(From HHS' formal guidance issued December 4, 2002)
Q: Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time an entire medical record is disclosed?
A: No. The Privacy Rule does not prohibit the use, disclosure, or request of an entire medical record. Finally, no justification is needed in those instances where the minimum necessary standard does not apply....
(From the preamble to the 12/28/2000 Privacy Rule, 65 FR 82517: "There are no limitations on the information that can be authorized for disclosure.")
If an individual wishes to authorize a covered entity to disclose his or her entire medical record, the authorization can so specify. In order for the covered entity to disclose the entire medical record, the authorization must be specific enough to ensure that the individual has a clear understanding that the entire record will be disclosed. For example, if the VA seeks authorization for release of all health information to facilitate the processing of benefit applications, then the description on the authorization form must specify "all health information" or "the equivalent."
The Privacy Rule states (164.502(b)(2)) "Minimum necessary does not apply...to... (iii) uses or disclosures made pursuant to an authorization under Sec. 164.508."
Q: Must the HIPAA Privacy Rule's minimum necessary standard be applied to uses or disclosures that are authorized by an individual?
A: No. Uses and disclosures that are authorized by the individual are exempt from the minimum necessary requirements, 45 CFR 164.502(b)(2)(iii).
Q: Are providers required to make a minimum necessary determination to disclose to federal or state agencies, such as the VA, for individuals' applications for federal or state benefits?
A: No. These disclosures must be authorized by an individual and therefore, are exempt from the HIPAA Privacy Rule's minimum necessary requirements. Furthermore, use of the provider's own authorization form is not required. Providers can accept an agency's authorization form as long as it meets the requirements of 45 CFR 164.508 of the Privacy Rule. For example, disclosures to VA for purposes of determining eligibility for disability benefits are currently made subject to an individual's completed VA authorization form.
From the Federal Register, 65 FR 82660, the preamble to the final Privacy Rule (45 CFR 164) responding to public comments on the proposed rule:
Comment: Many commenters requested clarification that covered entities may rely on electronic authorizations, including electronic signatures.
Response: All authorizations must be in writing and signed. We intend e-mail and electronic documents to qualify as written documents. Electronic signatures are sufficient, provided they meet standards to be adopted under HIPAA.
Comment: Some commenters asked whether covered entities can rely on copies of authorizations rather than the original. Other comments asked whether covered entities can rely on the assurances of a third party, such as a government entity that a valid authorization has been obtained to use or disclose protected health information. These commenters suggested that such procedures would promote the timely provision of benefits for programs that require the collection of protected health information from multiple sources, such as determinations of eligibility for disability benefits.
Response: Covered entities must obtain the individual's authorization to use or disclose protected health information for any purpose not otherwise permitted or required under this rule. They may obtain this authorization directly from the individual or from a third party, such as a government agency, on the individual's behalf. In accordance with the requirements of Sec. 164.530(j), the covered entity must retain a written record of authorization forms signed by the individual. Covered entities must, therefore, obtain the authorization in writing. They may not rely on assurances from others that a proper authorization exists. They may, however, rely on copies of authorizations if doing so is consistent with other law.
From 45 CFR 164.508(c)(1): "A valid authorization...must contain at least the following elements:
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure."
From the preamble to the 12/28/2000 Privacy Rule, 65 FR 82517:
"...the authorization must include the name or other specific identification of the person(s) or class of persons that are authorized to use or disclose the protected health information. If an authorization permits a class of covered entities to disclose information to an authorized person, the class must be stated with sufficient specificity so that a covered entity presented with the authorization will know with reasonable certainty that the individual intended the covered entity to release protected health information. For example, a covered licensed nurse practitioner presented with an authorization for "all physicians" to disclose protected health information could not know with reasonable certainty that the individual intended for the practitioner to be included in the authorization."
From the Federal Register, 65 FR 82662, the preamble to the final Privacy Rule (45 CFR 164) responding to public comments on the proposed rule:
Comment: Some commenters urged us to permit authorizations that designate a class of entities, rather than specifically named entities, that are authorized to use or disclose protected health information. Commenters made similar recommendations with respect to the authorized recipients. Commenters suggested these changes to prevent covered entities from having to seek, and individuals from having to sign, multiple authorizations for the same purpose.
Response: We agree. Under Sec. 164.508(c)(1), we require authorizations to identify both the person(s) authorized to use or disclose the protected health information and the person(s) authorized to receive protected health information. In both cases, we permit the authorization to identify either a specific person or a class of persons.
From 42 CFR Part 2, Confidentiality of Alcohol and Drug Abuse Patient Records, section 2.31: "A written consent...must include (1) the specific name or general designation of the program or persons permitted to make the disclosure." The preamble to the regulations makes it clear that the intent of that language was to permit the individual to make an informed choice about how specific they want to be in designating those authorized to disclose, e.g., "a patient who chooses to authorize disclosure of all his or her records without the necessity of completing multiple consent forms or individually designating each program on a single consent form would consent to disclosure from all programs in which the patient has been enrolled as an alcohol or drug abuse patient. ...The patient is in a position to be informed of any programs in which he or she was previously enrolled and from which he or she is willing to have information disclosed." [52 Federal Register 21799 (June 9, 1987)]
The VA Form 21-4142 clearly states at the heading "EXPIRES" that the authorization is good for 12 months from the date signed.
From the U.S. Federal Register, 65 FR 82662, and the preamble to the final Privacy Rule (45 CFR 164) responding to public comments on the proposed rule:
Comment: Some commenters requested clarification that covered entities are permitted to seek authorization at the time of enrollment or when individuals otherwise first interact with covered entities. Similarly, commenters requested clarification that covered entities may disclose protected health information created after the date the authorization was signed but prior to the expiration date of the authorization. These commenters were concerned that otherwise multiple authorizations would be required to accomplish a single purpose. Other comments suggested that we prohibit prospective authorizations (i.e., authorizations requested prior to the creation of the protected health information to be disclosed under the authorization) because it is not possible for individuals to make informed decisions about these authorizations.
Response: We confirm that covered entities may act on authorizations signed in advance of the creation of the protected health information to be released. We note, however, that all of the required elements must be completed, including a description of the protected health information to be used or disclosed pursuant to the authorization. This description must identify the information in a specific and meaningful fashion so that the individual can make an informed decision as to whether to sign the authorization.
From the U.S. Federal Register, 65 FR 82518, and the preamble to the final Privacy Rule (45 CFR 164) responding to public comments on the proposed rule: "We do not require verification of the individual's identity or authentication of the individual's signature."
Comment: From 65 FR 82660: We requested comments on reasonable steps that a covered entity could take to be assured that the individual who requests the disclosure is whom she or he purports to be. Some commenters stated that it would be extremely difficult to verify the identity of the person signing the authorization, particularly when the authorization is not obtained in person. Other comments recommended requiring authorizations to be notarized.
Response: To reduce burden on covered entities, we are not requiring verification of the identities of individuals signing authorization forms or notarization of the forms.