The Health Insurance Portability and Accountability Act (HIPAA) requires an "authorization" for any use or disclosure of protected health information that is not specifically permitted by the privacy rule. The privacy rule specifically allows the use and disclosure of PHI for treatment, payment and health care operations.
An authorization is a detailed document that gives covered entities (health plans, health care providers and health care clearinghouses) permission to use protected health information for certain specified purposes other than treatment, payment and health care operations, or to disclose protected health information to a third party specified by the individual.
An authorization must include several specific elements, including a description of the PHI to be used or disclosed, the person authorized to make the use or disclosure, the person to whom the disclosure may be made, an expiration date, and the purpose for the disclosure. A valid authorization may authorize disclosures to a particular entity, person or class of persons.
HIPAA gives individuals the right to revoke an authorization at any time. The revocation must be in writing and will not be considered effective until it is received. It will not be effective for any actions taken in reliance on the authorization before it was revoked.
BAS requires that an employee complete a written authorization before BAS will correspond with anyone other than the employee about his or her benefits. BAS has a format authorization form for this purpose which can be accessed on MyEnroll360 or by contacting service@BASusa.com.