Use of Authorizations

Op10.03-9 Use of Authorizations

Applies to the Administrative Requirements of the Health Insurance Portability and Accountability Act of 1996. 45 CFR Section 164.508


Authorizations are required for the use and disclosure of Protected Health Information ("PHI") for purposes other than the permitted uses and disclosures specified in the Privacy Rule.


  • The Employee Benefit Plan is not required to obtain an authorization from the participant to:
  • Use or disclose PHI for the Employee Benefit Plan's payment or Health Care Operations;
  • Disclose PHI to a Health Care Provider for the participant's treatment;
  • Disclose PHI to another Covered Entity or a Health Care Provider for that entity's payment activities;
  • Disclose PHI to another Covered Entity for that entity's Health Care Operations if both entities have or had a relationship with the participant whose PHI is being requested, the PHI pertains to the current or former relationship, and the purpose of the disclosure is for:
  • A Health Care Operations activity for which the Privacy Rule states an authorization is not required; or
  • Detection of health care fraud and abuse or compliance with health care fraud and abuse laws.
  • Use or disclose PHI as specifically permitted by the Privacy Rule pursuant to an exception.
  • When authorization is needed, the participant is provided with a copy of the authorization form and asked to sign it.
  • Signing the authorization form is voluntary and the participant may refuse to sign it.
  • A copy of the signed authorization is provided to the participant.
  • The participant may revoke the authorization, in writing, at any time, however, the revocation cannot be retroactive.
  • The permissions granted in the authorization are not acted upon if the authorization has been revoked or if it has expired.
  • The authorization is documented and retained for a period of six (6) years after it was created or expired, whichever date is later.

Effective Date: April 14, 2003