When is a valid HIPAA authorization required?

HIPAA mandates authorization for using or disclosing PHI in marketing communications, except in two specific cases:

  • No authorization is needed if the communication happens in person between the covered entity and the individual.
  • No authorization is required if the communication includes a promotional gift of minimal value.

When an authorization is required, it must also be valid. A valid HIPAA authorization should include the following elements and statements:

Elements:

  • Description of the PHI
  • Purpose for the use or disclosure of PHI
  • Name of the person granting the authorization
  • Name of the authorized person or organization receiving the PHI
  • Signature of the person granting the authorization
  • Expiration date of the authorization

Statements:

  • The person has the right to revoke the authorization in writing at any time, along with instructions on how to do so
  • Any information disclosed under the authorization may be re-disclosed by the recipient and is no longer protected by federal or state health privacy laws
  • The person’s treatment, payment, enrollment, or eligibility for benefits is not dependent on whether they sign the authorization