Drexel University Clinical Covered Entities
Privacy Program Policies and Procedures
Policy Title: Authorization
Policy Number: IM-06
Effective Date: April 14, 2003; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
Table of Contents
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Patients may authorize Drexel University (DU) to use their Patient Health Information (PHI) for reasons other than the Treatment, Payment and Healthcare Operations (TPO) purposes that are covered by the Notice of Privacy Practices. However, the Practice may not condition the provision of health care based on the patient signing an Authorization for this type of use. Authorizations are required for uses or disclosures of protected health information for purposes other than treatment, payment or health care operations. Typically, these may involve disclosures for research, marketing, fundraising, the sale of protected health information and psychotherapy notes.
The policy provides the opportunity for the patient to sign an authorization for the use of information beyond treatment, payment and operations uses.
- A patient, or an authorized surrogate decision maker can complete the authorization form found in this policy.
- The treating clinician will consider the authorization and release information as appropriate.
- Copies of all documents will be made part of the Medical Record or patient file in the treating department.
- Authorizations must include:
Because Authorizations are very specific, patients must complete a separate form for each use or disclosure. A provider may not condition treatment on whether or not a patient will execute an Authorization for a particular purpose.
When Authorization is Not Required:
- A specific description of information to be used or disclosed;
- The identification of a specific individuals who may use or disclose the information;
- The identification of a specific individuals who may receive and use the disclosed information;
- A description of each purpose of the requested use or disclosure;
- The expiration date of the use or disclosure;
- A statement of the patient's right to revoke the Authorization at any time in writing along with procedure for revocation;
- A statement that the PHI used or disclosed may be subject to re-disclosure by the party receiving the information and may no longer be protected;
- Patient's signature and date.
- Protected health information may be released without authorization only as follows:
- if the information is being used for TPO purposes;
- if the information is used for a marketing communication that is either:
- a face to face communication or
- a promotional gift of nominal value.
- for research purposes when an Authorization is independently approved by a privacy board or Institutional Review Board;
- in judicial and administrative proceedings;
- in limited law enforcement activities;
- in investigations of abuse or neglect;
- for the identification of a deceased person or the cause of death;
- for activities related to national defense;
- for proof of immunization in accordance with Policy IM-23.
Health care information that does not identify or for which there is no reasonable basis to believe will identify a patient individually is not protected by the Privacy Regulations. If, for example, your Practice compiles statistics that have no individually identifiable information, you do not need an Authorization.
The authorization specialist will review the authorization request for completeness. The treating clinician will approve release of the information.
IM-01, "Information Management Policy"
Back to Top