Releasing Protected Health Information

How to Authorize Release of PHI

Personal medical information is protected by law, with serious consequences for releasing it to an unauthorized recipient. All healthcare workers need to understand what the proper procedures are to protect individual medical privacy.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Privacy Rule set standards for protecting individually identifiable health information obtained by health plans, healthcare providers, and healthcare clearinghouses.

It was further amended by the final HITECH Omnibus Rule in 2013, extending disclosure requirements to business associates. All covered entities need to understand what protected health information is and who can authorize it to be released or disclosed.

What is PHI - Protected Health Information

PHI or Protected Health Information refers to any individually identifying information included in a patient's medical record that is transmitted or maintained in any form. Although that seems to be a broad definition, according to, PHI can be broken down into 18 identifiers.

  1. Names
  2. Address
  3. Elements of dates including birth date, admission date, discharge date, and date of death
  4. Telephone numbers
  5. Fax numbers
  6. E-mail address
  7. Social security numbers
  8. Medical record numbers
  9. Insurance policy numbers
  10. Account numbers
  11. Certificate/license numbers
  12. License plate numbers
  13. Device identifiers and serial numbers
  14. URLs
  15. IP addresses and numbers
  16. Fingerprints
  17. Photos
  18. Any other unique identifying number, characteristic, or code

Authorizing Release of Protected Health Information

An individual can authorize the release of their protected health information. However, there are specific requirements for a valid authorization. These are included in Section 164.508 of the privacy rule.

Authorizations are generally done in print or electronic media, but voice authorizations based on state law are becoming more common. It is critical that any covered entity design their forms for release of information to ensure all of the needed elements are included.

A valid authorization to release protected health information includes:

  • Identity verification such as a driver's license.
  • A description of the information to be used or disclosed. It should be specific and meaningful.
  • The purpose of the requested use or disclosure. Note that this can be the general, "at the request of the individual."
  • The name of the person or organization authorized to disclose the information.
  • The name of the person or organization that the information is to be disclosed to.
  • The expiration date or event for the authorization.
  • Signature of the person authorized to release the information, and the date. If it isn't signed by the individual, there must be a description of how they are authorized to represent the individual. Electronic signatures are valid under the Uniform Electronic Transactions Act (UETA).
  • There must be a statement that the individual can revoke the authorization in writing, exceptions to the right to revoke, and how revocation can be requested.

Who Can Authorize PHI Disclosures?

  • Adult patients or emancipated minors
  • Parent or guardian of a minor
  • Power of attorney
  • Executor of estate
  • Next of kin

Invalid Authorizations

If any of the elements of the authorization is missing, the privacy rule declares that it is invalid. A common problem seen with older authorizations is that they didn't include the expiration date, or that the expiration date has passed.