Q

QuestionLaw

A HIPAA authorization is a document that allows a covered entity to disclose protected health information (PHI) to a third party. It is governed by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

Let's examine each option to determine if it accurately describes a HIPAA authorization: a) Cannot be revoked by the data subject: This statement is incorrect. According to the HIPAA Privacy Rule, the data subject has the right to revoke a HIPAA authorization in writing, and the covered entity must honor the revocation, except in certain limited circumstances. b) Cannot be combined with any other document related to the research: This statement is mostly correct. A HIPAA authorization should be a standalone document and not combined with other documents, except for specific situations where the Privacy Rule allows for the use of a short-form authorization. c) Uses "plain language" that the data subject can understand, similar to the requirement for an informed consent document: This statement is correct. The Privacy Rule requires that a HIPAA authorization be written in plain language that the data subject can understand. d) Is provided at the investigator's discretion: This statement is incorrect. The Privacy Rule requires that a covered entity obtain a valid HIPAA authorization before disclosing PHI for research purposes, unless a specific exception applies.

A HIPAA authorization: - Cannot be combined with any other document related to the research (with some exceptions) - Uses "plain language" that the data subject can understand - Must be obtained by the covered entity before disclosing PHI for research purposes (except for specific exceptions)