Policy – Authorizations for Use and Disclosure of PHI

Authorizations for Use and Disclosure of Protected Health Information

The Health Center will obtain a valid authorization from the patient, or the patient’s legal guardian or other authorized representative, prior to the release of protected health information for purposes other than treatment, payment and health care operations, unless an exception as described in this policy and procedure applies. [§ 164.508(a)(1)]

Responsibility:

1. It will be the responsibility of Medical Records personnel or designated staff  to obtain a signed authorization from the patient, or the patient’s legal guardian or other authorized representative, when a request for the release of protected health information is made.
2. It will be the responsibility of the Health Center’s privacy officer to respond to questions about the Health Center’s authorization process.

Procedure: 

1. Obtaining a Patient’s Signed Authorization. The Health Center will obtain a valid authorization from the patient, or the patient’s legal guardian or other authorized representative, prior to the release of protected health information for purposes other than treatment, payment and health care operations, unless an exception as described in this policy and procedure applies.

[§ 164.508(a)(1)]  Such authorizations will include requests for releases initiated by:

• a patient for the use and disclosure of protected health information by the patient or other third party.
• the Health Center for its own use and disclosure of the protected health information that it maintains.
• the Health Center for the use and disclosure of protected health information maintained by a third party.

All requests initiated by patients will be processed in accordance with the Health Center’s policy and procedure on patient access to protected health information.

2. Uses and Disclosures Pursuant to Authorization. When the Health Center receives a valid authorization for the use or disclosure of protected health information, its use or disclosure will be consistent with the authorization.  [§ 164.508(a)(1)] 
3. Exceptions for Uses and Disclosures Required or Authorized by Law. A valid authorization is not required if the release is authorized or required by law as described in the Health Center’s policies and procedures governing the following types of releases:

• releases according to a patient’s oral permission.
• releases required or authorized by law.

4. Psychotherapy Notes. The Health Center will obtain a valid authorization for the release of psychotherapy notes unless use and disclosure of the notes is for any one of the following types of treatment or health care operations:

• for treatment purposes by the health care professional who created the notes.
• for uses and disclosures by the Health Center for its own training programs in which students, trainees or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling.
• for uses or disclosures by the Health Center to defend a legal action or other proceeding brought by the patient.
• for uses and disclosures required by law or otherwise permitted without the patient’s consent or authorization as described in the Health Center’s policy and procedures on releases required or authorized by law. [§ 164.508(a)(2)] 

The requirements applicable to psychotherapy notes will not apply to medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items:  diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.  [§§ 164.501 & 164.508 (a)(2)]

5. Marketing. The Health Center will obtain a valid authorization for any use or disclosure of protected health information for marketing purposes, unless one of the following exceptions applies:

• a member of the Health Center’s workforce engages in a face-to-face communication with a patient.
• a promotional gift of nominal value is provided by the Health Center.
• If the marketing involves direct or indirect remuneration to the Health Center from a third party, the authorization shall state that such remuneration is involved.  [§ 164.508(a)(3)] 

6. Contents of a Valid Authorization. The Health Center may use its own authorization form or can accept a written authorization supplied by the patient as long as the authorization meets the requirements of this procedure.  A valid authorization will be written in plain language and must include:

• a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
• the name, address, phone and fax numbers or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure.
• the name, address, phone and fax numbers or other specific identification of the person(s) or class of persons or to whom the Health Center may release information.
• a description of each purpose of the requested use or disclosure. If the patient is requesting access and does not wish to disclose this information, the statement “at the request of the patient” is sufficient.
• an expiration date or event that relates to the patient or the purpose of the use or disclosure. If no expiration date is specified, calculate 30 days from the date of the request and enter this date on the authorization.
• the signature of the patient and date of signature.  If the authorization is signed by a representative of the patient, a description of the person’s authority to act for the patient.
• a statement of the patient’s right to revoke the authorization in writing and either a statement of the exceptions to the right to revoke and how the patient may revoke an authorization or, if this information is included in the Health Center’s Notice of Privacy Practices, a reference to the Notice.
• a statement that the Health Center may not condition the provision of treatment on the patient’s provision of a signed authorization.
• a statement that the information may be subject to redisclosure by the recipient and may no longer be protected by the Health Center’s privacy practices or applicable privacy law.
• if the authorization is for marketing purposes and involves direct or indirect remuneration to the Health Center, a statement that such remuneration is involved.

The authorization may include additional elements and information, provided that these elements are not inconsistent with the elements required by this procedure.  [§§ 164.508(a)(3)(ii), (b)(1) &  (c)(1)-(3)] 

7. Copy to Patient. If the Health Center seeks an authorization from a patient for a use or disclosure of protected health information, the Health Center will provide the patient with a copy of the patient’s signed authorization.  [§ 164.508(c)(4)] 
8. Attorney Requests. If the request is from an attorney, it will be honored only upon receipt of a valid authorization signed by the patient (or the patient’s legal guardian or other representative), or a court order directing the Health Center to release the information to the named attorney.  If the request is from an attorney or marked for legal purposes, the Health Center will follow its policy and procedure for handling such requests or, in the absence of any such policy, notify the Privacy Officer.
9. Electronic Request. If the Health Center receives a valid authorization for the release of protected health information to be disclosure by electronic transmission, the Health Center will process the request in accordance with the policy and procedure on the patient access to protected health information. The information released will be limited to the minimum necessary to meet the requestor’s needs.  Whenever possible, de-identified information will be used
   • E-mail users will be set up with a unique identity complete with unique password and file access controls.
   • All email address will be verified for accuracy before sending any PHI and, if possible, use email addresses loaded in the system address book. E-mail users may not intercept, disclose or assist in intercepting and disclosing e-mail communications.
   • Patient specific information regarding highly sensitive health information must not be sent via e-mail, even within the internal email system (i.e. information relating to AIDS/HIV, drug and alcohol abuse and psychotherapy notes). 

Contact Us

If you have any questions about this Policy or our data practices, please contact us at:

Broward Community and Family Health Centers, Inc.
5010-5012 Hollywood Blvd., Hollywood, FL 33021
(954) 624-3200

---

This policy is designed to provide clear and comprehensive information about how we handle your personal information. We are committed to maintaining your privacy and ensuring that your information is protected.