May a valid authorization list categories of persons who may use or disclose protected health information, without naming specific individuals or entities?
Yes. One authorization form may be used to authorize uses and disclosures by classes or categories of persons or entities, without naming the particular persons or entities. See 45 CFR 64.508 (c)(1)(ii). For example, it would be sufficient if an authorization authorized disclosures by “any health plan, physician, health care professional, hospital, clinic, laboratory, pharmacy, medical facility, or other health care provider that has provided payment, treatment or services to me or on my behalf” or if an authorization authorized disclosures by “all medical sources.” A separate authorization specifically naming each health care provider from whom protected health information may be sought is not required. Similarly, the Rule permits the identification of classes of persons to whom the covered entity is authorized to make a disclosure. See 45 CFR 164.508(c) (1)(iii). Thus, a valid authorization may authorize disclosures to a particular entity, particular person, or class of persons, such
Related Questions
- May a covered entity disclose protected health information specified in an authorization, even if that information was created after the authorization was signed?
- May a valid authorization list categories of persons who may use or disclose protected health information, without naming specific individuals or entities?
- When is authorization to disclose protected health information (PHI) not required for research?
