HIPAA Authorization: What You Need to Know to Protect Your Medical Privacy
Learn about HIPAA Authorization forms, why they matter for your healthcare privacy, and how to use them effectively regardless of your family or financial situation.
Introduction
A HIPAA Authorization is a legal document that gives healthcare providers permission to share your protected health information with specific people or organizations. Unlike the basic HIPAA privacy notices you routinely sign at doctor's offices, a HIPAA Authorization provides you with control over who can access your medical information beyond your direct healthcare providers. Whether you're married with children, single, or have significant assets to protect, understanding how to use HIPAA Authorizations effectively is crucial for maintaining privacy while ensuring your loved ones can help during medical emergencies.
Key Things to Know
- 1
HIPAA Authorizations are revocable at any time—you can change your mind about who has access to your information.
- 2
Without a HIPAA Authorization, healthcare providers may be legally prohibited from sharing your medical information, even with close family members.
- 3
Consider updating your HIPAA Authorization after major life events such as marriage, divorce, or when children reach adulthood.
- 4
Be specific about what information can be shared—you can exclude sensitive information like mental health records or genetic testing if desired.
- 5
Keep copies of your signed HIPAA Authorization with your other important documents and provide copies to your designated representatives.
- 6
A HIPAA Authorization works best when paired with other healthcare documents like an advance directive and healthcare power of attorney.
- 7
Different healthcare systems may have their own HIPAA Authorization forms, so you may need to complete multiple forms for different providers.
Key Decisions
HIPAA Authorization Requirements
Full legal name, date of birth, address, phone number, and other identifying information of the individual whose protected health information will be disclosed.
Include the patient's medical record number or other healthcare identifier if available.
North Carolina Requirements for HIPAA Authorization
The HIPAA Authorization must be written in plain language and contain specific elements including a description of the information to be disclosed, the person authorized to make the disclosure, the person to whom the disclosure may be made, an expiration date, and a statement of the individual's right to revoke the authorization.
The authorization must include a description of the information to be used or disclosed, identification of persons authorized to make the requested use or disclosure, identification of persons to whom the covered entity may make the requested use or disclosure, purpose of the requested use or disclosure, expiration date or event, and signature of the individual with date.
The authorization must include a statement of the individual's right to revoke the authorization in writing, and either the exceptions to the right to revoke and a description of how to revoke, or a reference to the covered entity's notice of privacy practices.
The authorization must include a statement that information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer protected by the Privacy Rule.
The authorization must include statements that the covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on whether the individual signs the authorization, with specific exceptions.
The covered entity must provide the individual with a copy of the signed authorization.
North Carolina law provides patients with the right to access, examine, and obtain a copy of their medical records maintained by healthcare providers, consistent with HIPAA requirements.
Special provisions apply to the disclosure of mental health, developmental disabilities, and substance abuse services information, requiring specific authorization for release.
Disclosure of HIV test results requires specific written consent that meets both state requirements and HIPAA standards.
Special provisions apply to minors who consent to certain treatments (such as for STDs, pregnancy, or substance abuse) without parental consent, affecting who can authorize disclosure of related records.
A separate authorization is required for the use or disclosure of psychotherapy notes, with limited exceptions.
If the authorization is for marketing purposes that involve financial remuneration, the authorization must state that such remuneration is involved.
If the authorization is for the sale of protected health information, it must state that the disclosure will result in remuneration to the covered entity.
North Carolina law provides additional protections for genetic information, requiring specific informed consent for disclosure.
Federal regulations provide additional protections for substance use disorder records from federally assisted programs, requiring specific authorization elements beyond HIPAA.
North Carolina law establishes the NC Health Information Exchange Authority (NC HIEA) and requires certain providers to connect and submit data, with specific provisions for patient opt-out rights.
An authorization for the use or disclosure of protected health information may not be combined with any other document to create a compound authorization, with specific exceptions.
The authorization must be written in plain language that the individual can understand.
North Carolina requires healthcare providers to maintain medical records for specific periods, affecting the availability of records that might be subject to authorization.
North Carolina's Uniform Electronic Transactions Act allows for electronic signatures on HIPAA Authorizations, provided they comply with both state and federal requirements.