Effective Date: April 10, 2017

HIPAA Policies for BU Health Plans: Policy 5, Authorizations

Responsible Office: Research Compliance

This Policy 5 is part of the HIPAA Policies for BU Health Plans Manual – Privacy and Security of Protected Health Information for BU Health Plans.

5.1 General Rules on Authorization

Authorization for Uses and Disclosures of PHI
Authorizations are required for the Use and Disclosure of PHI for purposes other than the permitted Uses and Disclosures specified in the HIPAA privacy regulation and in these policies.

Employees within the workforce firewall will obtain the Individual’s permission prior to using or disclosing PHI when it is used for any purpose other than those described above as Routine or Non-Routine Uses and Disclosures.

When an employee within the workforce firewall receives a properly authorized request for the release of PHI, he/she will adhere to the terms of the Authorization. Employees within the firewall will document and retain any signed Authorizations.


  • Signing an Authorization form is voluntary and the Individual may refuse to sign it;
  • The Individual may revoke the Authorization, in writing, at any time;
  • The permissions granted in the Authorization should not be acted upon if the Authorization has been revoked or if it has expired; and
  • The Authorization will be retained for a period of six years after it was created or expired, whichever date is later.

Employees within the workforce firewall do not need to obtain an Authorization from the Individual to:

  • Disclose PHI to a Health Care Provider for the Individual’s Treatment;
  • Disclose PHI to another Covered Entity or a Health Care Provider for that entity’s Payment activities; or
  • Disclose PHI to another Covered Entity for that entity’s Health Care Operations if both entities have or had a relationship with the Individual whose PHI is being requested, the PHI pertains to the current or former relationship, and the purpose of the Disclosure is for:
    • A Health Care Operations activity for which the HIPAA Privacy requirement states an Authorization is not required;
    • Detection of Health Care fraud and abuse or compliance with health care fraud and abuse laws; and/or
    • A Use or Disclosure of PHI specifically permitted by the HIPAA Privacy regulation pursuant to an exception.

Employees within the firewall will honor revocations made in writing. Authorizations acquired by Business Associates will need to be revoked via the Business Associate and not by BU.

When an Authorization is Required
If a use or disclosure of PHI does not fall into one of the circumstances described above in these policies as being permissible without the patient’s Authorization, then the Individual must authorize the use or disclosure by signing an Authorization.

BU’s Authorization Form
The BU Health Plans have an Authorization form approved by the BU HIPAA Privacy Officer which contains the elements required by HIPAA. No changes should be made to the approved form without the approval of the BU HIPAA Privacy Officer.

Other Entities’ Authorization Forms
BU Health Plans may accept and comply with authorizations on BU’s standard form, if sufficient information is provided. If the BU Health Plans receive an Authorization that is on a form other than the standard BU Authorization, BU Health Plans may accept the Authorization if it contains the same elements as BU’s Authorization and is consistent with this Policy. Questions about the validity of an Authorization can be directed to the BU HIPAA Privacy Officer for guidance.

Using the Authorization Form
Below are instructions on the use of the Authorization form. Any questions about whether an Authorization form is needed or about using the form should be directed to the BU HIPAA Privacy Officer.
When completing the Authorization or reviewing Authorizations, please keep the following in mind:

  • The information to be used or disclosed must be identified with enough specificity to allow the BU Health Plans to comply.
  • The name or other specific identification of the person or entity to whom the information should be disclosed must be provided (e.g., “send a complete copy of my records dated 1/1/2016-7/1/2016 to Dr. Smith at [address]”; or “to Boston Medical Center”).
  • A description of the reason for the use or disclosure must be provided (e.g., “at the request of the individual,” “for follow up care” or “for personal use”).
  • An expiration date or an expiration event must be provided (e.g., “this Authorization expires in six months;” “12/31/2016;” or “at the end of the research study”).
  • The individual whose PHI is to be used or disclosed must sign and date the Authorization. If someone other than the individual is authorized to sign, that person’s capacity should be noted (e.g., “Guardian” or “Mother of minor child”).
  • The BU Health Plans are responsible for maintaining signed Authorizations for six (6) years.
  • The Minimum Necessary Rule does not apply to disclosures based on Authorization. Rather, the BU Health Plans should disclose the documents requested in the Authorization.
Defective Authorizations
Authorizations are considered defective and invalid if any material information in the Authorization is known to the BU Health Plans to be false or if any of the following other defects exist:

  • The expiration date has passed or the expiration event is known by the BU Health Plans to have occurred;
  • The Authorization has not been filled out correctly or completely;
  • The Authorization is known by the BU Health Plans to have been revoked; or
  • The Authorization violates the prohibition on conditioning of Authorizations, as described immediately below.

Questions should be directed to the BU HIPAA Privacy Officer.

Prohibition on Conditioning of Authorizations
The BU Health Plans may not condition the provision of treatment, plan participation or payment of benefits on the individual’s signing an Authorization.

Genetic Information
BU Health Plans have no genetic information about Participants.

Revocation of an Authorization
Individuals may revoke their signed Authorizations to use or disclose PHI at any time by providing a written notice of revocation to the BU Health Plans. When an individual revokes his/her Authorization, the BU Health Plans may no longer rely on the revoked Authorization. However, the revocation does not affect disclosures that were made pursuant to the Authorization prior to receiving the revocation.

Release of Information Practices
Each BU Health Plan will adopt procedures for release of information.

5.2 Authorization by Parents, Guardians and Minors

General rules

  1. Adults age eighteen (18) and older generally make their own decisions on their rights under HIPAA, and sign their own Authorizations.
  2. Persons under the age of 18 are minors.  Generally, a parent of the minor makes decisions for the child, and signs the child’s Authorization.  The parent should note his/her capacity, e.g., “mother/father/parent” on the Authorization.

The exceptions to both of these rules are described below.

Minors and their Parents
The BU Health Plans may assume either parent of a child under age 18 is authorized to sign Authorizations for the child, unless they have knowledge of a court order that has limited or taken away a parent’s authority.  When the parents are divorced, the fact that one parent has full custody does not mean that the other parent’s authority has been limited; a court order would state any such restriction.

If a BU Health Plan has reason to believe a parent who wishes to make decisions for, and sign Authorizations on behalf of, a minor child is not authorized to do so, the BU Health Plan should request a copy of the court order restricting a parent’s rights and/or specifying who may make decisions regarding the minor’s health care and who may sign Authorizations for the child.  Questions may be directed to the BU HIPAA Privacy Officer or the Office of the General Counsel.

Verification Requirements when Releasing Records
The BU Health Plans are responsible for verifying the identity of the person requesting PHI and the authority of such person to have access to the PHI or to authorize its disclosure.

Employees within the firewall will verify the identity of a person requesting PHI or ePHI and the authority of any person to have access to PHI or ePHI, if the identity or authority of the person is not known.

A Participant’s personal information, collected during enrollment, can be used to establish identity, especially for verbal or electronic inquiries.  For example, an employee within the firewall may ask for the social security number or employee number of Individuals seeking information or assistance by telephone.

A form of photo identification such as a driver’s license or certain personal information such as date of birth may also be used to verify the identity of the Individual.

Employees within the firewall will obtain any documentation, statements, or representations, whether oral or written, from the person requesting PHI when it is a condition of the Disclosure. This applies to all Disclosures of PHI, including Treatment, Payment and Health Care Operations, where the identity of the recipient is not known.

Employees within the firewall may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the Disclosure of PHI is to a public official or a person acting on behalf of the public official:

  • If the request is made in person, presentation of an agency identification badge, or other official credentials, or other proof of government status;
  • If the request is in writing, the request is on appropriate government letterhead; or
  • If the Disclosure is made to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government’s authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.

If the person requesting records or presenting an Authorization is not a public official and is not known to the BU Health Plans, the BU Health Plans must make reasonable efforts to verify the person’s identity and authority.  Following are common ways of verifying:

  • Check the requesting party’s picture identification;
  • Verify that the address to which the records are requested to be sent is the address of record of the individual; and/or
  • Obtain a copy of a court appointment or other document that authorizes access to the PHI under law (such as a letter on letterhead from the Department of Public Health authorizing the disclosure).

The BU Health Plans may reasonably rely on documents presented that appear to be legitimate on their face.  Any questions regarding a person’s authority to obtain PHI should be directed to the BU HIPAA Privacy Officer.

5.3 Authorization by a Legally Authorized Representative of an Adult

If an adult is not competent to make his/her own decisions, a Legally Authorized Representative may exercise the patient’s rights and sign Authorizations on behalf of the patient.

Legally Authorized Representatives may hold a variety of titles, including Personal Representative, Guardian, Conservator, Substitute Decision Maker, Health Care Agent, and others; for simplicity, the term Legally Authorized Representative is used in these policies. When a Legally Authorized Representative (by whatever title) signs an Authorization on behalf of the patient, the BU Health Plans must verify the authority of the Legally Authorized Representative, typically by obtaining the court order, administrative tribunal order, or appointment document. Legally Authorized Representatives usually have these documents readily available. Any questions about the authority of a Legally Authorized Representative should be directed to the BU HIPAA Privacy Officer or Office of the General Counsel.

Appointment of Health Care Agent
If the adult has appointed a health care agent in accordance with Massachusetts law and the adult has been found incapacitated and incapable of making or communicating health care decisions by a physician, Authorizations must be handled as follows:

a. Obtain the Authorization from the then current health care agent, not from the patient.
b. A copy of the health care proxy form listing the agent’s name must accompany the request and be filed with the Authorization and request for PHI.
c. If multiple parties have been named as agent, obtain Authorization from all parties. If, however, the proxy lists “Party A” OR “Party B,” the Authorization of either is sufficient.
d. The BU Health Plans must observe the terms of the appointment. If the individual regains mental capacity, the health care proxy is rendered ineffective, and the health care agent’s signature on an Authorization no longer suffices. Instead, the individual must then sign the Authorization.
e. Take care not to disclose PHI based on the Authorization of the health care agent if you have no corroborating evidence that the individual has been declared incapacitated by a physician as required by Massachusetts law.

Contact the HIPAA Privacy Officer or Office of the General Counsel with any questions.

5.4 Authorization on Behalf of a Deceased Individual

PHI of deceased individuals remains protected under HIPAA for 50 years following the date of death.

Who can authorize a release of the records of the deceased individual?
If the individual is deceased, the BU Health Plans must obtain the Authorization from the court-appointed administrator or executor of the decedent’s estate. If the BU Health Plans are unable to obtain the court order naming the administrator or executor, or if an administrator or executor has not been appointed, contact the BU HIPAA Privacy Officer or the Office of the General Counsel.

Family and Friends Rights to Records
A deceased patient’s surviving spouse, children, family members, friends and others are not authorized to request and receive the deceased patient’s PHI simply by virtue of the family relationship. In some circumstances, if a family member (or friend) was involved with an individual’s health plan payment affairs during his/her life, it may be possible to release the individual’s records upon Authorization by that person; if this arises, please contact the BU HIPAA Privacy Officer or the Office of the General Counsel.

The BU Health Plans should receive a court order nominating the person as a Personal Representative or Executor of the deceased patient’s estate before releasing records of a deceased person.

Disclosing Records of Deceased Individual for Research Purposes
Please see the next Section, 5.5, Accessing and Using PHI for Research.

5.5 Accessing and Using PHI for Research: Authorizations and Waivers

Research is not one of the purposes for which PHI may be used without patient Authorization (Treatment, Payment or Health Care Operations; see Policies 3.4, 3.5 and 3.6), and so BU Health Plans may not allow access to their PHI for research purposes unless the researcher (whether affiliated with the BU Health Plans or external) has obtained and presented to the BU Health Plans HIPAA Contact:

(i) Institutional Review Board (IRB) approval, and
(ii) either Authorizations signed by each patient whose information is requested, or
(iii) a Waiver of Patient Authorization, or,
(iv) in the case of Activities Preparatory to Research, an acceptable attestation.

In order for BU Health Plans to determine whether it is permissible to release PHI to a researcher, the HIPAA Contact must determine the following:

Is the activity for which PHI is requested “research” under HIPAA? If so, is the researcher authorized to receive the PHI requested?

What is Research under HIPAA?
HIPAA defines “research” as an activity intended to lead to generalizable knowledge.

Quality assurance activities conducted by the BU Health Plans solely for their internal purposes (e.g., to assess or improve the quality of care provided to patients/clients) are not “research” but instead fall within “operations” and are generally permissible; the rules for using PHI in research will not apply. See Policy 5.4 above.

Conditions under Which BU Health Plans may allow access to PHI for research purposes
The BU Health Plans may permit access to PHI for research if an Authorization for such access has been received from the individual or individual’s representative.

IRB Waiver of Authorization:
The BU Health Plans may permit access to PHI for research without Authorization, if a Waiver of Authorization has been obtained from an IRB.  A form is available for this purpose.

Special Rules for Activities Preparatory to Research:
Researchers often need to access PHI in order to get sufficient information to design a study, evaluate the feasibility of a study, or otherwise prepare for research.  Typically this takes place in advance of presenting the study to the IRB, or seeking financial support for the study.  Researchers may not access any PHI for these purposes unless:  (i) the patients have explicitly authorized such activities, e.g., in an authorization signed to allow the creation of a data repository; or (ii) the researcher completes a Waiver Preparatory to Research form, attesting to certain security and privacy measures, such as:

(a) the researcher seeks the PHI solely to prepare a research protocol or for similar purposes preparatory to research;
(b) the researcher will access only the PHI necessary for this purpose; or
(c) the researcher will not remove any PHI from the premises of the BU Health Plans.

Special Rules for Access to Records of Decedents for Research Purposes:
BU Health Plans may permit access to PHI for research if the BU Health Plans’ HIPAA Contact receives from the researcher:

  • a representation that the use or disclosure sought is solely for research on the PHI of decedents;
  • documentation, at the request of the BU Health Plans, of the death of such individuals; and
  • a representation that the PHI for which use or disclosure is sought is necessary for the research.

BU Health Plans may accept such a statement from a researcher if it has been reviewed and approved by the IRB.

Research Data Repositories Containing PHI

Creating Data Repository from PHI:
If a BU Health Plan wishes to create a repository of information for specific or potential future research, the creation must be approved by the IRB and by the BU HIPAA Privacy Officer.  This will ensure that patients properly authorize the inclusion of their information in the database, or that a waiver has been approved.

Using the PHI in an approved Data Repository:
Use of data in a repository for research purposes must be separately approved by the IRB.