New standard authorization forms must be accepted by health care providers in Ohio
Standard forms for the authorization of the release of medical information in Ohio have been developed by the Department of Medicaid. The two forms — one for use with protected health information governed by HIPAA and one for use with information covered by 42 CFR Part 2 — must be accepted if properly executed. That is, if a standard authorization form is submitted, a health care provider may not refuse the request to release information or insist that the provider’s own authorization form be used to process the request.
The standard authorization forms are included as an appendix to a new rule, Ohio Administrative Code 5160-1-32.1, that states:
If the standardized authorization form is properly executed, and adequately identifies the individual…it shall be accepted by any person or governmental entity in this state as valid authorization for the use or disclosure of the individual's protected health information to the persons or governmental entities specified in the form.
Development of the forms and issuance of the rule was authorized by Ohio Revised Code 3798.10. That statute also provides that the forms developed by the Department of Medicaid “shall be accepted by any person or governmental entity in this state as valid authorization for the use or disclosure of the individual’s protected health information.”
Hospitals and other health care providers in Ohio should note:
While the forms were developed by the Department of Medicaid, the requirement to accept the standard authorization forms applies to all medical records of all providers. Both the statute and the new rule apply to “any person” in the state who receives the form for the purpose of authorizing disclosure of protected health information.
Providers are only required to accept a standard authorization form if “properly executed,” which the new rule clarifies to mean that all required fields are completed and the form provides sufficient information to identify the records associated with the individual. Thus, a standard authorization form can be rejected if unsigned, for example.
While providers are required to accept a standard authorization form if it is presented to them, they are not required to otherwise use the standard authorization forms. That is, they are not required to adopt the forms as their own or distribute them at their facilities.
The new rule and standard authorization forms do not affect when an authorization form is required. Authorization is not required by HIPAA in many circumstances, such as disclosures for treatment and payment purposes or disclosures to individuals under the access rules. This is not changed by the new rule.
The new rule became effective January 3, 2019, and compliance is required within 30 days thereafter. Hospitals and other health care providers should take steps to ensure that the standard authorization forms are recognized and accepted by February 2, 2019. The Department of Medicaid has issued a Fact Sheet with additional information about the new standard authorization forms.Download PDF