HIPAA Authorization Form - Minnesota

HIPAA AUTHORIZATION FOR USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION (MINNESOTA)

(Comprehensive - HIPAA and Minnesota Health Records Act)

TABLE OF CONTENTS

1. Document Header
2. Definitions
3. Operative Provisions
4. Representations & Warranties
5. Covenants & Restrictions
6. Default & Remedies
7. Risk Allocation
8. Dispute Resolution
9. General Provisions
10. Execution Block

1. DOCUMENT HEADER

HIPAA AUTHORIZATION FOR USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
Effective Date: [__/__/____]

This HIPAA Authorization ("Authorization") is made by and between:

Recitals

A. CE maintains Protected Health Information ("PHI") pertaining to Individual subject to the Health Insurance Portability and Accountability Act of 1996, 45 C.F.R. Parts 160 and 164 ("HIPAA"), and the Minnesota Health Records Act, Minn. Stat. §§ 144.291-.298 ("MHRA").

B. Individual desires to authorize the Use and Disclosure of PHI as described herein, subject to HIPAA, MHRA, and other applicable Minnesota law.

C. The Parties acknowledge that MHRA generally requires patient consent for release of health records and that this Authorization is intended to satisfy both federal and Minnesota state-law requirements.

NOW, THEREFORE, in consideration of the mutual promises contained herein, the Parties agree as follows:

2. DEFINITIONS

"Authorization" - This HIPAA/MHRA authorization form, including appendices.

"Covered Entity" or "CE" - The health-care provider, health plan, or health-care clearinghouse identified above subject to HIPAA and, where applicable, "provider" as defined under Minn. Stat. § 144.291, subd. 2(i).

"Disclose" or "Disclosure" - The release, transfer, provision of access to, or divulging of PHI outside CE.

"HIPAA" - 45 C.F.R. Parts 160 and 164.

"MHRA" - The Minnesota Health Records Act, Minn. Stat. §§ 144.291-.298.

"Individual" - The patient/subject of the PHI and signatory hereto.

"PHI" - Protected Health Information, specifically: [describe categories and date range, e.g., "office visit notes, lab results, imaging, and discharge summaries dated __/__/____ to __/__/____"].

"Recipient" - The person(s) or entity(ies) authorized to receive PHI under Section 3.1(b).

"Use" - The sharing, employment, application, utilization, examination, or analysis of PHI within CE.

3. OPERATIVE PROVISIONS

3.1 Grant of Authorization

a. Authorized PHI. CE is authorized to Use and Disclose the PHI specifically described above.

b. Authorized Recipient(s). Disclosure may be made to: [Recipient Name / Title / Address].

c. Purpose(s). PHI may be Used or Disclosed solely for: [e.g., "continuity of care," "insurance underwriting," "litigation in Case No. ____," or "at the request of the Individual"].

d. Expiration. This Authorization shall expire on the earliest of:
(i) [__/__/____];
(ii) completion of the purpose stated in 3.1(c); or
(iii) revocation under Section 3.2.

3.2 Right of Revocation

Individual may revoke this Authorization at any time by delivering written notice to CE at [Designated Privacy Office Address]. Revocation is effective upon receipt, except to the extent CE or Recipient has already acted in reliance. Revocation rights are preserved under both 45 C.F.R. § 164.508(b)(5) and Minn. Stat. § 144.293, subd. 4.

3.3 Re-Disclosure Warning

Information disclosed pursuant to this Authorization may be subject to re-disclosure by Recipient and may no longer be protected by HIPAA or Minnesota law. Under Minn. Stat. § 144.293, subd. 8, persons receiving health records may be subject to use and re-disclosure restrictions notice requirements.

3.4 Conditions for Treatment and Payment

Except for research-related treatment, enrollment in a health plan, or as otherwise permitted, CE may not condition treatment, payment, enrollment, or eligibility on the execution of this Authorization.

3.5 Special Categories of PHI - Minnesota-Sensitive Information

Individual must specifically initial each category authorized for Disclosure:

3.6 42 C.F.R. Part 2 Notice (Substance Use Disorder Records)

If Substance Use Disorder records are authorized above, the following notice applies: "This information has been disclosed to you from records protected by federal confidentiality rules (42 C.F.R. Part 2). The federal rules prohibit you from making any further disclosure of information in this record that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 C.F.R. Part 2."

3.7 Compensation; No Sale of PHI

No Party shall receive remuneration for the Use or Disclosure of PHI except as permitted under HIPAA and Minnesota law. PHI shall not be sold.

4. REPRESENTATIONS & WARRANTIES

4.1 Individual's Representations

a. Individual is of legal age and has full capacity, or is the personal representative duly authorized under Minn. Stat. § 144.291, subd. 2(g) and applicable law.

b. The information provided is accurate and complete.

4.2 CE's Representations

a. CE will Use and Disclose PHI only as permitted by this Authorization, HIPAA, and MHRA.

b. CE maintains administrative, physical, and technical safeguards required by 45 C.F.R. Part 164, Subpart C.

4.3 Recipient's Representations

Recipient shall maintain confidentiality of PHI consistent with HIPAA, MHRA, and Minn. Stat. § 144.293, subd. 8, and shall not Use or Disclose PHI except as expressly permitted herein.

4.4 Survival

The representations survive expiration or termination to the extent necessary to protect PHI and enforce Parties' rights.

5. COVENANTS & RESTRICTIONS

5.1 Recipient Covenant

Recipient shall implement reasonable safeguards to prevent unauthorized Use or Disclosure of PHI and shall immediately notify CE and Individual of any breach or suspected breach.

5.2 Compliance Monitoring

Recipient shall provide, upon reasonable written request, evidence satisfactory to CE of compliance with this Authorization.

5.3 Prohibited Actions

Recipient shall not:

• Sell PHI;
• Use PHI for marketing without separate written authorization under 45 C.F.R. § 164.508(a)(3); or
• Combine PHI with other data in a manner that violates HIPAA, MHRA, or other Minnesota law.

6. DEFAULT & REMEDIES

6.1 Events of Default

a. Material breach of Sections 3-5;
b. Failure to comply with HIPAA, MHRA, or other applicable law regarding PHI; or
c. Written notice of breach from a governmental authority.

6.2 Notice & Cure

Upon an Event of Default, the non-breaching Party shall provide written notice. The breaching Party has [30] days to cure, if curable.

6.3 Remedies

a. Termination of this Authorization, in whole or part;
b. Limited Injunctive Relief to prevent imminent or continuing unauthorized Disclosure;
c. Direct Damages subject to statutory limits (see Section 7.2). Minn. Stat. § 144.298 provides civil remedies for MHRA violations, including actual damages, costs, and attorney fees;
d. Attorney Fees to the prevailing Party in enforcing this Authorization.

7. RISK ALLOCATION

7.1 Indemnification (Authorization Scope)

Recipient shall indemnify, defend, and hold harmless CE and its affiliates against third-party claims, losses, or liabilities directly arising from Recipient's Use or Disclosure of PHI in violation of this Authorization or applicable law.

7.2 Limitation of Liability

To the fullest extent permitted by law, aggregate liability under this Authorization shall not exceed statutory damages or penalties expressly authorized by HIPAA, 42 U.S.C. § 1320d-5, Minn. Stat. § 144.298, and related regulations. No Party shall be liable for incidental, consequential, or punitive damages, except as expressly provided by statute.

7.3 Insurance

[Optional] Recipient shall maintain cyber/privacy liability insurance with limits of not less than $[1,000,000] per claim.

7.4 Force Majeure

No Party shall be liable for delay or failure to perform due to events beyond reasonable control, provided the affected Party gives prompt notice and resumes performance as soon as practicable.

8. DISPUTE RESOLUTION

8.1 Governing Law

This Authorization shall be governed by HIPAA and, to the extent not preempted, the laws of the State of Minnesota, including the MHRA.

8.2 Forum Selection

The Parties consent to exclusive jurisdiction and venue in the state and federal courts located in [COUNTY, MINNESOTA].

8.3 Optional Arbitration

By mutual written election after a dispute arises, the Parties may submit the matter to binding arbitration administered by the American Arbitration Association under its Healthcare Payor Provider Rules.

8.4 Jury Trial

Nothing herein waives any Party's constitutional right to a jury trial.

8.5 Equitable Relief

Equitable relief shall be limited to the minimum scope necessary to protect PHI consistent with Section 6.3(b).

9. GENERAL PROVISIONS

9.1 Amendment & Waiver

Any amendment must be in writing and signed by all Parties. No waiver shall be deemed continuing unless expressly stated.

9.2 Assignment

No Party may assign or delegate without prior written consent, except CE may assign to a successor upon merger or acquisition.

9.3 Severability

If any provision is held invalid, it shall be reformed to the minimum extent necessary, with the remainder continuing in full force.

9.4 Integration

This Authorization constitutes the entire agreement on the subject matter and supersedes all prior understandings.

9.5 Counterparts & Electronic Signatures

This Authorization may be executed in counterparts. Electronic signatures are deemed equivalent to handwritten signatures for all purposes, consistent with Minn. Stat. ch. 325L (Uniform Electronic Transactions Act).

10. EXECUTION BLOCK

IN WITNESS WHEREOF, the Parties have executed this Authorization as of the Effective Date.

Individual / Patient

Signature: _________________________________
Printed Name: _____________________________
Date: [__/__/____]

If signing as Personal Representative under Minn. Stat. § 144.291, subd. 2(g):
Authority/Relationship: _____________________

Covered Entity

By: __________________________ Title: ____________________
Printed Name: _____________________________
Date: [__/__/____]

Recipient

By: __________________________ Title: ____________________
Printed Name: _____________________________
Date: [__/__/____]

SOURCES AND REFERENCES

• 45 C.F.R. § 164.508 (HIPAA Authorization Core Elements)
• Minn. Stat. §§ 144.291-.298 (Minnesota Health Records Act)
• Minn. Stat. § 144.293 (Release or Disclosure of Health Records)
• Minn. Stat. § 144.294 (Records Relating to Mental Health)
• Minn. Stat. § 144.7414 (Blood-Borne Pathogen Disclosure Protocols)
• Minn. Stat. § 254A.09 (Chemical Dependency Records)
• Minn. Stat. § 13.386 (Genetic Information)
• Minn. Stat. § 144.298 (MHRA Civil Remedies)
• 42 C.F.R. Part 2 (Substance Use Disorder Confidentiality)
• 42 U.S.C. § 1320d-5 (HIPAA Civil Penalties)