To use the PHI of an individual one must often obtain an authorization. Authorization and the HIPAA Rule is very specific. The use of PHI for treatment, payment or healthcare operation purposes does not require authorization. In addition if there are specific laws an authorization is not required.
An authorization for disclosure to an attorney’s office, and to a life or disability insurance company is another example.
To disclose medical records when a patient consents to participate in a research project and when they request a transfer of medical records to another medical providers office an entity must obtain authorization.
A request with a court order signed by a judge from a court with jurisdiction will not require authorization. To report an infectious disease according to state law does not require authorization. To disclose PHI for research, if an IRB (Institutional Review Board) grants a waiver of authorization does not require authorization.
State Law is Important
The HIPAA compliant authorization must contain certain elements, but don’t forget to look at state law requirements. There are many states with laws that are more protective of PHI than the Federal HIPAA Rules and they will require additional elements added to the authorization.