Skip to Main Navigation
Skip to Main Content
The University of Texas at Dallas

HIPAA Privacy Manual

Section 5: Uses and Disclosures of PHI Based on Patient Authorization

Definitions:

Authorization: An "authorization" allows for the use and disclosure of PHI for purposes other than Treatment, Payment, and health care Operations (TPO).

Medical Record Custodian: The person or department responsible for the maintenance, retention, access, data integrity, and data quality of PHI; including protecting patient privacy and providing information security, analyzing clinical data for research and public policy, preparing PHI for accreditation surveys, and complying with standards and regulations regarding PHI.

Referring Physician: The source behind a particular episode of health care. The referring physician may be the consulting physician to whom the primary care physician referred the patient.

Case Management File/ Shadow Medical Record (Shadow MR): The medical record maintained by a specific departments, other than the Medical Records Department, that includes patient care information also included in the Official Medical Record (OMR). This information often includes copies of medical record information also in the Official Medical Record. A Shadow MR does not contain any pertinent patient care information that cannot be found in the Official Medical Record. A Shadow MR is considered a convenience copy and has no record retention schedule.

Official Medical Record (OMR): The UTD medical record maintained by the Medical Records Department that is designed to contain a composite of all significant hospital and clinical information gathered on a given patient. Portions of the OMR may be housed at various locations throughout the UTD system. However, the Medical Records Department maintains a tracking system that cross-references the various locations of the patient’s entire OMR. The OMR has a permanent retention schedule.

Policy

General Rules of Authorizations: In order to use and disclose PHI one of the following circumstances must exist:

  • The patient must have signed a Authorization to Use and Disclose PHI for Treatment, Payment and health care Operations (TPO). An authorization shall be required for release of PHI to all health providers, except for referring physicians. Referring physicians (physicians requesting consults or specialty procedures) will not require an authorization prior to the disclosure of PHI back to the physician that originally referred the patient.
  • The patient must have signed an Authorization to Release PHI for any non-TPO use or disclosure; and
  • PHI may be disclosed without an Authorization if law requires such disclosure.

The Medical Records Department is the custodian of the official medical record and has the sole authority to disclose PHI under this policy. Custodians of any shadow records or case management files must NOT disclose or release any PHI whatsoever. Custodians of any shadow records must direct all persons requesting information requiring an authorization to the Medical Records Department. If official custodians release PHI, which mandates the tracking of disclosures of PHI. All parties requesting the release of PHI from the official medical record must complete a UTD Authorization Form. UTD’s release of PHI must be consistent with the directives found in the authorization. The Medical Records Department must document each disclosure and retain all signed authorizations. The Medical Records will be responsible for retaining the signed authorization form for the disclosures of PHI.

Core Elements of a Valid Authorization: A valid authorization must contain at least the following elements and must be written in plain language:

  1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
  2. The name or other specific identification of the person or class of persons, authorized to make the requested use or disclosure.
  3. The name or other specific identification of the person or class of persons, to whom UTD may make the requested use or disclosure.
  4. Under Texas law, which is more restrictive than the HIPAA privacy regulations, an authorization is valid until the 365th day after the date it is signed unless the authorization provides otherwise or unless it is revoked.
  5. A statement of the individual’s right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization.
  6. A statement that the information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer be protected by the HIPAA Privacy Regulations.
  7. Signature of the individual and the date.
  8. If a surrogate decision maker of the individual signs the authorization, a description of such surrogate decision maker’s authority to act for the individual.

The authorization may contain elements or information in addition to the required elements, provided that such additional elements or information are not inconsistent with the required elements.

Additional Elements Required for Certain Types of Authorizations: If UTD plans to use PHI for purposes other than TPO, an authorization must be obtained from the patient with elements in addition to the core elements stated above. These elements are based on the type of entity receiving the PHI. Authorizations required by UTD for its own uses and disclosures: If an authorization is requested by UTD for its own use or disclosure of PHI that it maintains, UTD must comply with the following requirements in addition to the requirements listed above as core elements and provide a copy of the signed authorization to the individual:

  • A statement that UTD will not condition treatment, payment or enrollment in the health plan, or eligibility for benefits on the individual providing the authorization, unless an exception exists.
    • UTD may condition the provision of research related treatment on provision of an authorization
    • UTD may condition the provision of health care that is solely for the purpose of creating PHI for disclosure to a third party on provision of an authorization for the disclosure of the PHI to such third party; or
    • UTD may condition enrollment and eligibility on the provision of an authorization, but these rules are not included in this policy because those activities are outside the scope of UTD’s operations.
  • A description of each purpose of the requested use or disclosure.
  • A statement that the individual may:
    • Inspect or receive a copy of the PHI to be used or disclosed, and
    • Refuse to sign the authorization
  • If use or disclosure of the requested information will result in direct or indirect remuneration to UTD from a third party, a statement of such remuneration will be required.

Authorization requested by UTD for disclosures by others: If UTD requests an authorization be signed to obtain records from another covered entity for UTD to carry out TPO, UTD must comply with the following requirements in addition to the core elements and provide a copy of the signed authorization to the individual:

  • A description of each purpose of the requested use or disclosure.
  • A statement that UTD will not condition treatment, payment or enrollment in the health plan, or eligibility for benefits on the individual’s providing the authorization, except for an authorization on which payment may be conditioned.
  • A statement that the individual may refuse to sign the authorization.

Defective Authorizations: An authorization is considered defective and invalid if any material information in the authorization is known to be false by UTD or its employees or if any of the following defects exist:

  • The expiration date has passed or the expiration event is known by the covered entity to have occurred;
  • The authorization has not been filled out completely;
  • The authorization is known by the covered entity to have been revoked;
  • The authorization lacks any one of the core elements previously described; or
  • The authorization violates the exception allowing compound authorizations for research purposes.

Authorizations and Psychotherapy Notes: For specific rules governing refer to policy; “Use and Disclosure of Psychotherapy Notes.”

Authorizations for Marketing and Fundraising Purposes: For specific rules governing the use and disclosure of PHI for marketing and fundraising purposes, Use and Disclosure of PHI for Marketing Purposes or Use and Disclosure of PHI for Fundraising.

Research Authorization: For specific rules governing the use and disclosure of PHI for research purposes, see Use and Disclosure of PHI for Research Purposes.

Compound Authorizations: An authorization for use and disclosure of PHI may not be combined with any other document to create a compound authorization, except for the following.

  • An authorization for the use or disclosure of PHI created for research that includes the treatment of the individual may be combined as permitted by the Research Policies.
  • An authorization for the use and disclosure of psychotherapy notes may only be combined with another authorization for use and disclosure of psychotherapy notes.
  • An authorization, other than that for a use and disclosure of psychotherapy notes, may be combined with any other such authorization. Unless UTD has conditioned the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits as prohibited by the section outlining Conditional Authorizations.

Conditioning of Authorizations: UTD may not condition the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits on the provision of an authorization, with the exceptions previously disclosed above in Authorizations required by UTD for its own uses and disclosures.

Revocation of Authorizations: For specific rules governing the Revocation of Authorizations, Revocation of Consent to Use or Disclose PHI and Revocation of Authorization to Release PHI.

Surrogate Decision Makers, Minors, and Deceased Individuals: For information regarding who the proper person is to sign authorizations for the release of information about incapacitated individuals, minors, and deceased individuals, see Surrogate Decision Makers, Minors, and Deceased Individuals.

Enforcement: All supervisors are responsible for enforcing this policy. Individuals who violate this policy will be subject to the appropriate and applicable disciplinary process, up to and including termination or dismissal.