Skip to Main Navigation
Skip to Main Content
The University of Texas at Dallas

HIPAA Privacy Manual

Section 6: Patient Authorization - Uses and Disclosures of PHI

Definitions

Authorization: An "authorization" allows for the use and disclosure of PHI for purposes other than Treatment, Payment, and health care Operations (TPO).

Medical Record Administrator (MRA): The person appointed as the Callier Center record custodian responsible for the Medical Records Department and responsible for the maintenance, retention, access, data integrity, and data quality of PHI; including protecting patient privacy and providing information security, other duties related to access and review of PHI and complying with standards and regulations regarding PHI under the direction of the HIPAA Privacy Officer. For purposes of this policy, the MRA may also refer to individuals who have been officially designated to act in the place of the MRA.

Authorized Health Care Providers: The staff charged with providing care and directing the provision of care to the Center’s patients.

Official Medical Record (OMR): The Callier Center medical record maintained by the Center that constitutes all significant medical/clinical information pertaining to a patient. Portions of the OMR may be housed at either Callier Center location until becoming scanned and filed in the electronic medical records system. The OMR has a permanent retention schedule.

Shadow Medical Record (Shadow MR): The medical record maintained by a clinician, other than the Medical Records Department, that includes patient care information also included in the Official Medical Record (OMR). These records may be used for teaching purposes. Shadow MR information often includes copies of medical record information also in the OMR and does not contain any pertinent patient care information that cannot be found in the OMR. A Shadow MR is considered a convenience copy and has no record retention schedule.

Policy

General Rules of Authorizations: In order to use and disclose PHI one of the following circumstances must exist:

  • The Center requires a valid authorization to disclose PHI unless a specific exception provided by this HIPAA Privacy Manual or the HIPAA Privacy Rule permits such action.
  • A patient or a patient’s personal representative seeking access to the patient’s own PHI is not required to use an authorization. The process the patient or representative should use is described in this Manual Section 13 Releases and Disclosures Requiring No Authorization. (Note: Patients may also direct the Center to provide the requested records to a third party using the process described in section 13.)
  • The MRA is authorized to disclose PHI to all third parties including UT Dallas faculty and staff that are not recognized as members of the Center workforce and any individual seeking access to PHI for research purposes. Providers and staff should direct all persons requesting access to PHI to the MRA. No disclosures shall be made from Shadow Records.
  • The MRA is responsible for:

    • reviewing and determining the validity of all authorizations, in consultation with, as necessary, the HIPAA Privacy Office and legal counsel;
    • releasing PHI in a matter that is consistent with any directives contained in the authorization;
    • documenting each disclosure and retain all authorizations received.

Valid Authorization:

To be valid an authorization must:

  • be written in plain language,
  • specifically describe the information to be used or disclosed,
  • identify the person or class of persons, authorized to make the requested use or disclosure,
  • describe the person or class of persons, to whom the disclosure may be made,
  • state the purpose of the disclosure,
  • contain an expiration date or event and be signed by the individual or the individual’s personal representative authorizing the disclosure date signed. If signed by personal representative, a description of the representative’s authority to sign on behalf of the individual is required.
  • contain the date on which it was signed,
  • include a statement the patient has the right to revoke the authorization in writing and how to revoke the authorization,
  • include a statement that once information is disclosed pursuant to a valid authorization, it may no longer be protected by federal privacy rules.

If the MRA has any questions or concerns regarding the validity of an authorization, the MRA shall consult with the HIPAA Privacy Officer and/or University legal counsel prior to taking any action in response to the authorization.

Callier Center authorized healthcare providers may release PHI for urgent treatment situations. The providers are required to complete the Disclosure Log Form and turn in the completed disclosure log to Medical Records.

Revocation of Authorization: An Individual shall have the right to revoke his or her Authorization at any time, provided that the Individual’s revocation is in writing. The revocation is effective upon its receipt by the Privacy Officer. A form, Revocation of Authorization , a copy of which is contained in the Appendix to this Manual, may be used by the Individual.

Revocation of Authorization Form: When the Privacy Officer receives an Individual’s written revocation the Privacy Officer shall notify applicable parties of the revocation of authorization and document the revocation or information concerning the revocation received by the person obtaining the authorization. UT Dallas shall stop Using and Disclosing the Individual’s PHI in reliance on the Authorization, except to the extent UT Dallas has already taken action in reliance on the Authorization. If UT Dallas has not yet Used or Disclosed the PHI, it shall refrain from doing so, pursuant to the revocation. If UT Dallas has already disclosed the information, UT Dallas need not retrieve the information.

Authorizations and Psychotherapy Notes: For specific rules governing refer to policy; Section 14 Use and Disclosure of Psychotherapy Notes.

Authorizations for Marketing and Fundraising Purposes: For specific rules governing the use and disclosure of PHI for marketing and fundraising purposes, Use and Disclosure of PHI for Marketing Purposes or Use and Disclosure of PHI for Fundraising see Section 7 Fundraising and Section 8 Marketing.

Research Authorization: For specific rules governing the use and disclosure of PHI for research purposes, see Section 15 Research Use and Disclosure of PHI.

Conditioning of Authorizations: The Callier Center shall never require a patient to sign an authorization in order to receive treatment.

Revocation of Authorizations: For specific rules governing the Revocation of Authorizations, Revocation of Consent to Use or Disclose PHI and Revocation of Authorization to Release PHI see Revocation of Authorizations.

Surrogate Decision Makers, Minors, and Deceased Individuals: For information regarding who the proper person is to sign authorizations for the release of information about incapacitated individuals, minors, and deceased individuals, see Valid Authorizations.

Enforcement: All supervisors are responsible for enforcing this policy. Individuals who violate this policy will be subject to the appropriate and applicable disciplinary process, up to and including termination or dismissal of employment.