Does the Privacy Rule permit a covered entity to use or disclose protected health information pursuant to an authorization form that was prepared by a third party?
Yes. A covered entity is permitted to use or disclose protected health information pursuant to any authorization that meets the Privacy Rule's requirements at 45 CFR 164.508. The Privacy Rule requires that an authorization contain certain core elements and statements, but does not specify who may draft an authorization (i.e., it could be drafted by any entity) or dictate any particular format for an authorization. Thus, a covered entity may disclose protected health information as specified in a valid authorization that has been created by another covered entity or a third party, such as an insurance company or researcher.