HIPAA Policies for Healthcare Providers at Covered Components: Policy 5, Situations in which Authorizations and Attestations are Necessary
This Policy 5 is part of the HIPAA Policy Manual: Privacy and Security of Protected Health Information for BU Healthcare Provider Covered Components.
5.1 General Rules on Authorization
When an Authorization is Required
If you are not using/disclosing PHI for treatment, payment or to manage the clinic as described in Policy 3 or for reasons that are required or permitted by law, then the patient must sign a written Authorization allowing you to use/disclose the patient’s information.
BU’s Authorization Form
Each Covered Component has an Authorization form approved by the BU HIPAA Privacy Officer which contains the elements required by HIPAA. These are found at http://www.bu.edu/hipaa/forms-for-health-care-providers/. Contact the BU HIPAA Privacy Officer if you want to change the language of the Authorization form for any reason.
Other Entities’ Authorization Forms
Covered Components may accept and comply with Authorizations on BU’s standard form, if sufficient information is provided. If the Covered Component receives an Authorization that is on a form other than the standard BU Authorization, the Covered Component may accept the Authorization if it contains the same elements as BU’s Authorization and is consistent with this Policy. Questions about the validity of an Authorization can be directed to the BU HIPAA Privacy Officer for guidance.
Using the Authorization Form
Below are instructions on the use of the Authorization form. Any questions about whether an Authorization form is needed or about using the form should be directed to the BU HIPAA Privacy Officer.
When completing the Authorization or reviewing Authorizations, please keep the following in mind:
- The information to be used or disclosed must be identified with enough specificity to allow the Covered Component to comply.
- The name or other specific identification of the person or entity the information should be disclosed to must be provided. (e.g., “send a complete copy of my records dated 1/1/2016-7/1/2016 to Dr. Laura Smith at [address]”; or “to Boston Medical Center”).
- A description of the reason for the use or disclosure (e.g., “at the request of the individual,” or “for follow up care” or “for personal use”).
- An expiration date or an expiration event must be provided (e.g., “this Authorization expires in six months;” “12/31/2016;” or “at the end of the research study”).
- The individual whose PHI is to be used or disclosed must sign and date the Authorization. If someone other than the individual is authorized to sign, that person’s capacity should be noted (e.g., “Guardian” or “Mother of minor child”). See Policy 5, Section 5.2 and Section 5.3 for more information.
- The Covered Component is responsible for maintaining signed Authorizations for six (6) years.
- The Minimum Necessary Rule does not apply to disclosures based on patient Authorization. Rather, the Covered Component should disclose the documents requested in the Authorization.
Defective Authorizations
Authorizations are defective and invalid if any material information in the Authorization is known to the Covered Component to be false or if any of the following other defects exist:
- The expiration date has passed, or the expiration event is known by the Covered Component to have occurred;
- The Authorization has not been filled out correctly or completely;
- The Authorization is known by the Covered Component to have been revoked; or
- The Authorization violates the prohibition on conditioning of Authorizations, as described immediately below.
Questions should be directed to the BU HIPAA Privacy Officer.
Prohibition on Conditioning of Authorizations
We may not condition the provision of treatment on the patient’s signing an Authorization, except when the patient is participating in a clinical research trial. If the Authorization is required for disclosures related to the research, then the researchers may condition enrollment in the clinical trial on the Individual signing an Authorization for disclosures needed for the clinical trial.
Sensitive Information
A specific authorization is required for the release of sensitive information. Sensitive information includes: (1) HIV information/test results; (2) sexually transmitted diseases; (3) information related to diagnosis or treatment of pregnancy; (4) genetic counseling/screening test results; (5) domestic violence; (6) sexual assault; (7) human trafficking; (8) social work counseling/therapy; (9) details of mental health diagnosis and/or treatment by a psychiatrist, psychologist, mental health clinical nurse specialist or licensed health clinician; and (10) substance use disorder patient records. If an individual’s medical record contains sensitive information and a specific authorization is not provided for such information, the individual’s medical record will need to be redacted, so it no longer contains the sensitive information, prior to it being used or disclosed.
Revocation of an Authorization
A person who has signed an Authorization may revoke it at any time by providing a written notice of revocation to the Covered Component. When an individual revokes his/her Authorization, the Covered Component may no longer rely on the revoked Authorization. However, the revocation does not affect disclosures that were made pursuant to the Authorization prior to receiving the revocation.
Authorization Not Needed to Disclose Immunization Information to a School
Massachusetts schools are required by law to obtain immunization records for students (Mass. General Laws Chapter 76, Section 15). Therefore, we do not need to obtain an Authorization to provide information on immunizations to any school.
Release of Information Practices
Each Covered Component will adopt procedures for release of information.
5.2 Parents, Guardians and Minors
General rules:
- Adults age eighteen (18) and older make their own decisions on their rights under HIPAA and sign their own Authorizations.
- Persons under the age of 18 are minors. A parent of the minor makes decisions for the child and signs the child’s Authorization. The parent should note his/her capacity, e.g., “mother/father/parent” on the Authorization.
Exceptions to both of these general rules are described below.
Minors and their Parents
A Covered Component may assume either parent of a child under age 18 is authorized to sign Authorizations for the child, unless it has knowledge of a court order that has limited or taken away a parent’s authority.
When parents are divorced, the fact that one parent has full custody does not mean that the other parent’s authority has been limited; a court order would state any such restriction.
If a Covered Component has reason to believe a parent who wishes to make decisions for, and sign Authorizations on behalf of, a minor child is not authorized to do so, the Covered Component should request a copy of the court order restricting a parent’s rights and/or specifying who may make decisions regarding the minor’s health care and who may sign Authorizations for the child. Questions may be directed to the BU HIPAA Privacy Officer or the Office of the General Counsel.
Emancipated Minors
Massachusetts law includes the Emancipated Minor statute, which allows health care providers to provide treatment to minors (persons who have not attained the age of eighteen) based on the informed consent of the Emancipated Minor.
Reasons for emancipation include:
- The minor is married, widowed or divorced;
- The minor is the parent of a child, in which case s/he may also give consent to medical or dental care of his/her child;
- The minor is a member of any of the armed forces;
- The minor is pregnant or believes herself to be pregnant;
- The minor is living separate and apart from his/her parent or legal guardian, and is managing his/her own financial affairs; or
- The minor reasonably believes him/herself to be suffering from or to have come in contact with any disease defined by the Massachusetts Department of Public Health as dangerous to the public health. However, the minor may only consent to care which relates to the diagnosis or treatment of that disease.
Note that a minor may not consent to an abortion or sterilization, even if Emancipated.
Drug Dependent Minors
Under Massachusetts law, a minor twelve years of age or older who is found to be drug dependent by two or more physicians may give consent to hospital or medical care related to the diagnosis or treatment of such drug dependency. The consent of the parent or legal guardian of such minor is not necessary to authorize hospital and/or medical care related to drug dependency.
When Parent or Legal Guardian agrees to confidentiality
If a parent or legal guardian has signed an agreement of confidentiality between the provider and the minor with respect to a health care service, then the parent/legal guardian is not authorized to make decisions for the minor for the matters covered by the agreement, and any Authorization for disclosure of those matters must be signed by the minor.
Verifying Identity When Releasing Records
The Covered Component is responsible for verifying the identity of the person requesting PHI and the authority of such person to have access to the PHI or to authorize its disclosure.
If the person is known to the Covered Component, and there is no question as to his/her authority, the Covered Component may accept the signed Authorization from the known person. This commonly occurs when a patient over the age of 18 who has not been found incompetent signs his/her own Authorization; when a parent of an unemancipated minor who is known to the Covered Component based on the parent’s involvement in the minor’s care signs for the minor patient; and when the Covered Component has previously verified the legal status of a guardian or other representative.
If the person requesting records or presenting an Authorization is not known to the Covered Component, the Covered Component must make reasonable efforts to verify the person’s identity and authority. Following are common ways of verifying:
- Check the requesting party’s picture identification;
- Verify that the address to which the records are requested to be sent is the address of record of the individual; and/or
- Obtain a copy of a court appointment or other document that authorizes access to the PHI under law (such as a letter from the Department of Public Health authorizing the disclosure).
The Covered Component may rely on documents presented that appear to be legitimate on their face. Any questions regarding a person’s authority to obtain PHI should be directed to the BU HIPAA Privacy Officer.
5.3 Legally Authorized Representative of an Adult Patient
If an adult is not competent to make his/her own decisions, a Legally Authorized Representative may exercise the patient’s rights and sign Authorizations on behalf of the patient. However, a Covered Component has the right not to treat a person as the Legally Authorized Representative if it reasonably believes that: (1) the individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or (2) treating such person as the Legally Authorized Representative could endanger the individual; and (3) in the exercise of professional judgment, it is not in the best interest of the individual to treat the person as the individual’s Legally Authorized Representative. The belief cannot be based on the fact that the Legally Authorized Representative has helped with or provided reproductive health care for and at the request of the individual. If there is uncertainty as to whether the person should be treated as the Legally Authorized Representative, contact a supervisor or manager (as applicable), who can reach out to the HIPAA Contact, if necessary.
Verification
Legally Authorized Representatives may hold a variety of titles, including Personal Representative, Guardian, Conservator, Substitute Decision Maker, Health Care Agent, and others; for simplicity, the term Legally Authorized Representative is used in these policies. When a Legally Authorized Representative (by whatever title) signs an Authorization on behalf of the patient, the Covered Component must verify the authority of the Legally Authorized Representative, typically by obtaining the court order, administrative tribunal order, or appointment document. Legally Authorized Representatives usually have these documents readily available. Any questions about the authority of a Legally Authorized Representative should be directed to the BU HIPAA Privacy Officer or Office of the General Counsel.
Appointment of Health Care Agent
If an adult patient has appointed a health care agent in accordance with Massachusetts law and the adult has subsequently been found incapacitated and incapable of making or communicating health care decisions by a physician, Authorizations must be handled as follows:
- Obtain a signature on the Authorization from the health care agent, not from the patient.
- A copy of the health care proxy form listing the agent’s name must accompany the request and be filed with the Authorization and request for PHI.
- If multiple parties have been named as agent, obtain Authorization from all parties. If the proxy lists “Party A” OR “Party B,” the Authorization of either is sufficient.
- The Covered Component must observe the terms of the appointment. If the individual regains mental capacity, the health care proxy is rendered ineffective and the health care agent’s signature on an Authorization no longer suffices. Instead, the individual must then sign any Authorization.
- Take care not to disclose PHI based on the Authorization of the health care agent if you have no corroborating evidence that the individual has been declared incapacitated by a physician as required by Massachusetts law.
Contact the HIPAA Privacy Officer or Office of the General Counsel with any questions.
5.4 After a Patient’s Death
PHI of deceased individuals remains protected under HIPAA for 50 years following the date of death.
Who can authorize a release of the records of the deceased?
If the individual is deceased, the Covered Component must obtain the Authorization from the court-appointed administrator or executor of the decedent’s estate. If the Covered Component is unable to obtain the court order naming the administrator or executor, or if an administrator or executor has not been appointed, contact the BU HIPAA Privacy Officer or the Office of the General Counsel.
Family and Friends Rights to Records
If a family member (or friend) was involved with an individual’s care during his/her life, we may release the individual’s records upon Authorization by that person, just as we shared the patient’s PHI with the involved family member during the patient’s life.
If the person requesting records of a deceased patient was not involved in the patient’s care during the patient’s lifetime, then only a legally authorized representative of the estate may authorize release of the patient’s medical records. The Covered Component should receive a court order appointing the person as Personal Representative or Executor of the deceased patient’s estate before releasing records of a deceased person.
A deceased patient’s surviving spouse, children, family members, friends and others are not authorized to request and receive the deceased patient’s PHI simply by virtue of the family relationship.
Disclosures to Funeral Directors, Coroners, and Medical Examiners
See Policy 4, Section 4.1 for disclosures to funeral directors, coroners, and medical examiners.
Disclosing Records of Deceased Individual for Research Purposes
Please see the next Section, 5.5: Accessing and Using PHI for Research.
5.5 Research: Authorizations and Waivers
Research is not one of the purposes for which PHI may be used without patient Authorization (Treatment, Payment or Health Care Operations; see Policies 3.4, 3.5 and 3.6), so a Covered Component may not allow access to its PHI for research purposes unless the researcher has obtained and presented to the Covered Component HIPAA Contact:
- Institutional Review Board (IRB) approval and either Authorizations signed by each patient whose information is requested or an IRB Waiver of patient Authorization; or
- in the case of Activities Preparatory to Research, an acceptable attestation (see the special rules below). A form for this purpose is found at http://www.bu.edu/hipaa/forms-for-health-care-providers/.
In order for Covered Components to determine whether it is permissible to release PHI to a researcher, the HIPAA Contact must determine the following:
- Is the activity for which PHI is requested “research” under HIPAA?
- If so, is the researcher authorized to receive the PHI requested?
What is Research under HIPAA?
HIPAA defines “research” as an activity intended to lead to generalizable knowledge.
Quality assurance activities conducted by the Covered Component solely for its internal purposes (e.g., to assess or improve the quality of care provided to patients/clients) are not “research” but instead fall within “operations” and are generally permissible without the individual’s Authorization; the rules for using PHI in research do not apply because the activity is not research.
Access to PHI for research purposes
Authorization: The Covered Component may permit access to PHI for research if an Authorization for such access has been received from the individual or individual’s representative.
IRB Waiver of Authorization:
The Covered Component may permit access to PHI for research without an Authorization if a Waiver of Authorization has been obtained from an IRB. A form is available for this purpose. However, Massachusetts state law will not permit a Waiver of Authorization for research purposes for the following types of records: (1) mental health treatment information; (2) HIV test results or related information; (3) venereal disease; (4) confidential communications with a sexual assault counselor, domestic violence victims’ counselor, or human trafficking victims’ caseworker; and (5) abortion information.
Special Rules for Activities Preparatory to Research:
Researchers often need to access PHI in order to get sufficient information to design a study, evaluate the feasibility of a study, or otherwise prepare for research. This typically takes place in advance of presenting the study to the IRB or seeking financial support for the study.
Researchers may not access any PHI for these purposes unless:
- the patients have explicitly authorized such activities, e.g., in an authorization signed to allow the creation of a data repository; or
- the researcher completes a Waiver Preparatory to Research form, attesting to certain security and privacy measures, such as:
- the researcher seeks the PHI solely to prepare a research protocol or for similar purposes preparatory to research;
- the researcher will access only the PHI necessary for this purpose; and
- the researcher will not remove any PHI from the premises of the Covered Component.
Special Rules for Access to Records of Decedents for Research Purposes:
A Covered Component may permit access to PHI for research if the Covered Component’s HIPAA Contact receives from the researcher:
- a representation that the use or disclosure sought is solely for research on the PHI of decedents;
- documentation, at the request of the Covered Component, of the death of such individuals; and
- a representation that the PHI sought is necessary for the research.
Covered Components may accept such a statement from a researcher if it has been reviewed and approved by the IRB.
Research Data Repositories Containing PHI
Creating Data Repository from PHI: If a Covered Component wishes to create a repository of information from clinical records for a specific study or potential future research, the creation must be approved by the IRB and by the BU HIPAA Privacy Officer. This will ensure that patients properly authorize the inclusion of their information in the database, or that a waiver has been approved. If the repository contains only a Limited Data Set, its use can be governed by a simple Data Use Agreement, which
Using the PHI in an approved Data Repository:
Use of data in a repository must be separately approved by the IRB for each study.
5.6 Students and Observers
Trainees:
Students enrolled in one of BU’s health schools who participate in patient care within a Covered Component as part of their training are part of that Covered Component’s Workforce. However, there are restrictions on their use of PHI in their education, and on faculty use of patient PHI in education.
PHI, including excerpts from the patient medical record, images, and factual summaries, may be used for educating students only as follows:
- If the PHI is fully de-identified by absence of the 18 identifiers (see Policy 1, HIPAA Basics, Section 1.4: De-Identified PHI), it can be used without an Authorization. For example:
- a faculty member or student may use an x-ray image if all identifying information is redacted, as the image itself does not identify the individual;
- a faculty member or student may describe the health condition of a specific patient who suffered complications following standard treatment if the minimum necessary rule is followed and the information is de-identified.
- All other uses of PHI in education require a signed Authorization.
Students who do not participate in patient care are not part of the Covered Component Workforce. See next section on Shadowing.
Shadowing, Observers
Covered Components that choose to allow students and others to “shadow” patient care as Observers must document a procedure for approving the shadowing as part of the Covered Component’s education mission (e.g., prospective students) or health care operations (e.g., a prospective faculty member or employee allowed to shadow as part of the recruiting process).
If allowed, the following safeguards must be in place:
- Patients must be told who the person shadowing is and given an opportunity to object to their presence. If a patient objects, the Observer must leave the patient’s area;
- Observers may not interfere with patient care;
- Observers may not participate in any way in patient care; and
- Observers must sign an attestation in advance of the shadowing experience confirming their health status, as required by the Covered Component, and their understanding of the confidentiality of all patient care information. Observers are not members of the Workforce and are not required to complete HIPAA training.
An Observer form is available at http://www.bu.edu/hipaa/forms-for-health-care-providers.
5.7 Using PHI in Publishing
Publishing case reports and articles in professional journals is an important part of the educational mission of the University. Faculty, residents and students in BU Covered Components may wish to write about the diagnosis, treatment, response to treatment, and follow-up after treatment of one or more individual patients (“Articles”). The usual rules apply:
- If the case report uses only de-identified data (see Section 1.4: De-identified PHI) then it is permissible under HIPAA to use the information for the case report without the patient’s Authorization.
- If some of the 18 identifiers remain in the Article, it would not meet the above standard for De-identification. There is an alternate method of De-identification: if the author does not wish to obtain an Authorization and believes the information in the Article cannot be used to identify any individual, s/he may contact the BU HIPAA Privacy Officer, who will review the matter and may obtain an expert opinion on De-identification. Send the case note or Article to hipaa@bu.edu for review.
- If the information used is not de-identified in one of the ways described above, the author will be required to obtain a signed HIPAA Authorization from the patients (or their Legally Authorized Representatives) for the use and disclosure of their PHI in the Article.
Please always consider obtaining patient authorization for the use of the PHI, given reports in the press of patients who have been upset upon recognizing themselves, or upon being recognized by others despite use of only de-identified PHI.
A special-purpose Authorization is available for this purpose at http://www.bu.edu/hipaa/forms-for-health-care-providers/. See also HRRP policies on the IRB’s role in approving case series.
5.8 General Rules on Attestations
When an Attestation is Required
An Attestation is required from a person who is requesting PHI potentially related to reproductive health care for any of the following purposes: (1) health oversight activities; (2) law enforcement purposes; (3) judicial or administrative proceedings; and (4) disclosures to coroners and medical examiners.
BU’s Attestation Form
Each Covered Component has an Attestation form approved by the BU HIPAA Privacy Officer which contains the elements required by HIPAA. These are found at http://www.bu.edu/hipaa/forms-for-health-care-providers/. Contact the BU HIPAA Privacy Officer if you want to change the language of the Attestation form for any reason.
Other Entities’ Attestation Forms
Covered Components may accept and comply with an Attestation on BU’s standard form, if sufficient information is provided. If the Covered Component receives an Attestation that is on a form other than the standard BU Attestation, the Covered Component may accept the Attestation if it contains the same elements as BU’s Attestation and is consistent with this Policy. Questions about the validity of an Attestation can be directed to the BU HIPAA Privacy Officer for guidance.
Using the Attestation Form
Below are instructions on the use of the Attestation form. Any questions about whether an Attestation form is needed or about using the form should be directed to the BU HIPAA Privacy Officer.
When completing the Attestation or reviewing Attestations please keep the following in mind:
- Covered Components should obtain an Attestation for any of the following purposes: (1) health oversight activities; (2) law enforcement purposes; (3) judicial or administrative proceedings; and (4) disclosures to coroners and medical examiners, regardless of the type of information being requested.
- The information to be used or disclosed must be identified with enough specificity to allow the Covered Component to comply.
- The name of any individual(s) whose PHI is sought (if practicable) or a description of the class of individuals whose PHI is sought (if name is not practicable) must be included.
- The name or other specific identification of the person or entity the information should be disclosed to must be provided.
- A clear statement is required that the purpose of the use or disclosure of PHI is either:
- Not to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care or to identify any person for such purposes; or
- To investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, or to identify any person for such purposes, but the reproductive health care at issue was not lawful under the circumstances in which it was provided.
- If the requestor states that the reproductive care at issue was not lawful, they must provide information to demonstrate a substantial factual basis that the reproductive health care was not lawful.
- A statement must be included that a person may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person.
- The person who is requesting the PHI must sign and date the Attestation (which may be an electronic signature and date). If the attestation is signed by a representative of the person requesting the information, a description of such representative’s authority to act for the person must also be provided.
- The Covered Component is responsible for maintaining signed Attestations for six (6) years.
Defective Attestations
Attestations are defective and invalid if they have any of the following defects:
- The Attestation is not complete, or sufficient information has not been provided to demonstrate a substantial factual basis that the reproductive health care was not lawful (if applicable).
- The Attestation contains additional information/statements not requested on the form.
- The Attestation is combined with another document or documents, other than documentation provided to demonstrate a substantial factual basis that the reproductive health care was not lawful (if applicable).
- The Covered Component has actual knowledge that the material information in the Attestation (or provided to demonstrate a substantial factual basis that the reproductive care was not lawful, if applicable) is false.
- A reasonable person, in the same position as the Covered Component, would believe that the Requestor is using or disclosing the PHI to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care or to identify any person for such purposes when Requestor said that they were not using or disclosing PHI for those purposes.
Questions should be directed to the BU HIPAA Privacy Officer.
Cessation of Use or Disclosure
If, while using or disclosing PHI in connection with an Attestation, the Covered Component discovers that the Attestation was materially false, the Covered Component must cease such use or disclosure of PHI in response to the request.