When is a valid HIPAA authorization required?

HIPAA mandates authorization for using or disclosing PHI in marketing communications, except in two specific cases:

  • No authorization is needed if the communication takes place face to face between the covered entity and the individual.
  • No authorization is needed if the communication involves only a promotional gift of minimal value.

These exceptions cover only the decision to communicate. Where an authorization is required, it is valid only if it contains the following elements and statements:

Elements:

  • Description of the PHI
  • Purpose for the use or disclosure of PHI
  • Name of the person granting the authorization
  • Name of the authorized person or organization receiving the PHI
  • Signature of the person granting the authorization
  • Expiration date of the authorization

Statements:

  • The person has the right to revoke the authorization in writing at any time, along with instructions on how to do so
  • Any information disclosed under the authorization may be re-disclosed by the recipient and is no longer protected by federal or state health privacy laws
  • The person’s treatment, payment, enrollment, or eligibility for benefits is not dependent on whether they sign the authorization
