Consent Authorizations Profile Trust Interoperability Profile
Trustmark Definition Checklist
Authorization Revocation
- [ ] Revocation by Consenting Individual: Has the individual revoked the consent authorization? [assessment_01]
- [ ] Action in Reliance of Consent: Has the covered entity taken action in reliance on the consent authorization? [assessment_02]
- [ ] Insurance Coverage and Contest of Claim: Was the consent authorization obtained as a condition of obtaining insurance coverage and does other law provide the insurer with the right to contest a claim under the policy or the policy itself? [assessment_03]
Issuance Criteria:
no(assessment_01) OR (yes(assessment_02) OR yes(assessment_03))
HIPAA Consent Authorization Form Requirements - Elements
- [ ] Information to be Disclosed: Does the authorization include a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion? [assessment_01]
- [ ] Identification of Persons Authorized to Request or Disclose: Does the authorization include the name or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure? [assessment_02]
- [ ] Identification of Persons Authorized to Receive Disclosure: Does the authorization include the name or other specific identification of the person(s) or class of persons to whom the covered entity may make the requested use or disclosure? [assessment_03]
- [ ] Purpose of Use or Disclosure: Does the authorization include a description of each purpose of the requested use or disclosure? Note: The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose. [assessment_04]
- [ ] Expiration Conditions Specified: Does the authorization include an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure? Note: The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of PHI for research, including for the creation and maintenance of a research database or research repository. [assessment_05]
- [ ] Signature of Person Authorizing Disclosure: Does the authorization include the signature of the individual and date signed? Note: If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual also must be provided. [assessment_06]
HIPAA Consent Authorization Form Requirements - Notice Statements
- [ ] Notice of Right to Revoke: Does the authorization contain statements adequate to place the individual on notice of the individual’s right to revoke the authorization in writing, and either:
- The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
- To the extent that the exceptions to the right to revoke are included in the notice required by HIPAA’s notice of privacy practices for PHI, as per § 164.520, a reference to the covered entity’s notice? [assessment_07]
- [ ] Notice of Ability to Condition on Authorization: Does the authorization contain statements adequate to place the individual on notice of the ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization, by stating either:
- The covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations applies; or
- The consequences to the individual of a refusal to sign the authorization when the covered entity can, per § 164.508(b)(4), condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization? [assessment_08]
- [ ] Notice of Potential Redisclosure: Does the authorization contain statements adequate to place the individual on notice of the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer to be protected? [assessment_09]
Issuance Criteria:
yes(ALL)
42 CFR Part 2 Consent Authorization Form Requirements - Elements
- [ ] Identification of Entity Making the Disclosure: Does the written consent to a disclosure include the specific name or general designation of the program or person permitted to make the disclosure? [assessment_01]
- [ ] Identification of Entity Receiving the Disclosure: Does the written consent to a disclosure include the name or title of the individual or the name of the organization to which disclosure is to be made? Note: The authorization has to specifically state the name of the provider or the general designation of the treatment center (e.g., Shady Grove Substance Abuse Center). [assessment_02]
- [ ] Patient Name: Does the written consent to a disclosure include the name of the patient? [assessment_03]
- [ ] Purpose of Disclosure: Does the written consent to a disclosure include the purpose of the disclosure? [assessment_04]
- [ ] Kind and Amount to be Disclosed: Does the written consent to a disclosure include how much and what kind of information is to be disclosed? [assessment_05]
- [ ] Signature of Authorizing Person: Does the written consent to a disclosure include the signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who is incompetent or deceased, the signature of a person authorized to sign under § 2.15 in lieu of the patient? [assessment_06]
- [ ] Date Consent Form Signed: Does the written consent to a disclosure include the date on which the consent is signed? [assessment_07]
- [ ] Expiration Conditions Specified: Does the written consent to a disclosure include the date, event, or condition upon which the consent will expire if not revoked before? This date, event, or condition must ensure that the consent will last no longer than reasonably necessary to serve the purpose for which it is given. [assessment_08]
42 CFR Part 2 Consent Authorization Form Requirements - Notice Statements
- [ ] Notice of Potential Revocation: Does the authorization contain statements adequate to place the individual on notice that the consent is subject to revocation at any time, except to the extent that the program or person making the disclosure has already acted in reliance on it? Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third-party payer. [assessment_09]
- [ ] Notice of Subsequent Redisclosure: Under 42 CFR Part 2, a single consent form can authorize a disclosure of information about a patient to one recipient, and simultaneously authorize that recipient to redisclose that information to any additional entity or entities (such as other affiliated health-care providers identified in the consent form), provided that the purpose for the disclosure is the same. Does the authorization contain the following required statement prohibiting redisclosure, so that each subsequent recipient of that information is notified of the prohibitions on redisclosure?
This notice covers the disclosure of information to you concerning a client in alcohol/drug treatment, made to you with the consent of such client. This information has been disclosed to you from records protected by federal confidentiality rules (42 C.F.R. Part 2). The federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 C.F.R. Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any substance abuse patient. [assessment_10]
Issuance Criteria:
yes(ALL)
HIPAA Defective Authorizations
- [ ] Expiration: Has the expiration date passed or does the covered entity know that the expiration event has occurred? [assessment_01]
- [ ] Completeness: Has the authorization been filled out completely, with respect to required elements? [assessment_02]
- [ ] Revocation: Does the covered entity know that the authorization has been revoked? [assessment_03]
- [ ] False Information: Is any material information in the authorization known by the covered entity to be false? [assessment_04]
Compound Authorizations
- [ ] Compound Authorizations: Is the authorization combined with any other document to create a compound authorization? [assessment_05]
- [ ] Research Studies: Is the authorization for a research study and is combined with any other type of written permission for the same research study, including another authorization for the use or disclosure of PHI for such research or a consent to participate in such research? [assessment_06]
- [ ] Psychotherapy Notes: Is the authorization for a use or disclosure of psychotherapy notes and is combined only with another authorization for a use or disclosure of psychotherapy notes? [assessment_07]
- [ ] Psychotherapy Notes: Is the authorization for a use or disclosure of psychotherapy notes and is combined with any other such authorization under this Trustmark Definition? [assessment_08]
Prohibition on Conditioning of Authorizations
- [ ] Conditioned Authorizations: Does the covered entity condition the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits to an individual on a Consent Authorization? [assessment_09]
- [ ] Research-Related Treatment: Is a covered health-care provider conditioning the provision of research-related treatment on a consent authorization for the use or disclosure of PHI for such research? [assessment_10]
- [ ] Health Care Plan Enrollment and Benefits: Is a covered health-care provider conditioning health plan enrollment or eligibility for benefits on a consent authorization requested by the health plan prior to an individual’s enrollment in the health plan, and the authorization sought is for the health plan’s eligibility or enrollment determinations relating to the individual or for its underwriting or risk-rating determinations, and the authorization is not for a use or disclosure of psychotherapy notes? [assessment_11]
- [ ] PHI-Creation-Specific Health Care: Is the health care being provisioned solely for the purpose of creating PHI for disclosure to a third party on provision of an authorization for the disclosure of the PHI to such third party? [assessment_12]
Issuance Criteria:
(no(assessment_01) AND yes(assessment_02) AND no(assessment_03) AND no(assessment_04)) AND (!yes(assessment_05) OR yes(assessment_06) OR yes(assessment_07)) AND (!yes(assessment_09) OR yes(assessment_10) OR yes(assessment_11) OR yes(assessment_12))
HIPAA Consent Authorization Form Requirements - Elements
- [ ] Expiration: Has the consent form expired? [assessment_01]
- [ ] Revocation: Is the consent form known to have been revoked? [assessment_02]
- [ ] Material Falsehood: Is the consent form known, or through a reasonable effort could be known, by the person holding the records to be materially false? [assessment_03]
Issuance Criteria:
no(ALL)
Consent Authorizations Profile Trust Interoperability Profile
URI:
http://ncsc.org/trustmarks/trustmark-definitions/consent-authorization/consent-authorizations/1.0/
Description:
This Trust Interoperability Profile defines requirements for HIPAA and 42 CFR Part 2 Compliant Consent Authorizations.
References
Trustmark Definition Requirements
Trust Interoperability Profiles
Trust Expression:
TIP_01 AND TIP_02 AND TD_01
Consent Authorization Revocation Trustmark Definition
URI:
http://ncsc.org/trustmarks/trustmark-definitions/consent-authorization/consent-authorization-revocation/1.0/
Description:
This Trustmark Definition defines requirements to determine if a consent authorization has been revoked.
| Key | Value |
| --- | --- |
| tf:TargetStakeholderDescription | Organizations that are interested in safely and legally exchanging information in a manner that complies with HIPAA and 42 CFR Part 2 regulations. |
| tf:TargetRecipientDescription | Organizations that want to demonstrate that they provide and/or consume digital information services in a manner that complies with HIPAA and 42 CFR Part 2 regulations. |
| tf:TargetRelyingPartyDescription | Organizations and individuals that require their trusted partners' computer and information systems to comply with HIPAA and 42 CFR Part 2 regulations. |
| tf:TargetProviderDescription | Organizations that audit or evaluate other organizations for compliance with HIPAA and 42 CFR Part 2 regulations. |
| tf:ProviderEligibilityCriteria | Any organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition. |
| tf:AssessorQualificationsDescription | Any individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition. |
| tf:TrustmarkRevocationCriteria | For any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied. |
| tf:ExtensionDescription | This Trustmark Definition requires no extension data. |
| tf:LegalNotice | This document and the information contained herein is provided on an “AS IS” basis, and the National Center for State Courts disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, the National Center for State Courts disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein. |
| tf:Notes | The National Center for State Courts (NCSC) has published this document with the support of the [TBD] via [TBD]. The views expressed herein do not necessarily reflect the official policies of NCSC, [TBD], or [TBD]; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government. |
Authorization Revocation
Description: A consent authorization MUST NOT have been revoked.
- Revocation by Consenting Individual: Has the individual revoked the consent authorization? [assessment_01]
- Action in Reliance of Consent: Has the covered entity taken action in reliance on the consent authorization? [assessment_02]
- Insurance Coverage and Contest of Claim: Was the consent authorization obtained as a condition of obtaining insurance coverage and does other law provide the insurer with the right to contest a claim under the policy or the policy itself? [assessment_03]
Issuance Criteria:
no(assessment_01) OR (yes(assessment_02) OR yes(assessment_03))
URI:
http://ncsc.org/trustmarks/trustmark-definitions/consent-authorization/consent-authorization-form-requirements/1.0/
Description:
This Trust Interoperability Profile defines requirements for creating HIPAA and 42 CFR Part 2 Compliant Consent Authorization Forms.
References
Trustmark Definition Requirements
Trust Interoperability Profiles
Trust Expression:
TD_01 AND TD_02
URI:
http://ncsc.org/trustmarks/trustmark-definitions/consent-authorization/HIPAA-consent-authorization-form-requirements/1.0/
Description:
This Trustmark Definition defines requirements for creating a HIPAA Consent Authorization Form.
| Key | Value |
| --- | --- |
| tf:TargetStakeholderDescription | Organizations that are interested in safely and legally exchanging information in a manner that complies with HIPAA and 42 CFR Part 2 regulations. |
| tf:TargetRecipientDescription | Organizations that want to demonstrate that they provide and/or consume digital information services in a manner that complies with HIPAA and 42 CFR Part 2 regulations. |
| tf:TargetRelyingPartyDescription | Organizations and individuals that require their trusted partners' computer and information systems to comply with HIPAA and 42 CFR Part 2 regulations. |
| tf:TargetProviderDescription | Organizations that audit or evaluate other organizations for compliance with HIPAA and 42 CFR Part 2 regulations. |
| tf:ProviderEligibilityCriteria | Any organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition. |
| tf:AssessorQualificationsDescription | Any individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition. |
| tf:TrustmarkRevocationCriteria | For any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied. |
| tf:ExtensionDescription | This Trustmark Definition requires no extension data. |
| tf:LegalNotice | This document and the information contained herein is provided on an “AS IS” basis, and the National Center for State Courts disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, the National Center for State Courts disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein. |
| tf:Notes | The National Center for State Courts (NCSC) has published this document with the support of the [TBD] via [TBD]. The views expressed herein do not necessarily reflect the official policies of NCSC, [TBD], or [TBD]; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government. |
Description: A consent authorization MUST include the required elements.
- Information to be Disclosed: Does the authorization include a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion? [assessment_01]
- Identification of Persons Authorized to Request or Disclose: Does the authorization include the name or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure? [assessment_02]
- Identification of Persons Authorized to Receive Disclosure: Does the authorization include the name or other specific identification of the person(s) or class of persons to whom the covered entity may make the requested use or disclosure? [assessment_03]
- Purpose of Use or Disclosure: Does the authorization include a description of each purpose of the requested use or disclosure? Note: The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose. [assessment_04]
- Expiration Conditions Specified: Does the authorization include an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure? Note: The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of PHI for research, including for the creation and maintenance of a research database or research repository. [assessment_05]
- Signature of Person Authorizing Disclosure: Does the authorization include the signature of the individual and date signed? Note: If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual also must be provided. [assessment_06]
Description: A consent authorization MUST include the required notice statements.
- Notice of Right to Revoke: Does the authorization contain statements adequate to place the individual on notice of the individual’s right to revoke the authorization in writing, and either:
- The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
- To the extent that the exceptions to the right to revoke are included in the notice required by HIPAA’s notice of privacy practices for PHI, as per § 164.520, a reference to the covered entity’s notice? [assessment_07]
- Notice of Ability to Condition on Authorization: Does the authorization contain statements adequate to place the individual on notice of the ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization, by stating either:
- The covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations applies; or
- The consequences to the individual of a refusal to sign the authorization when the covered entity can, per § 164.508(b)(4), condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization? [assessment_08]
- Notice of Potential Redisclosure: Does the authorization contain statements adequate to place the individual on notice of the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer to be protected? [assessment_09]
Issuance Criteria:
yes(ALL)
URI:
http://ncsc.org/trustmarks/trustmark-definitions/consent-authorization/24-CFR-part-2-consent-authorization-form-requirements/1.0/
Description:
This Trustmark Definition defines requirements for creating a 42 CFR Part 2 Consent Authorization Form.
| Key | Value |
| --- | --- |
| tf:TargetStakeholderDescription | Organizations that are interested in safely and legally exchanging information in a manner that complies with HIPAA and 42 CFR Part 2 regulations. |
| tf:TargetRecipientDescription | Organizations that want to demonstrate that they provide and/or consume digital information services in a manner that complies with HIPAA and 42 CFR Part 2 regulations. |
| tf:TargetRelyingPartyDescription | Organizations and individuals that require their trusted partners' computer and information systems to comply with HIPAA and 42 CFR Part 2 regulations. |
| tf:TargetProviderDescription | Organizations that audit or evaluate other organizations for compliance with HIPAA and 42 CFR Part 2 regulations. |
| tf:ProviderEligibilityCriteria | Any organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition. |
| tf:AssessorQualificationsDescription | Any individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition. |
| tf:TrustmarkRevocationCriteria | For any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied. |
| tf:ExtensionDescription | This Trustmark Definition requires no extension data. |
| tf:LegalNotice | This document and the information contained herein is provided on an “AS IS” basis, and the National Center for State Courts disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, the National Center for State Courts disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein. |
| tf:Notes | The National Center for State Courts (NCSC) has published this document with the support of the [TBD] via [TBD]. The views expressed herein do not necessarily reflect the official policies of NCSC, [TBD], or [TBD]; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government. |
Description: A consent authorization MUST include the required elements.
- Identification of Entity Making the Disclosure: Does the written consent to a disclosure include the specific name or general designation of the program or person permitted to make the disclosure? [assessment_01]
- Identification of Entity Receiving the Disclosure: Does the written consent to a disclosure include the name or title of the individual or the name of the organization to which disclosure is to be made? Note: The authorization has to specifically state the name of the provider or the general designation of the treatment center (e.g., Shady Grove Substance Abuse Center). [assessment_02]
- Patient Name: Does the written consent to a disclosure include the name of the patient? [assessment_03]
- Purpose of Disclosure: Does the written consent to a disclosure include the purpose of the disclosure? [assessment_04]
- Kind and Amount to be Disclosed: Does the written consent to a disclosure include how much and what kind of information is to be disclosed? [assessment_05]
- Signature of Authorizing Person: Does the written consent to a disclosure include the signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who is incompetent or deceased, the signature of a person authorized to sign under § 2.15 in lieu of the patient? [assessment_06]
- Date Consent Form Signed: Does the written consent to a disclosure include the date on which the consent is signed? [assessment_07]
- Expiration Conditions Specified: Does the written consent to a disclosure include the date, event, or condition upon which the consent will expire if not revoked before? This date, event, or condition must ensure that the consent will last no longer than reasonably necessary to serve the purpose for which it is given. [assessment_08]
Description: A consent authorization MUST include the required notice statements.
- Notice of Potential Revocation: Does the authorization contain statements adequate to place the individual on notice that the consent is subject to revocation at any time, except to the extent that the program or person making the disclosure has already acted in reliance on it? Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third-party payer. [assessment_09]
- Notice of Subsequent Redisclosure: Under 42 CFR Part 2, a single consent form can authorize a disclosure of information about a patient to one recipient, and simultaneously authorize that recipient to redisclose that information to any additional entity or entities (such as other affiliated health-care providers identified in the consent form), provided that the purpose for the disclosure is the same. Does the authorization contain the following required statement prohibiting redisclosure, so that each subsequent recipient of that information is notified of the prohibitions on redisclosure?
This notice covers the disclosure of information to you concerning a client in alcohol/drug treatment, made to you with the consent of such client. This information has been disclosed to you from records protected by federal confidentiality rules (42 C.F.R. Part 2). The federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 C.F.R. Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any substance abuse patient. [assessment_10]
Issuance Criteria:
yes(ALL)
Defective Consent Authorizations Profile Trust Interoperability Profile
URI:
http://ncsc.org/trustmarks/trustmark-definitions/consent-authorization/defective-consent-authorizations/1.0/
Description:
This Trust Interoperability Profile specifies requirements for creating a generic Policy.
References
Trustmark Definition Requirements
Trust Interoperability Profiles
Trust Expression:
TD_01 AND TD_02
HIPAA Defective Consent Authorizations Trustmark Definition
URI:
http://ncsc.org/trustmarks/trustmark-definitions/consent-authorization/HIPAA-defective-consent-authorizations/1.0/
Description:
This Trustmark Definition defines requirements to determine if a consent authorization is not defective.
| Key | Value |
| --- | --- |
| tf:TargetStakeholderDescription | Organizations that are interested in safely and legally exchanging information in a manner that complies with HIPAA and 42 CFR Part 2 regulations. |
| tf:TargetRecipientDescription | Organizations that want to demonstrate that they provide and/or consume digital information services in a manner that complies with HIPAA and 42 CFR Part 2 regulations. |
| tf:TargetRelyingPartyDescription | Organizations and individuals that require their trusted partners' computer and information systems to comply with HIPAA and 42 CFR Part 2 regulations. |
| tf:TargetProviderDescription | Organizations that audit or evaluate other organizations for compliance with HIPAA and 42 CFR Part 2 regulations. |
| tf:ProviderEligibilityCriteria | Any organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition. |
| tf:AssessorQualificationsDescription | Any individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition. |
| tf:TrustmarkRevocationCriteria | For any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied. |
| tf:ExtensionDescription | This Trustmark Definition requires no extension data. |
| tf:LegalNotice | This document and the information contained herein is provided on an “AS IS” basis, and the National Center for State Courts disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, the National Center for State Courts disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein. |
| tf:Notes | The National Center for State Courts (NCSC) has published this document with the support of the [TBD] via [TBD]. The views expressed herein do not necessarily reflect the official policies of NCSC, [TBD], or [TBD]; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government. |
HIPAA Defective Authorizations
Description: A consent authorization MUST NOT be defective.
- Expiration: Has the expiration date passed or does the covered entity know that the expiration event has occurred? [assessment_01]
- Completeness: Has the authorization been filled out completely, with respect to required elements? [assessment_02]
- Revocation: Does the covered entity know that the authorization has been revoked? [assessment_03]
- False Information: Is any material information in the authorization known by the covered entity to be false? [assessment_04]
Compound Authorizations
Description: A compound consent authorization MUST NOT be defective.
- Compound Authorizations: Is the authorization combined with any other document to create a compound authorization? [assessment_05]
- Research Studies: Is the authorization for a research study and is combined with any other type of written permission for the same research study, including another authorization for the use or disclosure of PHI for such research or a consent to participate in such research? [assessment_06]
- Psychotherapy Notes: Is the authorization for a use or disclosure of psychotherapy notes and is combined only with another authorization for a use or disclosure of psychotherapy notes? [assessment_07]
- Psychotherapy Notes: Is the authorization for a use or disclosure of psychotherapy notes and is combined with any other such authorization under this Trustmark Definition? [assessment_08]
Prohibition on Conditioning of Authorizations
Description: A consent authorization MUST NOT violate requirements involving authorizations being used as a condition for other services.
- Conditioned Authorizations: Does the covered entity condition the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits to an individual on a Consent Authorization? [assessment_09]
- Research-Related Treatment: Is a covered health-care provider conditioning the provision of research-related treatment on a consent authorization for the use or disclosure of PHI for such research? [assessment_10]
- Health Care Plan Enrollment and Benefits: Is a covered health-care provider conditioning health plan enrollment or eligibility for benefits on a consent authorization requested by the health plan prior to an individual’s enrollment in the health plan, and the authorization sought is for the health plan’s eligibility or enrollment determinations relating to the individual or for its underwriting or risk-rating determinations, and the authorization is not for a use or disclosure of psychotherapy notes? [assessment_11]
- PHI-Creation-Specific Health Care: Is the health care being provisioned solely for the purpose of creating PHI for disclosure to a third party on provision of an authorization for the disclosure of the PHI to such third party? [assessment_12]
Issuance Criteria:
(no(assessment_01) AND yes(assessment_02) AND no(assessment_03) AND no(assessment_04)) AND (!yes(assessment_05) OR yes(assessment_06) OR yes(assessment_07)) AND (!yes(assessment_09) OR yes(assessment_10) OR yes(assessment_11) OR yes(assessment_12))
42 CFR Part 2 Defective Consent Authorizations Trustmark Definition
URI:
http://ncsc.org/trustmarks/trustmark-definitions/consent-authorization/42-CFR-part-2-defective-consent-authorizations/1.0/
Description:
This Trustmark Definition defines requirements to determine if a consent authorization is not defective.
| Key | Value |
| --- | --- |
| tf:TargetStakeholderDescription | Organizations that are interested in safely and legally exchanging information in a manner that complies with HIPAA and 42 CFR Part 2 regulations. |
| tf:TargetRecipientDescription | Organizations that want to demonstrate that they provide and/or consume digital information services in a manner that complies with HIPAA and 42 CFR Part 2 regulations. |
| tf:TargetRelyingPartyDescription | Organizations and individuals that require their trusted partners' computer and information systems to comply with HIPAA and 42 CFR Part 2 regulations. |
| tf:TargetProviderDescription | Organizations that audit or evaluate other organizations for compliance with HIPAA and 42 CFR Part 2 regulations. |
| tf:ProviderEligibilityCriteria | Any organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition. |
| tf:AssessorQualificationsDescription | Any individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition. |
| tf:TrustmarkRevocationCriteria | For any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied. |
| tf:ExtensionDescription | This Trustmark Definition requires no extension data. |
| tf:LegalNotice | This document and the information contained herein is provided on an “AS IS” basis, and the National Center for State Courts disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, the National Center for State Courts disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein. |
| tf:Notes | The National Center for State Courts (NCSC) has published this document with the support of the [TBD] via [TBD]. The views expressed herein do not necessarily reflect the official policies of NCSC, [TBD], or [TBD]; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government. |
Description: A consent authorization MUST include the required elements.
- Expiration: Has the consent form expired? [assessment_01]
- Revocation: Is the consent form known to have been revoked? [assessment_02]
- Material Falsehood: Is the consent form known, or through a reasonable effort could be known, by the person holding the records to be materially false? [assessment_03]
Issuance Criteria:
no(ALL)
Glossary
| Term | Definition |
| --- | --- |
| Authorization | The process of granting a person, computer process, or device with access to certain information, services, or functionality. Authorization is derived from the identity of the person, computer process, or device requesting access that is verified through authentication. |
| Disclosure | The release, transfer, provision of access to, sharing, publication, or divulging of personal information in any manner—electronic, verbal, or in writing—to an individual, entity, or organization outside the entity that collected it. Disclosure is an aspect of privacy focusing on information which may be available only to certain people for certain purposes but which is not available to everyone. |
| HIPAA | Health Insurance Portability and Accountability Act of 1996 |
| PHI | Protected Health Information |