Uses and Disclosures for which an Authorization is Required – Documentation and Content

§164.508(b)(6) Documentation. A covered entity must document and retain any signed authorization under this section as required by §164.530(j).

§164.508(c) Implementation specifications: Core elements and requirements. (1) Core elements. A valid authorization under this section must contain at least the following elements:
(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
(iv) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.
§164.508(c)(2) Required Statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:
(i) The individual’s right to revoke the authorization in writing and either:
(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.
(iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient can no longer be protected by this subpart.
§164.508(c)(3) The authorization must be written in plain language.
§164.508(c)(4) If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.

Audit Inquiry

Does the covered entity document and retain signed, valid authorizations?

Obtain and review a sample of authorizations used as the basis for making uses and disclosures to determine if the authorizations are valid.