What are the required elements in an Authorization?

  • Specific and meaningful description of what information will be used or disclosed.
  • Identification of who may use or disclose the PHI.
  • Identification of to whom the PHI will be disclosed.
  • Why the use or disclosure is being made - each purpose must be included.
  • Statement regarding how long the use or disclosure will continue. For research purposes no expiration date is required but this must be stated in the authorization.
  • Notice that the authorization may be revoked by the subject.

Is coded information identifiable according to the Privacy rule?

The Privacy Rule considers coded information to be de-identified if 18 specific identifiers are coded and the individual cannot reasonably be identified. The Privacy Rule does consider the code itself to be identifiable and hence, protected health information. Note, the Common Rule, in contrast to the Privacy rule, considers coded information to be identifiable. So while access to the coded information alone is not covered by the Privacy rule it is covered by the common rule and requires IRB review.