Paubox blog: HIPAA compliant email made easy

Can an individual revoke authorization?

Written by Kirsten Peremore | November 07, 2023

An individual retains the right to revoke authorization, as established under the Privacy Rule guidelines. This revocation needs to meet specific requirements but remains subject to limitations.

See also: How does HIPAA differentiate between consent and authorization?

 

Requirements to revoke authorization

  1. Revocation in writing: The individual must submit the cancellation in writing to the covered entity initially authorized for disclosure. This revocation must be received by the covered entity to be effective. Verbal revocation is not sufficient under these guidelines.
  2. Notice of revocation: The authorization document must explicitly state the individual's right to revoke the authorization. The revocation process details need to be outlined in the authorization form itself or can be referred to in the Notice of Privacy Practices provided by the covered entity.
  3. Effectiveness of revocation: The revocation only becomes effective after it's received by the covered entity. However, it might not nullify actions taken by the covered entity in reliance on the initial authorization. These actions are likely valid based on the terms of the approval before the revocation.

 

When can authorization be revoked?

The revocation of authorization can occur at any time after it's initially granted. This means that the person who provided the authorization can choose to revoke it for any reason they see fit. However, there are certain specific situations or conditions where revocation might be especially pertinent or necessary. 

For instance, an individual might decide to revoke authorization when they no longer wish to participate in a research study or when they become aware of the disclosure of information that they're uncomfortable with. 

Revocation may be necessary if initial authorization was obtained for insurance and the insurer can contest claims.

See also: HIPAA Compliant Email: The Definitive Guide

 

Limitations to revoking authorization

While individuals have the right to revoke their authorization, limitations may apply based on the specific terms and context of the authorization, and the actions taken by the covered entity before the revocation.

These include:

  1. Actions taken in reliance on authorization: Actions already performed by the covered entity based on the initial authorization might not be affected by the revocation. For example, if disclosures or uses of information were made in reliance on the authorization before it was revoked, these actions likely remain valid.
  2. Insurance-related authorizations: In cases where the authorization was obtained as a condition for obtaining insurance coverage and the insurer retains the right to contest a claim under the policy, the revocation might not void the initial authorization.
  3. Research integrity and legal obligations: In the context of ongoing research or legal obligations, certain actions taken based on the initial authorization might continue to be valid to ensure the integrity of the research, to address subject withdrawals, scientific misconduct investigations, or to report adverse events. In such cases, the covered entity might be permitted to continue using or disclosing protected health information obtained before the revocation.

See also: The role of patient consent in research