HIPAA Authorization

Requirements for Written Authorization under the HIPAA Privacy Rule

The HIPAA Privacy Rule requires written authorization for use or disclosure of private health information (PHI) for the purposes of research. If no PHI is used (e.g. obtained from the medical record), or research participants do not provide any information related to their past, present or future physical or mental health or condition, provision of health care to them or payments for the provision of health care, HIPAA may not apply to the study.
When the Authorization is combined with the consent document, the IRB must review and approve the combined document. When a stand-alone authorization is used, the responsibility falls on the investigator. The IRB's responsibilities related to HIPAA are described in more detail in the IRB's Role in HIPAA.

A valid authorization must contain the six core elements and must include the three required statements unless the IRB has approved a waiver or alteration of one or more of these elements. See Waiver or Alteration of HIPAA for more detail.

The Authorization Core elements and Required Statements that are mandated by HIPAA are enumerated in 45 CFR 164.508.

Authorization Core Elements - 45 CFR 164.508(c)(1)

  • Description of Private Health Information: (i) Description of PHI to be used or disclosed that identifies the information in a specific and meaningful manner;
  • Who May Use or Disclose PHI: (ii) The name(s) or other specific identification of person(s) or class of persons authorized to make the requested use or disclosure;
  • Person Who May Receive and Use PHI: (iii) The name(s) or other specific identification of the person(s) or class of persons who may use the PHI or to whom the covered entity may make the requested disclosure;
  • Purpose of Each Use or Disclosure: (iv) Description of each purpose of the requested use or disclosure. Researchers should note that this element must be specific to the research study, not for future unspecified research;
  • Expiration Date: (v) Authorization expiration date or event that relates to the individual or to the purpose of the use or disclosure. The terms "end of the research study" or "none" may be used for research, including for the creation and maintenance of a research database or repository;
  • Signature: (vi) Signature of the individual and date. If the Authorization is signed by an individual's personal representative, a description of the representative's authority to act for the individual.

Authorization Required Statements - 45 CFR 164.508(c)(2)

  • Right to Revoke Authorization: (i) The individual's right to revoke his/her Authorization in writing and either (A) the exceptions to the right to revoke and a description of how the individual may revoke his/her Authorization or (B) reference to the corresponding section(s) of the covered entity's Notice of Privacy Practices.
  • Inability to Condition Treatment: (ii) Notice of the covered entity's ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the Authorization, including research-related treatment, and if applicable, the consequences of refusing to sign the Authorization.
  • Potential for Redisclosure: (iii) The potential for the PHI to be re-disclosed by the recipient and no longer protected by the Privacy Rule. This statement does not require an analysis of the risk of re-disclosure but may be a general statement that the Privacy Rule may no longer protect the health information.

Revoking Authorization

A research subject may revoke his/her Authorization at any time. The IRB has a template HIPAA Withdrawal of Authorization Letter available for investigators and subjects to complete.

  • The covered entity may continue to use and disclose PHI that was obtained before the individual revoked his/her Authorization.
  • This permits the covered entity and the researchers to protect the integrity of the research.
  • Withdrawal of Authorization stops the collection and use of information in the future but does not mean that the data collected to date must be disposed of.

Electronic Signatures under the HIPAA Privacy Rule

The Standards for Privacy Authorization published in the Federal Register Dec 28, 2000, permit email and electronic signatures.

From page 82518:

Seventh, the authorization must include the individual's signature and the date of the signature. Once we adopt the standards for electronic signature, another of the required administrative simplification standards we are required to adopt under HIPAA, an electronic signature that meets those standards will be sufficient under this rule. We do not require verification of the individual's identity or authentication of the individual's signature.

From page 82660:

Comment - Many commenters requested clarification that covered entities may rely on electronic authorizations, including electronic signatures.

Response - All authorizations must be in writing and signed. We intend e-mail and electronic documents to qualify as written documents. Electronic signatures are sufficient, provided they meet standards to be adopted under HIPAA. In addition, we do not intend to interfere with the application of the Electronic Signature in Global and National Commerce Act.

Electronic Signature Standards

The Electronic Signatures in Global and National Commerce Act (E-SIGN), Public Law 106-229, June 30, 2000, establishes the standards for electronic signatures.

Sec. 106 Definitions:

(5) ELECTRONIC SIGNATURE. - The term "electronic signature" means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.