Patient’s Guide to HIPAA – Uses and Disclosures: What Should I Do if Asked to Sign an Authorization to Disclose my Record?
You are reading the Patient’s Guide to HIPAA, FAQ 61 .
HIPAA Guide Quick Links:
FAQ 61: What Should I Do if Asked to Sign an Authorization to Disclose my Record?
Although not everyone who asks you to sign an authorization will have a sinister motive, you should be cautious in signing an authorization for more disclosure of your information. Here are some things to look out for:
• Does the authorization say that all of your information can be disclosed? If you are authorizing disclosure to another physician who is treating you, a broad authorization may be appropriate. If you are authorizing disclosure to a life insurance company, the company will likely insist on a broad authorization as part of the application process. However, if the authorization is for disclosure to your employer to explain your absence from work, you may want to be sure that the authorization only covers your recent illness and not records from the past. You may not want your employer to know, for example, that you were treated for a psychiatric ailment ten years ago.
• Is there an expiration date or event for the authorization? There should be in nearly all cases. You should try to understand why the date or event was chosen and be very suspicious of any open-ended authorizations. Some long-term research activities may be able to justify not having an expiration date. Otherwise, you should try to insist on a short expiration date or near-term event.
• Is the person authorized to receive the information properly described? It is okay if the form says ABC Life Insurance Company rather than the name of a specific individual at the company. However, if the form is too vague (e.g., “bearer”), then you should definitely think twice.
• Is the purpose for the disclosure properly described? If you tell the covered entity why you are authorizing the disclosure, you may be revealing information that you don’t want to reveal and don’t have to share. It is okay to sign a form that merely describes the purpose as “at the request of the individual.” However, we wouldn’t normally sign an authorization written that way without a good reason and then only if we trusted the recipient. By stating a purpose, you may limit what the recipient can do with the information. Anyone seeking an authorization in good faith should be willing to include an appropriate purpose and, if someone does not suggest a narrow purpose, you should be wary. This can be a bit tricky when you authorize disclosure to a lawyer for a malpractice suit against a provider.
• Is the authorization for a marketing activity? We would never sign a disclosure for a marketing purpose, no matter what the inducement. Once a marketer obtains your information, the marketer can use it, keep it, and sell it without any restriction for the rest of your life. Don’t give away your health privacy for a chance to win a t-shirt. The Rule allows prescription refill reminders even though they are marketing, but it imposes a limit on how much a provider can be paid for sending a reminder.
The Rule about sale of PHI for marketing activities got a bit more complex in 2013. Generally, a covered entity needs your authorization if is getting paid (“financial remuneration”) for the use of your information for a marketing purpose. That’s good, but limiting the sale of PHI made for a complicated rule because there are some times when it’s okay if a provider receives payment for disclosing PHI. For example, a health researcher may pay a hospital for the cost of providing records for the research project. The Rule explains this, but we won’t because it’s not relevant to most patients.
• Is the authorization for a research project? Read it carefully because a 2013 rule change allows research authorizations to be more expansive than in the past. The same authorization can cover the project itself and the storage of a blood, data, or tissue sample about you forever. You may or may not be comfortable with that. We encourage you to ask lots of questions about research and researchers. Not all researchers are truly trustworthy.
We want to emphasize that while we think that you should be cautious in signing authorizations, in some circumstances it will be the right thing to do. Being asked to sign an authorization should happen infrequently enough that you can spend a little time asking questions.
We would be cautious if asked to sign an authorization as part of the process for admission to a hospital. The HIPAA rule allows the hospital to make all the disclosure necessary for your care and for the hospital’s operations. If you are presented with an authorization to sign, ask questions. We have heard that some hospitals routinely collect authorizations that allow disclosures to employers. Some standard authorizations allow the hospital to film your operation or use your blood or tissue samples for purposes unrelated to treatment. These are examples of disclosure that you may not want to permit without a specific reason. The hospital may seek a broad authorization for its own convenience so that it can make a disclosure without getting your signature later. We suggest that any extra paperwork may be worth it, because it may protect you. You can decline to sign the authorization or you can limit its effectiveness to the period while you are in the hospital or perhaps for an additional week. If we were asked to sign an authorization that has language we didn’t like, we would just cross it out.
Roadmap: Patient’s Guide to HIPAA: Part 3: What You Should Know about Uses and Disclosures (FAQ 61 of 65)