Effective Date: August 1, 2013 Revised: November 1, 2018

HIPAA Policies for Healthcare Providers at Covered Components: Policy 5, Situations in which Authorizations are Necessary

Responsible Office Research Compliance

This Policy 5 is part of the HIPAA Policy Manual: Privacy and Security of Protected Health Information for BU Healthcare Provider Covered Components.

5.1 General Rules on Authorization

When an Authorization is Required

If you are not using/disclosing PHI for treatment, payment or to manage the clinic as described in Policy 3 or for reasons that are required or permitted by law, then the patient must sign a written Authorization allowing you to use/disclose the patient’s information.

BU’s Authorization Form

Each Covered Component has an Authorization form approved by the BU HIPAA Privacy Officer which contains the elements required by HIPAA.  These are found at  Contact the BU HIPAA Privacy Officer if you want to change the language of the Authorization form for any reason.

Other Entities’ Authorization Forms

Covered Components may accept and comply with authorizations on BU’s standard form, if sufficient information is provided.  If the Covered Component receives an Authorization that is on a form other than the standard BU Authorization, Covered Components may accept the Authorization if it contains the same elements as BU’s Authorization and is consistent with this Policy.  Questions about the validity of an Authorization can be directed to the BU HIPAA Privacy Officer for guidance.

Using the Authorization Form

Below are instructions on the use of the Authorization form.  Any questions about whether an Authorization form is needed or about using the form should be directed to the BU HIPAA Privacy Officer.

When completing the Authorization or reviewing Authorizations, please keep the following in mind:

  • The information to be used or disclosed must be identified with enough specificity to allow the Covered Component to comply.
  • The name or other specific identification of the person or entity the information should be disclosed to must be provided (e.g., “send a complete copy of my records dated 1/1/2016-7/1/2016 to Dr. Laura Smith at [address]”; or “to Boston Medical Center”).
  • A description of the reason for the use or disclosure (e.g., “at the request of the individual,” or “for follow up care” or “for personal use”).
  • An expiration date or an expiration event must be provided (e.g., “this Authorization expires in six months;” “12/31/2016;” or “at the end of the research study”).
  • The individual whose PHI is to be used or disclosed must sign and date the Authorization. If someone other than the individual is authorized to sign, that person’s capacity should be noted (e.g., “Guardian” or “Mother of minor child”).  See Policy 5, Section 5.2 and Section 5.3 for more information.
  • The Covered Component is responsible for maintaining signed Authorizations for six (6) years.
  • The Minimum Necessary Rule does not apply to disclosures based on patient Authorization. Rather, the Covered Component should disclose documents requested in the Authorization.

Defective Authorizations

Authorizations are defective and invalid if any material information in the Authorization is known to the Covered Component to be false or if any of the following other defects exist:

  • The expiration date has passed, or the expiration event is known by the Covered Component to have occurred;
  • The Authorization has not been filled out correctly or completely;
  • The Authorization is known by the Covered Component to have been revoked; or
  • The Authorization violates the prohibition on conditioning of Authorizations, as described immediately below.

Questions should be directed to the BU HIPAA Privacy Officer.

Prohibition on Conditioning of Authorizations

We may not condition the provision of treatment on the patient’s signing an Authorization, except when the patient is participating in a clinical research trial.  If the Authorization is required for disclosures related to the research, then the researchers may condition enrollment in the clinical trial on the Individual signing an Authorization for disclosures needed for the clinical trial.

HIV Tests and Results

Covered Components may report the results of HIV tests without patient authorization to the individual tested and to the Massachusetts Department of Health for infectious disease surveillance.

In all other circumstances, Covered Components may disclose the fact of HIV testing or HIV test results only after receiving the patient’s written authorization for that disclosure.  Each release of HIV test results must be authorized by a separate written authorization.

Genetic Information

Covered Components whose medical records include genetic information about an individual may not disclose that genetic information to anyone other than the individual tested, except: (i) upon written consent of the individual; or (ii) upon proper judicial order; or (iii) for research purposes, in compliance with the policies for use and disclosure of PHI for research purposes.  See Section 5.5, Accessing and Using PHI for Research.

Revocation of an Authorization

A person who has signed an Authorization may revoke it at any time by providing a written notice of revocation to the Covered Component.  When an individual revokes his/her Authorization, the Covered Component may no longer rely on the revoked Authorization. However, the revocation does not affect disclosures that were made pursuant to the Authorization prior to receiving the Revocation.

Authorization Not Needed to Disclose Immunization Information to a School

Massachusetts schools are required by law to obtain immunization records for students (Mass. General Laws Chapter 76, Section 15).  Therefore, we do not need to obtain an Authorization to provide information on immunizations to any school.

Release of Information Practices

Each Covered Component will adopt procedures for release of information.

5.2 Parents, Guardians and Minors

General rules:
  1. Adults age eighteen (18) and older make their own decisions on their rights under HIPAA and sign their own Authorizations.
  2. Persons under the age of 18 are minors. A parent of the minor makes decisions for the child and signs the child’s Authorization.  The parent should note his/her capacity, e.g., “mother/father/parent” on the Authorization.

Exceptions to both of these general rules are described below.

Minors and their Parents

A Covered Component may assume either parent of a child under age 18 is authorized to sign Authorizations for the child, unless it has knowledge of a court order that has limited or taken away a parent’s authority.

When parents are divorced, the fact that one parent has full custody does not mean that the other parent’s authority has been limited; a court order would state any such restriction.

If a Covered Component has reason to believe a parent who wishes to make decisions for, and sign Authorizations on behalf of, a minor child is not authorized to do so, the Covered Component should request a copy of the court order restricting a parent’s rights and/or specifying who may make decisions regarding the minor’s health care and who may sign Authorizations for the child.  Questions may be directed to the BU HIPAA Privacy Officer or the Office of the General Counsel.

Emancipated Minors

Massachusetts law includes the Emancipated Minor statute, which allows health care providers to provide treatment to minors (persons who have not attained the age of eighteen) based on the informed consent of the Emancipated Minor.

Reasons for emancipation include:

  • The minor is married, widowed or divorced;
  • The minor is the parent of a child, in which case s/he may also give consent to medical or dental care of his/her child;
  • The minor is a member of any of the armed forces;
  • The minor is pregnant or believes herself to be pregnant;
  • The minor is living separate and apart from his/her parent or legal guardian, and is managing his/her own financial affairs; or
  • The minor reasonably believes him/herself to be suffering from or to have come in contact with any disease defined by the Massachusetts Department of Health as dangerous to the public health. However, the minor may only consent to care which relates to the diagnosis or treatment of that disease.

Note that a minor may not consent to an abortion or sterilization, even if Emancipated.

Drug Dependent Minors

Under Massachusetts law, a minor twelve years of age or older who is found to be drug dependent by two or more physicians may give consent to hospital or medical care related to the diagnosis or treatment of such drug dependency. The consent of the parent or legal guardian of such minor is not necessary to authorize hospital and/or medical care related to drug dependency.

When Parent or Legal Guardian agrees to confidentiality

If a parent or legal guardian has signed an agreement of confidentiality between the provider and the minor with respect to health care service, then the parents/legal guardian are not authorized to make decisions for the minor for the matters covered by the Agreement, and any Authorization for disclosure must be signed by the minor.

Verifying Identity When Releasing Records

The Covered Component is responsible for verifying the identity of the person requesting PHI and the authority of such person to have access to the PHI or to authorize its disclosure.

If the person is known to the Covered Component, and there is no question as to his/her authority, the Covered Component may accept the signed Authorization from the known person.  This commonly occurs when a patient over the age of 18 who has not been found incompetent signs his/her own Authorization; when a parent of an unemancipated minor, who is known to the Covered Component based on the parent’s involvement in the minor’s care, signs for the minor patient; and when the Covered Component has previously verified the legal status of a guardian or other representative.

If the person requesting records or presenting an Authorization is not known to the Covered Component, the Covered Component must make reasonable efforts to verify the person’s identity and authority.  Following are common ways of verifying:

  • Check the requesting party’s picture identification;
  • Verify that the address to which the records are requested to be sent is the address of record of the individual; and/or
  • Obtain a copy of a court appointment or other document that authorizes access to the PHI under law (such as a letter from the Department of Public Health authorizing the disclosure).

The Covered Component may rely on documents presented that appear to be legitimate on their face.  Any questions regarding a person’s authority to obtain PHI should be directed to the BU HIPAA Privacy Officer.

5.3 Legally Authorized Representative of an Adult Patient

If an adult is not competent to make his/her own decisions, a Legally Authorized Representative may exercise the patient’s rights and sign Authorizations on behalf of the patient.

Legally Authorized Representatives may hold a variety of titles, including Personal Representative, Guardian, Conservator, Substitute Decision Maker, Health Care Agent, and others; for simplicity, the term Legally Authorized Representative is used in these policies.  When a Legally Authorized Representative (by whatever title) signs an Authorization on behalf of the patient, the Covered Component must verify the authority of the Legally Authorized Representative, typically by obtaining the court order, administrative tribunal order, or appointment document.  Legally Authorized Representatives usually have these documents readily available. Any questions about the authority of a Personal Representative should be directed to the BU HIPAA Privacy Officer or Office of the General Counsel.

Appointment of Health Care Agent

If an adult patient has appointed a health care agent in accordance with Massachusetts law and the adult has subsequently been found incapacitated and incapable of making or communicating health care decisions by a physician, Authorizations must be handled as follows:

  1. Obtain a signature on the Authorization from the health care agent, not from the patient.
  2. A copy of the health care proxy form listing the agent’s name must accompany the request and be filed with the Authorization and request for PHI.
  3. If multiple parties have been named as agent, obtain Authorization from all parties. If the proxy lists “Party A” OR “Party B,” the Authorization of either is sufficient.
  4. The Covered Component must observe the terms of the appointment. If the individual regains mental capacity, the health care proxy is rendered ineffective and the signature of the proxy on an Authorization does not suffice.  Instead, the individual must then sign any Authorization.
  5. Take care not to disclose PHI based on the Authorization of the health care agent if you have no corroborating evidence that the individual has been declared incapacitated by a physician as required by Massachusetts law.

Contact the HIPAA Privacy Officer or Office of the General Counsel with any questions.


5.4 After a Patient’s Death

PHI of deceased individuals remains protected under HIPAA for 50 years following the date of death.

Who can authorize a release of the records of the deceased?

If the individual is deceased, the Covered Component must obtain the Authorization from the court-appointed administrator or executor of the decedent’s estate. If the Covered Component is unable to obtain the court order naming the administrator or executor, or if an administrator or executor has not been appointed, contact the BU HIPAA Privacy Officer or the Office of the General Counsel.

Family and Friends Rights to Records

If a family member (or friend) was involved with an individual’s care during his/her life, we may release the individual’s records upon Authorization by that person, just as we shared the patient’s PHI with the involved family member during the patient’s life.

If the person requesting records of a deceased patient was not involved in the patient’s care during the patient’s lifetime, then only a legally authorized representative of the estate may authorize release of the patient’s medical records. The Covered Component should receive a court order nominating the person as a Personal Representative or Executor of the deceased patient’s estate before releasing records of a deceased person.

A deceased patient’s surviving spouse, children, family members, friends and others are not authorized to request and receive the deceased patient’s PHI simply by virtue of the family relationship.

Disclosing Records of Deceased Individual for Research Purposes

Please see the next Section, 5.5: Accessing and Using PHI for Research.

5.5 Research:  Authorizations and Waivers

Research is not one of the purposes for which PHI may be used without patient Authorization (Treatment, Payment or Health Care Operations; see Policies 3.4, 3.5, 3.6), and so Covered Components may not allow access to their PHI for research purposes unless the researcher has obtained and presented to the Covered Component HIPAA Contact:

  • Institutional Review Board (IRB) approval and
    1. Authorizations signed by each patient whose information is requested, or
    2. An IRB Waiver of patient Authorization
  • in the case of Activities Preparatory to Research, an acceptable attestation. A form for this purpose is found at

In order for Covered Components to determine whether it is permissible to release PHI to a researcher, the HIPAA Contact must determine the following:

  • Is the activity for which PHI is requested “research” under HIPAA?
  • If so, is the researcher authorized to receive the PHI requested?

What is Research under HIPAA?

HIPAA defines “research” as an activity intended to lead to generalizable knowledge.

Quality assurance activities conducted by the Covered Component solely for its internal purposes (e.g., to assess or improve the quality of care provided to patients/clients) are not “research” but instead fall within “operations” and are generally permissible without the individual’s Authorization; the rules for using PHI in research will not apply because the activity is not research.

Access to PHI for research purposes

Authorization:  The Covered Component may permit access to PHI for research if an Authorization for such access has been received from the individual or individual’s representative.

IRB Waiver of Authorization:

The Covered Component may permit access to PHI for research without an Authorization if a Waiver of Authorization has been obtained from an IRB.  A form is available for this purpose.

Special Rules for Activities Preparatory to Research:

Researchers often need to access PHI in order to get sufficient information to design a study, evaluate the feasibility of a study, or otherwise prepare for research.  This typically takes place in advance of presenting the study to the IRB or seeking financial support for the study.

Researchers may not access any PHI for these purposes unless:

  • the patients have explicitly authorized such activities, e.g., in an authorization signed to allow the creation of a data repository; or
  • the researcher completes a Waiver Preparatory to Research form, attesting to certain security and privacy measures, such as:
    • the researcher seeks the PHI solely to prepare a research protocol or for similar purposes preparatory to research;
    • the researcher will access only the PHI necessary for this purpose;
    • the researcher will not remove any PHI from the premises of the Covered Component.

Special Rules for Access to Records of Decedents for Research Purposes:

A Covered Component may permit access to PHI for research if the Covered Component’s HIPAA Contact receives from the researcher:

  • a representation that the use or disclosure sought is solely for research on the PHI of decedents;
  • documentation, at the request of the Covered Component, of the death of such individuals; and
  • a representation that the PHI sought is necessary for the research.

Covered Components may accept such a statement from a researcher if it has been reviewed and approved by the IRB.

Research Data Repositories Containing PHI

Creating Data Repository from PHI:  If a Covered Component wishes to create a repository of information from clinical records for a specific study or potential future research, the creation must be approved by the IRB and by the BU HIPAA Privacy Officer.  This will ensure that patients properly authorize the inclusion of their information in the database, or that a waiver has been approved.  If the repository contains only a Limited Data Set, its use can be governed by a simple Data Use Agreement, which

Using the PHI in an approved Data Repository:

Use of data in a repository must be separately approved by the IRB for each study.

5.6 Students and Observers


Students enrolled in one of BU’s health schools who participate in patient care within a Covered Component as part of their training are part of that Covered Component’s Workforce.  However, there are restrictions on their use of PHI in their education, and on faculty use of patient PHI in education.

PHI, including excerpts from the patient medical record, images, and factual summaries, may be used for educating students only as follows:

  • If the PHI is fully de-identified by absence of the 18 identifiers (see Policy 1, HIPAA Basics, Section 1.4: De-Identified PHI), it can be used without an Authorization. For example:
    • a faculty member or student may use an x-ray image if all identifying information is redacted, as the image itself does not identify the individual;
    • A faculty member or student may describe the health condition of a specific patient who suffered complications following standard treatment if the minimum necessary rule is followed, and the information is de-identified.
  • All other uses of PHI in education require a signed Authorization.

Students who do not participate in patient care are not part of the Covered Component Workforce.  See next section on Shadowing.

Shadowing, Observers

Covered Components that choose to allow students and others to “shadow” patient care as Observers must document a procedure for approving the shadowing as part of the Covered Component’s education mission (e.g., prospective students) or health care operations (e.g., a prospective faculty member or employee allowed to shadow as part of the recruiting process).

If allowed, the following safeguards must be in place:

  • Patients must be told who the person shadowing is and given an opportunity to object to their presence. If a patient objects, the Observer must leave the patient’s area;
  • Observers may not interfere with patient care;
  • Observers may not participate in any way in patient care; and
  • Observers must sign an attestation in advance of the shadowing experience confirming their health status, as required by the Covered Component, and their understanding of the confidentiality of all patient care information. Observers are not members of the Workforce and are not required to complete HIPAA training.

An Observer form is available at

5.7 Using PHI in Publishing

Publishing case reports and articles in professional journals is an important part of the educational mission of the University. Faculty, residents and students in BU Covered Components may wish to write about the diagnosis, treatment, response to treatment, and follow-up after treatment of one or more individual patients (“Articles”). The usual rules apply:

  • If the case report uses only de-identified data (see Section 1.4: De-identified PHI) then it is permissible under HIPAA to use the information for the case report without the patient’s Authorization.
  • If some of the 18 identifiers remain in the Article, it would not meet the above standard for De-identification. There is an alternate method of de-identification:  if the author does not wish to obtain an Authorization and believes the information in the case note cannot be used to identify any individual, s/he may contact the BU HIPAA Privacy Officer, who will review the matter and may obtain an expert opinion on De-identification.  Send the case note or article to for review.
  • If the information used is not de-identified in one of the ways described above, the author will be required to obtain a signed HIPAA authorization from the patients (or their legally authorized representatives) for the use and disclosure of their PHI in the Case Note.

Please always consider obtaining patient authorization for the use of the PHI, given reports in the press of patients who have been upset upon recognizing themselves, or upon being recognized by others despite use of only de-identified PHI.

A special-purpose Authorization is available for this purpose at  See also HRRP policies on the IRB’s role in approving case series.