CMS describes HIPAA authorization form
The Centers for Medicare & Medicaid Services (CMS) offers a preview of a privacy authorization form that includes the core elements and necessary statements required in the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
CMS is developing a standard authorization form for Medicare beneficiaries to use to authorize CMS to release personal health information to a third party. Although the form will not be available for several months, the program memorandum offers a guide to the elements necessary for a valid privacy authorization. The core elements of a valid authorization must contain at least the following elements:
- Description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
- Name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
- Name or other specific identification of the person(s) or class of persons, to whom the covered entity may make the requested use or disclosure.
- Description of each purpose of the requested use or disclosure. The statement, "at the request of the individual" is a sufficient description of the purpose when the beneficiary initiates the authorization and does not, or elects not to, provide a statement of the purpose.
- Expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
- Signature of the individual and date. If a personal representative of the individual signs the authorization, a description of such representative’s authority to act for the individual also must be provided. Although the HIPAA Privacy Rule only requires a description of the representative’s authority to act for the individual, CMS is requiring that documentation showing their authority, such as a power of attorney, be attached to the authorization.
The memorandum also includes examples of wording that may be used to place an individual on notice that he or she can revoke the authorization and the process that must be followed to revoke authorization.