Can an individual revoke his or her authorization?
Yes. The Privacy Rule gives individuals the right to revoke, at any time, an authorization they have given. The revocation must be in writing, and is not effective until the covered entity receives it. In addition, a written revocation is not effective with respect to actions a covered entity took in reliance on a valid authorization, or where the authorization was obtained as a condition of obtaining insurance coverage and other law provides the insurer with the right to contest a claim under the policy or the policy itself. The Privacy Rule requires that the authorization must clearly state the individuals right to revoke; and the process for revocation must either be set forth clearly on the authorization itself, or if the covered entity creates the authorization, and its Notice of Privacy Practices contains a clear description of the revocation process, the authorization can refer to the Notice of Privacy Practices. Authorization forms created by or submitted through a third party
