Moore/May 2013 Page 2
HIPAA’s authorization rule.
2
The form must be signed by the appropriate person, which
may be the patient himself, or may be the patient’s personal representative (if, for
example, the patient is a child or an incapacitated adult).
o Practice tip: If a subpoena is accompanied by an authorization or other
document labeled “release” or “waiver” or something similar, the document
should be examined carefully by a staff member who is familiar with HIPAA’s
authorization requirements before any PHI is disclosed. Some of the elements of
an authorization form that is valid under HIPAA are not intuitive and may be left
out of a form prepared by a person (even an attorney) who is unaccustomed to
working with HIPAA.
• The information may be disclosed without the individual’s authorization if it is
accompanied by a court order for the information.
3
• The information may be disclosed without the individual’s authorization or a court order
if either of the following two conditions is satisfied:
o Written notice that the information has been subpoenaed is given to the
individual who is the subject of the PHI. The covered entity may give notice to the
individual itself, but it need not do so if it receives satisfactory assurance from
the party requesting the PHI that notice has been given.
4
o A qualified protective order is obtained from a court.
5
The health department
may obtain a qualified protective order itself, but it need not do so if it receives
satisfactory assurance from the party requesting the PHI that it has made
reasonable efforts to obtain a qualified protective order.
6
2
45 CFR 164.508.
3
45 CFR 164.512(e)(1)(i).
4
45 CFR 164.512(e)(1)(ii)(A). To constitute “satisfactory assurance,” the party requesting the information should
give the health department a written statement and supporting documentation demonstrating: (1) that the party
requesting the information has made a good faith effort to provide written notice to the individual; (2) that the
notice included sufficient information about the litigation or proceeding to permit the individual to raise an
objection with the court; and (3) that the time for the individual to raise objections has elapsed and either no
objections were filed, or all objections that were filed have been resolved by the court and the disclosures sought
are consistent with such resolution. 45 CFR 164.512(e)(iii).
5
45 CFR 164.512(e)(1)(ii)(B). A “qualified protective order” is either a court order or a stipulation by the parties to
the proceeding that: (1) prohibits the parties from using or disclosing the PHI for any purpose other than the
proceeding for which it was requested, and (2) requires that the information and any copies made of it be returned
to the covered entity that disclosed it or be destroyed at the end of the proceeding.
6
In this case, to constitute “satisfactory assurance,” the party requesting the PHI must provide the health
department with a written statement and supporting documentation demonstrating either of the following: (1)
that the parties to the dispute have agreed to a qualified protective order and have presented it to the court, or (2)
that the party seeking the PHI has requested a qualified protective order from the court. 45 CFR 164.512(e)(iv).