration date (can be “none”)
  • Your signature and date 
  • A description of your right to revoke authorization

Other common questions

Many people have concerns about how HIPAA Authorizations work or if they really need one in place. We cover some of the most common questions here.  

Does HIPAA Authorization Need to be Notarized?

No, a HIPAA Authorization does not need to be notarized. In fact, you don’t even need a witness to see you sign the form. 

How Long is HIPAA Authorization Valid?

Your HIPAA Authorization is valid until the expiration date you note. You can always revoke it in writing earlier than that date. 

Can a HIPAA Authorization Be Revoked?

Yes, you can revoke your HIPAA Authorization at any time, but you should do so in writing.  

What is the Difference Between ‘Consent’ and ‘Authorization’ in HIPAA?

“Consent” and “Authorization” are both terms used in the HIPAA Privacy Rule, but “Consent” is much more general, whereas an “Authorization” is more detailed and specific. 

Consent is the document giving permission to just one healthcare provider to disclose or use Protected Health Information (PHI) for Treatment, Payment and Operations (TPO).

Authorization is the customized document that gives Covered Entities (CEs) permission to disclose PHI for a specific purpose or to disclose information to a third party as specified by the document. 

What Isn’t Protected by HIPAA?

Some things are not protected by HIPAA. For example, if you are exposed to an infectious disease, a doctor may be required to notify proper agencies or health authorities. Another example is when information is requested by local, state or federal authorities.