
What to do when an individual revokes authorization

Protecting the privacy and confidentiality of sensitive medical information depends heavily on patient authorization. Healthcare providers must nonetheless respond carefully when patients revoke their authorization, which they may do for various reasons.


Can an individual revoke authorization?

“The Privacy Rule gives individuals the right to revoke, at any time, an Authorization they have given,” says the U.S. Department of Health and Human Services (HHS).

Go deeper: Can an individual revoke authorization?


Understanding patient authorization revocation

Patient authorization allows healthcare providers to use and disclose protected health information (PHI) for specific purposes, such as treatment, payment, or healthcare operations. Authorization grants healthcare professionals the legal right to access and share relevant medical information while upholding patient privacy rights under regulations like the Health Insurance Portability and Accountability Act (HIPAA).

However, patients retain the right to revoke this authorization at any time, signaling their desire to limit or cease the use and disclosure of their PHI. Common reasons for revocation may include concerns about privacy, changes in healthcare providers, or personal preferences regarding information sharing.

Related: Sharing patient information with authorization


Implications for healthcare providers

When a patient revokes authorization, healthcare providers must respond promptly and appropriately to ensure compliance with legal and ethical standards while respecting patient autonomy and privacy. Failing to handle authorization revocation correctly can result in breaches of confidentiality, legal repercussions, and damage to patient-provider trust.

See also: HIPAA Compliant Email: The Definitive Guide


What to do when an individual revokes authorization

  • Verify the revocation: Begin by verifying the authenticity of the revocation request. Ensure that the patient communicates their intent to revoke authorization and document the date of revocation.
  • Cease use of PHI: Immediately cease any use or disclosure of PHI covered by the revoked authorization. This includes refraining from accessing or sharing relevant medical information unless necessary for emergency treatment or as required by law.
  • Update records: According to the HHS, “the revocation must be in writing, and is not effective until the covered entity receives it.” Therefore, healthcare providers must document the revocation of authorization in the patient's medical records as soon as it is received. Note the date of revocation and any pertinent details provided by the patient.
  • Communicate with relevant parties: Notify any healthcare providers or entities with whom PHI was previously shared based on the original authorization. Request that they cease further use or disclosure of the patient's information in accordance with the revocation.
  • Respect patient privacy: Even after revocation, continue to uphold the patient's privacy rights by refraining from discussing their medical information with unauthorized individuals.
  • Provide guidance: Offer guidance and support to the patient regarding the implications of revoking authorization. Address any concerns they may have and explain how the revocation may impact their healthcare or treatment options.
  • Address concerns: Take the time to address any concerns or issues that may have prompted the patient to revoke authorization. 
  • Maintain professionalism: Approach the situation with professionalism, empathy, and respect for the patient's autonomy. Ensure that the patient feels heard and supported throughout the process.
  • Educate staff: Ensure that all staff members are informed and educated about the process of handling patient authorization revocation. Provide training on confidentiality protocols and the importance of respecting patient privacy rights.



What does it mean to revoke authorization in healthcare?

Revoking authorization in healthcare refers to the act of withdrawing permission for healthcare providers to use or disclose an individual's PHI for specific purposes outlined in the original authorization. It effectively limits or terminates the authority granted by the patient for the sharing of their medical information.


How do patients revoke authorization?

Patients can revoke authorization by submitting a written request to their healthcare provider explicitly stating their intent to revoke authorization. Some healthcare facilities may have specific forms or procedures for revoking authorization. It is therefore advisable for patients to inquire about the process with their provider.


Can patients revoke authorization for specific uses or disclosures of their PHI?

Yes, patients have the option to revoke authorization for specific uses or disclosures of their PHI while allowing others to remain in effect.
