HIPAA Policy-03

Scope

This policy applies to the workforce members in the designated Indiana University (IU) HIPAA Covered Healthcare Components and Critical Health Data Areas, anyone rendering services as a Business Associate, and anyone who creates, receives, maintains, or transmits Protected Health Information (PHI) in any capacity at IU, including, but not limited to, faculty, staff, students, trainees, volunteers, visiting scholars, and third-party agents. For the purposes of this policy, all the above will be referred to as workforce members.

Policy Statement

Workforce members shall obtain a valid, signed authorization from an individual prior to using or disclosing the individual’s PHI, unless the use or disclosure is otherwise permitted or required by federal and/or state law.

A. General Authorizations

Except as otherwise permitted or required by HIPAA, workforce members may not use or disclose PHI without a valid authorization.

When an IU Critical Health Data Area obtains or receives a valid Authorization for use or disclosure of PHI, such use or disclosure shall be consistent with such authorization.

B. Psychotherapy Notes

1. Psychotherapy Notes may not be disclosed without first obtaining the patient’s authorization except under specific circumstances, including:
   1. To carry out the following treatment, payment, or health care operations:
   2. Use by the originator of the psychotherapy notes for treatment;
   3. Use or disclosure by the covered entity for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or
   4. Use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual; and
   5. A use or disclosure that is required or permitted by law.
      
      
2. The HIPAA Privacy Rule defines psychotherapy notes as notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. (45 C.F.R. § 164.501)

C. Marketing

1. Notwithstanding any other provision of HIPAA, IU Critical Health Data Areas shall obtain an Authorization for any use or disclosure of PHI for all communications, whether for “treatment” or “health care operations” purposes, where the IU Critical Health Data Area receives payment (direct or indirect) for making the communication from a third party whose product or service is being marketed. Unless the communication is:
   1. A refill reminder or other communications that are about a drug or biologic that is currently being prescribed for the individual;
   2. A face-to-face communication made by the IU Critical Health Data Area to the Individual; or
   3. A promotional gift of nominal value provided by the IU Critical Health Data Area.
      
      
2. If the IU Critical Health Data Area will be paid by a third party for the marketing activity the Authorization must include a statement the marketing involves payment by a third party.
   
   
3. The following communications are exempt from the marketing requirements:
   1. Communications promoting health in general, which do not promote a product or service from a particular provider; and
   2. Communications about government and government-sponsored programs, such as Medicare, Medicaid, or the State Children’s Health Insurance Program.

D. Research

The HIPAA Privacy Rule states a covered entity is permitted to use and disclose PHI for research with an individual authorization or without individual authorization under limited circumstances set forth in the Privacy Rule (e.g. waiver of authorization to release PHI for research purposes).  Authorization for use and disclosures of PHI in research is covered in the Human Research Protections Program Policy Use of Protected Health Information (PHI) in Research.

E. Authorizations by Minors

1. In situations where the parent or guardian of a minor has the authority to act on behalf of the minor as the minor’s parent/legal guardian, and an Authorization to use or disclose the minor’s PHI is required, the Authorization may be signed by the minor’s legally authorized representative.
   
   
2. If the minor has the authority to act on their own behalf in receiving health care services, then the minor must sign their own Authorization. In this situation, the minor must authorize any disclosures to parents or guardians. IU Critical Health Data Areas shall refer to relevant state law for information about the legal rights of minors to act on their own behalf.

F. Required Contents of Authorization

1. Authorizations shall be written in plain language and shall include, at a minimum, the following required elements:
   1. A specific description of the PHI to be used or disclosed – must identify the information in a specific fashion;
   2. The name of the organization or other specific identification of the person(s) or class of persons (e.g., billing office, human resources department, medical director, etc.) being authorized to make the requested use or disclosure;
   3. The name of the organization or other specific identification of the person(s) or class of persons being authorized to receive the requested disclosure;
   4. A description of the purpose for each use or disclosure being requested. “At the request of the Individual” is sufficient description when the Individual initiates the request;
   5. A specific expiration date or expiration event relating to the purpose; and
   6. Individual name, address, signature, and date. If signature is by the personal representative, a description of the representative’s authority (e.g., custodial parent, executor, conservator).
      
      
2. A valid Authorization shall also include the following required statements to notify an Individual of:
   1. The right to revoke the Authorization at any time in writing; that the revocation is effective upon receipt, but a use or disclosure that has already occurred cannot be withdrawn;
   2. How to revoke an Authorization;
   3. Whether or not the Individual’s treatment or payment is conditioned on the Authorization (see Prohibition on Conditioning of Authorization below); and
   4. The potential for re-disclosure of PHI by a recipient who is not required by HIPAA to protect PHI.
      
      
3. Authorizations are not valid, if:
   1. The expiration date has passed or the expiration event is known by the covered entity to have occurred;
   2. The Authorization has not been filled out completely, if applicable;
   3. The Authorization is known to have been revoked;
   4. The Authorization violates any state or federal law, if applicable;
   5. Any material information in the Authorization is known by the covered entity to be false.

G. Compound Authorizations

1. An Authorization for use or disclosure of PHI may not be combined with any other document to create a compound Authorization, except as follows:
   1. Authorization to use or disclose PHI for a research study may be combined with other types of written permission for the same research study provided the conditions for a valid Authorization are satisfied.
   2. Authorization to use or disclose psychotherapy notes may only be combined with another authorization for the same psychotherapy notes.
      
      
2. Authorizations may be combined with other authorizations, except in the instance where a covered entity has conditioned the provision of treatment, payment, health plan enrollment or health benefits eligibility upon one of the Authorizations.

H. Prohibition on Conditioning of Authorization

1. IU Critical Health Data Areas shall not condition an Individual’s treatment or payment on whether the Individual signs a requested Authorization, except for:
   1. Research related treatment may be conditioned on an Authorization to use or disclose PHI for the research project; and
   2. Healthcare provided solely for the purpose of creating PHI for disclosure to a third party may be conditioned on an Authorization to disclose to the third party (e.g., pre-employment examinations, research treatments, school physicals).

I. Copy to Individual

IU Critical Health Data Areas shall provide a copy of the signed Authorization to the Individual.

J. Revocation of Authorization

IU Critical Health Data Areas shall permit an individual to revoke an Authorization at any time, provided that the revocation is in writing, except to the extent that the IU Critical Health Data Area has taken action in reliance of the Authorization.

K. Authorization Not Required

1. As provided in the IU HIPAA Policy Uses and Disclosures of Protected Health Information, IU Critical Health Data Areas may use and disclose PHI without an authorization:
   1. To carry out treatment, payment or health care operations;
   2. For its own training programs;
   3. To defend a legal action or other proceeding brought by the Individual;
   4. As required by the Secretary of HHS;
   5. For health oversight activities;
   6. As required by law;
   7. As required to public health authorities; or
   8. To prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
      

Reason for the Policy

To establish when an Authorization for using, requesting, or disclosing PHI is required and what a valid authorization must contain.

Definitions

Authorization: Written permission by the patient or the patient’s personal representative to use and/or disclose protected health information about the individual. The requirements of a valid authorization are defined in the HIPAA regulations.

See Glossary of HIPAA Related Terms for complete list of terms.

History

07/01/2014 – Effective Date
01/13/2016 – Updated Definition Section
08/01/2016 – Added link to Glossary
10/26/2016 – Added Appendix 1 & 2, added section L, updated section D
11/10/2016 – Added links under Related Information.
06/xx/2017 – Published on University policy site
12/13/2021 – Update policy contacts, Section B, and Section D, removed Section L and appendices
04/02/2025 – Updated the term "HIPAA Affected Areas" to "Critical Health Data Areas"

Related Information

HIPAA Privacy and Security Rules
45 CFR §§ 160
45 CFR §§ 164

HITECH Act - Amended
45 CFR §§ 160
45 CFR §§ 164

Related IU Policies
HIPAA-P01 – Uses and Disclosures of Protected Health Information
HIPAA-P02 – Minimum Necessary
HRPP Policy - Use of PHI in Research