Checklist to Validate Authorization Forms

An authorization to use or disclose protected health information (PHI) must contain the following elements:

• A description of the information to be used or disclosed, that identifies the information in a specific and meaningful fashion.  Examples:  “laboratory results from July, 1998” or “all laboratory results” or “results of MRI performed in July, 1998” or “entire medical record.”  The description must be specific enough to indicate that the patient has a clear understanding of how much information will be used or released.
• The name or other specific identification of who is authorized to use or disclose the information.  Examples:  “Clearfield Hospital” or “any health care provider.” 
• The name or other specific identification of the person or organization to which Clearfield Hospital is authorized to make the disclosure.  Examples:  “ABC Life Insurance Co.” or “John Smith, JD, attorney.”  If the authorization is intended to permit Clearfield Hospital to use PHI internally, and does not authorize any disclosure of PHI to other parties, the correct entry is “Clearfield Hospital.”  An entry of “not applicable” or “NA” is not valid.
• A description of each purpose of the requested use or disclosure.  The statement “at the request of the individual” is a sufficient description of the purpose when a patient initiates the authorization and does not, or elects not to, provide a statement of the purpose.
• An expiration date, or an expiration event that relates to the patient or to the reason for the use or disclosure.  Examples:  “December 31, 2002” or “one year from the date of this form” or “as long as enrolled in the health plan authorized to receive the information.”  The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
• A statement that the patient has the right to revoke the authorization in writing, and that the revocation does not apply as defined in the Notice of Privacy Practice.
• To the extent that Clearfield Hospital has taken action in reliance on the authorization; and
• If the authorization is to permit disclosure of PHI to an insurance company, as a condition of obtaining coverage, to the extent that other law allows the insurer to contest claims or coverage.
• A description of how the patient may revoke the authorization.
• If the treatment is research-related, provision of treatment may be conditioned on receipt of an authorization to use and disclose PHI related to this treatment as necessary for the research; or
• If the purpose of the treatment services is to create PHI for disclosure to a third party, provision of the services may be conditioned on receipt of an authorization to disclose the PHI to that third party.
• A statement that information that is disclosed in accordance with the authorization may be disclosed further by the recipient, and that the information may no longer be protected by federal privacy rules regarding protected health information.
• If the authorization is for the use or disclosure of PHI for marketing, and the use or disclosure will involve direct or indirect remuneration to Clearfield Hospital from a third party, the authorization must state that such remuneration is involved.
• The patient’s signature, or the signature of the patient’s personal representative, with a description of the representative’s authority to act for the patient.  Example:  “power of attorney or minor”
• The date of the signature.

Prior to releasing or disclosing the PHI, the Medical Records Department must verify the identity of the person making the request and the authority of that person to have access to the information.  Refer to ADM # 01.08.04.  Sources of verification should be driver’s license, ID badge, or document if the staff personally knows the individual.

A copy of the authorization will be given to the patient or personal representative. The authorization will be filed in the patient’s medical record with a notation of what information was released, the date it was released, and who released it.   This document will be maintained for at least 6 years.

April 14, 2003