3.2 Release of Information and Disclosure

Key Takeaways

  • A valid HIPAA authorization (45 CFR 164.508) must contain six core elements (the sixth is the individual's signature and date) and three required statements, and must be written in plain language.
  • An accounting of disclosures covers disclosures made in the six years prior to the request, excluding TPO, disclosures to the individual or under an authorization, incidental disclosures, and several other categories.
  • A subpoena signed only by an attorney is NOT a court order; HIPAA requires satisfactory assurances (notice to the patient or a qualified protective order) before releasing PHI.
  • Redisclosure by a recipient that is not itself a covered entity or business associate is generally not governed by HIPAA, but special-protection records (substance use disorder records under 42 CFR Part 2) carry a redisclosure prohibition that travels with the record.
  • Release of Information (ROI) staff must verify the requester's identity and authority before disclosing.
Last updated: June 2026

Elements of a Valid Authorization

When a use or disclosure is not permitted under TPO or another exception, a HIPAA-compliant authorization is required (45 CFR 164.508). A valid authorization must contain six core elements and three required statements:

Core elements:

  1. A specific, meaningful description of the information to be disclosed.
  2. The name of the person/class authorized to disclose (the source).
  3. The name of the person/class to whom disclosure is made (the recipient).
  4. A description of the purpose ("at the request of the individual" suffices if patient-initiated).
  5. An expiration date or event.
  6. The individual's signature and date (or personal representative's, with authority described).

Required statements: the individual's right to revoke in writing (how to do so and any exceptions, or a reference to the notice of privacy practices where that is described); whether treatment, payment, enrollment, or eligibility for benefits is conditioned on signing (generally it may not be, with limited exceptions such as research-related treatment) and the consequences of refusing to sign where conditioning is permitted; and notice that information disclosed under the authorization may be redisclosed by the recipient and no longer be protected by the Privacy Rule. The authorization must be written in plain language, and the individual must be given a copy when the covered entity is the one seeking the authorization.

An authorization is defective, and must not be honored, when it is missing any required element or statement, has a known expired date or event, is known to have been revoked, lacks a required signature, is combined improperly with another document, or contains information the entity knows to be materially false. Compound authorizations (an authorization combined with another legal permission) are generally prohibited; the main exception is research, where the authorization may be combined with the consent to participate in the study. An authorization for psychotherapy notes may be combined only with another psychotherapy notes authorization and can never be bundled with a general records authorization.

The ROI Workflow and Accounting of Disclosures

Release of Information (ROI) staff process requests in a defined sequence: log the request, verify the requester's identity and authority, validate the authorization against the six elements and three statements, apply the minimum necessary standard to pull only what was requested, screen for special-protection content (substance use, HIV/AIDS, mental health, genetic information per state and federal law), fulfill the copy (paper or electronic in the requested format), document the disclosure in the disclosure log (this log is the source for any later accounting of disclosures), and bill any allowable fee.

A misstep at any stage, such as releasing on an expired authorization, sending the wrong patient's record, or skipping the special-protection screen, is a privacy incident that must be evaluated under the Breach Notification Rule (45 CFR 164.400 et seq.) and may require notification. Best practice is a documented turnaround standard (many facilities target processing routine ROI requests within a set number of business days) and a second-person verification of the patient match and authorization scope before any record leaves the department.

Under 45 CFR 164.528, an individual may request an accounting of disclosures, a list of disclosures of their PHI in the six years prior to the date of the request. The accounting excludes disclosures for TPO, those made to the individual, those made pursuant to an authorization, incidental disclosures, and disclosures for facility directories or to family members and others involved in the patient's care (164.510). It must include disclosures for public health, law enforcement, research without authorization, court orders, and mandatory reporting. Each entry must state the date of the disclosure, the name (and address, if known) of the recipient, a brief description of the PHI disclosed, and a brief statement of the purpose or a copy of the written request. The covered entity must act on the request within 60 days (one 30-day extension is permitted). The first accounting in any 12-month period must be free; a reasonable, cost-based fee may be charged for further requests in that period only if the individual is told of the fee in advance and given the chance to withdraw or modify the request.

Disclosure type                          Tracked in accounting?
Treatment / payment / operations         No
Patient authorization                    No
To the patient                           No
Public health reporting                  Yes
Law enforcement (no authorization)       Yes
Court order / subpoena compliance        Yes
Research without authorization           Yes
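The accounting rules above reduce to a filter over the department's disclosure log: keep only this patient's entries, only those dated within the six years before the request, and only those whose purpose is not an excluded category, then format each survivor with the four data elements 164.528(b)(2) requires. The following Python is an added example written for this page, not code from the page or from any HIM system; the purpose labels, the Disclosure record layout, the sample log, the request date and the prior-request list are all constructed here for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Purposes that 45 CFR 164.528(a)(1) excludes from an accounting.
# These labels are this example's own vocabulary, not a HIPAA code set.
EXCLUDED_PURPOSES = frozenset({
    "treatment", "payment", "operations",   # TPO
    "to_individual",                        # disclosures to the patient
    "authorization",                        # made under a signed authorization
    "incidental",                           # incidental to a permitted use
    "facility_directory",                   # 164.510(a)
    "persons_involved_in_care",             # 164.510(b): family / caregivers
})


@dataclass(frozen=True)
class Disclosure:
    """One row of the disclosure log (assumed layout)."""
    patient_id: str
    disclosed_on: date
    recipient: str          # name (and address, if known) of the recipient
    purpose: str            # an excluded label above or an accountable purpose
    phi_description: str    # brief description of the PHI disclosed


def years_before(d: date, n: int) -> date:
    """Same calendar date n years earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def accounting_of_disclosures(log, patient_id, request_date):
    """Entries the accounting must list: this patient's disclosures in the
    six years before the request (window start is inclusive), minus the
    excluded purposes. Each entry carries the 164.528(b)(2) data elements."""
    window_start = years_before(request_date, 6)
    included = [
        d for d in log
        if d.patient_id == patient_id
        and window_start <= d.disclosed_on <= request_date
        and d.purpose not in EXCLUDED_PURPOSES
    ]
    included.sort(key=lambda d: d.disclosed_on)
    return [
        {"date": d.disclosed_on.isoformat(), "recipient": d.recipient,
         "phi": d.phi_description, "purpose": d.purpose}
        for d in included
    ]


def fee_may_apply(prior_accounting_requests, request_date):
    """164.528(c)(2): the first accounting in any 12-month period is free.
    A cost-based fee may be charged only when an earlier accounting request
    from this patient falls inside the preceding 12 months (a request made
    exactly 12 months ago is treated as outside the period)."""
    period_start = years_before(request_date, 1)
    return any(period_start < r <= request_date for r in prior_accounting_requests)


# Constructed sample log for patient P-1001 (and one row for another patient).
REQUEST_DATE = date(2026, 6, 15)             # accounting requested on this date
SAMPLE_LOG = [
    Disclosure("P-1001", date(2026, 3, 2), "Dr. A. Lee, Cardiology Associates",
               "treatment", "Cardiology consult note"),            # TPO: excluded
    Disclosure("P-1001", date(2025, 11, 20), "State Department of Health",
               "public_health", "Reportable disease lab result"),  # included
    Disclosure("P-1001", date(2025, 9, 4), "Patient (in person)",
               "to_individual", "Complete record copy"),           # excluded
    Disclosure("P-1001", date(2024, 1, 15), "County Sheriff, per court order",
               "law_enforcement", "Emergency department visit"),   # included
    Disclosure("P-1001", date(2020, 6, 15), "University IRB-waived study",
               "research_waiver", "De-identification failed; full chart"),  # boundary day: included
    Disclosure("P-1001", date(2019, 5, 30), "State Department of Health",
               "public_health", "Immunization record"),            # older than 6 years: excluded
    Disclosure("P-1001", date(2026, 4, 10), "Employer HR department",
               "authorization", "Fitness-for-duty summary"),       # under authorization: excluded
    Disclosure("P-2002", date(2025, 12, 1), "State Department of Health",
               "public_health", "Reportable disease lab result"),  # other patient: excluded
]
PRIOR_ACCOUNTING_REQUESTS = (date(2025, 9, 4),)   # constructed: one request 9 months ago

if __name__ == "__main__":
    for entry in accounting_of_disclosures(SAMPLE_LOG, "P-1001", REQUEST_DATE):
        print(entry)
    print("fee may apply:", fee_may_apply(PRIOR_ACCOUNTING_REQUESTS, REQUEST_DATE))
```

Run as a script, it prints three entries (the 2020-06-15 research disclosure on the window boundary, the 2024 law-enforcement disclosure, and the 2025 public-health report) and reports that a fee may apply because an accounting was already requested within the last 12 months. The design point for an HIM system is that the disclosure log must capture purpose as a coded field at the time of release; if staff only record free text, the exclusion filter cannot be automated and every accounting becomes a manual review.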

Subpoenas, Court Orders, and Special Disclosures

A court order (or order from an administrative tribunal) signed by a judge permits disclosure of only the PHI expressly authorized by the order. A subpoena or discovery request signed only by an attorney is not a court order. Under 45 CFR 164.512(e), HIPAA requires satisfactory assurances from the requesting party first: written documentation that reasonable efforts were made to give the patient notice and an opportunity to object, or that a qualified protective order has been obtained or sought. Absent those assurances, the department may itself notify the patient or seek a protective order, or decline the request.

Other non-authorization disclosures permitted by the Privacy Rule include those required by law, public health activities (disease reporting, FDA-regulated product tracking), reporting suspected abuse, neglect, or domestic violence, law enforcement under specified conditions (court orders, identifying a suspect, reporting certain wounds), cadaveric organ and tissue donation, certain research with IRB/Privacy Board waiver, averting a serious and imminent threat to health or safety, workers' compensation as authorized by law, and to family members or caregivers involved in the patient's care.

For family disclosures, staff use professional judgment when the patient is present and able to agree, and a best-interest judgment when the patient is incapacitated or in an emergency.

Redisclosure: once PHI is lawfully released to a recipient that is neither a covered entity nor a business associate (an attorney, an employer, the patient), HIPAA generally does not control what that recipient subsequently does with it, which is exactly why the redisclosure notice is a required authorization statement. Such a recipient is not bound by the Privacy Rule, although state law or a protective order may still restrict it. A recipient that is itself a covered entity or business associate remains bound by the Privacy Rule for the PHI it receives.

Substance use disorder (SUD) records from federally assisted programs under 42 CFR Part 2 are far stricter than HIPAA: they require specific written patient consent, and the disclosure must carry a prohibition-on-redisclosure notice that legally travels with the record, barring the recipient from passing it on except as Part 2 permits. Court-ordered access to Part 2 records requires a special order under Part 2 (with the required good-cause findings); an ordinary subpoena or a general court order is not enough. The February 2024 revision to Part 2 (compliance date February 16, 2026) lets a patient give a single consent covering future TPO disclosures and allows covered entities and business associates that receive records under such a consent to redisclose them as the HIPAA Privacy Rule permits, but the notice requirement and the consent requirement for other recipients remain. RHIT candidates must remember that the more stringent rule controls: where state law or Part 2 is tighter than HIPAA, follow the tighter rule.

Test Your Knowledge

An attorney sends the HIM department a subpoena, signed only by the attorney, demanding a patient's records. What is the correct ROI response?

Test Your Knowledge

Which disclosure must be included when a patient requests an accounting of disclosures?

Test Your Knowledge

Which item is one of the SIX core elements of a valid HIPAA authorization?
