NRPM: Standards for Privacy of Individually Identifiable Health Information. 8. Expired, deficient, or false authorization.


The model authorization form or a document that includes the elements set out at proposed § 164.508 would meet the requirements of this proposed rule and would have to be accepted by the covered entity. Under § 164.508(b), there would be no “authorization” within the meaning of the rules proposed below if the submitted document has any of the following defects:

  • the date has expired;
  • on its face it substantially fails to conform to any of the requirements set out in proposed § 164.508, because it lacks an element;
  • it has not been filled out completely. Covered entities may not rely on a blank or incomplete authorization;
  • the authorization is known to have been revoked; or
  • the information on the form is known by the person holding the records to be materially false.

We understand that it would be difficult for a covered entity to confirm the identity of the person who signed the authorization. We invite comment on reasonable steps that a covered entity could take to be assured that the individual who requests the disclosure is whom she or he purports to be.