HIPAA Authorization Form - North Dakota

HIPAA AUTHORIZATION FOR USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION (NORTH DAKOTA)

(Comprehensive - HIPAA, North Dakota Health Information Protection Act, and Sensitive-Records Overlays)

1. DOCUMENT HEADER

HIPAA AUTHORIZATION FOR USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION

Effective Date: [MM/DD/YYYY]

This HIPAA Authorization ("Authorization") is executed by:

2. DEFINITIONS

"Authorization" - This HIPAA authorization form, including appendices and amendments.

"Covered Entity" or "CE" - The health-care provider, health plan, or health-care clearinghouse identified above that is subject to HIPAA and to the North Dakota Health Information Protection Act, N.D.C.C. ch. 23-01.3.

"Disclose" or "Disclosure" - The release, transfer, provision of access to, or divulging in any other manner of PHI outside CE, as used in 45 C.F.R. Section 160.103.

"HIPAA" - The Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and its implementing regulations at 45 C.F.R. Parts 160 and 164.

"Individual" - The subject of the PHI and signatory hereto, as used in 45 C.F.R. Section 160.103.

"PHI" - Protected Health Information, including [describe categories, e.g., laboratory test results dated [DATE RANGE], diagnostic imaging, physician progress notes, behavioral health records, and discharge summaries].

"Recipient" - The person(s) or entity(ies) authorized to receive the PHI, as set forth in Section 3.1(b).

"Use" - The sharing, employment, application, utilization, examination, or analysis of PHI within CE, as used in 45 C.F.R. Section 160.103.

3. OPERATIVE PROVISIONS

3.1 Grant of Authorization.

a. Authorized PHI. CE is hereby authorized to Use and Disclose the PHI specifically described in the definition of "PHI" above.

b. Authorized Recipient(s). Disclosure may be made to: [Recipient Name / Title / Address].

c. Purpose(s). PHI may be Used or Disclosed solely for the following purpose(s): [e.g., "continuity of care," "insurance underwriting," "legal proceeding in Case No. ____," "research study titled ____," or "at the request of the Individual"].

d. Expiration. This Authorization shall expire on the earliest of:

(i) [MM/DD/YYYY];

(ii) completion of the purpose(s) stated in 3.1(c); or

(iii) revocation pursuant to Section 3.2.

3.2 Right of Revocation.

Individual may revoke this Authorization at any time by delivering written notice to CE at [Designated HIPAA Privacy Office Address]. Revocation is effective upon receipt except to the extent CE or Recipient has already acted in reliance on this Authorization, consistent with 45 C.F.R. Section 164.508(b)(5).

3.3 Re-Disclosure Warning.

Information disclosed under this Authorization may be subject to re-disclosure by Recipient and may no longer be protected by HIPAA or North Dakota law. CE has no responsibility for any re-disclosure outside its control.

3.4 Conditions for Treatment, Payment, Enrollment, or Eligibility.

Except for research-related treatment or enrollment in a health plan, CE may not condition treatment, payment, enrollment, or eligibility for benefits on the execution of this Authorization, consistent with 45 C.F.R. Section 164.508(b)(4).

3.5 Special Categories of PHI - North Dakota Sensitive Records.

The following sensitive categories of PHI require the Individual's specific, knowing initials. CE shall not Disclose any sensitive category for which the corresponding box is not initialed.

a. Psychotherapy Notes (45 C.F.R. Section 164.508(a)(2)). ☐ Authorized. Initials: [____]

b. Mental Health / Behavioral Health Records (N.D.C.C. Section 25-03.1-43). Records made or maintained in connection with mental health treatment, evaluation, or commitment are confidential and may be disclosed only with the Individual's specific authorization or as otherwise permitted by statute. ☐ Authorized. Initials: [____]

c. HIV / Bloodborne Pathogen Test Results (N.D.C.C. Section 23-07.5-05). Results of an HIV or other bloodborne pathogen test, and the identity of the subject of such testing, may not be disclosed without a written authorization specifically referencing such results. ☐ Authorized. Initials: [____]

d. Substance Use Disorder Treatment Records (42 C.F.R. Part 2; N.D.C.C. ch. 50-31, including Section 50-31-06). Records identifying the Individual as having sought or received substance use disorder treatment from a federally assisted program or a North Dakota-licensed substance use disorder treatment program may not be Disclosed except in strict compliance with 42 C.F.R. Part 2 and N.D.C.C. ch. 50-31. ☐ Authorized. Initials: [____]

e. Genetic Information. Genetic test results may only be Disclosed consistent with the Genetic Information Nondiscrimination Act (GINA) and applicable North Dakota law.

3.6 Prohibition on Sale of PHI; Marketing.

CE shall not Disclose PHI in exchange for direct or indirect remuneration except as permitted under HIPAA and North Dakota law, and shall not Use or Disclose PHI for marketing without a separate, compliant written authorization.

3.7 Right to Access and to Copy.

Individual retains the right to inspect and obtain a copy of PHI under 45 C.F.R. Section 164.524 and under N.D.C.C. ch. 23-01.3 (Health Information Protection Act), including Section 23-01.3-03 governing patient access to health records.

3.8 Physician-Patient Privilege.

Disclosure pursuant to this Authorization constitutes a knowing and limited waiver of the physician and mental health professional-patient privilege under N.D. R. Evid. 503 to the extent reasonably necessary to effectuate the purpose(s) stated in Section 3.1(c), and not otherwise.

4. REPRESENTATIONS & WARRANTIES

4.1 Individual's Representations.

a. Individual is at least 18 years of age and possesses full legal capacity, or is the parent, legal guardian, or personal representative duly authorized under North Dakota law to execute this Authorization on behalf of the Individual.

b. The information provided herein is accurate and complete to the best of Individual's knowledge.

4.2 CE's Representations.

a. CE will Use and Disclose PHI only as expressly authorized herein and as permitted by applicable law.

b. CE maintains the administrative, physical, and technical safeguards required by HIPAA and by N.D.C.C. ch. 23-01.3.

4.3 Recipient's Representations.

Recipient shall maintain the confidentiality of PHI in accordance with all applicable laws and this Authorization and shall not Use or Disclose PHI except as expressly permitted herein.

5. COVENANTS & RESTRICTIONS

5.1 Recipient Safeguards.

Recipient shall implement reasonable administrative, physical, and technical safeguards to prevent unauthorized Use or Disclosure of PHI and shall immediately notify CE and Individual of any breach or suspected breach.

5.2 Prohibited Actions.

Recipient shall not (a) sell PHI; (b) Use PHI for marketing without separate written authorization; or (c) combine PHI with other data in a manner that violates HIPAA, N.D.C.C. ch. 23-01.3, or other applicable law.

5.3 Minimum Necessary.

Disclosure shall be limited to the minimum necessary to accomplish the purpose(s) in Section 3.1(c), except where Section 164.502(b)(2) provides otherwise (e.g., disclosure to the Individual or pursuant to an authorization).

6. DEFAULT & REMEDIES

6.1 Events of Default. (a) Material breach of any provision of Sections 3-5; (b) failure to comply with any applicable law regarding PHI; or (c) written notice of breach delivered by a governmental authority.

6.2 Notice & Cure. The non-breaching Party shall give written notice of default. The breaching Party shall have [30] days from receipt to cure, if curable.

6.3 Remedies. (a) Termination of this Authorization, in whole or in part; (b) limited injunctive relief to prevent imminent or continuing unauthorized Disclosure of PHI; (c) recovery of direct damages subject to statutory limits; (d) reasonable attorney fees and costs to the prevailing Party.

7. RISK ALLOCATION

7.1 Indemnification.

Recipient shall indemnify, defend, and hold harmless CE and its affiliates from third-party claims, losses, or liabilities directly arising from Recipient's Use or Disclosure of PHI in violation of this Authorization or applicable law.

7.2 Limitation of Liability.

To the fullest extent permitted by law, aggregate liability under this Authorization shall not exceed the statutory damages or penalties authorized by HIPAA (42 U.S.C. Section 1320d-5), N.D.C.C. ch. 23-01.3, and related regulations. No Party shall be liable for incidental, consequential, or punitive damages, except as required by statute.

7.3 Insurance (Optional).

Recipient shall maintain cyber/privacy liability insurance with limits of not less than $[1,000,000] per claim.

8. DISPUTE RESOLUTION

8.1 Governing Law.

This Authorization shall be governed by HIPAA and, to the extent not preempted, the laws of the State of North Dakota, including N.D.C.C. ch. 23-01.3.

8.2 Forum Selection.

The Parties consent to exclusive jurisdiction and venue in the state and federal courts located in [COUNTY], NORTH DAKOTA.

8.3 Optional Arbitration.

By mutual written election after a dispute arises, the Parties may submit the matter to binding arbitration administered by the American Arbitration Association under its Healthcare Payor Provider Rules.

8.4 Jury Trial.

Nothing herein waives any Party's constitutional right to a jury trial.

9. GENERAL PROVISIONS

9.1 Amendment & Waiver. Any amendment must be in writing and signed by all Parties. No waiver shall be deemed continuing unless expressly stated.

9.2 Assignment. No Party may assign without prior written consent, except CE may assign to a successor by merger or acquisition.

9.3 Severability. If any provision is held invalid, it shall be reformed to the minimum extent necessary, and the remaining provisions remain in effect.

9.4 Integration. This Authorization constitutes the entire agreement on its subject matter.

9.5 Counterparts & Electronic Signatures. Permitted; electronic signatures are equivalent to handwritten.

10. EXECUTION BLOCK

IN WITNESS WHEREOF, the Parties have executed this Authorization as of the Effective Date.

Individual / Patient

Signature: _________________________________

Printed Name: _____________________________

Date: __________________

If signing as Personal Representative or Guardian:

Authority / Relationship: _____________________

Covered Entity

By: __________________________ Title: ____________________

Printed Name: _____________________________

Date: __________________

Recipient

By: __________________________ Title: ____________________

Printed Name: _____________________________

Date: __________________

SOURCES AND REFERENCES

• 45 C.F.R. Section 164.508 (required authorization elements)
• 42 C.F.R. Part 2 (substance use disorder records)
• N.D.C.C. ch. 23-01.3 (Health Information Protection Act)
• N.D.C.C. Section 23-07.5-05 (bloodborne pathogen / HIV test confidentiality)
• N.D.C.C. Section 25-03.1-43 (mental health record disclosure)
• N.D.C.C. ch. 50-31 (substance use disorder treatment programs; Section 50-31-06 confidentiality)
• N.D. R. Evid. 503 (physician and mental health professional-patient privilege)