HIPAA Authorization Form - Virginia

HIPAA AUTHORIZATION FOR USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION (VIRGINIA)

(Comprehensive - HIPAA and Virginia Health Records Privacy Act)

1. INDIVIDUAL AND HEALTH CARE ENTITY IDENTIFICATION

Disclosing Health Care Entity ("HCE"):
[Provider / Plan / Clearinghouse Legal Name]
[Address] | [Phone] | [HIPAA Privacy Officer]

Authorized Recipient(s):
[Recipient Name(s), Title, Organization, Address]

2. DESCRIPTION OF INFORMATION TO BE USED OR DISCLOSED

(Required by 45 C.F.R. § 164.508(c)(1)(i) and Va. Code § 32.1-127.1:03.)

☐ Complete health record (including the audit trail referenced in § 32.1-127.1:03(A)(1) on specific request)
☐ Office and progress notes from [__/__/____] to [__/__/____]
☐ Laboratory and pathology reports
☐ Diagnostic imaging and radiology reports / films
☐ Hospital admission, discharge, and operative reports
☐ Emergency department records
☐ Billing and payment records
☐ Immunization records
☐ Prescription / medication records
☐ Other: [____________________________]

Date range: From [__/__/____] to [__/__/____] (or ☐ all dates).

3. SPECIALLY PROTECTED CATEGORIES (VIRGINIA)

Initial each category authorized for disclosure. A blank line means the category is NOT released.

☐ HIV / AIDS test results (Va. Code § 32.1-36.1 - civil penalty up to $5,000 per willful or grossly negligent unauthorized disclosure; private right of action for actual damages or $100, whichever is greater, plus fees and costs). Initials: [____]

☐ Mental / behavioral health records (Va. Code §§ 37.2-804.2 and 32.1-127.1:03(D)). Initials: [____]

☐ Substance use disorder ("SUD") treatment records protected by 42 C.F.R. Part 2 and Va. Code § 32.1-127.1:03(B). I acknowledge Part 2 records may not be redisclosed without further written authorization. Initials: [____]

☐ Genetic testing results and genetic information (Va. Code § 38.2-508.4 for insurance contexts; redisclosure also restricted by § 32.1-127.1:03(A)(3)). Initials: [____]

☐ Psychotherapy notes as defined in 45 C.F.R. § 164.501 (separate authorization required under § 164.508(a)(2)). Initials: [____]

☐ STD / communicable disease information reported under Va. Code § 32.1-36. Initials: [____]

4. PURPOSE OF DISCLOSURE

(Required by 45 C.F.R. § 164.508(c)(1)(iv).)

☐ Continuity of care / treatment by another health care entity
☐ Personal use ("at the request of the individual")
☐ Legal proceeding: Case caption [____________________________], Case No. [______________], Court [____________________________]
☐ Subpoena response under Va. Code § 8.01-413 (attach subpoena and certification)
☐ Insurance / claim review / disability determination
☐ Workers' compensation (Va. Code title 65.2)
☐ Social Security / public benefits application
☐ Employment / pre-employment screening
☐ Research study: [____________________________]
☐ Other: [____________________________]

5. EXPIRATION

(Required by 45 C.F.R. § 164.508(c)(1)(v).)

This Authorization expires on the earliest to occur of:

a. Specific expiration date: [__/__/____];
b. Specific expiration event: [e.g., "final disposition of Case No. ____"];
c. ☐ Six (6) months from signature if no date or event is specified (or such other default period as the HCE applies, not to exceed Virginia practice norms); or
d. The Individual's written revocation under Section 6.

6. RIGHT TO REVOKE

(Required by 45 C.F.R. § 164.508(c)(2)(i).)

I may revoke this Authorization at any time by delivering a written revocation to:

[HCE Name, attn: HIPAA Privacy Officer, Address]

Revocation is effective on receipt, except to the extent the HCE or Recipient has already acted in reliance on it. Revocation does not extend to information already disclosed.

7. RE-DISCLOSURE PROHIBITION (VIRGINIA)

I understand that:

a. Under Va. Code § 32.1-127.1:03(A)(3), the Recipient may NOT redisclose or otherwise reveal my health records beyond the purpose stated in Section 4 without first obtaining my specific further written authorization.
b. HIV test results disclosed under § 32.1-36.1 remain confidential; unauthorized redisclosure may result in civil penalty and damages liability.
c. 42 C.F.R. Part 2 SUD records remain subject to federal redisclosure prohibition; further redisclosure requires written consent or another Part 2 exception.
d. Genetic information in insurance contexts remains subject to Va. Code § 38.2-508.4.
e. Once disclosed to a non-health care recipient, federal HIPAA protections may no longer apply, but Virginia state-law protections continue to bind any Virginia recipient.

8. CONDITIONS, REMUNERATION, AND MARKETING

a. No conditioning of treatment. The HCE may not condition treatment, payment, enrollment, or eligibility for benefits on whether I sign this Authorization, except as permitted by 45 C.F.R. § 164.508(b)(4).
b. Marketing. PHI will not be used or disclosed for marketing without separate written authorization.
c. Sale of PHI. PHI will not be sold without my separate written authorization disclosing remuneration. ☐ Acknowledged if applicable: [Describe]
d. Subpoena / litigation copies. When records are produced under a Va. Code § 8.01-413 subpoena, the HCE may charge the statutory fees permitted by that section and applicable Virginia Department of Health Professions regulations.

9. INDIVIDUAL'S RIGHTS NOTICE

I understand and acknowledge that:

a. I have a recognized right of privacy in my health records under Va. Code § 32.1-127.1:03(A).
b. I have the right to inspect and copy the PHI to be disclosed, subject to 45 C.F.R. § 164.524 and Va. Code § 32.1-127.1:03(E)-(F).
c. I have the right to receive a copy of this signed Authorization.
d. The HCE's Notice of Privacy Practices describes how PHI is used and disclosed; a copy is available upon request.
e. Unauthorized disclosure of HIV test results may result in civil penalty up to $5,000 per violation and an individual cause of action for actual damages or $100, whichever is greater, plus attorney fees and costs (Va. Code § 32.1-36.1).
f. Health care providers receive statutory immunity for good-faith disclosures made pursuant to § 37.2-804.2.

10. SIGNATURE

By signing below, I represent that I have read and understood this Authorization, have had an opportunity to ask questions, and voluntarily authorize the Use and Disclosure of my PHI as set forth above.

Authority of Personal Representative (check one):
☐ Parent / legal guardian of unemancipated minor
☐ Court-appointed guardian of the person (Va. Code § 64.2-2000 et seq.)
☐ Agent under Va. Code § 54.1-2981 et seq. (Health Care Decisions Act / Advance Directive)
☐ Executor / administrator of decedent's estate
☐ Attorney-in-fact under durable power of attorney for health care
☐ Other: [____________________________]

Witness / Notary (optional; recommended for sensitive disclosures):
Signature: _____________________ Printed Name: _____________________ Date: [__/__/____]

11. SOURCES AND REFERENCES

• 45 C.F.R. § 164.508 - HIPAA authorization core elements
• Va. Code § 32.1-127.1:03 - Virginia Health Records Privacy Act
• Va. Code § 37.2-804.2 - Behavioral health disclosure in proceedings
• Va. Code § 32.1-36.1 - Confidentiality of HIV test; civil penalty; private action
• Va. Code § 32.1-36 - Reports by physicians and laboratory directors
• Va. Code § 38.2-508.4 - Genetic information privacy (insurance)
• Va. Code § 8.01-413 - Medical records; subpoena duces tecum
• Va. Code § 54.1-2981 et seq. - Health Care Decisions Act
• 42 C.F.R. Part 2 - Federal SUD record confidentiality
• 45 C.F.R. § 164.524 - Right to access PHI