Section 6: Patient Authorization – Uses and Disclosures of PHI
Authorization: An “authorization” allows for the Use and Disclosure of PHI for purposes other than Treatment, Payment, and health care Operations (TPO).
Medical Record Administrator (MRA): The person appointed as the Callier Center record custodian responsible for the Medical Records Department and responsible for the maintenance, retention, access, data integrity, and data quality of PHI; including protecting patient privacy and providing information security, other duties related to access and review of PHI and complying with standards and regulations regarding PHI under the direction of the HIPAA Privacy Officer. For purposes of this policy, the MRA may also refer to individuals who have been officially designated to act in the place of the MRA.
Authorized Health Care Providers: The Workforce members charged with providing care and directing the provision of care to the Center’s patients.
Official Medical Record (OMR): The Callier Center medical record maintained by the Center that constitutes all significant medical/clinical information pertaining to a patient. Portions of the OMR may be housed at either Callier Center location until becoming scanned and filed in the electronic medical records system. The OMR has a permanent retention schedule. The OMR constitutes the Center’s Designated Record Set.
Shadow Records or Shadow Medical Records (Shadow MR): The medical record maintained by an authorized Workforce member, other than the Medical Records Department, that includes patient care information also included in the OMR. These records may be used for teaching purposes. Shadow MR information does not contain any pertinent patient care information that cannot be found in the OMR. A Shadow MR is considered a convenience copy and is destroyed as soon as it is no longer needed. The Shadow MR is sometimes referred to as Case Management Records.
General Rules of Authorizations: In order to Use and Disclose PHI one of the following circumstances must exist:
- The Center requires a valid authorization to disclose PHI unless a specific exception provided by this HIPAA Privacy Manual or the HIPAA Privacy Rule permits such action.
- A patient or a patient’s personal representative seeking access to the patient’s own PHI is not required to use an authorization. The process the patient or representative should use is described in this Manual Section 13 Releases and Disclosures Requiring No Authorization. (Note: Patients may also direct the Center to provide the requested records to a third party using the process described in section 13.)
- The MRA is authorized to disclose PHI to all third parties including UT Dallas faculty and staff that are not recognized as members of the Center workforce and any individual seeking access to PHI for research purposes. Providers and staff should direct all persons requesting access to PHI to the MRA. No disclosures shall be made from Shadow Records.
The MRA is responsible for:
- reviewing and determining the validity of all authorizations, in consultation with, as necessary, the HIPAA Privacy Office and legal counsel;
- releasing PHI in a matter that is consistent with any directives contained in the authorization;
- documenting each disclosure and retain all authorizations received;
- providing the patient with a copy of the authorization.
To be valid an authorization must:
- be written in plain language,
- specifically describe the information to be used or disclosed,
- identify the person or class of persons, authorized to make the requested use or disclosure,
- describe the person or class of persons, to whom the disclosure may be made,
- state the purpose of the disclosure,
- contain an expiration date or event and be signed by the individual or the individual’s personal representative authorizing the disclosure date signed. If signed by personal representative, a description of the representative’s authority to sign on behalf of the individual is required.
- contain the date on which it was signed,
- include a statement the patient has the right to revoke the authorization in writing and how to revoke the authorization,
- include a statement that once information is disclosed pursuant to a valid authorization, it may no longer be protected by federal privacy rules.
If the MRA has any questions or concerns regarding the validity of an authorization, the MRA shall consult with the HIPAA Privacy Officer and/or University legal counsel prior to taking any action in response to the authorization.
Callier Center authorized healthcare providers may release PHI for urgent treatment situations. The providers are required to complete the Disclosure Log Form and turn in the completed disclosure log to Medical Records.
To be invalid an authorization must include:
- an expiration date or event that has passed or already occurred,
- one or more missing items of content described,
- an authorization that has been revoked,
- an authorization that violates a Privacy Rule standard on conditioning or compound authorizations,
- material information in the authorization that is known to be false.
Revocation of Authorization: An Individual shall have the right to revoke his or her Authorization at any time, provided that the Individual’s revocation is in writing. The revocation is effective upon its receipt by the Privacy Officer. A form, Revocation of Authorization, a copy of which is contained in the Appendix to this Manual, may be used by the Individual.
Revocation of Authorization Form: When the Privacy Officer receives an Individual’s written revocation the Privacy Officer shall notify applicable parties of the revocation of authorization and document the revocation or information concerning the revocation received by the person obtaining the authorization. UT Dallas shall stop Using and Disclosing the Individual’s PHI in reliance on the Authorization, except to the extent UT Dallas has already acted in reliance on the Authorization. If UT Dallas has not yet Used or Disclosed the PHI, it shall refrain from doing so, pursuant to the revocation. If UT Dallas has already disclosed the information, UT Dallas need not retrieve the information.
Authorizations and Psychotherapy Notes: For specific rules governing refer to policy; Section 14 Use and Disclosure of Psychotherapy Notes.
Authorizations for Marketing and Fundraising Purposes: For specific rules governing the use and disclosure of PHI for marketing and fundraising purposes, Use and Disclosure of PHI for Marketing Purposes or Use and Disclosure of PHI for Fundraising see Section 7 Fundraising and Section 8 Marketing.
Research Authorization: For specific rules governing the use and disclosure of PHI for research purposes, see Section 15 Research Use and Disclosure of PHI.
Conditioning of Authorizations: The Callier Center shall never require a patient to sign an authorization in order to receive treatment, except the Center may condition the provision of “research related” treatment on provision of an authorization. The Center may condition the provision of health care that is solely for the purpose of creating PHI for disclosure to a third party on receipt of an authorization.
Revocation of Authorizations: For specific rules governing the Revocation of Authorizations, Revocation of Consent to Use or Disclose PHI and Revocation of Authorization to Release PHI see Revocation of Authorizations.
Surrogate Decision Makers, Minors, and Deceased Individuals: For information regarding who the proper person is to sign authorizations for the release of information about incapacitated individuals, minors, and deceased individuals, see Valid Authorizations.
Enforcement: All supervisors are responsible for enforcing this policy. Individuals who violate this policy will be subject to the appropriate and applicable disciplinary process, up to and including termination or dismissal of employment.
HIPAA Regulatory Citations: 45 CFR § 164.508, § 164.512
Reviewed: 03/16/2021, 08/15/2018, 06/09/2015
Donise W. Pearson, HIPAA Privacy Officer
UT Dallas Callier Center