Standard for HIPAA Authorization

Purpose

When Protected Health Information (PHI) is to be used or disclosed for purposes other than treatment, payment, or health care operations, OU will use and disclose such PHI only pursuant to a valid, written authorization, unless such use or disclosure is otherwise permitted or required by law. Use or disclosure pursuant to an authorization will be consistent with the terms of such authorization.

Scope

This standard will apply to all Ohio University operating units that store, process, or transmit PHI.

Standard

  1. Exceptions to Authorization Requirements: PHI may be disclosed without an authorization if the disclosure is:
    1. Requested by the individual or their personal representative;
    2. For the purpose of treatment;
    3. For the purpose of Ohio University’s payment activities, or the payment activities of the entity receiving the PHI;
    4. For the purpose of Ohio University’s health care operations;
    5. In limited circumstances, for the health care operations of another covered entity, if the other covered entity has or had a relationship with the individual;
    6. To the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the HIPAA privacy regulations; or
    7. Required by other state or federal law. See Standard for HIPAA Uses and Disclosures for other exceptions.
  2. Use or Disclosure Pursuant to an Authorization:
    1. When Ohio University receives a request for disclosure of PHI, the unit’s HIPAA Compliance Coordinator shall determine whether an authorization is required prior to disclosing the PHI.
      1. The unit’s HIPAA Compliance Coordinator is responsible for consulting with the University HIPAA Privacy Officer as necessary.
    2. PHI may never be used or disclosed in the absence of a valid written authorization if the use or disclosure is:
      1. Of psychotherapy notes as defined by the HIPAA privacy regulations;
      2. For marketing, except if the communication is in the form of a face-to-face communication made by Ohio University to an individual, or a promotional gift of nominal value provided by Ohio University;
      3. For sale of PHI.
    3. If the use or disclosure requires a written authorization, Ohio University shall not use or disclose the PHI unless the request for disclosure is accompanied by a valid authorization.
    4. If the request for disclosure is not accompanied by a written authorization, the unit’s HIPAA Compliance Coordinator shall notify the requestor that it is unable to provide the PHI requested. The unit’s HIPAA Compliance Coordinator will supply the requestor with an Authorization for Disclosure of Medical Information (“Authorization”) form.
    5. If the request for disclosure is accompanied by a written authorization, the unit’s HIPAA Compliance Coordinator will review the authorization to assure that it is valid.
      1. The unit’s HIPAA Compliance Coordinator is responsible for consulting with the University HIPAA Privacy Officer as necessary.
    6. If the authorization is lacking a required element or does not otherwise satisfy the HIPAA requirements, the unit’s HIPAA Compliance Coordinator will notify the requestor, in writing, of the deficiencies in the authorization. No PHI will be disclosed unless and until a valid authorization is received.
    7. If the authorization is valid, the unit’s HIPAA Compliance Coordinator will disclose the requested PHI to the requestor. Only the PHI specified in the authorization will be disclosed.
    8. Each authorization shall be filed in the individual’s medical record.
  3. Preparing an Authorization for Use or Disclosure:
    1. When Ohio University is using or disclosing PHI, and an authorization is required for the use or disclosure, Ohio University will not use or disclose the PHI without a valid written authorization from the individual or the individual’s personal representative.
    2. The authorization form must be fully completed, signed, and dated by the individual or the individual’s personal representative before the PHI is used or disclosed.
    3. Ohio University may not condition the provision of treatment on the receipt of an authorization except in the following limited circumstances:
      1. The provision of research-related treatment; or
      2. The provision of health care that is solely for the purpose of creating PHI for disclosure to a third party (i.e., performing an independent medical examination at the request of an insurer or other third party).
    4. An authorization may not be combined with any other document unless one of the following exceptions applies:
      1. Authorizations to use or disclose PHI for a research study may be combined with any other type of written permission for the same research study, including a consent to participate in such research;
      2. Authorizations to use or disclose psychotherapy notes may only be combined with another authorization related to psychotherapy notes; or
      3. Authorizations to use or disclose PHI other than psychotherapy notes may be combined, but only if Ohio University has not conditioned the provision of treatment or payment upon obtaining the authorization. The prohibition in this paragraph where one authorization conditions the provision of treatment or payment does not apply to a compound authorization created in accordance with paragraph (3)(d)(iii) of these Procedures.
  4. Revoking an Authorization:
    1. The individual may revoke their authorization at any time.
    2. The authorization may be revoked only in writing. If the individual or individual’s personal representative informs Ohio University that they want to revoke the authorization, Ohio University will assist them with the process to revoke in writing.
    3. Upon receipt of a written revocation, the HIPAA Compliance Coordinator will write the effective date of the revocation on the authorization form.
    4. Upon receipt of a written revocation, Ohio University may no longer use or disclose an individual’s PHI pursuant to the authorization.
    5. Each revocation will be filed in the individual’s medical record.

Definitions

  • HIPAA Compliance Coordinator: The individual designated as the point of contact for privacy and security matters and liaison between staff members within a HIPAA Covered Entity Unit and the University HIPAA Privacy and Security Officers.
  • HIPAA Privacy Officer: The individual appointed by Ohio University to be the Privacy Officer as required by the HIPAA Privacy Rule.

References

Governance

This standard will be reviewed and approved by the University HIPAA Steering Committee and other key stakeholders in the interest of ensuring the privacy and security of individuals’ health information, as deemed appropriate based on the current regulatory requirement mandates.

Status: Approved

Effective: September 24, 2019